Key Definitions and Scope of the Data Use and Access Act 2025 (DUAA)

The Data Use and Access Act 2025 (DUAA) introduces new terminology and a legal framework that complements existing UK data protection law. To stay compliant, organisations must understand who’s covered and what the Act regulates.

🔑 Key Terms You Need to Know

The DUAA sets out specific roles and responsibilities for participants in data access arrangements. Here are the most important terms:

  • Data Provider: An organisation that holds data and makes it available for use by others under a lawful basis.
  • Data User: The party receiving and processing data under an approved access arrangement.
  • Access Arrangement: A legal instrument or contract defining the terms under which data is accessed, shared, used, and retained.
  • Regulated Data: Data that falls within categories covered by DUAA rules — this includes personal, pseudonymised, and sensitive data.
  • High-Risk Use: Processing activities that involve significant risks to rights, such as profiling, AI systems, or multi-party re-use.

📌 Who and What Is in Scope?

The DUAA applies to a wide range of organisations and data types, specifically when:

  • Data is being shared across organisations, especially across sectors (e.g., public-private partnerships)
  • There’s intention to use data for secondary purposes, such as research, innovation, fraud prevention, or AI development
  • Data access is not clearly addressed by other legislation or existing sector-specific codes

Companies involved in employment screening, financial modelling, health tech, or AI deployment should assess DUAA relevance immediately.

🧭 DUAA and UK GDPR: A Complementary Relationship

Remember, the DUAA doesn’t override the UK GDPR. Instead, it strengthens transparency and governance by regulating how and under what conditions data can be accessed or re-used.

For example, an employer may already comply with UK GDPR when handling CVs. But if those CVs are later shared with another analytics provider for workforce planning, DUAA may require a formal access agreement, record-keeping, and risk assessment.

💡 Tip:

Start mapping your organisation’s data sharing relationships. Identify where you’re acting as a data provider or data user, even within group entities or external partnerships. DUAA obligations begin there.

Similar Posts