Saturday, June 28, 2025

Data (Use and Access) Act factsheet: ICO


A summary of the most significant changes made to the Information Commissioner’s Office (“ICO”) and the ICO’s powers, under the Data (Use and Access) Act 2025 (“DUAA”; “the Act”).

The Act will come into force in stages. Details of the regulations and exact dates that each measure will come into force will be available on GOV.UK. 

This information is only for reference and is not regulatory guidance or legal advice. The ICO is responsible for publishing regulatory guidance on its website – www.ico.org.uk.

Provision(s) in the DUAA
Section 91

Title
Information Commissioner’s role – duties of the Commissioner

Description of measure
The DUAA introduces a new strategic framework for the ICO when carrying out its data protection functions, which includes a principal objective and several matters to which the Commissioner must have regard when undertaking its tasks, including the promotion of innovation and competition and the fact that children merit specific protection. The Act also includes requirements for the Commissioner to publish a strategy, setting out how the new framework will be delivered, and to report on what has been done in relation to it as part of the ICO’s annual reporting to Parliament.

How is this different from previous legislation?
The legislation brings clearer strategic direction to the ICO as it fulfils its regulatory tasks and functions for data protection, strengthening its obligations, reflecting the breadth of issues that impact data protection regulation, and delivering a greater degree of transparency and accountability.

The primary duty of the Commissioner will be to uphold the new principal objective. This incorporates the pre-existing duty in section 2(2) of the DPA 2018, requiring the Commissioner to secure an appropriate level of protection for personal data, alongside a new requirement for the Commissioner to promote public trust and confidence in the processing of personal data.

The other duties sit below the principal objective, formalising some of the existing ways in which the ICO works and reinforcing the importance of several specific areas, which should be considered across the full scope of the ICO’s data protection activities.

The new duties require the Commissioner to consider:

(a) the desirability of promoting innovation;
(b) the desirability of promoting competition;
(c) the importance of the prevention, investigation, detection and prosecution of criminal offences;
(d) the need to safeguard public security and national security;
(e) the fact that children merit specific protection with regard to their personal data as they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing.

There is also a duty for the Commissioner to consult other regulators regarding economic growth, innovation and competition.

Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 91 of the DUAA omits section 2(2) from the DPA 2018, inserts new sections 120A-D into the DPA 2018 and amends section 139 of the DPA 2018.


Provision(s) in the DUAA
Sections 92-93

Title
Information Commissioner’s role – codes of practice for the processing of personal data; codes of practice panels and impact assessments

Description of measure
The DUAA ensures that all statutory codes of practice issued by the Information Commissioner have the same legal effect and follow the same approvals process and review requirements. It also makes several changes to the process through which the ICO develops statutory codes, requiring a draft of a new code, or draft amendments to an existing code, to be considered by a panel of relevant experts, and for the ICO to undertake and publish impact assessments.

How is this different from previous legislation?
This ensures that any codes required by the Secretary of State under new section 124A of the DPA 2018 will have the same effect as all other codes issued by the Commissioner. They will be subject to the same Parliamentary approval, review requirements, and will be consistent in their legal effects, meaning that they are automatically admissible as evidence where relevant to issues in legal proceedings, and courts and tribunals will be required to take them into account where relevant. The DUAA also strengthens the processes through which the ICO develops these codes, with the new statutory requirements to consult a panel on a draft of the code and to publish impact assessments.

Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 92 of the DUAA inserts new section 124A into the DPA 2018, amends sections 125, 126 and 129, and omits section 128 of the DPA 2018. It also amends the Registration Service Act 1953, the Statistics and Registration Service Act 2007 and the Digital Economy Act 2017.

Section 93 of the DUAA inserts new sections 124B and 124C into the DPA 2018.


Provision(s) in the DUAA
Section 94

Title
Information Commissioner’s role – manifestly unfounded or excessive requests

Description of measure
The Commissioner is permitted to charge a reasonable fee or refuse requests from data subjects or data protection officers which are manifestly unfounded or excessive. The DUAA extends this to requests made by any person.

It remains the case that the Commissioner is expected to respond to a request in most cases, with no charge. And in those instances where a request is deemed manifestly unfounded or excessive, it is for the Commissioner to show that it is.

How is this different from previous legislation?
While the DPA 2018 permits the Commissioner to charge a reasonable fee or refuse a request if it is manifestly unfounded or excessive, this only applies to requests from data subjects or data protection officers. These changes take account of the Commissioner’s broad range of stakeholders and will enable the regulator to act proportionately.

Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 94 of the DUAA amends sections 135 and 136 of the DPA 2018 and omits Article 57(4) of the UK GDPR.


Provision(s) in the DUAA
Sections 95 and 102

Title
Information Commissioner’s role – analysis of performance

Description of measure
The DUAA introduces 2 new requirements to increase transparency of the Commissioner’s activities and strengthen accountability to Parliament and other stakeholders. The first is the requirement for the Commissioner to publish an annual analysis of its performance, using Key Performance Indicators through which performance can be measured effectively. The second is the requirement for the Commissioner to publish an annual report on regulatory action, including the nature of investigations, the time taken and the powers used.

How is this different from previous legislation?
This strengthens the reporting requirements for the ICO, increasing transparency and the means and metrics through which the ICO is held to account for its performance.

Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 95 of the DUAA inserts new section 139A into the DPA 2018. Section 102 of the DUAA amends section 139 and inserts new section 161A into the DPA 2018.


Provision(s) in the DUAA
Sections 96-101

Title
ICO enforcement

Description of measure
The DUAA makes a number of changes to the Information Commissioner’s enforcement powers. Firstly, it makes a clarificatory amendment to its power to issue information notices, to make it clear that an information notice can require recipients to provide documents.

The Act introduces two new powers: extending the Commissioner’s existing power to issue assessment notices to enable such notices to require an organisation to commission and pay for a report to assist in an investigation; and a new power to issue interview notices, which enables the Commissioner to require a person to attend an interview to answer questions.

The Act also makes changes to the time available to the Commissioner to issue a final penalty notice after issuing a notice of intent. The change means that the Commissioner must issue a final penalty notice within the period of 6 months, or as soon as reasonably practicable thereafter. If the Commissioner decides not to issue a penalty, this provision also contains a new requirement to give a written notice stating this.

The DUAA removes an exemption to the Commissioner’s power to issue assessment notices to Ofsted in relation to its registration function for children’s homes, family centres, or adoption/fostering agencies. The removal of this exemption means that the relevant functions of Ofsted are subject to appropriate scrutiny of their data protection practices and processes where necessary.

How is this different from previous legislation?
This makes changes to 2 existing provisions: firstly, making clear that the information notice power in section 142 of the DPA 2018 empowers the Commissioner to request documents and secondly, amending the notice of intent in Schedule 16 of the DPA 2018 to allow the ICO more time to issue a penalty notice where needed.

The DUAA introduces 2 new investigatory powers which are designed to enable the Commissioner to obtain the evidence it needs to inform investigations and monitor compliance with the data protection framework.

The power to commission a report adds a new element to the assessment notice power in section 146 of the DPA 2018. In practice, while investigating compliance with the data protection regime, the Commissioner may need further information that goes beyond what the organisation has shared or where this is particularly technical, such as on how specific encryption systems work. The organisation receiving notice from the Commissioner to commission such a report will need to identify an appropriate person to produce a report to the Commissioner’s specifications (or the Commissioner can appoint someone if they are not able to). The organisation will also need to pay for the report, which will then be shared with the organisation and the Commissioner. It will be used by the Commissioner to support his understanding of how personal data is being processed.

The Act introduces a second new power after section 148 of the DPA 2018. At present, the Commissioner can call a person to interview on a voluntary basis. The new interview notice power enables the Commissioner to require a person to attend an interview. If a person decides not to answer questions and if the Commissioner decides there has been an infringement of the data protection legislation and if enforcement action is appropriate, then this may be considered an aggravating factor and could result in a higher fine than had they cooperated. There are also criminal sanctions if an individual knowingly or recklessly makes a false statement under questioning.

Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 97 of DUAA amends section 142 DPA 2018 and makes consequential amendments to sections 143, 145, 148, 160 and Schedule 17.

Section 98 of DUAA amends section 146 DPA 2018 and adds new section 146A. This also makes consequential amendments to sections 155 and 160 of the DPA 2018.

Section 99 of DUAA amends section 147 of the DPA 2018.

Section 100 of DUAA adds new sections 148A, 148B and 148C after section 148 of the DPA 2018.


Provision(s) in the DUAA
Section 103; Schedule 10

Title
Information Commissioner’s role – enforcement – complaints by data subjects

Description of measure
The DUAA introduces a requirement for controllers to put in place a complaint-handling process, ensuring that data subjects are able to lodge complaints directly with the controller. The Act requires controllers to acknowledge receipt of the complaint within a period of 30 days, and to take appropriate steps to respond to the complaint.

