The Data (Use and Access) Act 2025 became law on 19 June 2025, following Royal Assent. This legislation introduces wide-ranging reforms to improve how data is accessed, shared, and protected across public and private services in the UK. It has particular relevance to the adult social care sector due to its emphasis on information standards, data protection, and improved data sharing between organisations.
While not all parts of the Act apply directly to adult social care, the Act includes several important provisions that will affect how providers manage digital care records, interact with NHS systems, and meet legal duties relating to data protection and cyber security.
You can read the full legislation here: https://www.legislation.gov.uk/ukpga/2025/18/enacted
Data (Use and Access) Act 2025 - Summary
| Area | Key changes |
| --- | --- |
| Interoperability | Section 121 introduces statutory standards for digital systems in health and social care |
| CQC-registered providers | Must use systems that comply with the new digital information standards |
| Data protection reforms | New lawful basis, stricter rules on access requests, mandatory complaints procedure |
| Cyber and ICO enforcement | Stronger ICO powers, higher penalties, enhanced audit and inspection rights |
Key provisions for adult social care
Section 121: Standards for Information Systems in Health and Adult Social Care
Section 121 – legislation.gov.uk
This section requires the Secretary of State to introduce statutory digital information standards for IT systems used in health and adult social care in England. These standards will set out how systems should operate to enable seamless data sharing and integration between services.
This applies to:
- Local authority providers of adult social care.
- Independent and private providers, including those registered with the Care Quality Commission (CQC).
- IT suppliers providing systems to these organisations.
Once introduced, the standards will become mandatory, and suppliers who fail to comply may face enforcement action. Providers will need to ensure their systems meet the specified standards and that they work only with compliant suppliers.
Implications for care services
Here are some examples of how Section 121 could affect day-to-day care:
- Hospital discharge to home care: Hospital discharge summaries, medication lists, and care plans will need to be transferred digitally and accurately to social care providers. This should reduce delays and risks associated with poor communication at discharge.
- Coordination with GPs and community health services: Social care providers will be expected to share and receive updates from GPs and NHS teams in real time, supporting better continuity of care.
- Emergency or crisis response: Emergency services and urgent care providers will be able to access key data about a person’s care history and needs, enabling safer and quicker decisions.
- Ongoing homecare: Homecare visit records, observations, and tasks will be stored in structured formats that can be shared with others involved in care planning and delivery, improving consistency and reducing duplication.
Requirements for CQC-Registered Providers
The Act amends Section 250 of the Health and Social Care Act 2012 to make it clear that these information standards apply to private providers registered with the Care Quality Commission (CQC).
This means that CQC-registered adult social care providers—such as care homes, homecare agencies, and supported living services—must ensure their digital systems comply with the national standards, once introduced.
These changes aim to bring private providers in line with NHS organisations to ensure a joined-up approach to information sharing and digital interoperability.
See explanatory notes: Paragraphs 1129–1130
Data Protection and Cyber Security Reforms
The Act also includes important reforms to UK data protection law (the UK GDPR and the Data Protection Act 2018), which apply across all sectors, including adult social care.
New lawful basis for data use
A new lawful basis called “recognised legitimate interests” has been introduced. This allows organisations to process personal data without consent for specific public interest purposes, including safeguarding, protecting public health, and responding to emergencies. While this simplifies some data uses, organisations must still apply principles of proportionality and accountability.
Changes to subject access requests (DSARs)
The Act allows organisations to decline or delay data subject access requests if they are not reasonable or proportionate. The time limit for responding can also be paused while waiting for clarification from the requester.
Internal complaints process
All organisations are now required to have an internal complaints procedure for handling data protection concerns. A response must be issued within 30 days before a complaint can be escalated to the Information Commissioner’s Office (ICO).
Automated decision-making
The Act allows automated decision-making under certain safeguards but prohibits its use where special category data is involved (such as health or ethnicity data), unless extra conditions are met.
ICO powers and enforcement
The ICO has been given stronger powers to:
- Issue higher fines for breaches (including under PECR).
- Conduct audits and inspections.
- Require organisations to provide technical documentation or grant access to systems.
Implementation timetable
The Act became law on 19 June 2025. However, most of its provisions—including Section 121—will not take effect until commencement orders are issued by the Secretary of State. This means that specific start dates and technical requirements are still to be confirmed.
Providers should monitor official government channels and sector-specific guidance for updates. You can track commencement orders here: https://www.legislation.gov.uk/ukpga/2025/18
Recommended actions for care providers
- Review your digital systems: Start assessing whether your care management or record-keeping software is capable of meeting future interoperability requirements.
- Engage with IT suppliers: Ask your system providers how they plan to comply with the forthcoming standards under Section 121.
- Update data protection policies: Reflect changes to subject access rights, internal complaints procedures, and new lawful bases in your data protection documentation.
- Continue using the Data Security and Protection Toolkit (DSPT): Although not mentioned in the Act, DSPT remains the main framework for demonstrating good data and cyber practice in adult social care.
- Prepare for regulatory guidance: Look out for technical standards, timetables, and enforcement guidance from the Department of Health and Social Care (DHSC) and NHS England.