Data (Use and Access) Act 2025
Part 1 — Access to customer data and business data
Introductory
Customer data and business data
1
- (1) This Part confers powers on the Secretary of State and the Treasury to make provision in connection with access to customer data and business data.
- (2) In this Part—
- “business data”, in relation to a trader, means—
- (a) information about goods, services and digital content supplied or provided by the trader,
- (b) information relating to the supply or provision of goods, services and digital content by the trader (such as, for example, information about—
- (i) where goods, services or digital content are supplied or provided,
- (ii) prices or other terms on which they are supplied or provided,
- (iii) how they are used, or
- (iv) their performance or quality),
- (c) information relating to feedback about the goods, services or digital content (or their supply or provision), and
- (d) information relating to the provision of information described in paragraphs (a) to (c) to a person in accordance with data regulations;
- “customer data” means information relating to a customer of a trader, including—
- (a) information relating to goods, services and digital content supplied or provided by the trader to the customer or to another person at the customer’s request (such as, for example, information about—
- (i) prices or other terms on which goods, services or digital content are supplied or provided to the customer or the other person,
- (ii) how they are used by the customer or the other person, or
- (iii) their performance or quality when used by the customer or the other person), and
- (b) information relating to the provision of information described in paragraph (a), or of other information relating to a customer of a trader, to a person in accordance with data regulations;
- “data holder”, in relation to customer data or business data of a trader, means—
- (a) the trader, or
- (b) a person who, in the course of a business, processes the data;
- “data regulations” means regulations under section 2 or 4 (and see section 23);
- “trader” means a person who supplies or provides goods, services or digital content in the course of a business, whether acting personally or through another person acting in the trader’s name or on the trader’s behalf.
- (3) For the purposes of this Part, a person (“C”) is a customer of a trader (“T”) if C has at any time—
- (a) purchased goods, services or digital content supplied or provided by T (whether for use by C or another person),
- (b) been supplied or provided by T with goods, services or digital content purchased from T by another person, or
- (c) otherwise received goods, services or digital content free of charge from T.
- (4) In subsection (3), the references to purchase, supply, provision or receipt of goods, services or digital content at any time include purchase, supply, provision or receipt before this section comes into force.
- (5) In subsections (3) and (4), references to purchasing goods, services or digital content include entering into an agreement to do so.
- (6) In this Part—
- (a) a reference to providing customer data or business data to a person (however expressed) includes a reference to providing the person with access to such data or with the ability to provide other persons with access to such data, and
- (b) a reference to a person receiving customer data or business data (however expressed) includes a reference to a person obtaining access to such data or the ability to provide other persons with access to such data.
Data regulations
Power to make provision in connection with customer data
2
- (1) The Secretary of State or the Treasury may by regulations make provision requiring a data holder to provide customer data—
- (a) to the customer, at the customer’s request, or
- (b) to a person of a specified description who is authorised by the customer to receive the data (an “authorised person”), at the customer’s request or at the authorised person’s request.
- (2) In this Part, in relation to customer data, “third party recipient” means a person of a description specified by provision made under subsection (1)(b) (and see section 25(1)).
- (3) The Secretary of State or the Treasury may by regulations make provision enabling or requiring a data holder—
- (a) to produce, collect or retain, or arrange for the production, collection or retention of, customer data;
- (b) to make changes to customer data, including to require rectification of inaccurate customer data, at the request of a customer or authorised person.
- (4) The Secretary of State or the Treasury may by regulations make provision for a person who is an authorised person in relation to customer data to take, on the customer’s behalf, action that the customer could take in relation to goods, services or digital content supplied or provided by a person who is, or has been, a data holder in relation to the customer data.
- (5) In deciding whether to make regulations under this section, the Secretary of State or the Treasury must have regard to (among other things)—
- (a) the likely effects for existing and future customers,
- (b) the likely effects for data holders,
- (c) the likely effect on small businesses and micro businesses,
- (d) the likely effect on innovation in the supply or provision of goods, services and digital content affected by the regulations or other goods, services and digital content, and
- (e) the likely effect on competition in markets for goods, services and digital content affected by the regulations or other markets.
Customer data: supplementary
3
- (1) This section is about provision that regulations under section 2 may (among other things) contain.
