Relevant DUA Act Provision: Section 67-69; introduces new Article 8A and Chapter 8A (Articles 84A–84D) UK GDPR; amends Article 4(23), Article 5(1)(b), and Article 6(2) UK GDPR.
The DUA Act introduces a structured legal framework for processing personal data for scientific, historical, and statistical purposes (“RAS purposes”), significantly enhancing legal certainty for data reuse. The reform includes:
- Definition and scope of scientific research:
Section 67 amends Article 4 UK GDPR to clarify that “processing of personal data for the purposes of scientific research” includes:
“any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity”
The DUA Act affirms that this includes technological development, fundamental or applied research, and public health studies. Historical research may include processing for the purposes of genealogical research while ‘statistical purposes’ includes processing for statistical surveys or for the production of statistical results where the output is aggregate and non-identifying data that is not personal data, and the controller does not use the personal data processed or the data that results from the processing to support decisions about particular data subjects to whom the personal data relates.
Consent for scientific research: Section 68 amends Article 6(2) UK GDPR to permit broad consent in research contexts. Where specific purposes cannot be fully identified at the time of consent, consent may still be valid provided it:
- Is consistent with generally recognised ethical standards in the research field.
- Offers, where feasible, the option to consent only to part of the research.
This approach aligns with Recital 33 GDPR but codifies it as binding UK law.
- New Chapter 8A: legal basis and safeguards: Section 69 inserts Chapter 8A (Articles 84A–84D UK GDPR) to govern RAS processing:
- Article 84B: Conditions for lawful further processing
Processing for RAS purposes is permitted only if:
- The processing includes collection of personal data (from the individual or otherwise).
- The data is converted into non-identifiable information.
- The RAS purpose could not be fulfilled without the processing. - Articles 84C: Appropriate safeguards
Controllers must apply safeguards for the rights and freedoms of data subjects, including:
- Pseudonymisation
- Data minimisation
- Functional separation from other purposes - Article 84D: Secretary of State powers. The Secretary of State may make regulations to clarify what constitutes appropriate safeguards under Art 84B(2). but may not amend the substantive safeguards under Article 84C(2) to (4).
- Article 84B: Conditions for lawful further processing
- Compatibility presumption under Article 5(1)(b): The DUA Act amends Article 5(1)(b) to introduce a statutory presumption of compatibility for processing carried out for RAS purposes. . This presumption only applies where the specific conditions under Article 84B are met, namely, that personal data is collected, rendered non-identifiable, and the RAS purpose cannot reasonably be fulfilled without the processing. In addition, the controller must implement appropriate safeguards under Article 84C, such as pseudonymisation and data minimisation. This reform codifies what was previously implied in Recital 50 of the GDPR, but not legally binding. By embedding these criteria in primary legislation, the DUA Act creates a rules-based framework that provides legal certainty and reduces the need for re-consent or new lawful bases when data is reused, provided the statutory requirements are met.
This reform has material implications for universities, research institutions, and private research and development entities seeking to reuse data for longitudinal studies or health research. The DUA Act does not, however, expand the definition of “scientific research”, which remains consistent with the GDPR and the European Data Protection Board (EDPB) guidelines (e.g., EDPB Opinion 3/2019). Therefore, purely commercial objectives cloaked as research are unlikely to benefit from the presumption.
The DUA Act clarifies the need to apply safeguards under the new Chapter 8A provisions. Further it does not exempt research processing from other GDPR principles, such as transparency and accountability. As such, the presumption of compatibility does not negate the need for DPIAs or records of processing.
Divergence
While Recital 50 of the GDPR hints at compatibility for research purposes, it does not go as far as creating a statutory presumption. The DUA Act formalises this compatibility in binding law with new Articles 84B–84D and amending Article 5(1)(b). This reflects a UK shift toward a rules-based regime, diverging from the more interpretive EU approach. This reduces ambiguity in the UK but may complicate interoperability for multinational research projects subject to both UK and EUGDPR.
ICO Commentary
The ICO supports the DUA Act’s reforms on processing for scientific, historical, and statistical purposes. In its parliamentary response, it praised the changes as significantly “easier to navigate and understand”, while its official guidance highlights that the Act “makes it clearer when you can use personal information for the purposes of scientific research, including commercial scientific research. However, the ICO stresses that organisations must still apply appropriate safeguards, maintain transparency, and remain accountable, as evidence of compliance may be scrutinised during investigations.
Recommendations
- Review all further processing operations and determine whether they qualify as scientific, historical, or statistical under Article 89(1) and Article 4, as clarified by section 67 of the DUA Act.
- Where they do, document technical and organisational safeguards to ensure data minimisation (e.g., access controls, purpose limitation, pseudonymisation).
- Update privacy notices and internal records to reflect to reflect reuse for research, archiving, or statistical purposes under Chapter 8A.
- Conduct DPIAs where data minimisation or aggregation cannot be guaranteed at the outset, particularly in mixed-purpose research.
- Monitor regulations issued by the Secretary of State under Article 84D for sector-specific safeguard standards.
This article is part of a twelve-part series analysing the key legal reforms introduced by the Data Use and Access Act (DUA Act), which came into force on 19 June 2025. The series examines the most significant areas of divergence and convergence between the DUA Act and the EU GDPR, drawing on both the legislation itself and provisional guidance from the Information Commissioner’s Office (ICO). Each article provides legal context, highlights regulatory shifts, and offers practical compliance insights. The twelve core areas covered in this series are:
|