
Data (Use and Access) Act 2025

This page summarises the Data (Use and Access) Act 2025 (DUAA) for the InterSystems wiki. It is a statutory and policy evidence page, not legal advice.

Use the official title Data (Use and Access) Act 2025 even where GOV.UK pages sometimes omit the parentheses in page headings. The Bill was introduced in the House of Lords on 23 October 2024, received Royal Assent on 19 June 2025, and is cited as 2025 c. 18.

Current Reading

DUAA is a wide UK data reform Act. It does not replace the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or the Privacy and Electronic Communications Regulations 2003 (PECR). It amends those regimes and adds wider data-access, digital-identity, public-service, health and adult social care standards, online safety research, trust-service, and related provisions. ICO guidance updated on 19 June 2026 says all DUAA data-protection provisions are now in force, so topic-specific ICO guidance should be used where available.

For this wiki, the most important healthcare point is Part 7, section 121 and Schedule 15. The explanatory notes say the health and adult social care provisions clarify that information standards under section 250 of the Health and Social Care Act 2012 can include information technology (IT) and IT services, and can apply to providers of IT, IT services, or information-processing services used, or intended for use, in connection with health or adult social care in or in relation to England.

That does not, by itself, make any product DUAA-compliant or non-compliant. It means NHS-facing suppliers and deployments need an explicit standards-applicability analysis wherever an information standard is applied to their system, service, or role.

For healthcare-recording and interoperability analysis, read DUAA as one link in a wider statutory chain. Health and Social Care Act 2012 section 250 is the base England information-standard power. The Health and Care Act 2022 amendments move applicable information standards from "have regard" towards mandatory compliance for specified persons, with monitoring and enforcement levers. DUAA 2025 section 121 / Schedule 15 extends the information-standard question to providers of IT, IT services, and information-processing services. Keep that chain separate from UK GDPR, Data Protection Act 2018, PECR, common law confidentiality, and NHS Act 2006 section 251 evidence.

Dates and Commencement

Date | Event | Evidence handling
--- | --- | ---
23 October 2024 | First reading in the House of Lords. | Use as the Bill introduction date.
19 June 2025 | Royal Assent. | Use as the date the Bill became an Act, not as a blanket in-force date for every operational provision.
20 August 2025 | Stage 1 commencement regulations brought specified technical provisions and new ICO statutory objectives into force. | Useful for regulator-governance timing.
30 September 2025 | Stage 2 commenced section 124, on retention of information by internet-service providers in connection with child-death investigations. | Mostly outside this healthcare-product wiki unless patient-facing services also fall into a regulated online-safety context.
1 December 2025 | Stage 3 commenced most of the digital verification services provisions in Part 2 and put the UK digital identity and attributes trust framework, statutory register, and related measures on a statutory footing. | Relevant where NHS or patient-facing identity relies on digital verification services; HealthShare EMPI or NHS identity integration is not the same as being a registered digital verification service.
5 February 2026 | Stage 3 commenced the majority of the Part 5 data protection and privacy provisions. | Relevant to subject access, automated decision-making, research, recognised legitimate interests, international transfers, PECR changes, and local governance packs.
6 February 2026 | Stage 3 commenced section 138, on offences relating to creating or requesting purported intimate images of an adult without consent or reasonable belief in consent. | Not normally relevant to InterSystems healthcare architecture unless a service has image-generation or image-handling features that create adjacent risk.
19 June 2026 | ICO organisation guidance says all DUAA data-protection provisions are now in force and points to new or updated ICO topic guidance. | Use current ICO topic guidance where it exists. Subject access now has updated right-of-access guidance; Right of Access in brief, SARs Q&A, research, automated decision-making/profiling, and IDTA/Addendum updates remain tracked where final ICO guidance is still pending.
Future / staged | Stage 4 covers measures needing a longer lead-in, including the National Underground Asset Register and electronic birth/death registration. Some Information Commission governance and code/enforcement details still need tracking. | Do not assume all non-data-protection DUAA provisions or regulator process changes are operational without checking commencement regulations and ICO guidance.

