Blog

The new provisions inserted into Section 82 of the DPA 2018 allow the Home Secretary to formally designate law enforcement agencies as processors under Part 4 (intelligence services) in joint operations with MI5, MI6, or GCHQ. This means that Part 4 now applies not only to intelligence services, but also to “qualifying competent authorities” (e.g. police forces, NCA).

The ICO has fined Scottish charity Birthlink £18,000 for the destruction of approximately 4,800 personal records, some of which were irreplaceable. These weren’t just files. They were handwritten letters, photographs, and birth certificates; fragments of identity, belonging, and memory. The loss was not just operational, it was deeply human.

The changes made under the Data (Use and Access) Act (DUAA) 2025 signal a seismic shift in the way law enforcement agencies must think about information governance. From HR departments to intelligence units, automated decision-making (ADM) now sits at the heart of legal compliance and ethical risk. The amends made by DUAA 2025 allow you to use people’s personal information to make significant automated decisions about them in more circumstances, so long as you continue to a

The new s78A, introduced by s88 of the Data (Use and Access) Act (DUAA) 2025 (1), significantly expands the national security exemption under Part 3 of the Data Protection Act (DPA) 2018 (2), which governs law enforcement processing. Here’s a breakdown of what’s changed and what it means for competent authorities.