Privacy & Information Security Law Blog

On July 25, 2025, the UK government published the four key stages for bringing the provisions of the Data (Use and Access) Act (the “DUAA”) into effect.  The DUAA received Royal Assent on June 19, 2025.  The stages are as follows:

• Stage 1 (August 20, 2025): On August 20, 2025, the following provisions will come into effect: technical provisions clarifying aspects of the legal framework; the new statutory objects for the Information Commissioner’s Office (“ICO”); and provisions requiring the UK government to publish an impact assessment, a report and a progress update on copyright works and artificial intelligence.
• Stage 2 (3 – 4 months after Royal Assent): Provisions relating to digital verification services and measures on the retention of information by providers of internet services in connection with the death of a child, will come into effect 3 – 4 months after Royal Assent.
• Stage 3 (6 months after Royal Assent): The main changes to UK data protection legislation introduced in Part 5 of the DUAA, and the provisions on information standards for health and adult social care in England, shall come into force approximately 6 months after Royal Assent.
• Stage 4 (early 2026): Provisions requiring additional steps for enforcement such as the development of new technologies or appointment of new staff, are expected to come into force in early 2026. Such provisions include those regarding the restructuring of the ICO, the electronic system of registering births and deaths, and measures relating to the National Underground Register.

Read The Data (Use and Access) Act 2025 (Commencement No.1) Regulations 2025.