Navigating joint processing provisions introduced by Data (Use and Access) Act (DUAA) 2025

The new joint processing provisions introduced by Section 89 of the Data (Use and Access) Act 2025 (DUAA) 2025 (1) significantly expand the scope of Part 4 of the Data Protection Act (DPA) 2018 (2), which governs processing by intelligence services.

As the DUAA lands, law enforcement agencies are encountering a regulatory reality that’s as complex as their operational environments. The new provision introduces a quiet but powerful shift: for the first time, police forces and other competent authorities may be designated to process personal data under intelligence services rules, but only when working jointly with those services to safeguard national security.

If that sentence made you raise an eyebrow, you’re not alone. This change challenges the foundations of information governance in law enforcement, and Data Protection Officers (DPOs) are recalibrating.

What’s new?

The new provisions inserted into Section 82 of the DPA 2018 allow the Home Secretary to formally designate law enforcement agencies as processors under Part 4 (intelligence services) in joint operations with MI5, MI6, or GCHQ. This means that Part 4 now applies not only to intelligence services, but also to “qualifying competent authorities” (e.g. police forces, NCA).

This designation allows them to process personal data under intelligence services rules, but only:

• when working jointly with an intelligence service as joint controllers;

• where the processing is necessary to safeguard national security; and

• the arrangement is formally approved via a designation notice.

This designation:

• must be necessary to safeguard national security;

• applies only to joint controller arrangements;

• is granted via a designation notice with clear scope, justification, and review criteria.

A designation notice must:

• be jointly applied for by the law enforcement agency and the intelligence service;

• describe the processing, purposes, and means;

• justify why national security requires the designation;

• be reviewed annually by the Home Secretary;

• be published by the ICO (unless redacted/withheld for national security reasons).

Notices last up to 5 years, unless:

• a shorter period is specified;

• withdrawn earlier by the Home Secretary;

• replaced by a new designation.

Why this changes everything

For DPOs and governance leads, this isn’t just a legal footnote, it’s a regime-switching moment.

This provision creates a legal bridge between law enforcement and intelligence services, enabling coherent data governance in joint operations. But it also introduces complexity: DPOs must be vigilant in tracking when and how data moves between regimes, and ensure that appropriate safeguards are in place at every step.

Your privacy notices, DPIAs, and joint controller agreements must reflect not just compliance, but clarity across regimes.

Strategic implications for DPOs

1. Regime navigation

• DPOs must now navigate under Part 3 and Part 4 of the DPA 2018, depending on the nature of operations.

• This requires regime-switching fluency i.e. knowing when intelligence service rules override law enforcement norms, and ensuring staff understand the shift.

2. Proactive risk management

• Designation under Part 4 introduces reduced data subject rights and expanded exemptions increasing reputational and legal risk.

• DPOs must anticipate scrutiny from the ICO and the public, especially where transparency is limited.

• Strategic mitigation includes robust DPIAs, clear audit trails, and scenario-based justifications.

3. Governance realignment

• Joint controller arrangements under s104 DPA 2018 must be revisited and formalised.

• DPOs should lead on:

  • drafting or reviewing joint processing agreements;

  • ensuring role clarity between agencies;

  • embedding accountability mechanisms across both regimes.

4. Strategic influence and advisory role

• DPOs must now operate as strategic advisors, not just compliance monitors.

• This includes:

  • Briefing senior leaders on the implications of designation;

  • Advising operational teams on lawful data use under intelligence service rules;

  • Shaping internal policy to reflect dual obligations.

5. Training and culture change

• Staff may be unfamiliar with Part 4 obligations. DPOs must design and deliver tailored training.

• This is a chance to embed a culture of ethical vigilance, especially where national security is invoked.

6. ICO engagement and public trust

• DPOs are the interface with the ICO on designation notices and oversight.

• They must also manage public trust, especially where transparency is limited due to national security.

• Strategic messaging and trust-building communication are essential.

Next steps for Law Enforcement DPOs

• Trace the boundaries of joint operations: Not every collaboration with intelligence services qualifies. You need clear protocols.

• Map your data lifecycle: Know when and how your agency flips into Part 4 and what that means for safeguards and transparency.

• Formalise your joint controller arrangements: Informal understandings won’t suffice. The law demands documented accountability.

• Train your teams for regime-switching: From frontline officers to IT admins, they need to know what changes when Part 4 applies.

• Prepare for ICO scrutiny and public questions: Even where transparency is restricted, your rationale must be rock-solid.