The Data (Use and Access) Act 2025 gives ministers broad powers to require traders and their processors to provide customers’ and business‑related data to customers or authorised third parties, and to prescribe how that data must be produced, accessed and transferred (dashboards, APIs, certification and interface bodies). It creates a mandatory structure for digital verification services (DVS) — a Secretary of State‑authored trust framework, accredited conformity assessments, a public DVS register, a trust mark and an information gateway allowing designated public authorities to disclose data to registered providers.
Beyond data portability and identity, the Act builds a National Underground Asset Register (NUAR) with statutory duties on undertakers to upload and keep apparatus records, modernises birth and death registers, rewrites large parts of the UK data‑protection architecture (new legal gateways, research safeguards, automated‑decision rules) and replaces the individual Information Commissioner post with a corporate Information Commission. For businesses and compliance teams this is not a single‑issue bill: it creates multiple regulatory regimes, new enforcement tools (interview and information notices, monetary penalties, public censure) and a dense menu of delegated powers that will be specified in secondary legislation.
At a Glance
What It Does
The Act allows the Secretary of State and Treasury to make regulations compelling data holders to provide customer and business data to customers or authorised third parties, and to require the use of prescribed interfaces, standards or dashboard services. It establishes a certified digital verification ecosystem (trust framework, register, trust mark), requires a statutory National Underground Asset Register (NUAR) and overhauls data‑protection rules and institutional architecture (creating the Information Commission).
Who It Affects
Traders and their processors, financial services firms (via FCA interface rules), digital identity providers and conformity assessment bodies, utilities and undertakers required to populate NUAR, ISPs and regulated online services, independent researchers seeking platform data, and public authorities that will disclose or receive data under the new gateways. Small and micro businesses that supply data are explicitly a focus of regulatory impact tests.
Why It Matters
The Act shifts many data flows from voluntary to regulatory: customers can expect greater access to their own transactional and usage data, while third‑party services will have clearer legal routes to obtain it. At the same time the government centralises policy choices (standards, scope, fees, enforcement) into a cascade of secondary instruments and new regulators; that produces legal certainty in some places and implementation risk and compliance cost in others. The changes also recalibrate privacy trade‑offs — creating specific pathways for research, public service delivery and national‑security exceptions that compliance teams must track closely.
What This Bill Actually Does
Part 1 gives ministers power to write ‘data regulations’ that force a trader or a business‑processor to provide customer data (information tied to an identifiable customer’s purchases, use and performance of goods/services) or business data (records about goods, supply chains, prices, feedback). Those regulations can set who counts as an authorised recipient, require APIs or dashboard services, impose standards and require data holders to keep records and to assist one another.
The regulations will also specify decision‑makers and interface bodies that can monitor authorisations and approvals; enforcers will have investigation powers, compliance notices, financial penalties and (subject to defined limits) powers of entry and inspection.
Part 2 creates a statutory digital verification service (DVS) regime. The Secretary of State must publish a DVS trust framework and optional supplementary codes; accredited conformity assessment bodies certify providers; the government runs a public DVS register; registered providers may receive information from public authorities via a new information gateway for identity verification.
The regime includes a trust mark, powers to refuse or remove registration (including on national‑security grounds), fees for registration and procedural protections such as review and appeal rights.
Part 3 requires the Secretary of State to keep NUAR and obliges undertakers who have apparatus in streets to upload existing records during an ‘initial upload period’, to update entries, and to notify missing or incorrect underground‑asset information discovered during works. The scheme contemplates regulated access (including charges), prescribed data standards, guidance on protecting NUAR data and monetary penalties for failures to comply or to provide information.
Part 4 modernises registers of births and deaths, authorising electronic registers and specifying how non‑hard‑copy entries count as official.
The Registrar General and local registration officers gain powers to set formats, require specified identity evidence, supply forms and publish guidance; the Act provides for transitional arrangements for legacy paper registers.
Part 5 and related sections: the Act rewrites many elements of UK data‑protection law. It inserts new lawful‑basis material (a “recognised legitimate interests” gateway and a structured purpose‑compatibility mechanism), expands research and archiving safeguards (new Chapter 8A/Article 84B), revises consent rules for research and law‑enforcement processing, tightens automated‑decision safeguards for significant decisions (including new restrictions where sensitive data is involved), adjusts subject‑access timeframes and authorises joint processing arrangements between intelligence services and competent authorities.
It also gives the regulator new powers (interview and assessment notices, expanded information orders), creates duties to publish codes and impact assessments, and requires the Secretary of State to commission economic assessments and reports on AI training and copyright.
