Law enforcement codes of conduct: s71A of the DPA 2018 as introduced by DUAA 2025

The Data (Use and Access) Act (DUAA) 2025 (1) has officially amended the Data Protection Act (DPA) 2018 (2), introducing Section 71A: Codes of Conduct - a provision that could reshape how law enforcement agencies approach data protection compliance.

While we await formal guidance from the Information Commissioner (3), now is the time to unpack what this means, speculate on its impact, and draw parallels with the legal sector’s already-established codes of conduct.

Section 71A: a new chapter for Law Enforcement data ethics

Section 71A empowers experts in the public sector (those deemed by the Commissioner to have sufficient knowledge and experience) to draft sector-specific codes of conduct for law enforcement processing under Part 3 of the DPA 2018. These codes, once approved and published by the Commissioner, can cover:

• Lawful and fair processing

• Data collection practices

• Transparency obligations

• Data subject rights

• Breach notification procedures

• International transfers

• Dispute resolution mechanisms

Importantly, adherence to an approved code may serve as evidence of compliance for controllers and processors, a welcome shift toward clarity and accountability.

Why this matters for law enforcement

Law enforcement processing often involves sensitive personal data, complex operational contexts, and heightened public scrutiny. A tailored code of conduct could:

• Standardise expectations across forces and agencies

• Support internal audits and compliance monitoring

• Enhance public trust through transparent practices

• Reduce ambiguity in interpreting legal obligations

But there are caveats.

The waiting game: no guidance, yet

The Information Commissioner’s Office (ICO) has not yet published formal guidance on Section 71A. And realistically, it will be a while yet before the Commissioner approves any codes under Section 71A. The generic code of conduct guidance (4) indicates a strict approval criteria is in place, and there is no reason the expectation for the law enforcement code would be any different.

The representative bodies for law enforcement, such as the National Police Chiefs Council (NPCC) will be able to draw up, and put forward for approval, codes of conduct that identify and address data protection issues that are important to their forces. But not yet. They can however, consider engaging with sector bodies, legal experts, and internal governance teams to prepare draft frameworks that reflect their unique processing activities.

This leaves law enforcement agencies in a holding pattern - aware of the change, but unsure how to operationalise it.

Lessons from the legal sector

In October 2024, the ICO approved the Association of British Investigators Limited UK GDPR Code of Conduct for Investigative & Litigation Support Services (5) conduct according to Article 40(5) of the UK General Data Protection Regulation (6).

Since then, the legal profession has been able to become a member of the code. The code includes advice, guidance, and practical examples in relation to:

• the roles and responsibilities of code members when acting as controllers, joint controllers or processors;

• Data Protection Impact Assessments (DPIAs);

• identification of the lawful basis for processing personal data;

• legitimate interests assessments; and

• consent to share when tracing and locating individuals in certain cases.

The following illustrates what the legal sector code currently emphasises and what this could look like in a law enforcement code:

The legal sector’s experience shows that codes of conduct can foster ethical culture, and public confidence, all of which are needed in law enforcement data practices (7) (8).

Risks and considerations

While codes of conduct offer promise, they also raise questions:

❌ Fragmentation: Will different forces have a different appetite for the codes?

❌ Over-reliance: Might adherence to a code be used to mask deeper compliance issues which may not be covered by the code?

❌ Lack of agility: Could codes become outdated as technology and threats evolve?

These risks underscore the need for ongoing review, stakeholder consultation, and Commissioner oversight.

Final thoughts

Section 71A is more than a legislative tweak, it’s an invitation to co-create ethical, practical, and transparent data protection standards for law enforcement. While we await the Commissioner’s next move, the sector should seize this moment to shape the future of compliance from the inside out.

If you're a law enforcement professional, regulator, or data protection officer, now’s the time to start the conversation. Because when it comes to trust, how we handle data is how we’re judged.

We’re here to help. We offer tailored briefings, hands-on workshops, and strategic reviews to help law enforcement bodies prepare for the incoming Codes of Conduct. Whether you're looking to draft an internal framework, benchmark existing practices, or engage stakeholders in meaningful dialogue - we’ll equip you with the tools to lead, not lag.

Use our "contact us" form, email or call, to schedule a discovery session and explore how your organisation can shape the future of data ethics with confidence.