Key points for practices
- Towards a single patient record: The Act gives Government new powers to enforce national information standards. For the first time, IT suppliers (such as EPR providers) will be legally required to comply, aiming to make different systems work together more easily. This is part of the move towards a single NHS patient record viewable via the NHS App. Practices themselves are not expected to implement new standards yet, but suppliers will be compelled to, so future system upgrades may follow.
- EU data adequacy: Free flow of data between the UK and EU is vital for research and cross-border public health (e.g., clinical trials, disease surveillance). Some groups have raised concerns that the Act could put this at risk, but the most controversial changes were removed. The EU has postponed its formal “adequacy” review to December 2025.
- Privacy and trust: The Act does not change existing protections around patient data security or who can access NHS data. Ministers have repeatedly stated that NHS data is “not for sale.” However, concerns remain about how “scientific research” is defined, and whether private companies could use these provisions for profit.
- Future direction: The debate highlights the importance of privacy, transparency, and public trust in how patient data is used. As the new Health Data Research Service develops, practices may see more discussion about access to de-identified GP data for research purposes.
What this means for GP practices
- Day-to-day processes are unchanged: No immediate changes to how practices collect, store, or share patient data.
- Recognised “legitimate interests”: Schedule 4 of the Act creates a new lawful basis under UK GDPR for certain disclosures, including responding to requests from other public bodies, safeguarding, emergencies, crime, national security and defence. In practice, this means that:
  - If a statutory body (for example, police, local authority, NHS provider) asks for patient information and confirms that it needs the information to carry out its public task, you are entitled to rely on that confirmation. You do not have to make your own separate judgement about whether their task justifies the request. Your responsibility is to check the request is genuine, record the confirmation, and share only the minimum necessary information.
  - You can continue to share information as you have before, provided the request is clear and proportionate.
- Safeguarding: The Act explicitly includes a lawful basis for sharing information to protect vulnerable individuals (children or adults at risk). This reflects existing safeguarding duties in practice.
- Suppliers will be affected first: The main shift is enforcement on IT system suppliers, not frontline practices.
- Patient questions may rise: Patients may hear about the Act and ask if their GP record is being sold or shared. Reassure them that existing protections under UK GDPR and the Data Protection Act 2018 remain in place.
- Keep an eye on updates: We will share guidance if new regulations change what practices need to do.