The Home Office has made the Data Protection Act 2018 (Qualifying Competent Authorities) Regulations 2025, approved by both Houses under the affirmative procedure. The instrument applies UK‑wide and, having been made on 27 October 2025, takes effect on 17 November 2025 under the 21‑day commencement rule in regulation 1(2). The measure enables certain public authorities to participate in joint processing with the intelligence services within the DPA’s Part 4 regime, subject to case‑by‑case designation.
Sections 89 and 90 of the Data (Use and Access) Act 2025 expand the scope of Part 4 so that, in addition to processing by an intelligence service, Part 4 also applies to processing by a “qualifying competent authority” where that processing is covered by a designation notice. The Act inserts new sections 82A to 82E into the DPA 2018 and confirms that where a designation applies, the law enforcement regime in Part 3 does not.
A designation notice may be issued by the Secretary of State only on a joint application from the qualifying competent authority and at least one intelligence service. The Secretary of State must consider designation to be required for safeguarding national security, must consult the Information Commissioner before issuing a notice, and must ensure the notice specifies the processing and the authority covered. Designation cannot cover transfers to a country outside the UK or to an international organisation.
Designation notices are time‑limited. They take effect from the stated start date and lapse after five years unless a shorter period is set or the notice is withdrawn sooner. The Secretary of State must review each live notice at least annually and may withdraw it, including where designation is no longer required; withdrawal timing must take account of the need for an orderly transition to new arrangements.
Transparency and redress are built in. The Commissioner must publish a record of each designation notice while it remains in force, with text withheld only where publication would harm national security, be contrary to the public interest or risk safety. Any person directly affected can appeal to the Tribunal, which applies the judicial review standard and may quash the notice.
The Regulations set out who counts as a “qualifying” competent authority for these purposes. They include any UK ministerial department; chief constables across England and Wales, Scotland and Northern Ireland; the Metropolitan Police and City of London Police; British Transport Police, Civil Nuclear Constabulary and Ministry of Defence Police; the Provost Marshals of the service police (including for serious crime); harbour and port constabularies; collaboration bodies under section 22A of the Police Act 1996; HM Revenue and Customs; the Director General of the National Crime Agency; HM Land Registry; the Parole Boards for England and Wales and Scotland; the Parole Commissioners for Northern Ireland; the Probation Board for Northern Ireland; and any person with a statutory responsibility to secure electronic monitoring of an individual.
The list deliberately includes ministerial departments in general while identifying specific non‑ministerial bodies-such as HMRC and HM Land Registry-by name. For policing, it captures both territorial leadership roles and specialised national forces. Inclusion of parole and probation bodies, and of those legally responsible for electronic monitoring, ensures criminal justice functions can participate in joint operations where justified.
Once a designation notice is in place, the qualifying authority’s covered processing falls under Part 4 rather than Part 3 of the DPA. In practice, that means applying the intelligence‑services data protection principles and standards, and relying on Part 4 conditions for processing (including Schedule 9, and Schedule 10 where sensitive processing is undertaken). The Commissioner’s Part 4 guidance highlights the six principles and the expectation that serious personal data breaches be reported to the ICO.
Controllers carrying out designated joint processing must document their joint controller arrangement under section 104 DPA 2018, which the DUAA amended to accommodate these arrangements. Applications must describe the purposes and means of processing and explain why designation is required for national security. While Part 4 does not mandate a DPIA, the ICO notes that using a DPIA is a practical way to evidence compliance.
For openness, the Commissioner will publish a record of each designation notice and its duration, subject to necessary redactions. Organisations should expect the existence and timing of designations to be visible in the public record while they are in force. Appeals remain available to those directly affected.
Timing matters for implementers. Sections 89 and 90 of the DUAA were commenced in September 2025, enabling the Secretary of State to make these Regulations and, once in force on 17 November 2025, to consider designation applications. Teams in policing, HMRC, HMLR and relevant justice bodies should align internal governance, joint controller arrangements and security measures with Part 4 standards ahead of any application.
The Explanatory Note to the instrument states that no full impact assessment was produced given no, or no significant, impact is foreseen. Organisations should nonetheless record the specific legal basis for any designated processing and ensure public communications are ready in light of the Commissioner’s duty to publish designation records.