Overview
The UK’s new Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19th June 2025, introduces both clarifications and reforms relevant to researchers processing personal data. Although the Act is now law, most of its provisions will take effect gradually through secondary legislation, expected over the next two to twelve months. One section, Section 78, has already taken effect. In the meantime, universities and researchers should begin reviewing and updating their data protection practices in preparation for implementation.
Current Legal Landscape
To understand how the DUAA will affect research, it’s helpful to review the current legal framework. For academic researchers, compliance with data protection law is already a familiar part of the research process, as research often involves processing personal data—information relating to an identified or identifiable individual—governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). These laws also cover special category data, such as details about an individual’s health, ethnicity, or biometric characteristics. The rules apply to researchers in the UK working with global data, as well as those outside the UK processing data about UK individuals. Notably, they do not apply to data that has been anonymised.
Once in force, the DUAA will not establish a new data protection regime but will instead introduce targeted amendments to the UK GDPR and the DPA 2018 aimed at modernising how personal data is used—particularly in research and innovation—while maintaining key safeguards. Updated legislation reflecting these changes will be published on www.legislation.gov.uk. Researchers should regularly check this website for the most up-to-date legislation.
· Immediate Clarification for Data Subject Access Requests (DSARs)
Although most of the DUAA will come into force gradually, section 78—deemed to have retrospective effect from 1 January 2024—has already taken effect. It amends Article 15 of the UK GDPR and codifies the existing common law position that in response to a data subject access request the controller is only required to conduct “a reasonable and proportionate search for the personal data and other information.”
This reaffirms the position adopted in ICO guidance and endorsed by the High Court in Ashley v HMRC [2025] EWHC 134 (KB), confirming that controllers are not required to conduct searches that are unreasonable or disproportionate.
For researchers and universities managing large or complex datasets, this provides welcome legal clarity.
· Forthcoming DUAA Reforms Relevant to Research
The DUAA will introduce a wide range of changes to the UK’s data governance landscape, with a focus on enabling innovation in areas like artificial intelligence (AI) and research, while preserving alignment with core UK GDPR principles. This blog post focuses on the provisions that, once commenced, will be most relevant to researchers and academic institutions. These include:
· A statutory definition of scientific research and statistical purposes
· Simplified Rules for Special Category Data in research contexts
· Rules on the re-use of personal data for compatible purposes
· A statutory definition of Scientific Research and Statistical Purposes
One of the most significant amendments the DUAA will make to the UK GDPR is the introduction of a formal legal definition of “scientific research.” Until now, this concept has appeared only in Recital 159, which offers interpretive guidance but does not carry legal force. Section 67 of the DUAA will amend Article 4(2) of the UK GDPR to define scientific research as: “any research that can reasonably be described as scientific, regardless of whether it is publicly or privately funded, or conducted as a commercial or non-commercial activity.”
This definition provides legal clarity for the wide range of research conducted in universities — from medical and environmental science to behavioural, technological, and social disciplines — and removes lingering uncertainty about the status of commercially funded or private-sector collaborations, formally recognising their legitimacy as scientific research. While this status was previously assumed in practice, its formal confirmation enhances legal certainty.
The DUAA will also introduce into the UK GDPR a binding legal definition of “processing for statistical purposes”, clarifying that it applies to activities such as conducting statistical surveys or generating statistical results. This definition, previously outlined only in Recital 162 of the GDPR, will now be formally incorporated into Article 4(2) of the UK GDPR, giving it binding legal force.
For processing to qualify under this definition, two key conditions must be met. First, the outcome must be aggregate data—that is, information that does not identify individuals and is therefore not considered personal data. Second, the controller must not use either the personal data or the statistical results to make decisions or take actions affecting specific individuals. In other words, while the data may originate from personal information, it must be transformed into non-identifiable aggregate form and not used to influence or target anyone directly. This distinction enables more flexible use of data in areas such as research and public policy, while continuing to safeguard individual privacy.
· Simplified Rules for Special Category Data
Another major change the DUAA will introduce concerns how researchers may process special category data—such as health or biometric information. Currently, researchers relying on the public interest basis under Article 9(2)(g) must demonstrate a “substantial public interest.” The new law will remove that requirement, provided valid, informed consent is obtained.
However, the removal of the public-interest test will not lower the strict consent standards that apply to Article 9 special category data; consent will still need to be explicit and granular enough for participants to understand the types of data collected and the broad research themes involved.
