The Department for Science, Innovation and Technology has made the Data (Use and Access) Act 2025 (Consequential and Other Amendments) Regulations 2025 (SI 2025/1331). The instrument was made on 15 December 2025, laid before Parliament on 17 December 2025 and gives effect to consequential and related changes across data protection, policing and elections law to align with the Data (Use and Access) Act 2025. According to regulation 2, regulations 1 and 2 come into force on the twenty-first day after laying, which falls on 7 January 2026.
The instrument restructures how certain Data Protection Act 2018 offences are treated for police recording purposes. Regulation 3 repeals section 199(1) of the Data Protection Act 2018 (recordable offences), while regulation 4 inserts an explicit list of relevant offences into the Schedule to the National Police Records (Recordable Offences) Regulations 2000. This preserves-and clarifies-the recordable status of these offences following the repeal, ensuring continuity in police recording practice.
The inserted list captures a suite of offences under the Data Protection Act 2018, including obstruction of inspections of personal data made under international obligations (section 119(6)); wrongful disclosure of information obtained by the Information Commissioner (section 132(3)); false statements in response to an information notice (section 144); destruction or falsification of information or documents (section 148(2)); false statements in response to an interview notice (new section 148C); unlawful obtaining, disclosure, procuring or retention of personal data, as well as selling or offering to sell such data (section 170(1), (4) and (5)); re-identification of de-identified personal data and processing of re-identified data (section 171(1) and (5)); alteration of personal data to prevent disclosure to a data subject (section 173(3)); requirements relating to relevant records in employment or service contexts (section 184(1) and (2)); and specified offences connected to the execution of warrants (Schedule 15, paragraph 15(1) and (2)). Where indicated in the instrument, certain entries do not apply insofar as the Data Protection Act 2018 provisions operate via the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016.
For operational policing, making these offences recordable means they fall within the categories that must be entered on national police records under the 2000 Regulations. By moving from a general statutory provision in section 199(1) to a detailed schedule, the regulations aim to provide clearer traceability for practitioners on what must be recorded and in what circumstances, particularly as new offences created by the 2025 Act come on stream.
The instrument also aligns secondary legislation with the revised structure of research, archiving and statistics provisions in the UK GDPR as amended by the Data (Use and Access) Act 2025. References to “Article 89 GDPR purposes” are replaced with “Article 84A GDPR purposes” across multiple elections and registration instruments, with accompanying definitions confirming that appropriate safeguards are required under Article 84B(2), read with Article 84C. This codifies that processing for archiving in the public interest, scientific or historical research, and statistical purposes should continue, but framed by the updated safeguard architecture.
The changes to elections law are extensive but technical. They cover the Representation of the People Regulations for England and Wales (2001), Scotland (2001) and Northern Ireland (2008), the Police and Crime Commissioner Elections Order 2012, the Scottish Parliament (Elections etc.) Order 2015, the Neighbourhood Planning (Referendums) Regulations 2012 and the Senedd Cymru (Representation of the People) Order 2025. In each case, provisions governing the supply, inspection and permitted use of full electoral registers, absent voter lists and related documents are updated so their data protection conditions point to Articles 84A–84C of the UK GDPR. For electoral administrators, national libraries and statistical authorities, the practical effect is continuity of access with references aligned to the new UK GDPR numbering and safeguard language.
A further set of amendments integrates the new offence under section 148C of the Data Protection Act 2018-false statements in response to an interview notice-into companies legislation. The Companies (Disclosure of Address) Regulations 2009, the Overseas Companies Regulations 2009, the Companies (Disclosure of Date of Birth Information) Regulations 2015 and the Register of People with Significant Control Regulations 2016 are updated so that disclosures to credit reference agencies can reflect section 148C alongside existing Data Protection Act offences. This aligns corporate disclosure gateways with the updated enforcement toolkit of the Information Commissioner.
Commencement is staged. Regulations 3, 4, 10, 11, 16 and 17 will take effect when section 100 of the Data (Use and Access) Act 2025 is fully commenced; these provisions include the insertion of section 148C and the related companies legislation changes. Regulations 5 to 9, 12 to 15 and 18 will commence when section 86 of the 2025 Act is fully in force, which is the set that underpins the new UK GDPR research, archiving and statistics framework. Organisations should track commencement orders to confirm the dates at which each change begins to apply in practice.
The territorial application is UK‑wide to the extent of the provisions amended. Regulations 1 and 2 extend to England and Wales, Scotland and Northern Ireland, and each subsequent amendment follows the extent of the underlying legislation it modifies, as specified in regulation 1(3). This ensures that electoral, policing and company law changes operate in the same jurisdictions as the instruments they alter.
The instrument records that the Secretary of State consulted the Information Commissioner in accordance with section 182(2) of the Data Protection Act 2018 before making these Regulations. It is signed by the Minister of State at the Department for Science, Innovation and Technology, Ian Murray, dated 15 December 2025, reflecting the government’s role in implementing the consequential updates required by the primary Act.
The explanatory note confirms that no full impact assessment has been produced, given the government’s assessment of no, or no significant, impact on the private, voluntary or public sector. For practitioners, the immediate actions are largely administrative: update references from Article 89 to Articles 84A–84C in policies and notices related to electoral documents and research use; prepare for the recordable status of the specified Data Protection Act offences; and ensure corporate disclosure frameworks and credit reference agency interactions recognise the addition of section 148C. The core policy intent is continuity with clearer statutory signposting as the Data (Use and Access) Act 2025 provisions take effect.