In response to the Data (Use and Access) Act 2025 (DUAA) coming into force, the Information Commissioner’s Office (ICO) is consulting on two pieces of new guidance, covering:
- ‘recognised legitimate interest’, which is a new lawful basis for data processing, separate from the legitimate interests lawful basis; and
- ‘data protection complaints’, which is a new requirement for all organisations to have a process in place for handling data protection complaints.
Recognised legitimate interest
“Recognised legitimate interest” is a new lawful basis. The ICO says that this new basis will give organisations greater confidence to use personal information for certain pre-approved purposes. These public interest purposes cover activities like crime prevention, public security, safeguarding, emergencies and sharing personal information to help other organisations perform their public tasks. The ICO’s detailed guidance aims to make it easier for organisations to successfully use recognised legitimate interest by explaining how it works, along with giving practical examples. Public authorities should continue to use the public task lawful basis when using personal information for public tasks or official functions. This consultation ends on 30 October 2025.
Customer data protection complaints
By June 2026, organisations must have a process in place to handle data protection complaints. A complaint can come from anyone who is unhappy with how an organisation has handled their personal information. The ICO’s guidance sets out the new requirements and informs organisations of what they must, should and could do to comply. This consultation ends on 19 October 2025.
When does the DUAA come into force?
In July, the government set out its plans for bringing the DUAA into force:
- Stage 1 will include the commencement of technical provisions which clarify aspects of the legal framework; and measures requiring the government to publish an impact assessment, a report and a progress update on AI and copyright issues.
- Stage 2, three to four months after Royal Assent, will include the commencement of most of the measures on digital verification services in Part 2 of the Act; and measures in Part 7 on the retention of information by providers of internet services in connection with the death of a child.
- Stage 3, approximately six months after Royal Assent, will include the commencement of the main changes to data protection legislation in Part 5 of the Act; and the provisions on information standards for health and adult social care in England in Part 7.
- Stage 4, more than six months after Royal Assent, will include the commencement of provisions that require a longer lead-in time. Examples include measures on the National Underground Register in Part 3 of the Act, and the electronic system of registering births and deaths in Part 4, which rely on appropriate technology being in place. Changes to the Information Commissioner’s Office governance structures in Part 6 of the Act will take place once members of the Information Commission’s new Board have been appointed. This is expected in early 2026.