Data (Use and Access) Act 2025 - Part 1: Access to Business and Customer Data

Baroness Jones of Whitchurch

Author Roger Harris  Licence CC BY 3.0  Source  UK Parliament

Jane Lambert

In Data Protection Law Reform (23 Dec 2025), I discussed the Conservative government's proposed Data Reform Bill and its Data Protection and Digital Information Bill.  Part 3 of that bill was headed "Customer Data and Business Data" and was intended to create a statutory framework for smart data, that is to say, sharing customer data and business data with third parties who will use that information to create new businesses and services.  The previous government set out its plans for smart data in The Smart Data Roadmap in April 2024.

As I mentioned in Data Protection Law Reform, the Data Protection and Digital Information Bill did not complete its passage through Parliament before the 2024 general election.  However, as Lady Jones of Whitchurch said on the second reading of the Data (Use and Access) Bill in the House of Lords on 19 Nov 2024, facilitating smart data was in the Labour Party manifesto.  In her speech, she said:

"My Lords, data is the DNA of modern life. It is integral to almost every aspect of our society and economy, from NHS treatments and bank transactions to social interactions. An estimated 85% of UK businesses handle some form of digital data, and the UK data economy was estimated to represent 6.9% of UK GDP. Data-enabled UK service exports accounted for 85% of total service exports, estimated to be worth £259 billion, but data use in the UK drives productivity benefits of around 0.12%, which is only one minute per worker per day."

That bill received royal assent on 19 June 2025.  I introduced it in Data Use and Access: Structure on 26 Dec 2025.

In that introduction, I said that the Act consisted of 8 parts and 16 schedules.   The first of those parts is headed "Access to customer data and business data" and consists of 26 sections.  It covers much the same ground as Part 3 of the Data Protection and Digital Information Bill, though Lady Jones said that there had been several important changes to make her bill more focused, more balanced, and better able to achieve its objectives.

The key provision of part 1 is s.1 (1):

"This Part confers powers on the Secretary of State and the Treasury to make provision in connection with access to customer data and business data."

S.2 (1) of the Act enables the Secretary of State or the Treasury to make regulations requiring a data holder to provide customer data to a customer at his or her request or to a person authorized by the customer to receive the data (an “authorized person”), at the customer’s request or at the authorized person’s request.  

"Customer data" is defined by s.1 (2) as information relating to a customer of a trader.  It includes information relating to goods, services and digital content supplied or provided by the trader to the customer or to another person at the customer’s request.  It could be information about 

• prices or other terms on which goods, services or digital content are supplied or provided to the customer or another person, 
• how they are used by the customer or other person, or 
• their performance or quality when used by the customer or another person.

Such data can also include information relating to the provision of information described above or of other information relating to a customer of a trader, to a person in accordance with data regulations. A “trader” means a person who supplies or provides goods, services or digital content in the course of a business, whether acting personally or through another person acting in the trader’s name or on the trader’s behalf.

S.4 (1) enables the Secretary of State or the Treasury to make regulations requiring a data holder to publish business data or to provide it to a customer of the trader to whom the business data relates, or
to another person of a specified description.  “business data”, in relation to a trader, means information:

• about goods, services and digital content supplied or provided by the trader,
• relating to the supply or provision of goods, services and digital content by the trader, such as 
• where goods, services or digital content are supplied or provided, 
• prices or other terms on which they are supplied or provided, 
• how they are used, or 
• their performance or quality,
• relating to feedback about the goods, services or digital content (or their supply or provision), and
• relating to the provision of information described above to a person in accordance with data regulations.

There will also be regulations on enforcement, fees, financial services and other matters.

Other than reg 2 (a) of The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025, which provided for Part 1 of the Act: Access to Business and Customer Data to come into force on 20 Aug 2025, no regulations have been made.  There are likely to be further consultations on the secondary legislation, which I shall monitor.

Guidance from the Department for Science, Innovation and Technology accompanying the introduction of the bill on 24 Oct 2024 estimated that the legislation would bring an estimated £10 billion boost to the UK economy over 10 years.   Anyone wishing to discuss this article may call me on +44 (0)20 7404 5252 during UK office hours or send me a message through my contact form at any time. 

Further Information

Jane Lambert  Data (Use and Access) Act 2025: Structure 26 Dec 2025

Data (Use and Access) Act 2025: Structure

Jane Lambert

 

An inkling of the scope and complexity of the Data (Use and Access) Act 2025 can be gained from the introductory text:

"An Act to make provision about access to customer data and business data; to make provision about services consisting of the use of information to ascertain and verify facts about individuals; to make provision about the recording and sharing, and keeping of registers, of information relating to apparatus in streets; to make provision about the keeping and maintenance of registers of births and deaths; to make provision for the regulation of the processing of information relating to identified or identifiable living individuals; to make provision about privacy and electronic communications; to establish the Information Commission; to make provision about information standards for health and social care; to make provision about the grant of smart meter communication licences; to make provision about the disclosure of information to improve public service delivery; to make provision about the retention of information by providers of internet services in connection with investigations into child deaths; to make provision about providing information for purposes related to the carrying out of independent research into online safety matters; to make provision about the retention of biometric data; to make provision about services for the provision of electronic signatures, electronic seals and other trust services; to make provision about works protected by copyright and the development of artificial intelligence systems; to make provision about the creation of purported intimate images; and for connected purposes.

