Context
In response to the Data (Use and Access) Act 2025 (DUAA) coming into force, the ICO has launched public consultations to help shape final guidance about amendments to the Act. The Consultations relate to guidance about a new lawful basis for data processing (‘recognised legitimate interest’ – ‘RLI’) and to new guidance about handling data protection complaints. The ICO is seeking quality responses to help inform the final guidance.
Key points to note and next actions
- The DUAA received Royal Assent on 19th June 2025, with the first provisions coming into force on 19th-20th August 2025. The Department for Science and Innovation (DSIT) has set out the commencement plans. The amendments will give organisations more confidence to use personal information in the public interest, and support organisations establishing a data protection complaints process.
Recognised legitimate interest
- RLI is a new lawful basis, separate from the legitimate interests lawful basis. It has five conditions containing pre-approved purposes that are in the public interest. They cover situations where you need to use personal information to:
  - share it with another organisation that has requested it from you because they need it for their public task or official functions (the ‘public task disclosure request condition’);
  - safeguard national security, protect public security or for defence reasons (the ‘national security, public security and defence condition’);
  - respond to, or deal with, an emergency situation (the ‘emergencies condition’);
  - prevent, detect or investigate crimes, including the apprehension and prosecution of offenders (the ‘crime condition’); or
  - protect the physical, mental or emotional well-being of people who need extra support to do this or protect them from harm or neglect (the ‘safeguarding condition’).
- For these purposes, you don’t have to assess whether a person’s rights, freedoms or interests outweigh the recognised legitimate interest.
- This Consultation will remain open until 30th October 2025.
Handling data protection complaints
- There is a new requirement for all organisations to have a process in place for handling data protection complaints. This could be built into existing complaints handling processes and procedures.
- The DUAA inserts a new requirement into the Data Protection Act 2018 (DPA18) which means organisations must:
  - give people a way of making data protection complaints to them;
  - acknowledge receipt of complaints within 30 days of receiving them;
  - without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed; and
  - without undue delay, tell people the outcome of their complaints.
- The guidance aims to walk organisations through the new requirements and inform them of what they must, should and could do to comply. It includes helpful tips and practical advice for each stage in the process.
- This Consultation is open until 19th October 2025.