Join us for our latest podcast episode breaking down the key changes introduced by the UK's new Data (Use and Access) Act (DUAA), explaining its phased rollout and objectives.

It clarifies that the Act amends, rather than replaces, existing data protection laws like the UK GDPR and Data Protection Act 2018. The discussion covers the shift from the ICO to the Information Commission, the introduction of 'Recognised Legitimate Interests' as a lawful basis for processing data, refined purpose limitation for research, and changes to international data transfers and individual rights, including Subject Access Requests. The episode concludes with key takeaways for organisations, particularly those in the education sector, emphasising the need for policy review and alignment with the new nuances.

Key Takeaways

• The Data (Use and Access) Act is an evolution, not a revolution, amending existing data protection laws rather than replacing them entirely.
• The Information Commissioner’s Office (ICO) is being replaced by the Information Commission (IC), with a broader mandate encompassing innovation and competition alongside data protection.
• A new lawful basis, 'Recognised Legitimate Interests', simplifies data processing for certain public interest activities like safeguarding and crime prevention.
• The Act clarifies conditions for secondary data processing, particularly for research purposes, and introduces a UK-specific 'Data Protection Test' for international data transfers.
• Operational practices, such as 'stopping the clock' on Subject Access Requests and a formalised initial complaints process, are now codified into law, and there's a reinforced legal protection for children's data.