What the new data protection law means for local councils
- Daniel Purchese
- Jun 20
Yesterday the new Data Use and Access Act 2025 received Royal Assent, meaning the UK now has new data protection legislation in place.
The legislation will be phased in over the next two to twelve months.
This blog post is designed to be an introductory guide to the changes that will impact local councils.
So, what are the big changes?
The great big, critical change to the way you do things is… nothing. (That is, if you've been doing what we've recommended councils do for the last few years, then you're already compliant.)
In seriousness, however, it's important to note that this is not a data protection revolution; instead, it should be seen as data protection evolution.
Firstly, there is one thing that councils can safely disregard. When it comes to the legislative changes, the first area of change is data protection 'definitions'. There are, for example, clear data protection definitions regarding commercial, scientific, and historical research. However, it's not the kind of research that councils do, and therefore doesn't apply.
When it comes to a council's choice of lawful basis for processing personal data, there is a new lawful basis of 'recognised legitimate interests'. 'Legitimate interest' existed previously as a lawful basis, but this is an additional basis.
The only one of the new predefined interests that we can see might impact councils is crime detection and prevention, which might apply to councils' use of CCTV.
We are currently awaiting guidance from the Information Commissioner, and will update councils in due course.
There are several changes around the reuse of people's data for purposes other than those for which it was gathered, but again, that is for innovation and scientific and research purposes, so it's not going to affect councils.
There is a change allowing elected representatives, including councillors, to continue to process 'special category' data for up to 30 days after they cease to be elected representatives. Currently councillors get a four-day window to wrap up their affairs, and this will extend it to 30 days.
There is, however, one change that does affect councils in relation to the rights of data subjects: when the council receives a 'subject access request', you're going to be required to carry out a “reasonable and proportionate search”.
In this context, the terms reasonable and proportionate may be newly introduced, but their meaning is clear. If you have been following our guidance and have consolidated all council-held data within a single integrated system, such as Microsoft 365, or an equivalent platform that combines file storage, email, and collaboration tools - and you have adopted a policy confirming that all council data processing occurs exclusively within that system - then it would be considered reasonable and proportionate to limit your search to that environment. You can then use the built-in compliance and search tools provided within the system to meet your obligations effectively.
In other words, it would be a proportionate search because it takes seconds to do it and it is reasonable because you have defined where you keep all of your council's data.
If you needed a stronger reason to get your council’s data in order, this is it. Disparate systems and allowing councillors to handle council data in their personal email accounts aren’t just inefficient and inappropriate; they’re also a serious risk to compliance and trust.
The rest of the legislation brings into law what has long been carried out as best practice, which has evolved as data protection has been interpreted by the courts.
For example, there's a whole section about automated decision making. It allows councils to carry out more automated decision making than you have been able to do before, but you still need to inform people about what you are doing. You still need to give people the opportunity of reviewing the processing and you still have to comply with GDPR rights related to automated decision making.
There have been changes to how data is transferred outside the UK. Before, councils relied on whether the other country was considered “adequate” in data protection terms, meaning it had strong enough data protection laws. Now, instead of this general approach, there is a new set of rules (a schedule) that clearly sets out how data transfers must be handled. These rules are based on specific regulations rather than general judgments.
This means if you’re sending personal data to another country, such as using a cloud service hosted overseas, you now need to follow detailed steps set by UK law, rather than assuming it's okay just because the country is generally seen as safe.
Overall, there is no real change for councils that are already confident in their GDPR compliance and who have followed our regular advice over the years.