On 11 June 2025, UK Parliament delivered a significant shift in the UK’s approach to data governance. After extensive debate and legislative ‘ping-pong’, the Data (Use and Access) Bill 2025 successfully passed both Houses and now awaits Royal Assent. Since its introduction, we have closely tracked the Bill’s development.
In October 2024, we published an in-depth analysis of its wide-ranging proposals to reshape data protection, enable data access, and support innovation across the UK’s digital economy. We subsequently published a March 2025 update article focusing on the key legal amendments relating to data protection, automated decision-making, and international data transfers.
With the legislative process now concluded, this article turns specifically to two of the Bill’s most significant and innovative pillars: the new Smart Data Schemes regime and the statutory framework for Digital Verification Services, particularly digital identity verification.
This legal briefing will focus on:
1: Smart Data Schemes: legal powers and operational impacts.
2: Digital Services and Digital Verification Services (DVS): statutory framework and compliance implications.
Smart Data Schemes: legal powers and operational impacts
We will first outline the legislative powers underpinning Smart Data Schemes before examining the resulting compliance obligations and market impact for businesses.
Legal basis for Smart Data Schemes
Part 1 of the Bill empowers the Secretary of State to establish sector-specific Smart Data Schemes by secondary legislation. The intention is to build upon the success of Open Banking and extend it to other sectors and industries, and by unlocking access to data, boost public services and grow the UK economy. These schemes will enable government-mandated data sharing between organisations and authorised third parties across multiple sectors, expanding far beyond the existing Open Banking framework.
Key legal features include:
• Ministerial rulemaking powers: The Secretary of State may specify which data sets must be shared, the conditions of access, permitted third-party recipients, and standards for technical interoperability.
• Sectors in scope: Initially targeting financial services, energy, telecoms, transport, retail loyalty programmes, and homebuying services, but capable of future expansion.
• Expanded data types: Unlike GDPR Article 20, portability (focused on personal data), Smart Data Schemes extend to non-personal customer data, usage data, and in some cases business data.
• Technical standards: Statutory instruments will specify data formatting, transfer mechanisms, security protocols, and rectification duties to ensure consistency across providers.
The new statutory regime replaces piecemeal legislative tools such as those under the Enterprise and Regulatory Reform Act 2013, and offers a more robust legal architecture to mandate data sharing where market-led initiatives are insufficient.
There are strong parallels between the Bill’s framework and the EU’s Data Governance Act and Data Act. However, the vision under the Bill is wider and is neither limited to the public sector (in the case of the Data Governance Act), nor focussed on information and communication technology (ICT) providers (as with the Data Act). Consequently the principles of data access and sharing schemes are unified across different sectors, but the details will vary from regulation to regulation.
New Smart Data Schemes will require implementing regulations to take effect. Accordingly, we will not see new schemes emerge until regulations are made.
Compliance requirements and business implications
From a compliance perspective, businesses subject to Smart Data Schemes will face both technical and legal obligations:
- Data standardisation: Organisations will need to cleanse, standardise, and maintain data sets in formats mandated by regulators, often requiring substantial system investment.
- Regulatory supervision: Sector-specific regulators will oversee compliance, with potential enforcement actions for non-compliance.
- Economic opportunities: Proponents such as techUK and the Open Data Institute (ODI) argue that Smart Data could drive £10–30 billion in economic growth through increased competition, better consumer switching, and improved service innovation.
- Interoperability concerns: Without centralised coordination, there is risk of divergent technical standards across sectors. Both ODI and industry stakeholders have emphasised the need for consistent, cross-sectoral governance to avoid fragmentation.
All Smart Data Schemes will operate under the same framework, which provides that customers will have a right to request access to their customer data, relating to goods, services or digital content purchased from a trader, and held by an authorised third party under the scheme. Authorised third parties will be enabled to use the customer data to provide services to the customer, such as personalised market comparisons and automatic switching of supplier. Data holders – defined as traders or any person who processed the relevant data in the course of a business – may be required to provide customer data to customers; or to maintain, store, rectify or make changes to that customer data, in much the same way as a controller has obligations in relation to personal data it controls. The regulations may also require the data holder to share the customer data with third parties, for instance a regulator, or alternative service provider in connection with a switch of service.
It is anticipated that regulations will also make further stipulations for data holders, such as a requirement to comply with specified standards or codes of conduct; using specified facilities or services including dashboard services and application programming interfaces (APIs), and providing information to customers on their rights. Any data holder under a Smart Data scheme which is also a data holder under the EU Data Act, may need to comply with both regimes.
In early 2025, the UK Government held a public consultation on introducing a new Energy Smart Data Scheme. While the focus was in supporting consumers to make choices in a complex market, other use cases were proposed, including capturing data for carbon reporting for businesses and to improve accuracy of EV charging point information. As a result of this groundwork, it would be unsurprising if the first regulations to be made under the Bill establish a Smart Data Scheme for the energy and utilities sector.
Digital services and Digital Verification Services (DVS)
We will first consider the statutory framework for Digital Verification Services and certification requirements, and then examine the compliance implications for providers and users.
Legal basis for Digital Verification Services
Part 2 of the Bill establishes the statutory foundation for the UK’s Digital Verification Services, effectively creating a regulated framework for digital identity providers to operate under government oversight.
Most of us will have already used a digital verification service (DVS) at some point to validate our identity online.
Key features include:
- Certification and registration: DVS providers must obtain certification and registration through a new statutory trust framework managed by the Office for Digital Identities and Attributes (OfDIA), operating under the Department for Science, Innovation and Technology (DSIT).
- Public trustmark: Certified providers will display an official trustmark, signalling compliance with security, privacy, inclusivity, and interoperability standards.
- Ministerial rulemaking: The Secretary of State retains power to update certification criteria and align UK standards with emerging international norms, ensuring long-term regulatory flexibility.
This framework formalises voluntary schemes trialled in recent years into binding legal obligations, creating a trusted national infrastructure for digital identity services.
It is hoped that in setting up a system of certification and oversight, the use of digital ID verification will expand, leading to efficiencies in processes in both public and private sectors, and reduce cost and time spent in administrative tasks. Financial services firms required to perform anti-money laundering checks are particularly likely to benefit from the greater use of trusted DVS providers.
Compliance implications for providers and users
The statutory framework carries significant compliance consequences:
• Certification burden: Providers must meet technical, security, and privacy standards subject to independent audit and ongoing supervision.
• Interoperability requirements: Providers will need to ensure compatibility across public and private sector use cases, including future integration with public services, financial services, and age-verification processes.
• Broader policy scrutiny: The Home Affairs Committee is actively reviewing potential risks and safeguards, particularly in the context of fraud prevention and law enforcement access.
For businesses seeking to become certified DVS providers, early engagement with the OfDIA certification regime will be critical to market entry.
Comments
Although the details remain to be seen, Parts 1 and 2 of the Bill introduce changes which are overall likely to be well received by UK businesses. However, while these reforms carry clear benefits in terms of innovation, consumer choice, and competition, regulated organisations face substantial compliance obligations, requiring technical preparation, governance realignment, and regulatory engagement. In both Smart Data and DVS, the emphasis will shift rapidly from legislative text to secondary regulations and detailed technical standards, which will define the real operational burden for businesses across the UK digital economy.