Healthcare

Data Use and Access Act 2025: What Healthcare SMEs Need to Know

13 January 2026
9 min
Ben Gale
Data Use and Access Act 2025: What Healthcare SMEs Need to Know

A New Framework for Healthcare Data

The Data Use and Access Act 2025 represents the most significant change to UK data legislation since GDPR. For healthcare SMEs—GP practices, private clinics, care providers—the Act brings both simplification and new requirements.

Understanding these changes is essential for compliant operation and for taking advantage of new automation opportunities the legislation enables.

Info

The Data Use and Access Act received Royal Assent in 2025 and is being implemented in phases. Some provisions take immediate effect while others have transitional periods.

Key Changes for Healthcare Providers

Simplified Data Sharing Within Healthcare

The Act creates a clearer legal basis for sharing patient data between healthcare providers. Previously, practices often over-complicated data sharing due to GDPR uncertainty.

What's Changed:

  • Explicit legal basis for care coordination data sharing
  • Clearer guidance on what constitutes "legitimate interest" in healthcare
  • Simplified requirements for emergency data access
  • New framework for research data use

Practical Impact: GP practices can now share relevant patient information with other healthcare providers involved in a patient's care without requiring explicit consent for each sharing instance—provided it's for direct care purposes.

2025
Act implementation year
Simplified
Care coordination sharing
Clearer
Research data framework

The National Data Library

The Act establishes a National Data Library for health and social care data. While primarily relevant for research and large-scale analysis, it has implications for all providers:

Data Contribution: Healthcare providers may be required to contribute anonymised data to the library. The practical burden on small providers is limited:

  • Data flows through existing NHS systems
  • Anonymisation handled centrally
  • No additional reporting requirements for most SMEs

Data Access: Providers gain access to aggregated insights:

  • Benchmarking against similar practices
  • Population health trends
  • Treatment outcome data

Smart Data Schemes

The Act enables "smart data" sharing across sectors. For healthcare, this creates opportunities for:

  • Integrated health and social care - Better coordination between NHS and local authority services
  • Insurance and healthcare - Streamlined health assessments (with consent)
  • Wearable integration - Easier incorporation of patient-generated health data
Warning

Smart data sharing requires robust consent mechanisms. Ensure your systems can track and respect patient preferences for different types of data sharing.

What SME Healthcare Providers Must Do

Review Current Data Practices

The Act's implementation is an opportunity to audit existing data handling:

Documentation Check:

  • Data processing records up to date?
  • Lawful basis documented for each processing activity?
  • Third-party data sharing agreements current?
  • Patient-facing privacy notices accurate?

Technical Check:

  • Systems meet current security standards?
  • Access controls appropriate for staff roles?
  • Audit trails comprehensive?
  • Data retention automated correctly?

Update Privacy Notices

The Act changes some of the legal bases healthcare providers rely on. Privacy notices should reflect:

  • Direct care data sharing doesn't require individual consent
  • Research data use (anonymised) may occur unless opted out
  • National Data Library contributions
  • Any smart data scheme participation
Healthcare professional reviewing documentation on laptop
Updated documentation protects both providers and patients

Implement Opt-Out Mechanisms

Patients retain the right to opt out of certain data uses:

National Data Opt-Out:

  • Applies to research and planning use
  • Doesn't affect direct care
  • Must be respected when data is shared

Practice-Level Recording:

  • Record opt-out status in patient records
  • Ensure clinical systems respect preferences
  • Check preferences before any non-care data use

Staff Training Updates

Staff need to understand:

  • What data can be shared and when
  • How to verify sharing requests are legitimate
  • Patient rights under the new framework
  • When to escalate uncertain situations

Automation Opportunities Under DUAA

The Act's clearer framework enables automation that was previously legally uncertain.

Automated Care Coordination

With clearer data sharing rules, practices can implement:

Referral Automation:

  • Direct data transfer to receiving providers
  • Automatic updates on referral status
  • Patient notification at each stage

Multi-Provider Care Plans:

  • Shared access to relevant care information
  • Automated updates when care changes
  • Coordinated appointment scheduling

Research Participation

For practices wanting to contribute to medical research:

Automated Anonymisation:

  • Extract relevant data from records
  • Remove identifying information automatically
  • Format for research requirements
  • Respect opt-out preferences

Consent Management:

  • Track research consent by study
  • Automate eligibility checking
  • Manage participation across multiple studies

Compliance Automation

The clearer rules enable better automated compliance:

Data Sharing Logs:

  • Automatic recording of all data sharing
  • Lawful basis documentation
  • Audit trail generation

Subject Access Requests:

  • Faster identification of relevant data
  • Clearer inclusion/exclusion rules
  • Streamlined response processes
Pro Tip

The DUAA's clearer framework means less time spent on compliance uncertainty and more time available for patient care. Automation magnifies this benefit.

