Regulations setting out which UK bodies may seek a “designation notice” to run joint data processing with the intelligence services under the Data Protection Act 2018 have been finalised. The Data Protection Act 2018 (Qualifying Competent Authorities) Regulations 2025 take effect 21 days after being made, which falls on 17 November 2025, and apply across England, Wales, Scotland and Northern Ireland.
The list covers ministerial government departments as a class; UK policing leadership including the Metropolitan Police Commissioner, the City of London Police Commissioner and all territorial chief constables; the Police Service of Northern Ireland and Police Service of Scotland; British Transport Police, Civil Nuclear Constabulary and Ministry of Defence Police; the Service Police Provost Marshals (including the Provost Marshal for Serious Crime); specified harbour and port constables; collaboration bodies under section 22A of the Police Act 1996; HM Revenue & Customs; the National Crime Agency; HM Land Registry; the parole bodies in each UK nation; the Probation Board for Northern Ireland; and any person with a statutory role in electronic monitoring.
The legal basis sits in sections 89 and 90 of the Data (Use and Access) Act 2025, which amended the DPA 2018 so that Part 4 can also apply to processing by a “qualifying competent authority” where that processing is designated. The Act created the designation notice mechanism in new sections 82A–82E of the DPA 2018.
A designation notice must be requested jointly by the qualifying authority and the intelligence service. The Secretary of State may issue a notice only where satisfied it is required to safeguard national security. The notice must specify the processing, is reviewed at least annually, and may be appealed to the Tribunal. A notice cannot authorise international transfers.
Before any notice is given, the Secretary of State must consult the Information Commissioner. The regulations themselves were made under the affirmative procedure and were approved by both Houses in September 2025 following committee scrutiny.
In operational terms, where processing is covered by a designation, the usual law enforcement regime in Part 3 is displaced and the Part 4 regime applies to the joint processing. Part 4 brings the intelligence‑services standards, including the six data protection principles and associated accountability and security duties overseen by the ICO.
“Joint processing” here means a joint controllership between the qualifying authority and at least one intelligence service. The DPA 2018 requires joint controllers to set out their respective responsibilities in a written arrangement, and section 82A expressly cross‑refers to section 104 for that purpose.
Ministers underlined during parliamentary debates that the measure does not permit blanket data sharing. Any designation is confined to the defined processing in the notice and must be justified as necessary for national security; it enables a single regime for that joint activity, not unfettered exchange.
The drafting is specific about institutional coverage. Non‑ministerial departments are excluded as a class, but HM Revenue & Customs and HM Land Registry are included expressly, alongside policing bodies and the National Crime Agency.
For data protection leads in listed bodies, preparation means confirming whether any joint activity will require a designation, mapping affected processing to Part 4 requirements, agreeing a joint‑controller arrangement, and ensuring records, security measures and staff training meet Part 4 standards ahead of commencement.