Share
Relevant DUA Act Provisions:
- Law Enforcement: Section 80(3) and Schedule 6 creating Sections 50A to 50D into Part 3 of the DPA 2018
- Intelligence Services: Sections 96 and 97 of the DPA 2018, amended by Sections 96–97 of the DUA Act.
The DUA Act extends the existing automated decision-making (ADM) regime, first introduced by Articles 22A–22D UK GDPR, to Part 3 (law enforcement processing) and Part 4 (intelligence services processing) of the DPA 2018, ensuring consistency across general and sector-specific data protection frameworks.
For law enforcement, Sections 50A–50D DPA 2018
- introduces revised statutory definitions of “solely automated processing” and “significant decision
- A significant decision is defined as one that produces an adverse legal effect or similarly significant adverse effects on the data subject. This narrows the scope of protection compared to the general regime, potentially excluding benign or neutral outcomes from ADM safeguards
- "Solely automated" is defined consistently with the general UK GRPR ADM regime. It now includes an explicit obligation to assess the extent of profiling involved, codifying what was previously a matter of interpretation under case law and regulatory guidance.
- Significant decisions based solely on automated processing are permitted only where required or authorised by law and appropriate safeguards are provided by that law. These safeguards must include, at a minimum:
- the right to human intervention,
- the right to make representations, and
- the right to contest the decision.
- Section 50C provides a qualified exemption: where the relevant law does not include the above safeguards, the controller may still rely on ADM and “reconsider the decision as soon as reasonably practicable” with “meaningful human involvement.” This introduces a post-decision safeguard not found in the EU GDPR.
- ADM involving special category data remains prohibited, unless there is a specific legal basis (e.g. UK statute) or the data subject has given explicit consent, in accordance with Section 50B(4).
For intelligence services, Sections 96 and 97 of the DPA 2018 are revised to reflect the same core structure. The DUA Act introduces new rules as follows:
- Defines “entirely automated decision-making” for the first time under Part 4 (Intelligence Services Processing). It refers to a decision taken solely by automated means, where no person has reviewed, influenced, or authorised the outcome before it takes effect in relation to a data subject.
- A decision must not be based solely on automated decision-making unless it is:
- authorised by law (including internal rules under the Intelligence Services framework); and
- subject to appropriate safeguards that are either set out in that law or established by the controller.
- The safeguards must include the right to:
- human intervention,
- express a view, and
- contest the decision, mirroring the safeguards under Section 50C (law enforcement ADM) and Article 22C (general UK GDPR ADM regime).
- The Act introduces broad exemptions where the application of these safeguards would prejudice national security, public safety, or the prevention or detection of crime. These carve-outs reflect the Intelligence Services' unique statutory context and investigative mandates.
Divergence
Section 50C exemption is a significant divergence from EU law by permitting post-facto human review in lieu of prior (ex-ante) safeguard. The UK’s post-facto human review model contrasts with the EU’s emphasis on proactive human oversight before an automated decision takes effect. The UK’s revised framework under both Part 3 and Part 4 provides statutory clarity but broadens operational discretion in sensitive public functions. Unlike the EU GDPR, which imposes prior conditions for automated decision-making, the UK framework, particularly under Part 4, permits post-facto reconsideration as a fallback safeguard, thereby creating greater operational flexibility for intelligence agencies.
ICO commentary
The ICO welcomes the alignment of ADM principles across general, law enforcement, and intelligence regimes under the DUA Act. It notes that while the exceptions for national security and law enforcement are broader, the new consolidated framework improves legal certainty, especially regarding profiling and the processing of sensitive data. The ICO has indicated that the new structure represents a practical improvement over the former fragmented legislative architecture.
Recommendations
- Map all automated workflows in law enforcement and intelligence systems, particularly those involving profiling or sensitive data.
- Assess whether such processing constitutes “significant decisions” under the new DUA Act definition and implement controls accordingly.
- Maintain auditable records of human-in-the-loop decision-making processes and post-decision reviews where applicable.
- Confirm that ADM involving special category data meets the conditions under Section 50B or 96, including either explicit consent or a statutory basis, and retain clear records so as to ensure that legal bases are properly documented.
- Monitor future ICO guidance and case law regarding the interpretation of “reasonably practicable” threshold for human intervention and reconsideration under Section 50C.
|
This article is part of a twelve-part series analysing the key legal reforms introduced by the Data Use and Access Act (DUA Act), which came into force on 19 June 2025. The series examines the most significant areas of divergence and convergence between the DUA Act and the EU GDPR, drawing on both the legislation itself and provisional guidance from the Information Commissioner’s Office (ICO). Each article provides legal context, highlights regulatory shifts, and offers practical compliance insights. The twelve core areas covered in this series are:
|
United Kingdom