3 of 6: Obligations for Data Providers and Data Users under the DUAA
The DUAA introduces specific duties for data providers and data users. Learn what your obligations are and how to structure compliant access arrangements and audits.
Under the Data Use and Access Act 2025 (DUAA), organisations must meet specific legal and governance obligations based on their role as either a data provider or a data user. This post outlines these duties and what compliance looks like in practice.
📤 Obligations of Data Providers
If your company shares data with another organisation, you’re likely acting as a data provider. The DUAA places several key responsibilities on you:
- Due diligence: Assess the suitability and trustworthiness of the receiving party.
- Risk classification: Categorise the level of risk based on data sensitivity and intended use.
- Access Arrangement: Put in place a written agreement that outlines what data is shared, under what conditions, for how long, and for what purpose.
- Ongoing oversight: Monitor data use over time, especially in high-risk scenarios such as AI training or profiling.
📥 Obligations of Data Users
Organisations receiving and using shared data also have clear duties under the DUAA:
- Purpose limitation: Use the data only for the agreed purpose(s) as documented in the Access Arrangement.
- Security measures: Apply appropriate technical and organisational controls.
- Transparency: Notify data subjects where appropriate, especially when using personal or sensitive data.
- Accountability: Maintain records of data handling and make them available for inspection or audit.
🧾 Joint Responsibilities
Some obligations apply jointly, such as:
- Ensuring the lawful basis under UK GDPR is established before any sharing
- Agreeing on retention periods and deletion protocols
- Documenting audit and breach reporting processes
🏢 Real-World Scenario
Imagine a company providing payroll data to a third-party analytics provider for salary benchmarking. As the data provider, your firm must vet the provider, document a formal access agreement, and classify the sharing risk. The provider, as the data user, must limit use to benchmarking only and ensure proper security controls are in place.
💡 Tip:
Create a checklist or automated workflow for all data-sharing activities. This will help you standardise compliance with DUAA requirements across different business units and vendors.
