Data Use and Access Act 2025 - what it means for general practice

Professional Reference articles are designed for health professionals to use. They are written by UK doctors and based on research evidence, UK and European Guidelines. You may find one of our health articles more useful.

The Data (Use and Access) Act 2025 is now law in the UK. Introduced as part of the government’s digital strategy, it updates the rules around how personal data is used, shared, and protected across sectors - including healthcare.

For GP practices the Act has significant implications, particularly in how you manage patient information, respond to data requests, and interact with third-party services.

The Act does not replace the UK GDPR or the Data Protection Act 2018, but it makes important changes to how these laws are applied. Much of it will come into force over the next year, so general practices should start preparing now.

Here’s what the new legislation means for you, your team, and your patients.

More flexibility in handling access requests

GP practices often deal with data subject access requests (DSARs) - especially from patients who want to see their full medical record. Under current rules, practices have one calendar month to respond, which can be difficult when dealing with large files or vague requests.

The new Act allows you to pause the one-month deadline if the request lacks key details or needs clarification. Known as 'stopping the clock', this gives practices time to ask for more information before the countdown resumes.

This change is especially useful when a patient asks for 'all information' without specifying a timeframe or topic. It gives your admin team a better chance to manage expectations and respond accurately.

What you should do:

  • Update your internal procedures to include this new flexibility.

  • Make sure staff know when and how to request clarification.

  • Document all pauses clearly in case you’re audited or challenged.

A new lawful basis - recognised legitimate interests

One of the most significant updates is the introduction of 'recognised legitimate interests' as a lawful basis for processing personal data. Previously, most GP data processing relied on public task, legal obligation, or consent.

This new basis allows organisations to process data without consent where the activity is in the public interest and where safeguards are in place. Examples include safeguarding, public health protection, serious crime prevention, and responding to emergencies.

For GPs, this may provide a clearer legal route for sharing data quickly with social care, safeguarding leads, or the police - especially when waiting for formal legal instructions could delay action.

However, this doesn’t remove the need for proper documentation - you’ll still need to:

  • Explain the purpose of the data use.

  • Ensure it’s proportionate and necessary.

  • Record your decision-making process.

This is not a shortcut, but it does allow you to act more confidently when immediate data sharing is required for public protection.

International data transfers: a more practical approach

Previously, you could only transfer personal data outside the UK to countries with an official “adequacy decision.” This made it harder to use software or services hosted abroad.

The DUAA replaces that model with a risk-based approach. You can now transfer data to non-UK countries if you're satisfied that the protections in place are not "materially lower" than UK standards.

This is particularly relevant for practices using:

  • Cloud-based patient record systems.

  • Online booking platforms.

  • Email, SMS, or video consultation tools that store data overseas.

You’ll need to assess the safeguards and possibly update your contracts or data protection impact assessments (DPIAs).

Action for practices:

  • Identify where your patient data is stored and processed.

  • Work with your suppliers to confirm compliance with the new risk-based standard.

  • Keep records of your assessments.

Research and smart data: new opportunities on the horizon

The Act makes it easier for personal data to be used in scientific research by commercial companies, as long as the purpose is clear and appropriate safeguards are in place.

This opens the door for practices to support a wider range of research projects, including partnerships with universities, NHS trusts, and health tech companies. It could make it easier to participate in data-led initiatives to improve population health or service design.

The legislation also lays the groundwork for smart data schemes - secure, regulated systems where people can allow approved third parties to access their data for specific purposes.

While this is still in development, smart data in health could eventually allow patients to:

  • Share parts of their health record with digital tools or apps.

  • Access personalised services using real-time information.

  • Transfer records more easily between services.

Practices aren’t expected to implement anything yet, but you should be aware that these schemes are likely to appear in the next few years.

Stronger ICO oversight and a duty to handle complaints

The Information Commissioner’s Office (ICO) will have greater powers to audit and investigate organisations, including GP practices.

At the same time, all organisations must now provide a clear and accessible route for people to complain if they believe their data has been misused or mishandled. You’ll need to respond to these complaints within 30 days.

This applies even if the complaint is about how long data is retained, how it’s shared, or what’s written in a patient record.

What you need to do:

  • Update your privacy notice with a clear complaints section.

  • Add a simple form or contact route on your website.

  • Train staff on how to log and respond to data complaints.

If a complaint isn’t resolved, patients can escalate to the ICO - and the practice may face inspection or enforcement.

What GP practices should do now

Although many parts of the Act won’t be enforced until 2026, it’s important to prepare in advance. Here’s a practical checklist to guide your next steps:

  • Review and update your DSAR policy, including how to use the stop-the-clock feature.

  • Check your privacy notice - does it explain lawful bases, data sharing, and complaints clearly?

  • Map your data flows, especially for international transfers.

  • Speak to your IT and clinical system suppliers about how they meet the new data standards.

  • Train your team, particularly on safeguarding-related data sharing and complaint handling.

The bigger picture: digital confidence and patient trust

The Data Use and Access Act 2025 is part of a wider government agenda to simplify data law and support innovation. For GP practices, it brings new opportunities to share data more confidently and collaborate in research and digital services.

But it also raises expectations around transparency, responsiveness, and professional accountability. How you prepare now will influence your compliance and your patient relationships in the years to come.

If your practice would benefit from a data protection review, template updates, or help with team training, your local LMC or federation may already have resources in place.

The information on this page is written and peer reviewed by qualified clinicians.