What The Act Covers

DUAA area | What the official sources support | Wiki relevance
--- | --- | ---
Smart Data | Part 1 gives regulation-making powers for customer and business data access, intended to support real-time sharing with authorised third parties and schemes such as Open Banking / open finance. | Adjacent model for data portability and sector data-sharing schemes. Do not map directly to NHS records without a health-specific source.
Digital verification services | Part 2 creates a legislative structure for registered digital verification services, a trust mark, and public-authority information gateways. | Relevant to identity-proofing, digital credentials, and patient/provider identity patterns, but distinct from NHS login, CIS2, PDS, and HealthShare EMPI unless an implementation explicitly connects them.
National Underground Asset Register | Part 3 puts NUAR on a statutory footing. | Outside normal healthcare scope. Keep out unless infrastructure/public-estate use arises.
Births and deaths registers | Part 4 modernises birth/death registration arrangements. | Potentially relevant to demographic and life-event data flows, but no InterSystems or NHS product implication without a specific interface source.
Data protection and privacy | Part 5 amends UK GDPR, DPA 2018, and PECR rather than replacing them. GOV.UK highlights automated decision-making, subject access, children's data protection, research, recognised legitimate interests, international transfers, complaints, cookies/storage access, law enforcement, and intelligence-service changes. ICO guidance says all DUAA data-protection provisions are in force as of 19 June 2026. | Relevant to every patient-data product, processor/controller model, portal, analytics, AI, research, and cloud-service claim. Requires local legal-basis and governance evidence.
Information Commission / ICO | Part 6 changes the ICO's strategic duties, code processes, and enforcement powers and, when commenced, moves regulator governance to the Information Commission model. The ICO has published or updated topic guidance for several DUAA data-protection topics; other guidance remains planned or in consultation. | Track regulator guidance. A GOV.UK factsheet is reference material; the ICO remains the regulatory guidance source.
Health and adult social care information standards | Part 7, section 121 and Schedule 15 clarify that information standards can include IT and IT services, and can apply to providers of IT, IT services, or information-processing services used or intended for use in health/adult social care in England. | High relevance to the NHS Standards Directory, DSIC, GP Connect, clinical safety, FHIR/UK Core, PRSB, and InterSystems supplier/deployment assurance.
Public service delivery and online safety provisions | Part 7 includes public-service delivery data sharing, retention duties for child-death investigations, and powers for independent online-safety research access. | Mostly contextual, unless a patient-facing or research service falls into those specific statutory contexts.
Biometric data, trust services, and intimate image offences | Part 7 and the final provisions include biometric retention, electronic trust services, and intimate-image offences. | Boundary material unless a solution handles biometric identity, trust services, electronic signatures/seals, or image-generation risks.

Data Protection And Privacy Changes

Theme | What changed in the official summary | Healthcare / InterSystems interpretation
--- | --- | ---
Research and statistical purposes | The Act clarifies research/statistical purposes and recognises that scientific research may include commercial scientific research. It also gives more certainty around broad consent for areas of scientific research, subject to conditions and safeguards; final ICO research guidance remains tracked for summer 2026. | Relevant to HealthShare Health Insight, OMOP, registries, population health, and research extracts. Still requires a lawful basis, transparency, data minimisation, research governance, and local approval.
Recognised legitimate interests | DUAA creates a new Article 6 lawful ground for specified recognised legitimate interests. ICO recognised-legitimate-interest and lawful-basis guidance is now available for DUAA interpretation. | Potentially relevant to safeguarding and emergency workflows, but do not use as a generic patient-data basis. Confirm the specific purpose, controller role, and special-category condition.
Purpose limitation and further processing | GOV.UK says the Act clarifies compatible further processing, including some public-interest circumstances and controller-change scenarios. ICO purpose-limitation guidance is updated for DUAA. | Relevant to shared-care records, analytics, secondary use, research, and cross-organisation record views. Still needs a data-sharing agreement, DPIA, transparency, and purpose-by-purpose mapping.
Subject access and data-subject rights | GOV.UK says DUAA clarifies time limits, adds a stop-clock mechanism where more information is needed, and codifies reasonable and proportionate searches. ICO organisation guidance says updated right-of-access guidance reflects the DUAA changes; the current guide covers one-month response, clarification pause, identity verification, reasonable efforts, and no unreasonable or disproportionate searches, while Right of Access in brief and SARs Q&A companion updates remain planned for summer 2026. | Relevant to portals, clinical viewer audit/search, record export, disclosure workflow, and customer support tooling. Product capability must be paired with local controller procedure.
Automated decision-making | DUAA creates a more permissive framework for solely automated decisions with legal or similarly significant effects, while requiring safeguards such as information, challenge, representation, and human intervention. ICO ADM/profiling guidance remains in consultation or drafting, with final guidance expected in winter 2026. | Important for AI Assistant, IntelliCare, triage, risk scoring, workflow automation, and analytics. A solution should avoid claiming safe ADM support without evidence of clinical safety, explainability, audit, human review, and local policy controls.
Children's data protection | Certain online services likely to be accessed by children must consider higher-protection matters when designing processing activities. | Relevant to Personal Community, patient portals, proxy access, paediatric workflows, NHS App adjacency, and family/dependant access models.
International transfers | DUAA changes international-transfer tests and mechanisms. ICO guidance for adequacy, safeguards, and transfer risk/data-protection tests has been updated for DUAA terminology; IDTA/Addendum updates remain planned. | Relevant to cloud hosting, support access, external AI services, subcontractors, disaster recovery, and cross-border managed services. Verify customer terms, UK/EU region commitments, transfer mechanisms, and subprocessors.
Complaints | DUAA requires organisations to handle data-protection complaints from individuals. ICO guidance says the complaint-process requirement comes into force on 19 June 2026 and covers complaint route, acknowledgement, investigation/update, and outcome handling. | Relevant to the local information-governance operating model, customer service workflow, processor/controller handoffs, and audit evidence.
PECR / cookies and storage access | DUAA adds low-risk exceptions for storage/access technologies, updates breach-reporting timing for public telecommunications services, and extends soft opt-in rules to UK charities. ICO storage/access technologies guidance was finalised after the DUAA PECR changes. | Relevant to patient portals and websites for cookie banners, analytics, email/SMS communications, and consent management. Healthcare messaging must remain bounded by direct-care, appointment, public-task, and marketing rules.
ICO / Information Commission | GOV.UK says DUAA gives the Commissioner a new strategic framework and changes code and enforcement processes; the ICO says all data-protection provisions are now in force and maintains topic-guidance pages for final, updated, planned, and draft guidance. | Track ICO publications as versioned inputs. Do not use a GOV.UK factsheet as a substitute for regulator guidance where ICO guidance exists.

