Blog

The new provisions inserted into Section 82 of the DPA 2018 allow the Home Secretary to formally designate law enforcement agencies as processors under Part 4 (intelligence services) in joint operations with MI5, MI6, or GCHQ. This means that Part 4 now applies not only to intelligence services, but also to “qualifying competent authorities” (e.g. police forces, NCA).

The ICO has fined Scottish charity Birthlink £18,000 for the destruction of approximately 4,800 personal records, some of which were irreplaceable. These weren’t just files. They were handwritten letters, photographs, and birth certificates; fragments of identity, belonging, and memory. The loss was not just operational, it was deeply human.

The changes made under the Data (Use and Access) Act (DUAA) 2025 signal a seismic shift in the way law enforcement agencies must think about information governance. From HR departments to intelligence units, automated decision-making (ADM) now sits at the heart of legal compliance and ethical risk. The amends made by DUAA 2025 allow you to use people’s personal information to make significant automated decisions about them in more circumstances, so long as you continue to a

The new s78A, introduced by s88 of the Data (Use and Access) Act (DUAA) 2025 (1), significantly expands the national security exemption under Part 3 of the Data Protection Act (DPA) 2018 (2), which governs law enforcement processing. Here’s a breakdown of what’s changed and what it means for competent authorities.

The Data (Use and Access) Act (DUAA) 2025 introduces critical updates to Subject Access Requests (SARs), specifically for competent authorities operating under Part 3 of the Data Protection Act (DPA) 2018. The changes now enable competent authorities to take longer to respond to requests to access personal information, if you need extra time because of the complexity or number of requests that someone has made. It also makes it clear that you only need to make reasonable sear

The Data (Use and Access) Act (DUAA) 2025 has officially amended the Data Protection Act (DPA) 2018, introducing Section 71A: Codes of Conduct - a provision that could reshape how law enforcement agencies approach data protection compliance. While we await formal guidance from the Information Commissioner, now is the time to unpack what this means, speculate on its impact, and draw parallels with the legal sector’s already-established codes of conduct.

Since the introduction of the UK GDPR and the Data Protection Act (DPA) in 2018, law enforcement agencies have made strides in improving their approach to consent. Yet public trust remains fragile, in no small part due to some relatively recent security incidents involving law enforcement information. The latest legal update - Section 69 of the Data (Use and Access) Act (DUAA) 2025 - reshapes the understanding of consent within law enforcement.

In an era where public trust hinges on transparency and responsibility, organisations face a growing challenge: how to protect personal data while making it count for something greater than operational integrity. At a recent session in York, led by Enterprise Works (University of York), we explored how data protection consultancy work, done with purpose, can become a driver for social value, community impact, and ethical leadership. Here’s how theory and practice meet to sha

The Data (Use and Access) Act 2025 (DUAA 2025) (1) has officially passed and with it comes a shift in how charities can communicate with their supporters. One of the most talked about changes? Charities can now send certain marketing emails without needing explicit consent from individuals. But before you hit “send,” let’s unpack what is actually allowed.

The Data (Use and Access) Act 2025 (DUAA 2025) has officially landed, bringing with it a series of targeted amendments to the UK’s data protection framework. While the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (DPA 2018), and Privacy and Electronic Communications Regulations 2003 (PECR) remain the bedrock of UK data protection legislation, the DUAA 2025 introduces some meaningful updates, particularly around the use of cookies and similar track

Top tips for handling data protection complaints as introduced by Data (Use and Access) Act 2025

In the evolving landscape of data protection, it is vital for UK police forces and all competent authorities (organisations processing personal data for law enforcement purposes) listed under Schedule 7 of the Data Protection Act 2018 (DPA 2018) to remain attentive to legislative developments. The arrival of the Data Use and Access Act 2025 (DUAA 2025) on 19th June 2025 marks a defining moment, particularly in how logging requirements under Section 62 of the DPA 2018 are appr

The Data (Use and Access) Bill officially received Royal Assent on 19th June 2025, marking a significant shift in the UK’s data protection landscape. Now known as the Data (Use and Access) Act 2025 (DUAA 2025), this new legislation brings both exciting opportunities and important responsibilities for organisations handling personal data.

We were delighted to lead a lively and insightful session that blended legal clarity with strategic foresight. And from the buzz in the room to the quality of the conversations, one thing was clear - when you strip away the jargon, data protection becomes not just a compliance obligation, but a serious enabler of trust, growth, and competitive edge.

In today’s digital world, data is one of our most valuable assets. From names and addresses to passwords, financial details or confidential business data, we trust organisations to keep our information safe. But there’s a growing threat that doesn’t rely on breaking through digital defences such as hacking or coding, rather on human interaction and exploiting human vulnerabilities. It’s called social engineering and it’s one of the easiest ways for cybercriminals to get hold

At a time when headlines are heavy with crisis and complexity, Clive’s message was refreshingly clear: it's time for leaders to stop dwelling on what’s broken and start telling a new kind of story - one grounded in purpose, aspiration, and courageous action. As a data protection consultancy, we couldn’t agree more. Because while our industry is often pigeonholed as reactive, regulatory, and rigid, the truth is far more empowering: data protection, when done well, is a strat

When headlines break about confidential military documents strewn across a Newcastle street, the implications go far beyond shock value. They spotlight a critical but often under-addressed vulnerability in many organisations: the unmanaged print environment. In a digital-first world, print should no longer be an afterthought. Yet, when sensitive information is printed without control or oversight, it becomes dangerously exposed...

Data Protection Impact Assessments (DPIAs) are more than a compliance checkbox—they’re a strategic tool for driving measurable benefits. When aligned with the Benefits Realisation methodology, DPIAs can transform organisational changes into success stories.

The recent revelation of a former GCHQ intern unlawfully accessing and removing classified data, including the names of intelligence officers (1), is not just a breach of national security - it’s a wake-up call to every organisation handling sensitive or personal data. It reinforces a stark truth: no organisation is immune to insider threats.

Inside, we were immersed in a space alive with curiosity, connection, and shared stories. A gathering of entrepreneurs, creatives, tech innovators and those driving change asking one simple question: How do ideas become real? The common thread was clear - every success began with solving a problem, not selling a solution. And the lessons we took away reaffirmed much of what we believe about how meaningful, human-centric consultancy is delivered.