Common Compliance Questions

"Do I need to update all my consent forms?"

Not necessarily. The Act clarifies rather than fundamentally changes healthcare data processing. However, you should:

  • Review current forms against updated guidance
  • Update privacy notices to reflect any changes
  • Ensure smart data and research sections are current

"What about data sharing with private providers?"

The Act's simplified sharing applies within the healthcare system broadly:

  • NHS to private providers (and vice versa) for care purposes: simplified
  • Commercial data sharing: unchanged, requires explicit consent
  • Insurance sharing: requires specific consent unless under smart data scheme

"How does this affect international data transfers?"

Post-Brexit UK data protection has specific international transfer rules:

  • EU transfers: adequacy decision in place
  • Other countries: require appropriate safeguards
  • Cloud providers: ensure UK data residency or approved transfer mechanisms

The Act doesn't change international transfer requirements significantly.

"What's the timeline for compliance?"

The Act has phased implementation:

  • Core provisions: Immediate
  • National Data Library requirements: 12-18 months
  • Smart data scheme participation: As schemes launch

Preparing Your Practice

Immediate Actions (Next 30 Days)

  1. Download and review the Act summary from NHS Digital
  2. Audit current practices against new requirements
  3. Update privacy notice if changes needed
  4. Brief key staff on main changes

Short-Term Actions (Next 90 Days)

  1. Implement any required changes to data handling
  2. Update contracts with third-party processors
  3. Review opt-out recording processes
  4. Train all staff on updated procedures

Medium-Term Actions (Next 12 Months)

  1. Assess automation opportunities enabled by clearer rules
  2. Implement compliance automation where beneficial
  3. Monitor guidance updates from regulators
  4. Review and refine based on experience

Resources for Further Reading

Success

The DUAA represents an opportunity, not just an obligation. Clearer rules mean less compliance uncertainty and more confidence in implementing beneficial data sharing and automation.


Need help understanding how the Data Use and Access Act affects your practice? We help healthcare SMEs navigate regulatory changes and implement compliant automation.

Book a consultation to discuss your specific situation.

Ben Gale

Ben Gale

25 years IT and leadership experience. Based in Woodley, Reading. Helping Thames Valley businesses automate workflows and reduce admin overhead.

Learn more about Ben →

Frequently Asked Questions

What is the Data Use and Access Act 2025 and how does it affect healthcare providers?

The DUAA is the most significant change to UK data legislation since GDPR. It creates clearer legal bases for sharing patient data between healthcare providers, establishes the National Data Library, and enables smart data sharing across sectors while simplifying care coordination requirements.

Do healthcare providers need to update consent forms under the DUAA?

Not necessarily. The Act clarifies rather than fundamentally changes healthcare data processing. However, you should review current forms against updated guidance, update privacy notices to reflect changes, and ensure smart data and research sections are current.

What is the timeline for DUAA compliance for healthcare SMEs?

The Act has phased implementation: core provisions take immediate effect, National Data Library requirements have a 12-18 month timeline, and smart data scheme participation applies as individual schemes launch.

How does the DUAA change data sharing between NHS and private healthcare providers?

The Act simplifies data sharing within the healthcare system broadly. NHS to private providers and vice versa for care purposes is simplified. However, commercial data sharing remains unchanged and requires explicit consent, and insurance sharing requires specific consent unless under a smart data scheme.

Related Articles

Healthcare

Why 62% of UK Healthcare Professionals Fear AI Errors

UK healthcare professionals have Europe's highest AI error concerns. Learn confidence-building strategies and how to start with low-risk automation.

10 min
Healthcare

Automating Patient Administration: A Guide for GP Practices

A practical guide for GP practices and private clinics on automating patient notes, appointment reminders, referral tracking, and GDPR compliance.

11 min
Healthcare

The Hidden Cost of Manual Processes in Healthcare

Missed appointments, invoice delays, and admin burden cost healthcare SMEs dearly. Discover where automation delivers immediate ROI.

10 min

Want Help Implementing This?

Book a free 15-minute discovery call and we'll discuss how to apply these concepts to your business.

Book Your Free Discovery Call