The Data Protection Act 2018 (Qualifying Competent Authorities) Regulations 2025
Sections 89 and 90 of the Data (Use and Access) Act (c. 18) (“the DUAA”) amend the Data Protection Act 2018 (c. 12) (“the DPA”) to enable joint processing between qualifying competent authorities and intelligence services, under Part 4 of the DPA. This enables the controllers, previously unable to process jointly, to process personal data within a single, common regime. The controls and safeguards under Part 4 of the DPA will apply to all such joint processing. Section 89(2) of the DUAA amends section 82 of the DPA, widening the scope of Part 4 of the DPA. Previously, Part 4 of the DPA only applied to processing by or on behalf of the intelligence services. As amended, section 82 also applies Part 4 of the DPA to the processing of personal data by a qualifying competent authority where the processing is the subject of a designation notice. Section 89(2) of the DUAA inserts new subsection (2A) into section 82 of the DPA, which grants a power to the Secretary of State to make regulations to specify and describe which competent authorities (as defined in section 30 of the DPA) are “qualifying competent authorities”, and so able to apply for or be issued with a designation notice.
Lifecycle
Department
Made
27 Oct 2025
—
In force
17 Nov 2025
Enabling power
The Secretary of State makes these Regulations in exercise of the powers conferred by section 82(2A) of the Data Protection Act 2018. In accordance with section 182(2) of that Act, the Secretary of State has consulted the Commissionerand such other persons as the Secretary of State considers appropriate. In accordance with sections 82(4) and 182(7) of that Act, a draft of the Regulations has been laid before Parliament and approved by a resolution of each House of Parliament.
DocumentsOpen on legislation.gov.uk →