As I said in Data Protection Law Reform, the Act consists of 144 sections divided into 8 parts with 16 schedules.

Structure

The parts of the Act are as follows:

• Part 1 Access to customer data and business data (sections 1 to 26);
• Part 2 Digital verification services (sections 27 to 55); 
• Part 3 National Underground Asset Register (sections 56 to 60); 
• Part 4 Registers of births and deaths (sections 61 to 65); 
• Part 5 Data protection and privacy (sections 66 to 116):
• Chapter 1 Data protection (sections 66 to 108);
• Chapter 2 Privacy and electronic communications (sections 109 to 116);
• Part 6 The Information Commission (sections 117 to 120); 
• Part 7 Other provision about use of, or access to, data (sections 121 to 138); and 
• Part 8 Final provisions (sections 139 to 144).

The schedules are as follows:

Schedule 1: National Underground Asset Register (England and Wales): monetary penalties; 

Schedule 2: National Underground Asset Register (Northern Ireland): monetary penalties;

Schedule 3: Registers of births and deaths: minor and consequential amendments; 

Schedule 4: Lawfulness of processing: recognised legitimate interests; 

Schedule 5: Purpose limitation: processing to be treated as compatible with original purpose; 

Schedule 6: Automated decision-making: minor and consequential amendments; 

Schedule 7: Transfers of personal data to third countries etc: general processing;

Schedule 8: Transfers of personal data to third countries, etc: law enforcement processing;

Schedule 9: Transfer of personal data to third countries etc: minor and consequential amendments and transitional provision; 

Schedule 10: Complaints: minor and consequential amendments;

Schedule 11: Further minor provision about data protection;
Schedule 12: Storing information in the terminal equipment of a subscriber or user;
Schedule 13: Privacy and electronic communications: Commissioner’s enforcement powers;
Schedule 14: The Information Commission;
Schedule 15: Information standards for health and adult social care in England; and
Schedule 16: Grant of smart meter communication licences.

Further Information

The Departments of State and Ministries concerned with this legislation have prepared explanatory notes on the statute.  Probably the most useful are the Overview (paras 1 to 15) and the Legal Policy (paras 16 to 83).  Also useful are the Guidance on Data Use and Access Act 2025: plans for commencement by the Department for Science, Innovation and Technology ("DSIT"), the Information Commissioner's index page and the DSIT's fact sheets on the UK GDPR and the Data Protection Act, the ICO and the Privacy and Electronic Communications Regulations 2003.

Subsequent articles will discuss particular parts and schedules of the Act.  Anyone wishing to discuss this article may call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form at any time.

Related Articles

Jane Lambert  Data Protection Law Reform 23 Dec 2025

Jane Lambert Data (Use and Access) Act 2025 - Part 1: Access to Business and Customer Data 11 Jan 2026

Data Protection Law Reform

Author Robert Harker Licence CC BY-SA 3.0  Source Wikimedia

 

Jane Lambert

Shortly after EU law ceased to apply to the UK, the government of the day proposed changes to this country's data protection laws.  I discussed those proposals in Dowden's Data Protection Plans on 27 Aug 2021.  A consultation was launched on 10 Sept 2021, which I considered in Consultation on Changing the Data Protection Laws on 12 Sept 2021.  Draft legislation was introduced on 17 June 2022, which I mentioned in The Proposed Data Reform Bill on 25 June 2022.  That bill never made it past its first reading because the minister responsible for piloting it through the Commons was replaced when Liz Truss became prime minister.  The new minister introduced the Data Protection and Digital Information Bill, which was more far-reaching than the Data Reform Bill (see the Data Protection and Digital Information (No 2) Bill 2022-2023). That bill fell with the Conservative government when the general election was held.  One of the first acts of the incoming Labour government was to introduce the Data (Use and Access) Bill on 23 Oct 2024.  That bill received royal assent on 19 June 2025.

The Data (Use and Access) Act 2025 consists of 144 sections divided into 8 Parts with 16 schedules.   The Department for Science, Innovation and Technology describes the legislation as "a wide-ranging Act which includes provisions to enable the growth of digital verification services, new Smart Data schemes like Open Banking and a new National Underground Asset Register" in its Guidance.  The new Act "will not replace the UK General Data Protection Regulation (“UK GDPR”), Data Protection Act 2018 or the Privacy and Electronic Communications (EC Directive) Regulations 2003, but it will make some changes to them to make the rules simpler for organisations, encourage innovation, help law enforcement agencies to tackle crime and allow responsible data-sharing while maintaining high data protection standards."

According to the Information Commissioner, the statute updates some laws about digital information matters and changes data protection laws in order to promote innovation and economic growth.   Its provisions will be phased in between June 2025 and June 2026.  The Department for Science, Innovation and Technology has published useful fact sheets on the UK GDPR and Data Protection Act 2018, the Information Commissioner's Office and the Privacy and Electronic Communications Regulations 2003.

Anyone wishing to discuss this article is welcome to call me on +44 (0)20 7404 5252 during UK office hours or send me a message through my contact form at any time.  In subsequent articles, I shall review the Act and analyse its provisions.