UK New Data Use and Access Act 2025

The UK Data (Use and Access) Act 2025 ('DUAA') received Royal Assent on 19 June 2025. The first provisions come into force on 19-20 August 2025. On 21 August 2025, the Information Commissioner's Office (ICO) launched public consultations to help shape the final guidance.
The DUAA brings several changes for organisations:
- 'Recognised legitimate interest' is a new lawful basis, separate from the existing legitimate interests lawful basis; it is not yet in force. It should simplify the work of organisations that can rely on it. See details below.
- New right to complain: data subjects are given this new right, so privacy notices will have to be amended to refer to it; in addition, by June 2026 organisations must have a process in place to handle data protection complaints.
- Cookies: new exemptions from the cookie consent requirement, for example 1) for analytics or 2) to detect and prevent fraud.
- Deadlines to answer Data Subject Access Requests:
- if the controller reasonably requests further information, the "clock stops" until the data subject provides it;
- the controller's obligation is to provide the data it can find after a reasonable and proportionate search, which should reassure organisations facing aggressive requests.
- The UK Secretary of State can decide to add new classes of special category data: this would make it more difficult to process such data, for example by making a risk analysis and/or the appointment of a DPO compulsory. In the past, for example, it has been discussed that all children's data should be special category data.
- Criteria to become an adequate country are simplified: the DUAA replaces the term 'adequacy decision' with 'data protection test'. The Act says that transfers can take place so long as the exporter, "acting reasonably and proportionately", considers the test is met.
- Solely automated individual decision-making is simplified, where 'solely' means that human involvement is limited; also, automated decisions that do not rely on special category data are no longer prohibited (safeguards such as the right to human intervention still apply).
- Legitimate interests are simplified: the DUAA gives examples of interests that may be legitimate (direct marketing, security of network and information systems, and intragroup transfers of personal data), and lists the recognised legitimate interests in Annex 1 (e.g. disclosures to public bodies that state they need the personal data to fulfil a public interest task).
- Further processing of personal data (purpose limitation): the DUAA gives more detail on this and simplifies some situations; for scientific research, however, the rule remains to either re-obtain the person's consent or re-inform the person.
- Research: exemption from providing a privacy notice to individuals where this would be impossible or involve disproportionate effort:
- so far, this exemption only applies where personal data has not been collected directly from individuals;
- with the DUAA, the exemption also applies where personal data has been collected directly from individuals;
- this should make it easier to launch new research on large cohorts when many patients have moved and are very difficult to reach.
- ==> Comment from PharMarketing: such an exemption was already granted in practice by UK authorities and most EU/EEA authorities.
- Scientific research: the definition of "scientific research" now explicitly includes commercial research; it remains to be seen how this will facilitate market access studies.
- US or UK law enforcement access to personal data: controllers can rely on legal obligation as the lawful basis for processing personal and special category data where this is necessary to respond to such requests.
Zoom on the recognised legitimate interest:
This new basis will give organisations greater confidence to use personal information for certain pre-approved purposes. These public interest purposes cover activities like crime prevention, public security, safeguarding, emergencies and sharing personal information to help other organisations perform their public tasks. It is a specified purpose for handling personal information that is in the public interest.
Pre-approved purposes cover situations where you need to use personal information to:
- share it with another organisation that has requested it from you because they need it for their public task or official functions (the ‘public task disclosure request condition’);
- safeguard national security, protect public security or for defence reasons (the ‘national security, public security and defence condition’);
- respond to, or deal with, an emergency situation (the ‘emergencies condition’);
- prevent, detect or investigate crimes, including the apprehension and prosecution of offenders (the ‘crime condition’); or
- protect the physical, mental or emotional well-being of people who need extra support to do this or protect them from harm or neglect (the ‘safeguarding condition’).
Data protection law says these purposes are activities in the public interest. Any potential impact on people is therefore justified – subject to other data protection considerations as normal.
The main benefit of relying on recognised legitimate interest is you don’t need to do anything else to justify using personal information for one of these purposes. You don’t need to balance people’s rights and freedoms against the relevant interests you have identified because the law has already done so.
NB: the ICO also released guidelines on how to apply data protection by design to blockchain, see here.
Read more on the recognised legitimate interest basis: https://ico.org.uk/for-organis...
Read the guidelines released by the ICO and the public consultations: https://ico.org.uk/about-the-i...
In a statement adopted on 2 July 2025, the European Data Protection Board ('EDPB') announced planned simplification measures for the GDPR.
New tools to help make GDPR application easier will include:
• a series of ready-to-use templates for organisations, building on and harmonising the work already done at national level;
• a common template for data breach notifications for Data Protection Authorities (DPAs), in view of streamlining data breach notifications and easing the burden of organisations, in support of a possible cross-regulatory European notification solution;
• direct and easily-applicable resources, including checklists, how-tos and FAQs, to help organisations understand their key obligations.
Also, the EDPB will enhance consistency of the application and enforcement of the GDPR by Data Protection Authorities ('DPAs').
PharMarketing's opinion:
1) Such simple tools already exist and are available for free: for example:
- the template proposed by the French DPA, the CNIL, for drafting the Register of Processing Activities ('ROPA');
- the template for drafting a Legitimate Interest Assessment proposed by the UK DPA, the ICO;
- the free software for drafting a Data Protection Impact Assessment ('DPIA'), released by the CNIL.
This list is not exhaustive: for example, the Spanish DPA, the AEPD, has also released many very useful templates and videos.
Such tools are already recognised by other DPAs, so the announcement of tools by the EDPB will not reduce the burden on organisations.
2) The EDPB is not granting small organisations a derogation from drafting the ROPA or other mandatory deliverables such as DPIAs, so the burden will remain the same.
3) DPAs are already flexible regarding the level of detail for drafting the ROPA or the DPIA (for example if all clinical studies done by an organisation are similar); but this is not mentioned in the EDPB's press release.
The Medicines and Healthcare products Regulatory Agency ('MHRA'), the UK health authority, recently released a new template for the Patient Informed Consent Form ('ICF'). This has an impact on clinical trial sponsors, as the template asks for a UK phone number on which UK patients can contact the sponsor.
It has been confirmed that deleting the telephone number will be treated as a deviation from the template, with a risk of receiving comments during the evaluation.
Leaving the telephone number field blank will also generate a deviation, with potential push-back from the MHRA, Ethics Committees, NHS sites and other organisations.
Question: if a sponsor has neither an office nor a legal entity in the UK, how will this work? Must all external sponsors appoint a UK DPO in addition to their global DPO? Can they ask a local CRO to provide a UK phone number?
Our interpretation at PharMarketing of the term 'by ringing us' is, as always, down to earth and very simple:
- If the sponsor has an office or a legal entity in the UK: provide the UK office phone number.
- If the sponsor has no office and no legal entity in the UK: in that case, the sponsor must appoint a UK data protection representative (DPR) anyway, so the phone number will be that of the UK DPR.
Access the new MHRA template here: https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/templates/transparency-wording-for-all-sponsors/#GDPRtemplate
Questions on privacy and clinical trials in the UK? Call our UK senior consultants:
- Dave Edwards at d.p.edwards ( at ) pharmarketing.net or
- Julianne Hull at j. .hull ( at ) pharmarketing.net
Following the Data (Use and Access) Act, which became law on 19 June 2025, the Information Commissioner's Office ('ICO'), the UK's Data Protection Authority, is planning to review most of its current privacy guidance.
This applies, for example, to the following guidance and tools:
- UK Data Protection Representatives;
- International Transfers guidance;
- Legitimate interests guidance update;
- Guidance on the right of access;
- Direct marketing and privacy and electronic communications (PECR).
Most updates are planned for Winter 2025/2026, so watch out for any revised guidance in our next Newsletters!
Access the full list of guidances to be revised here: https://ico.org.uk/about-the-i...
In June 2025, the UK Health Research Authority (HRA) published new guidance to accompany the updated clinical trials regulations which come into force on 28 April 2026.
The guidance explains what will change in terms of processes, legal requirements, and expectations for anyone involved in setting up or delivering clinical trials.
The HRA is inviting feedback on the guidance. If you have any comments, complete the online survey by 5pm on Wednesday 10 September 2025.
HRA will use the feedback they receive to update the final guidance which HRA plans to publish this autumn.
Read the guidance: https://www.hra.nhs.uk/plannin...
Dr. Dragutin Rafailović is an experienced Drug Safety Physician with a demonstrated delivery of medical, clinical, and scientific advisory expertise in clinical research studies and post marketing programs, signal detection and aggregated reporting. Skilled in medical review, medical writing, signal detection, medical monitoring, literature review, clinical research, and client/staff training.
He is a strong pharmacovigilance professional with a medical degree (MD) and line management experience. Dragutin has a complete understanding of guidelines (FDA, ICH, EMA, GCP and Medical Devices Regulation (MDR) 2017/745) and experience of GDPR.
Dragutin is experienced with providing advanced pharmacovigilance services to multiple customers with medicinal products in various phases of their lifecycle including clinical development and marketed products. He also served as physician for two and a half years at the Clinic of Urology, Clinical Center of Serbia.
Dragutin is a devoted father to a daughter. He loves basketball, watches, and archaeology.
As you might know, it is now mandatory to have a local privacy representative in Serbia if your organisation processes or receives personal data from people there and has no office in Serbia. In addition, Dragutin will be an invaluable asset, as he knows the local regulations and guidelines for privacy and GxP, and he speaks the local language.
You can contact Dragutin at d.d.rafailovic@pharmarketing.net
Authorities published several decisions related to the processing of health data in the past months.
Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and avoid a critical finding.
For each decision, we propose key takeaways: use them as ideas and guidelines for your own organisation: check that such measures are implemented at your organisation, and if not, talk to your management (or talk to us!).
Many thanks to GDPRhub (NOYB) and to the IAPP for all this valuable information!
Austria:
Fact:
A court held that an ambulance service unlawfully processed a patient’s personal data to send a letter about donations. The data was originally obtained for providing emergency services and constituted sensitive data under Article 9(1) GDPR. Read more or edit on GDPRhub...
Takeaway:
To reuse the patient's personal data for another purpose (donations rather than emergency healthcare), the ambulance service would have needed a new lawful basis, which for health data in practice means the patient's explicit consent. Personal data can only be used for the purpose it was collected for, unless the new purpose is compatible with the original one.
Denmark:
Fact:
Denmark's data protection authority ('DPA'), Datatilsynet, issued serious criticism of a dental company after it allegedly recorded employees' conversations without consent. The DPA said the company did not have a legal basis to record individuals and "acted in violation of the principle of transparency by never informing the complainant that the conversations were being recorded."
Read the press release here (in Danish).
Takeaway:
As indicated in the decision below relating to Germany, covert employee surveillance is prohibited or tightly restricted in most European countries.
Germany:
Fact:
The Federal Labour Court held that an employer unlawfully processed an employee's health data by having them surveilled to verify whether they were faking their incapacity to work. It also awarded the employee EUR 1,500 in immaterial damages. Read more or edit on GDPRhub...
Takeaway:
Here we have an interplay between privacy law, healthcare law and labour law. Covert surveillance of employees is banned in most European countries. If an employer wants to implement continuous surveillance, it should 1) obtain any authorisation required from the local authorities and 2) inform employees and visitors.
Another example of such surveillance is software installed on the laptops of employees working from home to check that they type regularly during working hours: this is forbidden, even if the employer informs the employee.
Greece:
Fact:
The DPA fined an association for people with autism €10,000 for failing to comply with an access request by the legal guardians of a child and for unlawfully transmitting the child’s personal data to third parties. Read more or edit on GDPRhub...
Takeaway:
Legal guardians are entitled to submit a Data Subject Access Request on the child's behalf, and the association should have answered within one month. Regarding the unlawful transmission of personal data to third parties, this is strictly prohibited by privacy laws. See our recommendations on a similar incident in Italy below.
Italy:
Fact:
The municipality of Bologna accidentally forwarded a document containing the names of special needs students and information about their health to unauthorised staff as well as to 53 families. The DPA fined the municipality EUR 40,000. Read more or edit on GDPRhub...
Takeaway:
Human error can always happen, especially when people are in a hurry, as in this situation where the vendor was hit by a workers' strike. Organisations must make sure they have implemented all the technical and organisational security measures they reasonably can.
To avoid sending e-mails containing sensitive information to the wrong people, typical measures are:
- Training employees regularly
- Allowing only experienced employees to send sensitive information
- Adding an add-in to the e-mail client so that a) a pop-up opens every time an employee enters a recipient outside the organisation and b) the sending of the e-mail is delayed by 2 to 3 minutes, giving the sender a window to cancel it; these measures have proven effective and prevent many data breaches.
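The following is an added example, not code from the original newsletter or from any product: a small outbound e-mail guard that implements the two controls above (a warning when a recipient is outside the organisation, and a hold window during which the sender can cancel the message). The domains, the keyword pattern and the sample messages are assumptions constructed for the example; the "odd one out" check goes slightly beyond the text, flagging a single external address among internal ones, which is the typical autocomplete mistake.

```python
# Added example, not code from the original page: an outbound e-mail guard with the
# two controls described above: warn when a recipient is outside the organisation,
# and hold every message a few minutes so a mistaken send can still be cancelled.
# Domains, keywords and the sample messages are assumptions constructed for this example.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

INTERNAL_DOMAINS = {"sponsor.example", "cro.example"}  # assumption: the organisation's domains
HOLD_WINDOW = timedelta(minutes=3)                      # the 2-3 minute delay from the text
# Words that suggest health data in subject or body (assumption; tune per organisation).
SENSITIVE_PATTERN = re.compile(r"\b(diagnos|patient|health|medical|ICD-?10)\w*", re.I)


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str


@dataclass
class Verdict:
    external: list[str]      # recipients outside INTERNAL_DOMAINS
    sensitive: bool          # message looks like it carries health data
    release_at: datetime     # earliest time the gateway may deliver it
    warnings: list[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, '' if there is no '@'."""
    _, sep, domain = address.strip().rpartition("@")
    return domain.lower() if sep else ""


def check_message(msg: Message, now: datetime) -> Verdict:
    """Classify one outbound message and compute when its hold window ends."""
    external = [r for r in msg.recipients if domain_of(r) not in INTERNAL_DOMAINS]
    sensitive = bool(SENSITIVE_PATTERN.search(msg.subject + "\n" + msg.body))
    warnings = []
    if external:  # the 'pop-up': the sender must confirm each external address
        warnings.append(f"{len(external)} external recipient(s): {', '.join(external)}")
    if external and sensitive:
        warnings.append("health data addressed outside the organisation; use the secure share")
    if len(external) == 1 and len(msg.recipients) > 2:
        # One outside address among internal ones is the classic misdirection pattern
        # (autocomplete picked a similar-looking name).
        warnings.append(f"single external recipient {external[0]} among internal ones")
    return Verdict(external, sensitive, now + HOLD_WINDOW, warnings)


class HoldQueue:
    """Delayed-send queue: a message waits HOLD_WINDOW and can be cancelled meanwhile."""

    def __init__(self) -> None:
        self._pending: dict[int, tuple[Message, Verdict]] = {}
        self._next_ticket = 1

    def submit(self, msg: Message, now: datetime) -> tuple[int, Verdict]:
        verdict = check_message(msg, now)
        ticket, self._next_ticket = self._next_ticket, self._next_ticket + 1
        self._pending[ticket] = (msg, verdict)
        return ticket, verdict

    def cancel(self, ticket: int) -> bool:  # sender reacted in time; nothing left the gateway
        return self._pending.pop(ticket, None) is not None

    def release_due(self, now: datetime) -> list[Message]:  # messages whose window elapsed
        due = [t for t, (_, v) in self._pending.items() if v.release_at <= now]
        return [self._pending.pop(t)[0] for t in due]


def run_demo() -> dict:
    """Walk two constructed messages through the guard and report what happened."""
    t0 = datetime(2025, 9, 1, 9, 0)
    queue = HoldQueue()
    # Constructed: a list with diagnosis codes, one address mistyped to an outside domain.
    risky = Message("clerk@cro.example",
                    ["pi@cro.example", "qa@cro.example", "family53@mail.example"],
                    "Support plan", "Attached: list of pupils with their diagnosis codes")
    ticket, verdict = queue.submit(risky, t0)
    released_early = queue.release_due(t0 + timedelta(minutes=1))  # still inside the window
    cancelled = queue.cancel(ticket)                                # sender heeds the warning
    released_late = queue.release_due(t0 + HOLD_WINDOW)             # window over, but cancelled
    # Constructed: an ordinary internal message, which simply goes out after the hold.
    _, clean_verdict = queue.submit(Message("clerk@cro.example", ["pi@cro.example"],
                                            "Minutes", "Agenda for Monday"), t0)
    sent = queue.release_due(t0 + HOLD_WINDOW)
    return {"external": verdict.external, "sensitive": verdict.sensitive,
            "warning_count": len(verdict.warnings), "released_early": len(released_early),
            "cancelled": cancelled, "released_after_cancel": len(released_late),
            "clean_warning_count": len(clean_verdict.warnings), "clean_sent": len(sent)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In a real deployment the check runs in the mail client add-in or the outbound gateway, the warnings drive the confirmation pop-up, and the hold queue is what gives the sender the 2 to 3 minutes to press "cancel"; the keyword pattern is only a first filter and should be complemented by proper data classification labels.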
Fact:
The Association of Psychologists of Lombardy suffered a leak of sensitive data following a ransomware attack. The DPA found violations of Articles 5(1)(f) and 32(1) GDPR and imposed a €30,000 fine. Read more or edit on GDPRhub...
Takeaway:
In its decision, the Garante found that the data controller had not implemented basic security measures such as MFA or automated monitoring and alerting to detect suspicious activity, hence the fine.
Fact:
The Garante fined the pharma company Menarini EUR 21,000 for storing patient data for an indeterminate period of up to 25 years; the personal data had been collected to train an algorithm for cancer screening. Another reason for the fine was that the information notices to patients were not clear enough. Read more or edit on GDPRhub...
Takeaway:
This decision seems a bit harsh, as
1) a storage period of 25 years is common in clinical research, and
2) Menarini had provided information notices to patients, so the process looked quite well covered from a privacy point of view.
However, as we have access neither to how Menarini justified the need to store the data for 25 years nor to the information notices, it is difficult to judge.
Netherlands:
Fact:
The Highest Administrative Court held that a mental health care institution was not obliged to comply with a data subject's erasure request. Retaining the data was necessary under the medical treatment agreement and for the management of the institution’s services. Read more or edit on GDPRhub...
Takeaway:
The GDPR is not the only law governing patient data: in each country, the local health law also imposes obligations and rights on health professionals and patients. Most of them require healthcare organisations to keep patient records for a given period, even if the patient sends an erasure request.
Sweden:
Fact:
The DPA reprimanded a health care provider for sending sensitive data via unencrypted emails, in violation of Article 32(1) GDPR. Read more or edit on GDPRhub...
Takeaway:
All data, whether in transit or at rest, should be encrypted. Ordinary e-mail offers no end-to-end guarantee (transport encryption, where present, is only hop by hop, and copies sit in every mailbox involved).
For this reason, many life science organisations recommend sharing health data via a secure, access-controlled server (e.g. Microsoft SharePoint) rather than sending the data by e-mail.
US:
Fact:
The U.S. Department of Health and Human Services' (HHS) Office for Civil Rights ('OCR') announced a USD 225,000 settlement with Deer Oaks, an organisation providing psychological and psychiatric services to residents of long-term care and assisted living facilities.
Health information of individuals, including patient names, dates of birth, patient identification numbers, facilities and diagnoses, was publicly accessible online from 2021 to 2023. In addition, Deer Oaks experienced a cyber attack in August 2023. Lastly, Deer Oaks had failed to conduct a risk analysis to determine the potential risks and vulnerabilities to the ePHI it held.
Takeaway:
When an organisation processes health data, even pseudonymised, it is mandatory to conduct a risk analysis covering patients' privacy (a HIPAA Security Rule risk analysis in the US, a DPIA under the GDPR). The goal of such an analysis is to review the risks, their potential impacts and the existing security measures in place to prevent and/or mitigate incidents and their impacts, and to reach the conclusion that the impacts for patients are negligible or limited. Such a risk analysis must be shared with the data protection authorities on request.
Read the press release from the HHS here: https://www.hhs.gov/press-room...
Fact:
The U.S. Department of Health and Human Services' Office for Civil Rights announced a USD 250,000 settlement with Specialty Surgery Center of Central New York over alleged violations of HIPAA stemming from a 2021 ransomware incident. The surgery center will bolster its security measures to ensure patients' sensitive health data remains safeguarded and will have its efforts monitored by the OCR for two years. Full story
Takeaway:
Same as for the incident with Deer Oaks above.

1) Can employees of a CRO send de-identified patient health information to the trial sponsor using their personal e-mail address? yes / no:
No,
as personal e-mail accounts are outside the organisation's security controls (no logging, no data loss prevention, no guarantee of encryption), so somebody might be able to 'see' the PHI transmitted.
2) It is now mandatory to appoint a local Privacy Representative in Albania, China, Moldova, Serbia, South Korea and Switzerland: yes / no
Yes