Health And Adult Social Care Standards

DUAA's strongest direct impact on this wiki is the health and adult social care information-standard change. The explanatory notes say earlier legislation was insufficient because it did not address providers of the IT on which information processing relies. Section 121 and Schedule 15 are therefore framed to make IT and IT-service suppliers part of the standards picture when their products or services are used, or intended for use, in connection with health or adult social care in or in relation to England.

This is not a standalone invention of a new DSIC-like compliance label. It amends an existing England information-standard route. NHS England Digital describes information standards as legal requirements for consistent capture, governance, sharing, and digital exchange, and says the mandatory information-standard changes are effective from 6 August 2025 for standards published under the amendment to section 250.

Use this as a statutory layer above existing NHS standards evidence:

  • NHS England / DHSC information-standard governance and the NHS Standards Directory remain the evidence route for named standards and applicability.
  • DSIC remains the NHS England digital primary-care procurement, capability, standards, assurance, and Buying Catalogue environment.
  • GP Connect remains an NHS England service/API family with specific supplier-progress and onboarding evidence.
  • DUAA supports the proposition that information standards can bind or affect suppliers and IT service providers, but it does not identify a named InterSystems capability, product, certificate, or deployment by itself.

For named NHS Standards Directory entries, use the DUAA section 121 / Schedule 15 crosswalk on the NHS Standards Directory and DHSC Standards Direction page, and the NHS Standards Directory GP Connect, MESH, and ITK3 page where those standards are in scope. For regulator guidance tracking, use the DUAA / ICO Guidance Tracker in the Evidence Validation Queue.

Mapping To InterSystems

DUAA surface | InterSystems relevance | What would prove compliance or readiness
--- | --- | ---
Health/adult social care information standards applying to IT and IT-service providers | HealthShare, Health Connect, IRIS for Health, FHIR Services, TrakCare, HealthShare Personal Community, and customer-specific services may fall within scope when used or intended for health/adult social care in England. | A named standard, applicability statement, supplier role, product/version mapping, conformance evidence, implementation guide, clinical-safety case, test artefacts, and customer deployment pack.
Shared-care and direct-care record access | HealthShare Unified Care Record, Clinical Viewer, EMPI, Provider Directory, and Health Connect support record aggregation, viewing, identity, provider data, and integration patterns. | Data-sharing agreement, DPIA, DCB0129/DCB0160 safety case, access-control design, audit, patient transparency, source-system mapping, and evidence that local standards are implemented.
Data-subject rights and complaints | HealthShare and TrakCare deployments may need search, export, restriction, audit, and complaints workflow support. ICO complaint guidance is current, and the main subject-access guide is updated for DUAA; companion SAR products and local implementation evidence remain tracked. | Local controller procedure plus product configuration evidence showing how requests are located, filtered, exported, withheld, logged, acknowledged, escalated, and answered.
Research, analytics, and secondary use | HealthShare Health Insight, OMOP, Bulk FHIR Coordinator, FHIR Server, and Health Connect are relevant to datasets, registries, population health, and research extracts. | Lawful-basis and special-category analysis, research approvals, data minimisation, pseudonymisation/anonymisation design, retention policy, data-access committee controls, and export audit.
Automated decision-making, AI, and clinical workflow automation | HealthShare AI Assistant, IntelliCare, risk scoring, triage, and workflow automation may be affected if decisions have legal or similarly significant effects. | Clinical-safety case, human-in-the-loop controls, override/challenge workflow, model/prompt governance, audit logs, transparency material, local policy, and evidence that the service does not make unsupported autonomous clinical decisions.
International transfers and cloud/managed services | InterSystems cloud services, external AI services, offshore support, disaster recovery, monitoring, or subprocessors could create transfer questions. | Contract, DPA, subprocessor list, hosting region, support-access controls, transfer mechanism, technical safeguards, and customer-specific trust/security documentation.
Digital verification services | NHS login, CIS2, PDS, local identity proofing, provider authentication, and patient portal access may interact with identity and attribute services. | Evidence of the identity route used, whether a registered digital verification service is involved, assurance-level mapping, integration design, and separation from EMPI/matching functions.
PECR and patient-facing services | Personal Community, portals, websites, patient messaging, reminders, surveys, and analytics can touch storage/access technologies and electronic communications. | Cookie/analytics classification, consent model, direct-care versus marketing boundary, SMS/email preference handling, and local privacy notice.