Other Parts make targeted changes: the PEC rules are amended to clarify consent and cookie exceptions and shift enforcement arrangements to the new Commission; the Online Safety Act is adapted to permit regulated researcher access to platform datasets; the Act clarifies retention rules for biometric and INTERPOL‑sourced material and creates new offences for creating or requesting AI‑style “purported intimate images.” Across the Act many operational details are left to secondary legislation, and several provisions are explicitly subject to affirmative parliamentary procedure.
The Five Things You Need to Know
The Secretary of State and Treasury can, by regulation, require a trader or a processor to provide customer data or business data to customers or specified authorised third parties, and to mandate the use of specified interfaces, dashboards or APIs (Part 1).
Part 2 creates a DVS trust framework and a public DVS register: providers must hold conformity‑assessment certificates from an accredited body to be registered; the Secretary of State may refuse, remove or restrict registration — including on national security grounds (Sections 28–35).
NUAR is statutory: undertakers must upload archive records during an initial upload period, keep apparatus records up to date in prescribed form and may be criminally liable and civilly liable for failing to enter or correct data (Sections 106A–106C and related amendments to New Roads and Street Works Act 1991).
The Act amends the UK GDPR/2018 Act: it adds a recognised legitimate‑interest gateway (Article 6(1)(ea)), inserts a purpose‑compatibility test (Article 8A/Annex 2), creates research safeguards (Article 84B/Part 5 changes) and tightens automated‑decision protections for significant decisions and sensitive processing (Articles 22A–22D and related provisions).
The Information Commissioner’s functions transfer to a new corporate Information Commission with duties to promote innovation and competition as well as data protection, and the Act expands regulator enforcement tools (information and interview notices, assessment reports, monetary penalties and publication powers) and creates new procedures for codes of practice and panels (Part 6 and amendments to the 2018 Act).
Section-by-Section Breakdown
New regulatory framework to compel access to customer and business data
This Part authorises the Secretary of State and the Treasury to make ‘data regulations’ that can require data holders (traders or processors) to provide customer or business data to customers or to authorised third parties. The regulations can set up procedural requirements (authorisation and approval processes), require particular technical interfaces (dashboards, APIs), create decision‑makers and interface bodies to monitor compliance, and create enforcement arrangements including compliance notices, financial penalties and criminal offences for obstructing access. The Secretary of State and Treasury must have regard to effects on customers, data holders, small businesses, innovation and competition when making regulations; some categories of regulations are subject to affirmative parliamentary procedure.
Digital verification services (DVS): certification, register and information gateway
The Act puts the DVS trust framework on a statutory footing: the Secretary of State must publish rules, oversee supplementary codes, and maintain a public register of DVS‑registered providers. A provider needs a certificate from an accredited conformity assessment body to register; registration can be refused or revoked (explicitly permitting national‑security refusals where reasons are withheld). Registered DVS providers gain a limited information gateway: public authorities may disclose specified personal information to them to enable identity or status checks, but disclosures remain subject to data‑protection limits and departmental consent rules (e.g., HMRC/WRA). The regime includes registration fees, appeals, a trust mark and sanctions for non‑compliance.
National Underground Asset Register (NUAR) and duties on undertakers
The Secretary of State must keep NUAR and prescribe its form, access, and charging regime. Undertakers (utilities and other apparatus owners) must upload existing records by an archive upload date and continue to enter or update prescribed information; failure attracts offences, fines and civil liability for losses caused by missing or incorrect data. Regulations will specify what is accessible to whom, publication or obfuscation rules, licensing of non‑Crown IP rights in NUAR content, and consultation obligations with Welsh Ministers where Welsh apparatus is concerned.
Modernising registers of births and deaths
The Act replaces legacy mechanics for registers: the Registrar General may require electronic forms, compel provision of equipment and forms by local authorities, and treat non‑hard‑copy registers as the official register where specified. The law sets rules for what counts as a signature or evidence of signature in electronic registers, provides parliamentary oversight for certain regulations, and contains transitional rules for existing paper records.
Substantive data‑protection reform and enforcement enhancements
This large cluster of amendments reshapes the UK GDPR and the Data Protection Act 2018: it inserts a new ‘recognised legitimate interests’ lawful basis with an Annex of permitted cases, recasts purpose‑limitation tests and creates a bespoke chapter of safeguards for research, archiving and statistics. It tightens consent requirements, clarifies the law for law‑enforcement processing, tightens rules and safeguards for automated decision‑making (especially where sensitive or special‑category data is involved), changes SAR timing and scope (reasonable/proportionate searches and extended timeframes), and creates national‑security carve‑outs and a process for designation of joint intelligence/competent‑authority processing. The Act also strengthens the regulator’s procedural toolkit (interview notices, assessment reports, powers to require documents) and requires the Secretary of State to publish assessments and AI‑copyright reports.
