The Data (Use and Access) Act 2025: what it changes for AI and automated decisions

The Data (Use and Access) Act 2025 replaces Article 22 of the UK GDPR and changes the rules for solely automated decisions that have a legal or similarly significant effect on people. The headline shift is from a general prohibition with narrow exceptions to a more permissive framework that lets organisations make such decisions on a wider range of lawful bases, provided they apply specific safeguards, including the right to be informed, to make representations, to obtain human intervention, and to contest the decision. The provisions came fully into force on 5 February 2026, and for any organisation using AI such as Claude to support consequential decisions, the practical message is to keep meaningful human involvement in the loop by design. This briefing sets out what changed and what to do.

It is written for UK decision-makers responsible for processes where AI informs decisions about people. It focuses on UK law and is distinct from the EU AI Act transparency obligations we cover separately.

First, the name and the dates

There is genuine confusion about the year, so it is worth being precise. The Act is the Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025. Its data protection changes were commenced in stages, and the automated decision-making provisions came fully into force on 5 February 2026. The ICO has confirmed that, as of 19 June 2026, all the data protection provisions of the Act are in force. So the law is a 2025 Act whose automated decision-making rules became live in 2026.

There is also a separate, genuinely 2026 instrument worth knowing about. The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026 came into force on 12 May 2026 and require the Information Commissioner to prepare a statutory code of practice on processing personal data in relation to developing and using AI and to automated decision-making, including guidance on children's personal data. That code is being prepared and is the document to watch next.

What actually changed for automated decision-making

Section 80 of the Act removes the old Article 22 of the UK GDPR and replaces it with new Articles 22A to 22D. The structure is what matters.

The definitions are now explicit. A decision is "based solely on automated processing" if there is no meaningful human involvement in the taking of the decision. A decision is "significant" if it produces a legal effect for the person or has a similarly significant effect on them. When judging whether human involvement is meaningful, the law specifically requires consideration of the extent to which the decision is reached by means of profiling.

The substance of the change is the move from prohibition to a permissive framework with conditions. Under the old Article 22, solely automated significant decisions were generally prohibited unless a narrow exception applied. Under the new framework, as the ICO summarises it, organisations can rely on the full range of lawful bases for significant automated decisions, potentially including the legitimate interests basis, so long as they apply the required safeguards. That is a meaningful liberalisation for organisations wanting to automate, and it comes paired with mandatory safeguards rather than a free pass.

One important restriction remains. Where a significant decision is based, even partly, on special category data, such as health, the old, stricter position broadly continues: it cannot be taken solely by automated means unless the person has given explicit consent or the processing is necessary for a contract or authorised by law with an appropriate condition. Special category data is still treated as more sensitive.

The safeguards you have to keep

Where a significant decision is taken solely by automated means, the new Article 22C requires the controller to have safeguards in place. They must, as a minimum, provide the person with information about decisions taken about them, enable them to make representations about such decisions, enable them to obtain human intervention from the controller, and enable them to contest the decision. The Secretary of State can add to these safeguards by regulations, but cannot weaken the Article 22C core.

The pivot point in all of this is "meaningful human involvement". If a human is genuinely involved in a way that is meaningful, the decision is not "solely automated", and the Article 22C regime for solely automated decisions does not bite in the same way. If the human involvement is a rubber stamp, the decision is in substance automated and the safeguards apply. The law's explicit instruction to consider the role of profiling is a signal that token review will not be enough.

What this means for a Claude-assisted process

For organisations using Claude or any AI to support decisions about people, the design implication is clear and manageable. Where Claude informs a decision but a human genuinely weighs the output and makes the call, you have meaningful human involvement and the decision is not solely automated. The risk is letting a Claude-assisted step quietly become the decision, with a human nominally attached but not meaningfully involved.

The practical design follows from that. Keep a human meaningfully in the loop for any decision that has a legal or similarly significant effect on a person, and make sure that involvement is real: the reviewer can see the relevant information, has the authority and the time to disagree, and is not simply confirming the model. Where you intend to automate a significant decision fully, confirm you have a lawful basis and that special category data restrictions do not apply, and build in the Article 22C safeguards, the information, the route to representations, the human intervention on request, and the ability to contest. And complete a Data Protection Impact Assessment for this kind of processing, as the ICO expects.

The ICO guidance and the new code of practice

The ICO has been updating its guidance as the Act commenced, and has consulted on draft guidance on automated decision-making, including profiling; treat that guidance as the working reference and check its current status, as parts remain in draft. The forthcoming statutory code of practice on AI and automated decision-making, mandated by the 2026 regulations noted above, will be the most authoritative guidance once published, and is being prepared now. The sensible posture is to design to the Act and the current ICO guidance today, and to watch for the code so you can align to it when it lands.

What to do now

A short programme of work covers most organisations. Inventory the decisions in your business where AI is involved, and identify which are significant, meaning they have a legal or similarly significant effect on a person. For each significant one, decide whether it is solely automated or has meaningful human involvement, and be honest about whether that involvement is real. For solely automated significant decisions, confirm the lawful basis, check the special category data restrictions, and put the Article 22C safeguards in place. Complete a DPIA where this processing occurs. And assign someone to track the ICO's automated decision-making guidance and the forthcoming code of practice.

For help assessing where AI sits in your decision processes, see our AI readiness service. For deployments where sensitive personal data and tight control are involved, our private AI concierge service is built for that. And for ongoing senior ownership of AI governance, our fractional AI officer service provides it.

Sources

• Data (Use and Access) Act 2025, section 80 and new Articles 22A to 22D of the UK GDPR (legislation.gov.uk), accessed June 2026, including commencement of section 80 in full on 5 February 2026 via SI 2026/82.
• Information Commissioner's Office, "The Data Use and Access Act 2025 (DUAA) - what does it mean for organisations?", updated 19 June 2026 (all data protection provisions in force; automated decision-making opens the full range of lawful bases with safeguards; special category data more protected; draft ADM guidance consulted on).
• The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026 (SI 2026/425), made 16 April 2026, in force 12 May 2026, requiring the ICO to prepare an AI and automated decision-making code of practice.