The Act also provides that the Secretary of State may legislate in the future to require a controller to notify the Information Commissioner of the number of complaints made in a given time-period.

How is this different from previous legislation?
This creates new statutory requirements for controllers to put in place complaints-handling processes and to respond to complaints lodged with them by data subjects.

Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 103 of the DUAA inserts new sections 164A and 164B into the DPA 2018.

Schedule 10 of the DUAA makes consequential amendments to the UK GDPR and DPA 2018.


Provision(s) in the DUAA
Section 105

Title
Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (EITSET)

Description of measure
The DUAA amends the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (EITSET) to ensure certain new and amended enforcement powers are available for the Information Commissioner for the purposes of regulating trust service providers under the UK eIDAS Regulation. The changes are expected to facilitate regulatory investigations and to help ensure that the Information Commissioner continues to be able to act as an effective supervisory body for trust service providers established in the UK.

How is this different from previous legislation?
The amendments made to the current enforcement provisions within the DPA 2018 apply equally to the Information Commissioner’s enforcement powers as the supervisory body for trust service providers, including the new enforcement power to require an organisation to commission and pay for a technical report to assist in an investigation by issuing an assessment notice (an extension of the Information Commissioner’s existing power to issue assessment notices), and the new enforcement power to require a person to attend an interview and answer questions.

The new offence of intentionally or recklessly making a false statement in response to an interview notice will also apply to trust service providers.

Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 105 amends sections 146A, 148A, 148B and 148C of the DPA 2018.


Provision(s) in the DUAA
Section 115; Schedule 13

Title
Privacy and Electronic Communications Regulations (PEC Regulations) – Commissioner’s enforcement powers

Description of measure
The DUAA updates the Commissioner’s powers of enforcement in relation to the PEC Regulations. It applies some of the more modern approach to enforcement powers, as already set out in Parts 5 to 7 of the DPA 2018. The new powers include, amongst other things: powers for the Commissioner to impose information notices, assessment notices, enforcement notices, and penalty notices; the power to commission a report; the interview notice power; and the relevant rights of appeal for persons who wish to appeal against the imposition of such notices.

The new applied powers are subject to modifications, to make them relevant to the PEC Regulations, set out in new schedule 1.

The DUAA also introduces a delegated power, which permits the Secretary of State to amend the fixed monetary penalty amount for infringements of regulation 5A (Personal data breach).

How is this different from previous legislation?
Currently Part V and Sections 55A to 55E of, and Schedules 6 and 9 to, the Data Protection Act 1998 are applied for the purposes of enforcing the PEC Regulations. These provisions are subject to modifications set out in schedule 1.

The DUAA aligns the PEC Regulations’ enforcement sanctions (powers and fines) with the DPA 2018. These reforms will ensure the regulator has the tools it needs to enforce effectively and reflects the increasingly complex nature of some investigations.

Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 115 amends regulation 5C of the PEC Regulations and repeals and replaces regulation 31 and Schedule 1. It also repeals regulations 5(6), 5B, 31A and 31B of the PEC Regulations.


Provision(s) in the DUAA
Sections 117-120; Schedule 14

Title
The Information Commission

Description of measure
The DUAA establishes a body corporate, the Information Commission, to replace the Information Commissioner’s Office, which is structured as a corporation sole. The Information Commission will be led by a chair, chief executive, and other non-executive and executive members with shared decision-making responsibilities. The chair of the Information Commission will retain the title of “Information Commissioner”.

The Act contains provisions to abolish the office of the Information Commissioner, and transfer functions and property to the new Information Commission. These provisions will not change the role of the regulator; all functions that currently rest with the Information Commissioner will continue to sit with the new Information Commission.

How is this different from previous legislation?
The Information Commissioner’s Office is currently structured as a corporation sole, with all powers and responsibilities vested in one individual, the Information Commissioner. The DUAA replaces this governance model with a body corporate, the Information Commission, led by a chair, chief executive, and other non-executive and executive members with shared decision-making responsibilities.

This will bring the ICO in line with other domestic regulators, enhancing overall diversity and resilience in decision making.

Section 117 and schedule 14 will be commenced at 2 months to establish the Information Commission without functions.

Sections 118-120 will be commenced separately to align with the appointment of the Information Commission.

Which provision(s) in the UK GDPR and/or the DPA 2018 are changing?
Section 117 inserts new section 114A into the DPA 2018 establishing the Information Commission.

Section 118 abolishes the Information Commissioner, omitting relevant sections of the DPA 2018.

Schedule 14 inserts new Schedule 12A into the DPA 2018, setting out the governance structure of the new regulator.

