What the Data (Use and Access) Act 2025 Means for UK Care Providers — And Why Going Digital Requires More Than Just New Software
News and information from the Advent IM team.
- by Olivia Lawlor-Blackburn
- Advent IM Blog
The Data (Use and Access) Act 2025, which became law on 19 June 2025, introduces several meaningful shifts in how data is handled, accessed, and governed across the UK, and adult social care providers will feel its impact in practical and positive ways. One of the most significant changes is the new legal duty on the government to introduce information standards for health and social care IT systems. These standards are designed to encourage better interoperability, safer information flow, and more consistent technical expectations across health and care settings, creating a more connected digital environment for providers who have long struggled with fragmented systems and uneven data-sharing practices. Rather than being simply a technical mandate, the shift offers an opportunity for organisations to take a closer look at how they manage information governance, supplier relationships, and internal assurance processes.
From a governance, risk, and compliance perspective, the DUAA builds on existing frameworks like UK GDPR and the Data Protection Act 2018 by clarifying several areas where providers had been operating with ambiguity. For example, the Act now enables individuals to raise concerns directly with data controllers, reinforcing transparency and encouraging organisations to maintain clear, accessible processes for handling complaints. It also sets out a “reasonable and proportionate” approach to responding to subject access requests, which may help social care organisations manage workloads more effectively without compromising individual rights. Updates to rules on automated decision‑making provide more flexibility in when such tools can be used, so long as appropriate safeguards remain in place. In practice, these adjustments give organisations a clearer understanding of what good compliance looks like and support them in designing processes that are both practical and lawful.
Another quiet but important theme in the Act is its emphasis on secure, reliable data flow. Government commentary around the DUAA makes it clear that enabling real‑time access to essential health and care information is a long‑term aim, particularly across the NHS, local authorities, and adult social care providers. This aligns well with the digital maturity journey many care organisations are already on and complements the expectations set out in the Data Security and Protection Toolkit, which remains the sector’s primary mechanism for demonstrating strong data and cyber security practice. Rather than rewriting the rulebook, the DUAA adds structure and clarity, allowing providers to strengthen their internal governance in a way that supports both service quality and operational resilience.
It is also important to recognise that although digital systems play a central role in meeting these new expectations, progress is not achieved through software alone. Sustainable digital capability grows out of strong governance, consistent processes, and confident, well‑supported people. Even the most advanced digital system will rely on accurate and consistent recording practices, thoughtful access controls, and well‑understood data‑sharing pathways. In the same spirit, the DUAA’s provisions that allow the Secretary of State to request compliance evidence from IT suppliers — and even publish statements where necessary — give providers more assurance and encourage more balanced, transparent relationships with technology partners. This isn’t about catching organisations out; it is about creating a healthier, more accountable digital supply chain for the entire sector.
For many care providers, the DUAA can serve as a useful framework for reviewing current systems, updating policies, and refining internal practices. Taking time to understand how existing digital tools support interoperability, checking in with suppliers about their readiness for the forthcoming standards, and updating internal documentation to reflect the new complaints and access provisions can all help build confidence and reduce risk. Continuing to progress through the DSPT remains vital, not only because it complements the DUAA, but because it strengthens cyber resilience and reinforces good data hygiene across the organisation. As further technical standards are released by DHSC and NHS England, providers will have additional clarity to guide their digital development and long‑term planning.
Overall, the DUAA is less a disruptive overhaul and more a thoughtful evolution of the UK’s data environment. It recognises the complexity of care settings and supports providers in building systems, processes, and cultures that are secure, connected, and resilient. Digital transformation has always been most effective when it grows out of good governance, clear processes, and confident people; the DUAA simply strengthens the foundation on which that transformation can continue. If approached steadily and with the right support, the Act offers care providers a clearer framework for using data well and a positive path toward safer, more consistent digital practice across the sector.