The Data (Use and Access) Act 2025 (“DUAA”) represents the UK’s first major reform of data protection law since leaving the EU. The Act aims to modernise the UK’s data protection framework by reducing administrative burdens on businesses, supporting innovation and maintaining high standards of data protection while enhancing the UK’s position as a competitive destination for data-driven industries.

As most of the data protection reforms introduced by the DUAA came into effect on 5 February 2026, life sciences companies should consider how the new framework reshapes their data protection compliance. While the DUAA introduces new rules, it also creates opportunities for the sector.

New rules introducing opportunities for the life sciences sector:

  • Introduction of Research Definition and Broad Consent

The DUAA codifies what constitutes scientific, historical, and statistical research, making previously interpretative recitals legally binding. For life sciences companies, this brings welcome clarity. Scientific research includes commercial research, as well as technological development that can reasonably be described as scientific. Public health research, however, must now be conducted in the public interest to qualify.

In parallel, the DUAA formally recognises the concept of “broad consent” for scientific research, allowing individuals to consent to the use of their personal data for an “area of scientific research” rather than for specific, narrowly defined studies. This approach is available where it is not possible to identify the precise purpose of the research at the point consent is obtained, provided that seeking consent at this level aligns with generally recognised ethical standards for the relevant field and that individuals are given the option to limit their consent to particular aspects of the research.

This development is particularly relevant for long-term biobanks and multi-phase clinical trial programmes, where future research uses may not be fully known at the point of data collection.

  • New Recognised Legitimate Interests Legal Basis

A new legal basis for processing emerges: “recognised legitimate interests”. Unlike standard legitimate interests, this basis requires no balancing test, streamlining compliance for qualifying activities. Recognised legitimate interests include, among others, safeguarding vulnerable individuals, responding to emergencies, and crime prevention and detection (as further defined in Schedule 4 of the DUAA). For life sciences companies, the “safeguarding vulnerable individuals” provision could potentially apply to patient safety monitoring programmes for paediatric populations or adults with cognitive impairments participating in clinical trials.

  • Restructuring of Purpose Limitation for Personal Data Reuse

Schedule 5 of the DUAA introduces a list of purposes that companies can assume are compatible with the original collection purpose when reusing personal data. Importantly, for personal data originally collected based on the data subject’s consent, companies can only rely on Schedule 5 if it’s not reasonable to obtain an additional consent for the new use.

For example, the purpose to “protect vital interests”, as listed in Schedule 5, may support the use of patient data to protect life or health in urgent circumstances, which could be relevant in the context of adverse event responses or emergency medical interventions, without obtaining additional consent.

The Schedule 5 pathway may also be of particular relevance for certain retrospective research activities. In situations where re-consenting participants from historical studies would be impracticable – for example, where participants are deceased, untraceable, or very numerous – companies may seek to demonstrate that obtaining an additional consent is unreasonable and consider whether reliance on a compatible purpose could be appropriate for secondary analyses.

Other changes include:

  • Automated Decision-Making Expansion: The DUAA significantly expands automated decision-making capabilities, allowing broader use with appropriate safeguards. However, this expansion does not apply to special categories of data. For life sciences companies, automated decision-making using health information remains subject to the same restrictions as before: companies must obtain explicit consent or rely on specific legal authorisation with suitable safeguards. AI-driven diagnostic tools, and clinical decision support systems making automated decisions based on health data, are therefore unaffected by the DUAA’s expanded provisions.
  • Subject Access Request Practicalities: Companies now only need to conduct “reasonable and proportionate” searches when responding to data subject access requests. Additionally, time limits can be paused when clarification of requests is needed. Companies need to be able to demonstrate that clarification is reasonably required in order to respond to a data subject access request.
  • Information Obligation Relief: For processing of personal data for research purposes, companies may be permitted not to provide Article 13 UK GDPR privacy information where they intend to further process personal information for research purposes and providing such information would be impossible or involve disproportionate effort. In these cases, rights must be protected through other means, including by making the information publicly available. Note that this relief applies to further processing for research purposes, not initial collection. It is therefore less relevant for prospective clinical trials where data is collected directly from participants, but may assist with retrospective research using existing data where the company intends additional research uses beyond the original purpose.
  • International Transfers of Personal Data: The DUAA reformulates the standard for international transfers from requiring that UK GDPR protections are “not undermined” to requiring protection that is “not materially lower” than UK standards – the new “data protection test”. Key changes include formalising transfer risk assessments for alternative transfer mechanisms, renaming adequacy decisions as “transfers approved by regulations”, extending the review period from four years to “ongoing monitoring”, and granting the Secretary of State power to recognise new transfer mechanisms. Life sciences companies with global activities should review existing transfer mechanisms and risk assessments to ensure compliance with the reformulated data protection test and formalised assessment requirements.
  • Updates to the Complaints Procedure: Unlike the other DUAA provisions discussed above, the complaints procedure changes under Schedule 10 will not take effect until June 2026. These amendments establish a mandatory two-tier complaints framework, requiring companies to handle data protection complaints internally before individuals can escalate to the UK’s Data Protection Authority (“ICO”). To prepare, companies should develop a formal complaints-handling policy with clear timelines and responsibilities, create accessible submission channels (online forms, email, postal), maintain complaint logs, update privacy notices to reference both internal and ICO complaint routes, and train staff to identify and escalate data protection concerns. Non-compliance can trigger ICO enforcement notices and financial penalties.

The DUAA represents a meaningful evolution of the UK’s data protection framework, offering life sciences companies greater flexibility for research and innovation while maintaining robust protections for individuals. Companies may wish to review their data processing activities, consent mechanisms, and international data flows to identify opportunities presented by the reforms and assess alignment with the updated requirements.