The UEA Law School at Earlham Hall

What the Data (Use and Access) Act 2025 Means for Researchers and Universities

by Dr Karen Mc Cullagh

Overview

On 19 June 2025, the UK enacted the Data (Use and Access) Act 2025 (DUAA), introducing measured reforms to the UK’s data protection framework. While not a wholesale rewrite, the Act makes targeted and meaningful adjustments—particularly for researchers—by clarifying existing obligations and easing certain constraints on the reuse of personal data, all while maintaining robust data protection safeguards.

 

Current Legal Landscape

The DUAA will not establish a new data protection regime but introduces targeted amendments to the UK GDPR and the DPA 2018 aimed at modernising how personal data is used. Updated legislation reflecting these changes will be published on www.legislation.gov.uk, and researchers should regularly check this site for the most up-to-date information. University researchers — as well as those in other public- and private-sector organisations, charitable research foundations, and biobanks — should begin reviewing and updating their data protection practices in preparation for full implementation of the DUAA.

 

For researchers, compliance with data protection law is already a familiar part of the research process, as many research activities involve processing personal data — information relating to an identified or identifiable individual — governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

These laws apply to the processing of personal data and include additional conditions for ‘special category’ data, such as health, ethnicity, or biometric information. Importantly, these rules do not apply to data that has been anonymised so that individuals are no longer identifiable. Data protection law applies only to living individuals.

Researchers must comply with data protection law when processing personal data in the context of activities carried out by a controller or processor established in the UK. This means that UK-based researchers are subject to the UK GDPR regardless of where the individuals whose data they process are located. For example, a UK university analysing personal data from participants in a global health study must comply even if some participants are based overseas.

Immediate Clarification for Data Subject Access Requests (DSARs)

Although the DUAA is now law, most of its provisions will come into force gradually via staged commencement regulations over the coming months. However, one section—Section 78—has already taken effect, with retrospective application from 1 January 2024. This provision amends Article 15 of the UK GDPR and codifies the existing common-law position that, in response to a data subject access request, a controller is only required to conduct “a reasonable and proportionate search for the personal data and other information.”

This aligns with guidance from the ICO and was endorsed by the High Court in Ashley v HMRC [2025] EWHC 134 (KB), confirming that controllers are not obligated to carry out searches that are unreasonable or disproportionate. For researchers and universities managing large or complex datasets, this provides welcome legal clarity.

Forthcoming DUAA Reforms Relevant to Research

The DUAA will introduce a wide range of changes to the UK’s data governance landscape relevant to researchers. These include:

  • A statutory definition of scientific research

  • A statutory definition of processing for statistical purposes

  • Adjusted rules for processing special category data

  • Simplified rules for re-using personal data for research

 

Clarification of the Definition of Scientific Research

One of the most significant DUAA amendments is the introduction of a statutory definition of “scientific research.” Previously mentioned only in Recital 159 of the UK GDPR, the term lacked legal force. Section 67 of the DUAA amends Article 4(2) to define scientific research as: “any research that can reasonably be described as scientific, regardless of whether it is publicly or privately funded, or conducted as a commercial or non-commercial activity.” This includes processing for technological development or demonstration, fundamental research, or applied research. The Act also clarifies that public-health research falls within the definition where conducted in the public interest. This may have implications for some privately commissioned health studies, depending on how “public interest” is interpreted. Additionally, the DUAA confirms that historical research includes genealogical research, broadening the lawful basis for processing in archival and genealogical projects.

 

Clarification of “Processing for Statistical Purposes”

The DUAA inserts a statutory definition of “processing for statistical purposes” into Article 4 of the UK GDPR. Processing qualifies as statistical where:

  1. Results are produced in aggregate form (i.e., individuals are not identifiable), and

  2. Neither the personal data nor the statistical output is used to make decisions or take actions affecting specific individuals.

This definition provides greater legal certainty for activities that use identifiable personal data to generate aggregate insights without individual-level consequences. Although the underlying data may still be personal, it must be handled so that no individual can be identified from the outcome and no decisions are taken about them. This clarification brings the definition into line with Article 89 UK GDPR and the DPA 2018 and will support more consistent, confident use of personal data for public-interest research and policy analysis while maintaining appropriate privacy safeguards.

Case Study: Academic Research on Student Mental Health

Scenario: A university research team is investigating long-term mental health trends among university students across the UK. The study involves collecting identifiable data from student surveys, including information on stress levels, counselling service use, and academic performance. Although personal data is used during the analysis phase, the researchers intend to publish only aggregate-level findings, such as “20% of students at risk of burnout seek help in their first year.”

Current challenge:

Under the existing UK GDPR framework, Article 89 and the DPA 2018 (including section 19 and Schedule 2, Part 6) already provide binding safeguards and exemptions for research and statistical purposes. However, the term “processing for statistical purposes” appears only in Recital 162 and in UK legislation without a clear harmonised definition. As a result, the research team faces uncertainty: Does their study qualify as “statistical purposes” under Article 89? Can they rely on the statutory exemptions in Schedule 2, Part 6? Must they anonymise earlier than necessary?

