The Data (Use and Access) Act 2025 is the UK’s most significant recent data-protection change — and it directly affects AI, especially automated decisions. Here’s what it means in 2026, cited to official sources. (dgm implements osFoundry as an independent partner. General information, not legal advice.)
What the DUAA is
The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025 and is being commenced in stages (gov.uk; Act text). Crucially, it amends, not replaces, UK GDPR and the Data Protection Act 2018 — and it’s the UK’s chosen alternative to a standalone “AI Act” for data matters.
The big change: automated decision-making
Section 80 of the DUAA replaced Article 22 UK GDPR with new Articles 22A–22D (legislation.gov.uk). The shift:
- More permissive baseline — solely-automated decisions with legal or similarly significant effects are now permitted in wider circumstances for ordinary (non-special-category) data, provided safeguards are met.
- Mandatory safeguards — inform individuals about significant decisions; let them make representations; let them contest; provide human intervention.
- Automated decision-making (ADM) on special-category data stays restricted (subject to limited conditions).
So the DUAA opens up automated decision-making somewhat, but conditions it on safeguards — particularly meaningful human involvement.
Other AI-relevant changes
- Scientific research clarified — research may include commercial research, with consent allowed for broad areas of related research; this eases AI/data-science R&D.
- “Recognised legitimate interests” — a new lawful ground for specified purposes (crime prevention, safeguarding, emergencies) without the usual balancing test.
Key dates
- Part 5 (ADM provisions) came into effect 5 February 2026 (SI 2026/82 — confirm exact effect).
- A statutory ICO Code of Practice on AI and ADM — SI 2026/425 — was made 16 April 2026 and came into force 12 May 2026.
Watch for the ICO’s updated ADM guidance (final expected ~Summer 2026), which interprets these provisions in practice.
Where osFoundry and dgm fit
The DUAA’s central practical demand for AI is safeguarded automated decisions — and that’s a design decision. dgm implements AI on osFoundry with the new safeguards built in: informing individuals, enabling representations and contest, and providing human intervention for significant decisions. Data control comes via self-hosting or an EU region; osFoundry publishes US/EU/JP regions, not a UK one. Human-in-the-loop isn’t a bolt-on; we scope it from the start.
dgm is an independent integration partner with zero integrations so far, and not a law firm. Confirm commencement and specifics with your DPO and the ICO. To scope a DUAA-aware AI project, book a consultation with dgm.