- (2) The regulations may include—
- (a) provision about the procedure by which customers authorise persons to receive customer data or to do other things;
- (b) provision restricting the persons that may be authorised to persons that comply with specified conditions;
- (c) provision for a specified person to decide whether a person satisfies the conditions for authorisation (and see section 6 for further provision about decision-makers).
- (3) The regulations may make provision about requests relating to customer data, including provision about the circumstances in which a data holder may or must refuse to act on a request.
- (4) The regulations may make provision about the providing of customer data and the taking of action described in section 2(4), including—
- (a) provision requiring a data holder to provide customer data on one or more occasions, for a specified period or at specified intervals;
- (b) provision requiring a data holder, customer or third party recipient to use specified facilities or services, including dashboard services, other electronic communications services or application programming interfaces;
- (c) provision requiring a data holder or third party recipient to comply with specified standards, or participate in specified arrangements, relating to, or to the use of, such facilities or services;
- (d) provision requiring a data holder or third party recipient to provide, or arrange for, specified assistance in connection with the establishment, maintenance or management of such facilities or services;
- (e) provision about interface bodies (see section 7).
- (5) The regulations may include—
- (a) provision enabling or requiring a data holder to produce, collect or retain, or arrange for the production, collection or retention of, records of customer data provided in accordance with the regulations;
- (b) provision enabling or requiring a third party recipient to produce or retain, or arrange for the production or retention of, records of customer data received in accordance with the regulations.
- (6) The regulations may make provision requiring a person who, in the course of a business, processes customer data of a trader to assist, or take specified steps to assist, the trader in complying with regulations under this Part.
- (7) The regulations may make provision about the processing of customer data provided to a third party recipient in accordance with the regulations, including—
- (a) provision requiring a third party recipient to use specified facilities or services, including dashboard services, other electronic communications services or application programming interfaces;
- (b) provision requiring a third party recipient to comply with specified standards, or participate in specified arrangements, relating to, or to the use of, such facilities or services;
- (c) provision requiring a third party recipient to provide, or arrange for, specified assistance in connection with the establishment, maintenance or management of such facilities or services;
- (d) provision about interface bodies (see section 7);
- (e) provision about further disclosure of the data, including provision for a person to whom customer data is further disclosed to be subject to—
- (i) some or all of the obligations imposed on a third party recipient by the regulations in relation to the customer data;
- (ii) conditions imposed by the third party recipient.
- (8) The regulations may make provision enabling or requiring a data holder or a third party recipient to publish specified information relating to the rights and obligations of persons under the regulations, including—
- (a) information about the rights of customers in relation to customer data processed by the data holder or a third party recipient;
- (b) information about the activities carried out by the data holder or a third party recipient in performance of their obligations under the regulations.
- (9) The regulations may make provision about complaints, including provision requiring data holders or third party recipients to implement procedures for the handling of complaints.
- (10) The regulations may make provision about procedures for the resolution of disputes, including—
- (a) provision appointing, or providing for the appointment of, a person to determine disputes;
- (b) provision about the person’s powers when determining disputes;
- (c) provision about the effect of decisions relating to disputes;
- (d) provision about the review of decisions relating to disputes;
- (e) provision about appeals to a court or tribunal.
- (11) In subsections (4)(d) and (7)(c), references to assistance include actual or contingent financial assistance (such as, for example, a grant, loan, guarantee or indemnity or buying a company’s share capital).
Power to make provision in connection with business data
4
- (1) The Secretary of State or the Treasury may by regulations make provision requiring a data holder to publish business data or to provide business data—
- (a) to a customer of the trader to whom the business data relates, or
- (b) to another person of a specified description.
- (2) In this Part, in relation to business data, “third party recipient” means a person of a description specified by provision made under subsection (1)(b) (and see section 25(1)).
- (3) The Secretary of State or the Treasury may by regulations make provision enabling or requiring a data holder to produce, collect or retain, or arrange for the production, collection or retention of, business data.
- (4) The Secretary of State or the Treasury may by regulations—
- (a) make provision requiring a public authority that is a third party recipient in relation to business data (whether by virtue of those regulations or other data regulations), or a person appointed by such a public authority to do something with the business data, to publish business data or to provide business data—
- (i) to a customer of the trader to whom the business data relates, or
- (ii) to another person of a specified description,
- (b) make provision requiring a person who is a third party recipient in relation to business data (whether by virtue of those regulations or other data regulations), and who is appointed by a public authority to do something with the business data, to publish or provide business data as described in paragraph (a)(i) or (ii),
- (c) in relation to the public authority, or the appointed person referred to in paragraph (a) or (b), make any provision that could be made in relation to a data holder, in connection with business data, in reliance on subsection (3) or sections 5 to 21, other than provision imposing a levy on the public authority or person, and
- (d) in relation to a person to whom the public authority or appointed person is required to provide business data by virtue of provision made under paragraph (a) or (b), other than a customer described in paragraph (a)(i), make any provision that could be made in relation to a third party recipient in reliance on sections 5 to 21.
