DUAA 2025 amendment to DPA 2018: definition of consent for law enforcement

Since the introduction of the UK GDPR (1) and the Data Protection Act (DPA) (2) in 2018, law enforcement agencies have made strides in improving their approach to consent. Yet public trust remains fragile, in no small part due to some relatively recent security incidents involving law enforcement information.

At the same time, many in-house Data Protection Officers already champion the UK GDPR’s Article 7 standard - pressing their organisations to:

• Build clear, standalone consent modules in digital and paper forms

• Train front-line officers on empathetic consent dialogues

• Audit and refresh consent records regularly

Their proactive approach demonstrates that policing can meet and even exceed best practices in consent management. And yet, some may still feel compelled to consent (3): leaving law enforcement confused as to whether saying “yes” on a witness statement genuinely means giving informed consent or simply complying under pressure.

Let’s look at how the latest legal update - Section 69 of the Data (Use and Access) Act (DUAA) 2025 (4) - reshapes the understanding of consent within law enforcement.

Consent in law enforcement now 

DUAA 2025 inserts the following into section 33 (other definitions) of the DPA 2018:

“(1A) “consent” of the data subject to the processing of personal data means a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data…”

You may notice the similarities between this, and the existing Article 4(11) of the UK GDPR definition:

“‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

This means, that “law enforcement consent” previously rather ambiguous and often understood to be an “acknowledgement” of how one’s personal data is processed rather than a genuine choice, can now be reviewed in line with the clear expectations.

Key legal conditions to watch

As with any processing, consideration of whether ‘consent’ is the most appropriate lawful basis must be made, and where it is relied on, consent management (including consent refresh and withdrawal) processes must be built in.

Where a stronger lawful basis exists, for example that grounded in law, this would likely be more appropriate to rely on. And this is where Section 69(4) of DUAA 2025 comes in, making it easier to make considerations on whether consent is an appropriate lawful basis.

It inserts Section 40A into the DPA 18, specifying the conditions for consent as follows:

• The controller must be able to demonstrate that the data subject consented to the processing;

• If the consent is given in writing, as part of a document which concerns other matters, the request for consent must be: clearly distinguishable from the other matters, in an intelligible and accessible form, and in clear and plain language. If this is not complied with, the consent is not binding.

• The data subject must be able to withdraw consent at any time in as easy a manner as it was to give consent. The consent withdrawal will not affect the lawfulness of processing in reliance on the consent before its withdrawal.

• When assessing whether consent is freely given, account must be taken of the likes of the following; whether the provision of a service relies on consent to processing of personal data not needed for the provision of the service.

Sound familiar? Well, it should. Take a look at Article 7 of the UK GDPR below:

“Article 7 Conditions for consent

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

The four pillars of valid consent can therefore be summarised as:

• Demonstrate it: You must show proof that a data subject actually consented.

• Distinguish it: If you bury consent in a longer form, the request must stand out in clear, plain language. If it’s hidden in legalese, it’s invalid.

• Withdraw effortlessly: Saying “I change my mind” must be as easy as saying “I agree.” Past lawful processing stays valid, but new access must stop.

• Ensure free will: Consent is void if it’s tied to unrelated services or if power dynamics (officer-victim, employer-employee) distort the choice.

  
  

What this means for practice

This change sharpens the spotlight on accountability. While many forces already aim for GDPR-level compliance, DUAA removes any doubt: the same high standard of consent applies across the board. That’s the same gold-standard as Article 4(11) and Article 7 of the UK GDPR, now explicitly embedded into law enforcement practice. No more ambiguity: ticking a box must be a conscious “yes,” not a default “fine”.

This amendment fully embodies the intention of the data protection laws: to give the data subject true control over their personal information.

To help law enforcement practitioners navigate this shift, here’s what must be done:

• Give genuine choice: Consent must be a genuine choice, without any detriment to the individual for refusing or withdrawing it. If consent is a condition for accessing a service or if there's an imbalance of power (e.g., police officer-victim of a crime, or employer-employee), it may not be considered freely given. Consent is also not indefinite.

  • Law enforcement, as any other organisation, should regularly review and refresh consent if it is being relied upon. With the update to the law, now may be an opportune time to review your processes, training, templates, conduct a consent audit and drive your compliance.

• Transparency: Individuals must be fully informed about what they are consenting to. This includes the specific purposes of processing, the types of data involved, and the controller's identity. Don’t take the latter for granted – the data subject who you’re dealing with as a law enforcement agency is likely seeking your support at a vulnerable time in their lives so they may not know the specifics of who you are and the remit of your responsibilities. Vague or ambiguous requests are invalid.

  • You should consider practicalities around how the privacy information is provided; for example, if you’re asking someone to sign a paper consent form, it may be more complaint to meet your transparency obligation by providing a printed copy of the privacy notice, and allowing the data subject to keep it for future reference.

• Pause and choose a different lawful basis if needed: If law enforcement can achieve the same purpose using a different lawful basis, consent is not the appropriate basis for processing. Consent isn’t the only lawful ground for processing personal data. In many investigations, law enforcement can rely on statutory powers or public interest grounds.

  • If you can retrieve medical records or other information under clear legal authority, don’t ask for consent as a shortcut. If you must seek consent, ensure the individual understands what information is being accessed, for what purpose, and that they have a genuine choice to refuse.

  • Bundled purposes? Split them or switch to a more fitting lawful basis.

    
    

What happens when things go wrong?

As with anything, there are consequences of getting it wrong. The Information Commission (as it will be known) is responsible for enforcing the UK data protection laws. If law enforcement obtains invalid consent, the Information Commission can take action, including issuing fines.

Even if it doesn’t get this far, don’t forget that individuals can also challenge law enforcement actions if they believe their consent was not validly obtained. This can lead to reputational and operational risks.

Beyond compliance

In essence then, while law enforcement can rely on consent, they must do so carefully, ensuring it is freely given, informed, and appropriate, and that they are not misusing exemptions or failing to consider alternative lawful bases for processing.

The updated DPA 2018 under DUAA isn’t just a checkbox exercise. It’s an invitation to rebuild trust at every interaction. When individuals knows exactly what they’re agreeing to, and feels free to refuse, they become a partner, not just a form-filler. That partnership fuels better evidence, stronger community relations, and fewer legal headaches.