Introduction

The Data Use and Access Act 2025 (DUAA) is a UK Act of Parliament that reformed the country’s data protection and privacy framework, aiming to promote innovation and economic growth while maintaining high standards for personal rights and freedoms. The Act is wide-ranging, covering both personal data protection changes and broader digital policy matters.

The main points of the Act are;

Reforming Data Protection and Privacy (UK GDPR and PECR)

• “Recognised Legitimate Interests”: Introduces a new set of specific purposes for processing personal data (e.g., safeguarding national security, crime prevention) where organisations do not need to perform the standard “balancing test” to ensure their interests do not override individual rights.

• Scientific Research: Clarifies and broadens the definition of “scientific research” to explicitly include commercial and privately funded research, making it easier to use personal data for these purposes, including initial “broad consent” for future, unspecified research.

• Automated Decision-Making (ADM): Eases some restrictions on ADM that produces a legal or similarly significant effect, particularly for non-sensitive data, by allowing a wider range of lawful bases (like legitimate interests) while still requiring specific safeguards, such as the right to obtain human review.

• Cookies and Electronic Communications (PECR): Aligns the maximum fines under the Privacy and Electronic Communications Regulations (PECR) with the UK GDPR (up to 4% of global turnover). It also creates exemptions from the consent requirement for certain low-risk cookies (e.g., for statistical analysis to improve a website).

• Data Subject Access Requests (DSARs): Clarifies that organisations only need to conduct “reasonable and proportionate” searches to fulfil a DSAR, aiming to reduce the administrative burden on businesses.

Smart Data and Digital Services

• Smart Data Schemes: Establishes a framework to enable new sector-specific “Smart Data Schemes” (beyond the existing Open Banking) to mandate access to customer and business data. This aims to increase competition and allow customers and businesses to share their data more easily with third-party providers.

• Digital Verification Services (DVS): Creates a framework for the regulation and certification of providers of digital identity verification services, allowing organisations to apply for certification and use a “trust mark” to show they meet government standards.

• National Underground Asset Register: Puts the register, which maps the location of underground utilities and pipes, onto a statutory footing to facilitate data sharing and reduce damage and delays in construction.

3. Public Service Data Use

• Health and Social Care: Mandates the establishment of common information standards for IT systems in health and social care in England. This aims to improve the flow and interoperability of patient data, enhancing clinical outcomes and efficiency.

• Police Administrative Burden: Removes the requirement for police officers to manually record the justification every time they access or disclose personal data for law enforcement purposes, aiming to free up officers’ time.

• Electronic Registration: Enables the electronic registration of births and deaths.

In essence, the DUAA seeks to make the UK’s data regime more flexible and business-friendly in specific areas, especially for scientific research and public service efficiency, while modernising regulations for digital services and data sharing.

This summary has been deemed as accurate by AI

This Act has faced significant criticism and is justified in our opinion.

To cut a long opinion short, companies can now legally scrape any data about you from the web, use it to train its own AI to make money from you, then government can gain access to that information and put it together with your private medical history from NHS or any other government body and provide this to any third party company they wish for any purpose they wish. Safeguards were drafted and proposed, but voted to be removed by the current Labour government.

Business is not exempt from this. They can grab all that data too. Your business model, competitor analysis, pricing information, R&D materials, it can now all be accessed by these companies and yes, Labour prevented that being stopped too.

So you need to understand that basically your whole digital life and your business/employers data is not yours anymore. It will be used to train AI and in reality, be used against you, and you have effectively paid for it to happen.

You wont know anything about it. You wont have any control over what any of these companies or the governments do with it. You wont know if they want to change what data they gather and what they do with it, its all decided behind closed doors and there is no accountability or transparency.

You wont know who has this information when you apply for insurance or a job, they could have everything available to them to make decisions possibly based on one visit to a GP 20 years ago.

How a government can produce and approve such a piece of legislation to totally remove the rights to digital privacy from its citizens and businesses saying its promoting growth and enhancing rights is just unbelievable gaslighting.

It’s a mass data gathering and surveillance framework in preparation for Digital ID and in our opinion eventually leading to a Social Credit Scoring system, after a programmable CBDC from the BoE of course.