The Data (Use and Access) Act 2025: A New Era for UK Data Governance
The Data (Use and Access) Act 2025 modernises UK data laws, streamlining compliance and enabling smarter data sharing. It introduces new tools to help prevent fraud, including digital IDs, stronger enforcement powers, and clearer rules on automated decision-making.
What is the Data (Use and Access) Act 2025 and how will it help fraud prevention?
The Data (Use and Access) Act 2025 (the “DUAA”) marks a significant shift in the UK’s approach to data protection and digital innovation. It received Royal Assent on 19 June 2025 and is intended to modernise the UK data protection framework to better align with the needs of a digital economy. It aims to:
- Simplify compliance for businesses
- Encourage responsible data sharing
- Support innovation in digital services
- Strengthen public trust in data use
The DUAA does not replace the UK GDPR or the Data Protection Act 2018 (DPA 2018); instead, it amends and supplements them. Organisations must continue to comply with the existing legal framework, as modified by the DUAA.
The key features include:
- Simplified subject access request (SAR) processes (in force since 19 June 2025): Organisations can now conduct “reasonable and proportionate” searches and pause deadlines while clarifying vague or excessive requests.
- ICO enforcement powers (coming into force in August 2025): The Information Commissioner’s Office will be given stronger powers to issue interview and information notices, conduct audits and inspections, and impose penalties for non-compliance.
- Support for Smart Data initiatives (expected in late 2025): This will enable secure, consent-based data sharing in sectors like energy, telecoms and finance to empower customers. These schemes will also support fraud prevention through real-time anomaly detection and public-private data collaboration.
- Creation of a national digital identity verification system (expected in late 2025): This will be a voluntary, government-backed digital ID system to support/complement existing identity verification methods. It aims to reduce identity fraud and improve access to services such as banking, healthcare, and education by enabling individuals to verify their identity online securely.
- Recognised Legitimate Interests (expected in late 2025): This will allow organisations to process personal data for pre-approved purposes (such as crime prevention and safeguarding) without the need to conduct a Legitimate Interests Assessment. (See further below.)
- Expanded use of automated decision-making (expected in early 2026): This will ease current restrictions on using AI to make legally significant decisions (such as those involving credit scoring, fraud detection, or access to services) without requiring consent or a contractual necessity. However, this is conditional on key safeguards: individuals must be clearly informed when such decisions are made, meaningful human oversight must be in place, and there must be a clear and accessible right to challenge the outcome. These safeguards are not optional – they remain a mandatory part of the framework to ensure fairness, accountability, and transparency in automated processing.
- Cookies and Tracking Technologies (expected in early 2026): The DUAA will work alongside the existing Privacy and Electronic Communications Regulations and update UK cookie rules. It will allow implied consent for low-risk uses like website analytics, thereby helping to reduce annoying pop-ups. High-risk uses, such as profiling for ads, will still need explicit consent. While not aimed at fraud prevention, these changes could help detect suspicious behaviour and limit the abuse of cookie banners by fraudsters who trick users into enabling tracking.
- Improved frameworks for international data transfers (expected by Spring 2026): The DUAA will introduce “data bridges” to simplify cross-border data flows while maintaining the UK’s data adequacy status with the EU and other key jurisdictions.
- Enhanced protections for children’s data (expected by June 2026): This will give statutory force to the Age-Appropriate Design Code (meaning that non-compliance could lead to enforcement action) and strengthen rules around profiling, data minimisation, and parental consent. This will better protect minors online and is intended to cover emerging technologies such as immersive environments and generative AI.
Recognised Legitimate Interests: A New Lawful Basis
One of the most practical changes in the DUAA is the introduction of a Recognised Legitimate Interests list. This will allow organisations to process personal data for specific, pre-approved purposes without conducting a Legitimate Interests Assessment, thereby reducing the administrative burden. These purposes include:
- Disclosures to public bodies for official tasks
- National security, public security, and defence
- Emergency response (e.g. natural disasters)
- Crime prevention and detection
- Safeguarding vulnerable individuals
While fraud prevention is not explicitly referred to, it is widely understood to fall within the scope of “detecting, investigating or preventing crime”, which is listed as a recognised legitimate interest. This interpretation aligns with the legal classification of fraud as a criminal offence. However, organisations should monitor ICO guidance for confirmation on whether fraud prevention will be explicitly recognised in future updates to the list, and if they are in any doubt, conduct a Legitimate Interests Assessment in the usual way when relying on Legitimate Interests as a lawful basis for processing personal data.
This provision is expected to come into force in late 2025 and is designed to streamline lawful data use while safeguarding individual rights and maintaining transparency and accountability.
How Does It Help Prevent Fraud?
The DUAA introduces several mechanisms that strengthen fraud prevention:
- Smart Data Sharing: Enables real-time detection of anomalies and suspicious or fraudulent activity.
- Digital Identity Verification: Reduces identity fraud through secure, voluntary ID systems.
- Recognised Legitimate Interests: Allows lawful data use for fraud prevention without a full Legitimate Interests Assessment.
- Automated Decision-Making: Supports AI-driven fraud detection with mandatory safeguards to protect individuals.
- Cookies and Tracking Technologies: By simplifying consent for low-risk tracking, the DUAA will enable organisations to use behavioural data for fraud detection (e.g. identifying unusual login patterns or transaction behaviours). It will also reduce the risk of consent mechanisms being exploited by fraudsters to deploy malicious trackers.
- Improved Data Access for Law Enforcement: Facilitates faster and more effective investigations by law enforcement and regulatory bodies.
What Are the Pitfalls?
Despite its benefits, the DUAA gives rise to several concerns:
- Privacy Risks: Expanded data sharing and AI use could erode privacy if not properly regulated.
- EU Data Adequacy: Divergence from EU GDPR may threaten the UK’s adequacy status, potentially affecting international data flows.
- SME Compliance Challenges: Smaller organisations may struggle with implementation due to limited resources and legal expertise.
- Oversight Ambiguity: Exemptions for law enforcement and national security could be misused without robust oversight and judicial safeguards.
- Biometric Data Use: New rules on biometric data (e.g. facial recognition) require careful implementation to avoid overreach.
Conclusion
The Data (Use and Access) Act 2025 represents a bold step toward a more agile and innovation-friendly data environment in the UK. It offers powerful tools for fraud prevention and digital transformation, but its success will depend on:
- Careful implementation
- Strong regulatory oversight
- Transparent public-private collaboration
As the DUAA rolls out, organisations should monitor guidance from the ICO and Department for Science, Innovation and Technology (DSIT) to ensure compliance and maximise its benefits.
Let’s talk solutions
If your business requires assistance in formulating its fraud response plan or in relation to fraud prevention and detection, please email Elaine Mitchell with any questions or to arrange a call so we can understand more about your business and the specific challenges you face.
We are always keen to invest our time helping organisations navigate the complex world of responding to and avoiding fraud, so please do reach out and get to know us.