A New Framework for Healthcare Data
The Data Use and Access Act 2025 represents the most significant change to UK data legislation since GDPR. For healthcare SMEs—GP practices, private clinics, care providers—the Act brings both simplification and new requirements.
Understanding these changes is essential for compliant operation and for taking advantage of new automation opportunities the legislation enables.
The Data Use and Access Act received Royal Assent in 2025 and is being implemented in phases. Some provisions take immediate effect while others have transitional periods.
Key Changes for Healthcare Providers
Simplified Data Sharing Within Healthcare
The Act creates a clearer legal basis for sharing patient data between healthcare providers. Previously, practices often over-complicated data sharing due to GDPR uncertainty.
What's Changed:
- Explicit legal basis for care coordination data sharing
- Clearer guidance on what constitutes "legitimate interest" in healthcare
- Simplified requirements for emergency data access
- New framework for research data use
Practical Impact: GP practices can now share relevant patient information with other healthcare providers involved in a patient's care without requiring explicit consent for each sharing instance—provided it's for direct care purposes.
The National Data Library
The Act establishes a National Data Library for health and social care data. While primarily relevant for research and large-scale analysis, it has implications for all providers:
Data Contribution: Healthcare providers may be required to contribute anonymised data to the library. The practical burden on small providers is limited:
- Data flows through existing NHS systems
- Anonymisation handled centrally
- No additional reporting requirements for most SMEs
Data Access: Providers gain access to aggregated insights:
- Benchmarking against similar practices
- Population health trends
- Treatment outcome data
Smart Data Schemes
The Act enables "smart data" sharing across sectors. For healthcare, this creates opportunities for:
- Integrated health and social care: better coordination between NHS and local authority services
- Insurance and healthcare: streamlined health assessments (with consent)
- Wearable integration: easier incorporation of patient-generated health data
Smart data sharing requires robust consent mechanisms. Ensure your systems can track and respect patient preferences for different types of data sharing.
What SME Healthcare Providers Must Do
Review Current Data Practices
The Act's implementation is an opportunity to audit existing data handling:
Documentation Check:
- Data processing records up to date?
- Lawful basis documented for each processing activity?
- Third-party data sharing agreements current?
- Patient-facing privacy notices accurate?
Technical Check:
- Systems meet current security standards?
- Access controls appropriate for staff roles?
- Audit trails comprehensive?
- Data retention automated correctly?
Update Privacy Notices
The Act changes some of the legal bases healthcare providers rely on. Privacy notices should reflect:
- Direct care data sharing doesn't require individual consent
- Research data use (anonymised) may occur unless opted out
- National Data Library contributions
- Any smart data scheme participation
Implement Opt-Out Mechanisms
Patients retain the right to opt out of certain data uses:
National Data Opt-Out:
- Applies to research and planning use
- Doesn't affect direct care
- Must be respected when data is shared
Practice-Level Recording:
- Record opt-out status in patient records
- Ensure clinical systems respect preferences
- Check preferences before any non-care data use
Staff Training Updates
Staff need to understand:
- What data can be shared and when
- How to verify sharing requests are legitimate
- Patient rights under the new framework
- When to escalate uncertain situations
Automation Opportunities Under DUAA
The Act's clearer framework enables automation that was previously legally uncertain.
Automated Care Coordination
With clearer data sharing rules, practices can implement:
Referral Automation:
- Direct data transfer to receiving providers
- Automatic updates on referral status
- Patient notification at each stage
Multi-Provider Care Plans:
- Shared access to relevant care information
- Automated updates when care changes
- Coordinated appointment scheduling
Research Participation
For practices wanting to contribute to medical research:
Automated Anonymisation:
- Extract relevant data from records
- Remove identifying information automatically
- Format for research requirements
- Respect opt-out preferences
Consent Management:
- Track research consent by study
- Automate eligibility checking
- Manage participation across multiple studies
Compliance Automation
The clearer rules enable better automated compliance:
Data Sharing Logs:
- Automatic recording of all data sharing
- Lawful basis documentation
- Audit trail generation
Subject Access Requests:
- Faster identification of relevant data
- Clearer inclusion/exclusion rules
- Streamlined response processes
The DUAA's clearer framework means less time spent on compliance uncertainty and more time available for patient care. Automation magnifies this benefit.
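The opt-out handling described under "Implement Opt-Out Mechanisms" and the data sharing logs described above can be combined into a single purpose-based gate that decides each request and records its lawful basis. The following is an added illustration, not code from the article or any clinical system; the purpose labels, the in-memory Patient record, and the log dictionary layout are assumptions for the demo, while the rules themselves follow the article's summary (direct care needs no individual consent, research/planning respects the national data opt-out, commercial use needs explicit consent, insurance needs specific consent unless a smart data scheme covers it).

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purpose categories the article distinguishes (label strings are assumed).
DIRECT_CARE, RESEARCH_PLANNING = "direct_care", "research_planning"
COMMERCIAL, INSURANCE = "commercial", "insurance"

@dataclass
class Patient:
    nhs_number: str                      # constructed sample value
    national_opt_out: bool = False       # national data opt-out recorded?
    explicit_consents: set = field(default_factory=set)   # purposes consented
    smart_data_schemes: set = field(default_factory=set)  # schemes joined
@dataclass
class Decision:
    allowed: bool
    lawful_basis: str  # what the audit log records for this share

def decide(patient: Patient, purpose: str) -> Decision:
    """Apply the article's rules: direct care needs no individual consent;
    research/planning must respect the national data opt-out; commercial
    use needs explicit consent; insurance needs specific consent unless a
    smart data scheme covers it. Anything else is denied by default."""
    if purpose == DIRECT_CARE:
        return Decision(True, "direct care: no individual consent required")
    if purpose == RESEARCH_PLANNING:
        if patient.national_opt_out:
            return Decision(False, "blocked: national data opt-out")
        return Decision(True, "research/planning: no opt-out recorded")
    if purpose == COMMERCIAL:
        if COMMERCIAL in patient.explicit_consents:
            return Decision(True, "explicit consent: commercial")
        return Decision(False, "blocked: no explicit consent for commercial use")
    if purpose == INSURANCE:
        if INSURANCE in patient.smart_data_schemes:
            return Decision(True, "smart data scheme: insurance")
        if INSURANCE in patient.explicit_consents:
            return Decision(True, "specific consent: insurance")
        return Decision(False, "blocked: no specific consent for insurance")
    return Decision(False, f"blocked: unknown purpose {purpose!r}")

def share(patient: Patient, purpose: str, recipient: str, log: list) -> bool:
    """Gate one request and always append an audit entry, allowed or not."""
    d = decide(patient, purpose)
    log.append({"when": datetime.now(timezone.utc).isoformat(),
                "nhs_number": patient.nhs_number, "purpose": purpose,
                "recipient": recipient, "allowed": d.allowed,
                "lawful_basis": d.lawful_basis})
    return d.allowed
```

Denied requests are logged alongside permitted ones, so the audit trail shows that the opt-out was checked rather than only that data left the practice.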
Common Compliance Questions
"Do I need to update all my consent forms?"
Not necessarily. The Act clarifies rather than fundamentally changes healthcare data processing. However, you should:
- Review current forms against updated guidance
- Update privacy notices to reflect any changes
- Ensure smart data and research sections are current
"What about data sharing with private providers?"
The Act's simplified sharing applies within the healthcare system broadly:
- NHS to private providers (and vice versa) for care purposes: simplified
- Commercial data sharing: unchanged, requires explicit consent
- Insurance sharing: requires specific consent unless under smart data scheme
"How does this affect international data transfers?"
Post-Brexit UK data protection has specific international transfer rules:
- EU transfers: adequacy decision in place
- Other countries: require appropriate safeguards
- Cloud providers: ensure UK data residency or approved transfer mechanisms
The Act doesn't change international transfer requirements significantly.
"What's the timeline for compliance?"
The Act has phased implementation:
- Core provisions: Immediate
- National Data Library requirements: 12-18 months
- Smart data scheme participation: As schemes launch
Preparing Your Practice
Immediate Actions (Next 30 Days)
- Download and review the Act summary from NHS Digital
- Audit current practices against new requirements
- Update privacy notice if changes needed
- Brief key staff on main changes
Short-Term Actions (Next 90 Days)
- Implement any required changes to data handling
- Update contracts with third-party processors
- Review opt-out recording processes
- Train all staff on updated procedures
Medium-Term Actions (Next 12 Months)
- Assess automation opportunities enabled by clearer rules
- Implement compliance automation where beneficial
- Monitor guidance updates from regulators
- Review and refine based on experience
Resources for Further Reading
- Data Use and Access Act 2025 - Parliament - Full legislation text
- NHS Digital Guidance - Implementation guidance (as published)
- ICO Healthcare Guidance - Data protection in healthcare
- BMA Guidance - Professional body advice
The DUAA represents an opportunity, not just an obligation. Clearer rules mean less compliance uncertainty and more confidence in implementing beneficial data sharing and automation.
Need help understanding how the Data Use and Access Act affects your practice? We help healthcare SMEs navigate regulatory changes and implement compliant automation.
Book a consultation to discuss your specific situation.
