
Data Use and Access Act 2025 (DUAA 2025): what UK Law Enforcement needs to know about the amended logging requirements

Updated: Jul 23

The amendment, practical implications, and next steps for Competent Authorities.

A screenshot of the title page of the Data (Use and Access) Act 2025.

In the evolving landscape of data protection, it is vital for UK police forces and all competent authorities (organisations processing personal data for law enforcement purposes) listed under Schedule 7 of the Data Protection Act 2018 (DPA 2018) to remain attentive to legislative developments. The arrival of the Data Use and Access Act 2025 (DUAA 2025) on 19th June 2025 marks a defining moment, particularly in how logging requirements under Section 62 of the DPA 2018 are approached. This blog post examines what has changed, the practical implications for day-to-day operations, and what Competent Authorities should do next.


The new legislation: what has changed?

Section 62 of the DPA 2018 originally imposed stringent logging obligations on competent authorities, requiring comprehensive, real-time records to be kept of every consultation (viewing) and disclosure (sharing) of personal data for law enforcement purposes. Whether it was viewing the record for reference or to update it, or sharing the information via screen sharing, printing, screen grabs, or providing verbal updates, all of these actions (and more) were required to be accompanied by a justification, provided in real time by the user (Officer). The spirit of these rules was to ensure transparency, traceability, and accountability.


However, a key amendment made by Section 82, Part 5 (Data protection and privacy) of the DUAA 2025 (1) removes the need for a justification for the consultation (viewing) and disclosure (sharing) of personal data for law enforcement purposes, as outlined under Section 62 of the DPA 2018 (2). Section 142(3)(b) confirms that this comes into force 2 months after the DUAA 2025, so from August 2025.


The new legislation: what hasn’t changed?

The requirement to maintain exhaustive real-time logs for each access and use of personal data has been reduced; however, the following requirements of Section 62 of the DPA 2018 remain unchanged:

  • the logs kept may still only be used for one or more of the following purposes:

    o to verify the lawfulness of processing;

    o to assist with self-monitoring, including the conduct of internal disciplinary proceedings;

    o to ensure the integrity and security of personal data;

    o the purposes of criminal proceedings.

  • the logs must be made available to the Commissioner on request.


Practical implications for police and other law enforcement agencies

This amendment is designed to be pragmatic, recognising the operational realities faced by frontline and support staff. Here are some of the ways in which Competent Authorities may be affected:

  • Reduced administrative overhead: from August 2025, staff will no longer need to record every activity in real time, freeing up resources and reducing the risk of human error or incomplete logs during busy periods.

  • Continued audit readiness: organisations must continue to ensure that new logging systems are robust enough to support retrospective investigations, internal audits, or responses to external scrutiny. Therefore:

    o Logging requirements must remain at the forefront of considerations when implementing new software. This means Competent Authorities must still undertake a high level of due diligence prior to implementing new systems for law enforcement data, and must ensure they have policies and procedures in place to facilitate this, such as data protection impact assessments, documented non-functional system requirements and procurement standards.

    o There is no reduction in the expectation of traceability, transparency and accountability, so Competent Authorities must continue to tell their data subjects about the data that is collected for logging purposes. Competent Authorities must also ensure that they act on any causes of concern identified within the logs, which means resource has to be allocated to reviewing the logs.

  • Training and policy updates: staff at all levels will require updated guidance and potentially new training to ensure the correct use of revised logging protocols, especially if documented policies and procedures are reviewed and updated. Old habits may need to be consciously unlearned.


Next steps

To adapt to these changes swiftly and effectively, consider the following actions:

  • Review and update policies: examine any and all internal data access and use policies to ensure alignment with the DUAA 2025. This should include any retention policies for audit logs.

  • Upgrade technical systems: work with IT teams and vendors to configure logging systems, ensuring these systems are secure, reliable, and audit-ready.

  • Communicate clearly: inform all relevant personnel about the changes, emphasising that while logging methods are evolving, accountability and the legal requirement to justify all data access remain unchanged.

  • Audit and test: perform internal audits of new systems, simulate requests for records, and ensure the organisation can still meet regulatory and legal demands for traceability. You may wish to consider scheduling in monitoring activity and dip sampling of records. This should feature in your reports to oversight groups to assure the organisation of compliance in this area.

  • Engage stakeholders: liaise with the Information Commissioner’s Office (ICO) and other oversight bodies to confirm compliance and resolve any ambiguities in the new requirements. The ICO are likely to publish updated guidance on law enforcement responsibilities in due course (3), but if you need guidance or a sense check ahead of this, don’t forget to utilise their helpline!

  • Clarified accountability: reducing the logging burden does not diminish the ultimate accountability of organisations and individuals handling data under DPA 2018 and DUAA 2025. Every data access and processing activity must still be justifiable and documented to the appropriate standard.


Final thoughts

The Data Use and Access Act 2025 signals a more practical approach to data logging for UK law enforcement, recognising the dynamic demands placed on modern policing and law enforcement in general. While the real-time administrative burden is reduced, the responsibility for lawful, justifiable, and transparent data use is as great as ever.


Competent Authorities must seize this opportunity to modernise their practices, ensuring that operational agility goes hand-in-hand with unwavering accountability.

The road ahead offers more flexibility, but not less responsibility. Stay vigilant, stay compliant, and ensure your systems and staff are ready for this new era in data governance.


References

(1) HM Government (2025). Data (Use and Access) Act 2025. Available at: https://www.legislation.gov.uk/ukpga/2025/18/introduction/enacted (Accessed: 20 June 2025).

(2) HM Government (2018). Data Protection Act 2018. Available at: https://www.legislation.gov.uk/ukpga/2018/12/section/62 (Accessed: 20 June 2025).

(3) Information Commissioner’s Office (2025). Our plans for new and updated guidance. Available at: https://ico.org.uk/about-the-ico/what-we-do/our-plans-for-new-and-updated-guidance/ (Accessed: 20 June 2025).

 