- (5) In deciding whether to make regulations under this section, the Secretary of State or the Treasury must have regard to (among other things)—
- (a) the likely effects for existing and future customers,
- (b) the likely effects for data holders,
- (c) the likely effect on small businesses and micro businesses,
- (d) the likely effect on innovation in the supply or provision of goods, services and digital content affected by the regulations or other goods, services and digital content, and
- (e) the likely effect on competition in markets for goods, services and digital content affected by the regulations or other markets.
Business data: supplementary
5
- (1) This section is about provision that regulations under section 4 may (among other things) contain.
- (2) The regulations may require business data to be provided on request and make provision about requests, including—
- (a) provision for requests to be made by a customer, a third party recipient or another person;
- (b) provision about the circumstances in which a data holder may or must refuse to act on a request.
- (3) The regulations may make provision requiring business data to be provided to customers, or third party recipients, who are approved to receive it, including—
- (a) provision restricting the persons that may be approved to persons that comply with specified conditions;
- (b) provision for a specified person to decide whether a person satisfies the conditions for approval (and see section 6 for further provision about decision-makers).
- (4) The regulations may make provision about the providing or publishing of business data, including—
- (a) provision requiring a data holder to provide or publish business data on one or more occasions, for a specified period or at specified intervals;
- (b) provision requiring a data holder, customer or third party recipient to use specified facilities or services, including dashboard services, other electronic communications services or application programming interfaces;
- (c) provision requiring a data holder or third party recipient to comply with specified standards, or participate in specified arrangements, relating to, or to the use of, such facilities or services;
- (d) provision requiring a data holder or third party recipient to provide, or arrange for, specified assistance in connection with the establishment, maintenance or management of such facilities or services;
- (e) provision about interface bodies (see section 7).
- (5) The regulations may include—
- (a) provision enabling or requiring a data holder to produce, collect or retain, or arrange for the production, collection or retention of, records of business data provided in accordance with the regulations;
- (b) provision enabling or requiring a third party recipient to produce or retain, or arrange for the production or retention of, records of business data received in accordance with the regulations.
- (6) The regulations may make provision requiring a person who, in the course of a business, processes business data of a trader to assist, or take specified steps to assist, the trader in complying with regulations under this Part.
- (7) The regulations may make provision about the processing of business data provided to a third party recipient in accordance with the regulations, including—
- (a) provision requiring a third party recipient to use specified facilities or services, including dashboard services, other electronic communications services or application programming interfaces;
- (b) provision requiring a third party recipient to comply with specified standards, or participate in specified arrangements, relating to, or to the use of, such facilities or services;
- (c) provision requiring a third party recipient to provide, or arrange for, specified assistance in connection with the establishment, maintenance or management of such facilities or services;
- (d) provision about interface bodies (see section 7);
- (e) provision about further disclosure of the data, including provision for a person to whom business data is further disclosed to be subject to some or all of the obligations imposed on customers or third party recipients by the regulations in relation to the business data.
- (8) The regulations may make provision enabling or requiring a data holder or a third party recipient to publish specified information relating to the rights and obligations of persons under the regulations, including information about the activities carried out by the data holder or third party recipient in performance of their obligations under the regulations.
- (9) The regulations may make provision about complaints, including provision requiring data holders or third party recipients to implement procedures for the handling of complaints.
- (10) The regulations may make provision about procedures for the resolution of disputes, including—
- (a) provision appointing, or providing for the appointment of, a person to determine disputes;
- (b) provision about the person’s powers when determining disputes;
- (c) provision about the effect of decisions relating to disputes;
- (d) provision about the review of decisions relating to disputes;
Reading this document does not replace reading the official text published on legislation.gov.uk. Contains public sector information licensed under the Open Government Licence v3.0. We assume no responsibility for any inaccuracies arising from the conversion of the original CLML XML to this format.