How the DUAA will help:

The DUAA will introduce a binding statutory definition of “processing for statistical purposes” directly into Article 4 of the UK GDPR. This aligns UK GDPR, section 19 DPA 2018, and Schedule 2, Part 6, and removes ambiguity. As long as the researchers produce aggregate results and do not use the data to make decisions about individual students, their activity clearly falls within the scope of ‘statistical purposes’. This will give research teams a firmer and more consistent legal foundation for relying on Article 89 and related DPA exemptions.

Simplified Rules for Special Category Data

The DUAA also introduces changes to how researchers may process special category data. It clarifies that researchers relying on explicit consent under Article 9(2)(a) do not need to demonstrate “substantial public interest” under Article 9(2)(g). This is particularly useful where explicit consent is possible and appropriate.

The Act also explicitly permits broad consent for general research purposes, allowing participants to consent even where specific research aims are not fully known at the time of collection. This is valuable for longitudinal, multiphase, or exploratory studies and for building research data repositories.

Where obtaining consent is impracticable—for example, legacy biobank samples—researchers may rely on recognised legitimate interests or the research exemption, provided robust safeguards are applied (e.g., pseudonymisation, minimisation, access controls).

Rules on the Re-Use of Personal Data for Research

The DUAA simplifies how personal data can be re-used for research purposes. Under the current UK GDPR framework, controllers must conduct a compatibility assessment to determine whether a new purpose aligns with the original purpose of collection.

Once the DUAA comes into force, there will be a presumption of compatibility for research purposes, provided appropriate safeguards are in place, such as ethical approval, secure handling, pseudonymisation, and data-minimisation practices. Controllers must still document that research is the new purpose and demonstrate the safeguards applied.

The Act also clarifies the use of a transparency exemption, allowing reliance on public notices where informing individuals directly would be impossible or disproportionate. This is particularly relevant for large historic datasets and aligns with the existing Article 14(5)(b) disproportionate-effort exemption.

Ongoing Responsibilities & EU Data Flows

Despite these welcome changes, the DUAA will not reduce the core responsibilities that university researchers must uphold — particularly principles such as transparency, data minimisation, and data security, which will remain central to lawful data use. Researchers will need to continue to uphold data subject rights and engage governance structures—such as research ethics committees and data protection officers—throughout the research lifecycle. These bodies will also remain essential in determining whether data is truly anonymised and therefore outside the scope of regulation, or merely pseudonymised and within the scope of the regulation.

For UK-based universities engaged in EU-funded research or studies involving participants located in EU member states, the changes introduced by the DUAA are not expected to jeopardise the renewal of the EU–UK adequacy decision, as the UK’s core data protection principles remain closely aligned with the EU General Data Protection Regulation (GDPR).

Although the European Commission has not yet formally reassessed the UK’s data protection regime, the updated UK framework maintains substantial alignment with EU standards, supporting the expectation that personal data transfers between the EU and UK will continue without disruption.

 

What Researchers Need to Know – Key Takeaways

These changes will affect how researchers plan, conduct, and manage data throughout the research lifecycle. The key points are:

 

  • Expanded Definition of Research: Scientific research is now formally defined in law, covering technological, applied, commercial, and private-sector research.

  • Special Category Data: Explicit consent removes the need to meet the “substantial public interest” test under Article 9(2)(g).

  • Legal Clarity for Statistics: The DUAA clarifies how Article 89 safeguards apply to scientific and statistical processing.

  • Flexible Consent: Broad consent is permitted for general research purposes, supporting long-term and exploratory studies.

  • Simplified Re-Use: Re-use of personal data for research benefits from a presumption of compatibility, as long as appropriate safeguards (e.g. ethical approval, pseudonymisation) are in place.

  • Ongoing Compliance Obligations: Researchers must still uphold core data protection principles, including transparency, data minimisation, and secure processing.

What Institutions Need to Do – Preparatory Checklist

These are actions for data protection officers, ethics committees, and research governance teams preparing for the DUAA.

 

1.    Establish a monitoring process for secondary legislation: Designate staff to track commencement orders and DUAA-related guidance, as most provisions will come into force over the next 2–9 months via secondary legislation.

2.    Audit existing studies involving special category data: Identify projects currently relying on “substantial public interest” and evaluate whether to switch to valid consent or recognised legitimate interest under the DUAA.

3.    Refresh consent templates and participant materials:

  • Accommodate evolving research aims

  • Clearly describe data types and applicable safeguards

4.    Update internal governance documents: Revise documents such as the Research Ethics Policy, Privacy Notices, Record of Processing Activities (RoPA), and Data Protection Impact Assessments (DPIAs) to reflect DUAA changes, including new transparency options (e.g. public notices).

5.    Targeted training for research staff: Prepare brief, role-specific sessions for researchers, PhD supervisors, and support teams to ensure understanding and consistent application of the new framework.

 

Conclusion

In summary, the DUAA’s reforms are expected to support a more research-friendly legal environment, reducing compliance burdens while preserving strong safeguards. While awaiting commencement of remaining provisions, universities should assess how the DUAA may affect current practices, including consent processes, privacy documentation, and data-sharing protocols. For researchers, staying informed and engaging with governance teams will ensure responsible and compliant data use as the new framework comes into force.
