The Data (Use and Access) Act 2025 (DUAA) introduces several significant changes to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). Here’s a summary of how these changes affect the Children’s Commissioner for England, along with examples of affected areas:

Key Changes and Their Impact

  1. Data Protection by Design: Children’s Higher Protection Matters (Section 81)
    • New Duty for Services Accessed by Children: The Act introduces a duty for information society services likely to be accessed by children to consider their higher protection needs.
    • Impact on the Children’s Commissioner: The Children’s Commissioner will need to ensure that services designed for or accessible by children incorporate these higher protection standards. This includes considering how to protect and support children, acknowledging their varying needs at different ages, and ensuring they understand the risks associated with their data.
  2. Lawfulness of Processing (Section 70; Schedule 4)
    • New Lawful Grounds: The DUAA introduces new lawful grounds for processing personal data, particularly for non-public bodies. These include processing necessary for safeguarding vulnerable people.
    • Impact on the Children’s Commissioner: The Children’s Commissioner can process personal data without the need for a detailed legitimate interests assessment in specific situations, such as safeguarding children or responding to emergencies involving children.
  3. Purpose Limitation (Section 71)
    • Clarified Re-use of Data: The Act clarifies when further processing or re-use of personal data is compatible with the original purpose, including for safeguarding purposes.
    • Impact on the Children’s Commissioner: The Children’s Commissioner can re-use data collected for one purpose (e.g., educational support) for another compatible purpose (e.g., safeguarding) without needing additional consent, provided the lawful ground requirements are met.
  4. Data Subjects’ Rights (Sections 75-78; Section 104)
    • Subject Access Requests (SARs): The Act introduces a “stop the clock” provision for SARs, allowing organisations to pause the response time if they need more information from the data subject.
    • Impact on the Children’s Commissioner: The Children’s Commissioner can manage SARs more effectively, ensuring they have all necessary information before responding, thus reducing administrative burdens and improving response accuracy.
  5. Automated Decision-Making (Section 80; Schedule 6)
    • Permissive Framework: The Act creates a more permissive framework for automated decision-making, with safeguards such as providing information to data subjects and enabling them to challenge decisions.
    • Impact on the Children’s Commissioner: The Children’s Commissioner can use automated systems for decisions affecting children, such as eligibility for services, provided they implement the required safeguards.

Examples of Affected Areas

  • Service Design for Children: Ensuring that digital services and platforms used by children incorporate higher protection standards.
  • Safeguarding: Processing data to protect vulnerable children without extensive assessments.
  • Data Re-use: Using data collected for one purpose (e.g., health monitoring) for another compatible purpose (e.g., safeguarding) without additional consent.
  • Automated Systems: Implementing automated decision-making for service eligibility or support allocation, with necessary safeguards.
  • Subject Access Requests: Managing SARs more efficiently by pausing the response time when additional information is needed.

These changes aim to provide greater clarity, flexibility, and protection in data processing, benefiting the Children’s Commissioner and the children they serve.
