Key Definitions and Scope of the Data Use and Access Act 2025 (DUAA)
The Data Use and Access Act 2025 (DUAA) introduces new terminology and a legal framework that complements existing UK data protection law. To stay compliant, organisations must understand who’s covered and what the Act regulates.
🔑 Key Terms You Need to Know
The DUAA sets out specific roles and responsibilities for participants in data access arrangements. Here are the most important terms:
- Data Provider: An organisation that holds data and makes it available for use by others under a lawful basis.
- Data User: The party receiving and processing data under an approved access arrangement.
- Access Arrangement: A legal instrument or contract defining the terms under which data is accessed, shared, used, and retained.
- Regulated Data: Data that falls within categories covered by DUAA rules — this includes personal, pseudonymised, and sensitive data.
- High-Risk Use: Processing activities that involve significant risks to rights, such as profiling, AI systems, or multi-party re-use.
📌 Who and What Is in Scope?
The DUAA applies to a wide range of organisations and data types, specifically when:
- Data is being shared across organisations, especially across sectors (e.g., public-private partnerships)
- There’s intention to use data for secondary purposes, such as research, innovation, fraud prevention, or AI development
- Data access is not clearly addressed by other legislation or existing sector-specific codes
Companies involved in employment screening, financial modelling, health tech, or AI deployment should assess DUAA relevance immediately.
🧭 DUAA and UK GDPR: A Complementary Relationship
Remember, the DUAA doesn’t override the UK GDPR. Instead, it strengthens transparency and governance by regulating how and under what conditions data can be accessed or re-used.
For example, an employer may already comply with UK GDPR when handling CVs. But if those CVs are later shared with another analytics provider for workforce planning, DUAA may require a formal access agreement, record-keeping, and risk assessment.
💡 Tip:
Start mapping your organisation’s data sharing relationships. Identify where you’re acting as a data provider or data user, even within group entities or external partnerships. DUAA obligations begin there.