Establishing the Information Commission and restructuring enforcement governance
The Act abolishes the singular Information Commissioner office and establishes the Information Commission corporate body with multiple non‑executive and executive members, formal strategy duties, reporting obligations and explicit duties to consider innovation and competition. The Commission inherits and extends enforcement powers — including the new interview‑notice and assessment‑report regimes — and must publish guidance, codes of practice and performance metrics.
Miscellaneous: online‑safety research, smart meters, biometric retention and intimate‑image offences
The Act amends sector laws. It authorises regulated researcher access to online service data under conditions and safeguards, inserts NUAR/retention and enforcement detail into street‑works law, empowers the Gas and Electricity Markets Authority to manage grants of 'smart‑meter communication licences', extends biometric retention rules (including pseudonymised retention and INTERPOL handling), requires economic and policy reports on copyright and AI training, and criminalises the intentional creation or requesting of AI‑style ‘purported intimate images’ of adults.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Customers and end users — the Act creates regulated routes for customers (or authorised proxies) to obtain their own transaction and use data, enabling portability, switching services and richer personal dashboards. That supports consumer‑facing fintech and comparison services.
- Independent researchers and public‑interest analysts — the Act authorises regulated researcher access to online safety data and creates RAS (research/archiving/statistics) safeguards designed to make large‑scale research practicable.
- Public authorities and frontline services — DVS and NUAR give government and local authorities clearer mechanisms to obtain verified identity information and reliable underground‑asset records, improving service delivery, safety and verification for immigration, tenancy and public‑service checks.
- New entrants and certified DVS providers — firms that secure accreditation and registration gain preferential legal access to public information gateways and may use the trust mark to market verification services, strengthening their commercial position.
Who Bears the Cost
- Traders and data holders (and their processors) — the regulations may force data extraction, retention, standardisation and API implementation; they will face record‑keeping, interface and compliance costs, plus possible financial penalties and litigation risk for failures to meet upload or sharing duties.
- Small and micro businesses — the Act requires the Secretary of State and Treasury to consider small business impacts, but the Act explicitly allows fees, levies and cost‑recovery mechanisms; small suppliers may lack resources to comply with mandated interfaces, certification or record uploads.
- Relevant IT providers and conformity assessors — suppliers of identity, dashboard and API services will need to meet information‑standard rules, undergo accreditation and adapt commercial models; conformity assessment bodies carry accreditation responsibilities and liability for certification processes.
- Public sector budgets and capacity — the Secretary of State, Treasury and public authorities must stand up registers, codes, guidance, review processes and pay for accreditation, enforcement and subsidies; the Act anticipates fees and levies but leaves implementation funding choices to Ministers.
Key Issues
The Core Tension
The central tension in the Act is between two legitimate objectives that pull in opposite directions: enabling regulated access to business and customer data to promote competition, innovation and safer public services, versus protecting individuals’ privacy and limiting concentration of power. The bill solves for access and enforceability by giving ministers and new regulators broad rule‑making and enforcement powers, but that solution transfers risk — of privacy intrusions, compliance costs and gatekeeper effects — onto businesses, citizens and courts to remedy later.
The Act centralises many operational rules in secondary legislation and delegated instruments; ministers get extensive discretion to define what counts as customer or business data, who qualifies as authorised recipients, which technical interfaces must be used, and when fees or levies apply. That design speeds policy calibration but shifts the immediate compliance burden onto regulated parties who must track dozens of forthcoming regulations, standards and FCA rules.
Practically, firms will need to map contractual chains, update processor agreements and adapt to new monitoring and decision‑maker regimes — while legal uncertainty may persist until implementing instruments are published.
The Bill also strengthens regulator powers (information and interview notices, financial penalties, public censures and removal of DVS registration) while preserving some classical protections (legal‑advice privilege, judicial warrants for dwelling entries). The result is an uneven enforcement landscape: powerful investigatory tools sit beside statutory limits and parliamentary procedures, producing both greater regulator reach and new procedural complexity for appeals, tribunal reviews and reviews of national‑security determinations.
Finally, the law creates a series of policy trade‑offs — data access for innovation and public service vs heightened privacy and security risks, and certification‑driven trust that can produce single‑point gatekeepers and cost barriers for small suppliers — that regulators and courts will have to balance in practice.