Importantly, consent will be permitted for general research purposes, meaning individuals may consent even where “the specific purposes of the scientific research are not fully known at the time” of collection. This will be beneficial for exploratory studies, where research directions may evolve over time, as well as for multiphase or longitudinal studies. For example, this could be useful for creating broad data repositories for future, as-yet-undefined, research questions. If obtaining consent is impracticable (e.g., with legacy biobank samples), researchers will be able to rely on the “recognised legitimate interests” ground or the research exemption with Article 89 safeguards.
· Rules on the re-use of personal data for compatible purposes
The DUAA will also simplify how personal data can be re-used for research purposes. Under current rules, re-purposing data for research purposes typically involves a compatibility assessment to ensure the new use aligns with the original purpose. Once the Act commences, this step will no longer be required—provided that appropriate safeguards are in place, such as ethical approval and secure data handling. Importantly, the compatibility test is displaced, not abolished. Controllers must still document that research is the new purpose and ensure the application of Article 89 safeguards, such as pseudonymisation and data minimisation. This change will support more efficient data sharing between projects and institutions, helping to maximise the value of existing datasets—including those developed through cohort or multi-phase studies.
The Act will also introduce a transparency carve-out: where informing individuals of data re-use would involve “disproportionate effort,” controllers may use public notices instead of individual notifications. This aligns with Recital 62 of the UK GDPR and aims to reduce administrative burdens (e.g., when dealing with very large, historic datasets where contact information may be outdated or incomplete) while maintaining transparency.
Ongoing Responsibilities & EU Data Flows
Despite these welcome changes, the DUAA will not reduce the core responsibilities that university researchers must uphold—particularly principles such as transparency, data minimisation, and data security, which will remain central to lawful data use. Researchers will need to continue to uphold data subject rights and engage governance structures—such as research ethics committees and data protection officers—throughout the research lifecycle. These bodies will also remain essential in determining whether data is truly anonymised and therefore outside the scope of regulation, or merely pseudonymised and within the scope of the regulation.
For UK-based universities engaged in EU-funded research or studies involving participants located in EU member states, the changes introduced by the DUAA are not expected to jeopardise the renewal of the EU–UK adequacy decision, as the UK’s core data protection principles remain closely aligned with the EU General Data Protection Regulation (GDPR).
Although the European Commission has not yet formally reassessed the UK’s data protection regime, the updated UK framework maintains substantial alignment with EU standards, supporting the expectation that personal data transfers between the EU and UK will continue without disruption.
What Researchers Need to Know – Key takeaways.
These changes will affect how individual researchers plan, conduct, and manage data during their studies.
Expanded Definition: Scientific research will be formally defined in law, covering all research that can reasonably be described as scientific—regardless of funding or commercial status.
Special Category Data: Public interest justification will no longer be required if valid consent is obtained.
Flexible Consent: Consent for general research purposes will be permitted, even if study details evolve later.
Data Re-Use: Personal data will be reusable for research without a new compatibility assessment, provided safeguards are upheld.
Compliance Still Matters: Transparency, ethics, and governance will remain vital.
What Institutions Need to Do – a Preparatory Checklist for Universities.
These are actions for data protection officers, ethics committees, and research governance teams preparing for the DUAA.
1. Map existing studies that rely on special category data and assess whether to switch from the public-interest condition to consent or recognised legitimate interest once the Act is in force.
2. Refresh consent templates to:
· Accommodate evolving research aims.
· Clearly explain data types and applicable safeguards.
3. Update internal documentation—including the Research Ethics Policy, Privacy Notices, Record of Processing Activities (RoPA), and Data Protection Impact Assessments (DPIAs)—to reflect DUAA changes.
4. Develop and deliver training for researchers and PhD supervisors. Brief, targeted training sessions before commencement will help minimise confusion and ensure consistent application of the new rules.
Conclusion
In summary, once commenced, the DUAA’s provisions relating to research are expected to support a more research-friendly legal environment—reducing compliance burdens while preserving strong safeguards.
While awaiting formal commencement, universities should begin assessing how the DUAA may affect existing research workflows. This includes reviewing consent processes, updating privacy documentation, and ensuring that data-sharing protocols align with future expectations.
For individual researchers, the most practical step is to stay informed: attend institutional briefings, engage with research ethics and governance teams, and review updated policies as they become available. Active awareness and early adaptation will help ensure continued compliance and responsible data use as the new regime comes into effect.