The Data (Use and Access) Act 2025 (DUAA) is ushering in a period of change for UK data protection laws. It is intended to make life easier for organisations rather than to introduce complex new obligations and, while some things are changing, much remains the same. For those working in life sciences, whether in academia, biotech or pharma, these changes present an opportunity when using personal data in research and should be considered when planning their data privacy compliance programs.
This series of blogs from the IT & data team at Mills & Reeve aims to help you understand the impact that DUAA will have on established ways of doing things.
If you need a reminder about the meaning of some of the key data protection terminology used (eg, personal data, data subject, data controller, processing, etc), please refer to our glossary.
A new era for research data
DUAA amends the UK GDPR and Data Protection Act 2018, aiming to strike a balance between enabling innovation and protecting individuals’ rights. It clarifies the rules around using personal data for scientific research and offers additional opportunities to use such data without relaxing the underlying data protection principles. Below, we highlight some of the most significant changes which research-heavy organisations should be aware of.
Consent in research
DUAA adds to the UK GDPR, further explaining what consent means in the context of processing personal data.
Consent, according to the UK GDPR, must be both “specific” and “informed”. DUAA clarifies that, in the context of scientific research, a data subject’s consent meets the UK GDPR definition of consent despite not being obviously “specific” or “informed” where:
- The consent is given to the processing of personal data for the purposes of an area of scientific research.
- At the time the consent is sought, it is not possible to identify fully the purposes for which personal data is to be processed.
- Seeking consent in relation to the area of scientific research is consistent with generally recognised ethical standards relevant to the area of research.
- So far as the intended purposes of the processing allow, the data subject is given the opportunity to consent only to processing for part of the research.
This captures the previous position that a consent to scientific research more widely than the specific research being undertaken is possible, and it will be helpful in cases where technological advances mean that research becomes possible which was not possible at the time of data collection. There are some points to be aware of if this is the route chosen, namely:
- As far as possible the data subject should be given the opportunity to consent only to processing for part of the research (eg, for the particular study and not research more widely).
- If you use consent as your legal basis, the re-use provisions for scientific research discussed below would not apply (ie, any further processing would need to be consistent with the consent obtained unless a different exemption applies).
Re-use of personal data for scientific research
Previously, using data for a new research project often meant jumping through hoops to prove the new use was “compatible” with the original purpose for which the data was collected. The DUAA now provides a statutory presumption that re-use for scientific research (and certain other purposes) is compatible.
Note that it appears this cannot be relied upon by a controller to the extent that the controller used consent as the original legal basis for processing. It is also not entirely clear how that would work where one controller used consent as the legal basis and a new controller wants to use the same data for scientific research – currently reliance by third parties on consent would, strictly speaking, require those third parties to be covered by the original consent. This could cover, for example, access to personal data held by research databanks or biobanks.
New Article 14 – Information provision where the controller has not collected personal data directly from a data subject
Notwithstanding the consent limitations, there is an argument that the new provisions inserted into Article 14 envisage that there may be instances where a new controller can nevertheless rely on the scientific research legal basis, provided it complies with its other data protection obligations.
The DUAA changes explicitly acknowledge the inherent challenges controllers face in complying with the information requirements when accessing these types of resources, by clarifying that the general requirement to provide the information directly to data subjects does not apply where the provision is impossible or would involve a disproportionate effort. In those cases, privacy notices should be made available publicly in order to continue to comply with the principle of transparency of processing.
Recognised legitimate interests: A new lawful basis
A new lawful basis for processing personal data has been introduced where there are “recognised legitimate interests”. This allows organisations to rely on this legal basis without the usual balancing test in certain circumstances, which may include scientific research where this is carried out in the public interest and the basis for the processing is set out in domestic law or relevant international law.
This includes a new Chapter 8A (Articles 84A – 84D) in the UK GDPR, added by DUAA, which sets out in one place the necessary safeguards for using personal data for research and improves the clarity of the legislation.
Looking ahead: Compliance and opportunity
DUAA’s changes are designed to support the UK’s ambitions as a global leader in research and innovation. For life sciences organisations, the Act offers greater flexibility and legal certainty – but also places a premium on transparency and robust governance.
Key takeaways:
- Take advantage of reduced administrative burdens but maintain clear public communications.
- Leverage the new compatibility presumption, but keep safeguards front and centre.
- Explore the new lawful basis for processing, and ensure your documentation is watertight.
- Keep an eye out for the data protection regulator’s updated guidance on the research, archiving and statistical provisions in DUAA. Final guidance is due for publication in the summer of 2026.
As always, the devil is in the detail and it is worth seeking specialist advice where needed. For further information, consult the ICO’s summary of changes.
If you’d like to discuss how DUAA affects your research or compliance strategy, get in touch with our team.