DSIC And GP Connect Relationship

DUAA is not DSIC. DSIC is NHS England's digital primary-care procurement and assurance environment. GP Connect is a national service/API family inside the NHS England primary-care and interoperability stack. DUAA is the statutory data, access, privacy, digital identity, and information-standard layer that can affect supplier obligations and assurance evidence across the wider environment.

For DSIC / HealthShare analysis, this means:

  • Add DUAA as a standards-governance dependency, not as a substitute DSIC compliance route.
  • Continue to map DSIC at capability and standard level: patient information, appointments, consultation, prescribing, referral, document, task, reporting, scanning, citizen/patient-facing services, personal health record, unified care record, and national services.
  • Treat DUAA section 121 / Schedule 15 as support for asking whether the relevant NHS information standards apply directly to the IT supplier or service provider.
  • Keep DSIC supplier catalogue evidence, GP Connect supplier-progress evidence, PRSB conformance evidence, and DUAA statutory evidence separate.

Assurance Questions

For any InterSystems or partner solution, ask:

  1. Which DUAA provisions are actually in force for the use case, and what ICO guidance exists?
  2. Which NHS England / DHSC information standard applies to the product, IT service, information-processing service, or deployment?
  3. Is InterSystems acting as supplier, processor, subprocessor, controller, joint controller, system integrator, hosting provider, or platform provider?
  4. What product/version, component, interface, API, and deployment architecture is in scope?
  5. Is there conformance or assurance evidence for FHIR, UK Core, GP Connect, MESH/ITK3, DCB0129/DCB0160, PRSB CIS, DSIC capability standards, or other named standards?
  6. How are subject access, complaint handling, audit, disclosure, retention, and patient transparency handled?
  7. Are AI, automated decision-making, research, analytics, digital identity, cookies, messaging, international transfers, or online services in scope?
  8. Which local artefacts prove readiness: DPIA, DSA, DTAC/DSPT material, clinical-safety case, supplier responsibility matrix, onboarding pack, test results, migration/training plan, and go-live evidence?

Evidence Boundaries

  • DUAA received Royal Assent on 19 June 2025, but provisions are staged. ICO guidance now says all data-protection provisions are in force as of 19 June 2026; still check commencement and current guidance for non-data-protection provisions and implementation specifics.
  • GOV.UK factsheets are reference summaries and explicitly point to ICO guidance for regulatory guidance. Use ICO material where it exists; keep planned or draft ICO guidance in the validation queue until final.
  • DUAA section 121 / Schedule 15 is England-specific for health and adult social care information standards; do not apply that point wholesale to Scotland, Wales, or Northern Ireland without nation-specific evidence.
  • DUAA does not prove InterSystems product conformance, DSIC catalogue listing, GP Connect assurance, PRSB conformance, clinical safety, or local information-governance approval.

Open Evidence Work

  • Track DUAA commencement for remaining non-data-protection staged provisions, Information Commission governance/process changes, NUAR, and birth/death registration provisions.
  • Track final ICO companion guidance updates for Right of Access in brief, SARs Q&A, research, automated decision-making/profiling, IDTA/Addendum transfer material, and enforcement/code processes through the DUAA / ICO Guidance Tracker in the Evidence Validation Queue.
  • Map section 121 / Schedule 15 against the NHS Standards Directory, DSIC standards, GP Connect, DCB0129/DCB0160, and PRSB standards once NHS England / DHSC publishes implementation-specific interpretation.
  • Add supplier/customer evidence showing how InterSystems contracts, DPIAs, clinical-safety artefacts, and deployment packs handle DUAA-related obligations.