In response to the Data (Use and Access) Act 2025 (DUAA) coming into force, the Information Commissioner’s Office (ICO) has launched public consultations to help shape final guidance.
The ICO has produced and is consulting on draft guidance to support organisations in understanding and applying upcoming amendments. These include:
- ‘recognised legitimate interest’, which is a new lawful basis, separate from the legitimate interests lawful basis; and
- ‘data protection complaints’, which is a new requirement for all organisations to have a process in place for handling data protection complaints.
These guidance pieces and consultations are a significant step in the ICO’s commitment to provide clear guidance on the amendments which give organisations more confidence in handling personal information.
Emily Keaney, Deputy Commissioner, said:
“We understand the importance of providing businesses with the certainty they need in light of changes in the law. These consultations provide us with a real opportunity to listen, learn and lead with clarity and we encourage all interested parties to engage with our consultations and help shape our final guidance to ensure it is robust and fit for purpose.”
The DUAA received Royal Assent on 19 June 2025, with the first provisions coming into force on 19-20 August 2025. The Department for Science and Innovation (DSIT) has set out the commencement plans.
Consultation details
‘Recognised legitimate interest’ is a new lawful basis. This new basis will give organisations greater confidence to use personal information for certain pre-approved purposes. These public interest purposes cover activities like crime prevention, public security, safeguarding, emergencies and sharing personal information to help other organisations perform their public tasks. Our detailed guidance will make it easier for organisations to successfully use recognised legitimate interest by explaining how it works, along with giving practical examples. Public authorities should continue to use the public task lawful basis when using personal information for public tasks or official functions. Further details on the 10-week consultation, which closes on 30 October 2025, can be found here.
By June 2026, organisations must have a process in place to handle data protection complaints. A complaint can come from anyone who is unhappy with how an organisation has handled their personal information. Our guidance sets out the new requirements and informs organisations of what they must, should and could do to comply. Further details on the eight-week consultation, which closes on 19 October 2025, can be found here.
ICO resources
To support organisations in their understanding of new data protection legislation, the ICO proactively publishes general data protection plans for new and updated guidance.