Part 5 of the Data (Use and Access) Act 2025 (DUAA) came into effect on 5 February 2026. The DUAA amends UK GDPR and the Data Protection Act 2018, adding in additional definitions and alternative legal gateways for processing personal data.
Local authorities (LAs) will need to be aware of the new ‘recognised legitimate interests’ lawful basis for processing, which allows for a Legitimate Interests Assessment (LIA) to be waived if processing for the purposes of security, direct marketing or ‘intra-group transmission of personal data’. Whilst LAs, as before, are unable to rely on legitimate interests for any processing that falls within their activities or obligations as outlined in law, suppliers and contractors now have greater flexibility. This means that privacy notices will have to be updated if this new basis is relied on.
Part 5 also outlines further provisions, restrictions and safeguards to govern the use of automated decision-making (ADM). ADM can now potentially be used for significant decisions using only personal data. ADM involving sensitive, or special category, data is still generally prohibited.
The DUAA also allows for softer approach to the re-use of some personal data, where an assumption of compatibility can be made without having to do a compatibility test (or LIA).
It also expands the scope of what can be considered ‘scientific or historical research’, or ‘statistical purposes’ when processing personal data. These can now be carried out for ‘commercial or non-commercial activities’, but the Act still prohibits re-identifying individuals from those statistics.
LAs should also be aware that it is now a statutory obligation to provide a way for individuals to complain about how their personal information is used, and mandates that complaints must be acknowledged within 30 days.
Part 5 of the DUAA is available to read.
You can also read the ICOs guidance on the DUAA.
