2 of 6: Key Definitions and Scope of the Data Use and Access Act 2025 (DUAA)
Understanding the DUAA starts with the basics. Learn the key definitions—like data user, data provider, access agreement—and the scope of the Data Use and Access Act 2025.
The Data Use and Access Act 2025 (DUAA) introduces new terminology and a legal framework that complements existing UK data protection law. To stay compliant, organisations must understand who’s covered and what the Act regulates.
🔑 Key Terms You Need to Know
The DUAA sets out specific roles and responsibilities for participants in data access arrangements. Here are the most important terms:
- Data Provider: An organisation that holds data and makes it available for use by others under a lawful basis.
- Data User: The party receiving and processing data under an approved access arrangement.
- Access Arrangement: A legal instrument or contract defining the terms under which data is accessed, shared, used, and retained.
- Regulated Data: Data that falls within categories covered by DUAA rules — this includes personal, pseudonymised, and sensitive data.
- High-Risk Use: Processing activities that involve significant risks to rights, such as profiling, AI systems, or multi-party re-use.
📌 Who and What Is in Scope?
The DUAA applies to a wide range of organisations and data types, specifically when:
- Data is being shared across organisations, especially across sectors (e.g., public-private partnerships)
- There is an intention to use data for secondary purposes, such as research, innovation, fraud prevention, or AI development
- Data access is not clearly addressed by other legislation or existing sector-specific codes
Companies involved in employment screening, financial modelling, health tech, or AI deployment should assess DUAA relevance immediately.
🧭 DUAA and UK GDPR: A Complementary Relationship
Remember, the DUAA doesn’t override the UK GDPR. Instead, it strengthens transparency and governance by regulating how and under what conditions data can be accessed or re-used.
For example, an employer may already comply with UK GDPR when handling CVs. But if those CVs are later shared with another analytics provider for workforce planning, DUAA may require a formal access agreement, record-keeping, and risk assessment.
💡 Tip:
Start mapping your organisation’s data sharing relationships. Identify where you’re acting as a data provider or data user, even within group entities or external partnerships. DUAA obligations begin there.
