Introduction: Reframing the Role of Public Sector Data
The governance of public sector data has long presented a regulatory dilemma: how to reconcile individual privacy with the broader societal value of data driven research and innovation. In the United Kingdom, this challenge was historically addressed through the General Data Protection Regulation1 (UK GDPR), the Data Protection Act, 20182 (DPA), and sector specific instruments such as the Digital Economy Act, 20173. While these frameworks offered strong individual safeguards, they often created operational barriers to data sharing, particularly for academic, healthcare, and policy related research.
To address this, the United Kingdom introduced the Data (Use and Access) Act, 20254 (DUAA). This legislation marks a paradigm shift in data governance. It seeks to enable secure and ethical access to public sector data for accredited researchers and institutions while maintaining high standards of accountability and privacy. The Act reflects a broader global trend towards data stewardship – an approach that goes beyond data protection in isolation to emphasise responsible and regulated data use for public interest objectives.
Key Features of the Data (Use and Access) Act, 2025
The DUAA creates a comprehensive legal framework that facilitates controlled access to sensitive datasets held by public sector bodies. Its most significant contribution is the formalisation of Trusted Research Environments (TREs), which are secure digital infrastructures where approved researchers can access data without extracting or replicating it.
The Act's salient features include:
(i) Accreditation Requirements: Only individuals and institutions meeting prescribed ethical and technical standards are permitted access to designated datasets.
(ii) Trusted Research Environments: TREs must meet legally mandated technical and governance standards to ensure secure handling of sensitive data.
(iii) Regulatory Oversight: A central regulatory authority is empowered to accredit researchers, monitor TREs, and ensure compliance with usage restrictions.
(iv) Focus on Public Interest: The Act shifts from a risk avoidance mindset to a public interest model, enabling data access for defined purposes such as scientific research, policy analysis, and innovation, while embedding accountability at every stage.
India's Data Governance Regime: Opportunities and Gaps
India's regulatory trajectory in data protection has been marked by the recent enactment of the Digital Personal Data Protection Act, 20235 (DPDPA). The DPDPA provides a consent centric framework governing the collection and processing of personal data by both public and private entities. However, it does not address the broader question of public sector data access for research or innovation.
To bridge this gap, the Government of India introduced the National Data Governance Framework Policy (NDGFP) in 20226. This policy builds on earlier initiatives such as the National Data Sharing and Accessibility Policy, 20127 and the Open Government Data Platform8. However, those earlier frameworks lacked standardisation and enforceability.
The NDGFP proposes the creation of an Indian Data Management Office (IDMO) to develop standards, oversee repositories, and facilitate access to anonymised non-personal data. It envisions tiered access levels, data anonymisation protocols, and support for research, particularly by Indian startups and academic institutions. Yet, it remains a policy document rather than a binding statute. There is currently no legal obligation for departments to share data through secure platforms, nor is there a national accreditation framework for researchers or data infrastructure comparable to the United Kingdom's TREs.
Comparative Assessment: United Kingdom and India
Key distinctions between the two jurisdictions include:
(i) Legal basis for research access: The DUAA provides a statutory framework with binding obligations, while India lacks direct legislative provisions to enable such access.
(ii) Data access infrastructure: The United Kingdom mandates Trusted Research Environments. In India, similar mechanisms are proposed under the NDGFP but have not yet been implemented.
(iii) Researcher accreditation: The DUAA requires centralised accreditation. India does not yet have a corresponding framework.
(iv) Consent mechanism: The DUAA permits limited exceptions for public interest use. Under the DPDPA, consent is mandatory unless data is anonymised.
(v) Regulatory oversight: The United Kingdom has a designated regulatory authority. India proposes the IDMO under the NDGFP, but it remains non-operational.
Implications and Lessons for India
The DUAA is poised to transform public interest research in the United Kingdom by providing secure access to data in fields such as healthcare, urban planning, and artificial intelligence. At the same time, it raises potential concerns about regulatory overreach, the adequacy of anonymisation, and the risks of mission creep—particularly in sensitive domains.
For India, the DUAA offers valuable policy and institutional lessons:
(i) Privacy safeguards must be embedded in infrastructure, not merely policy.
(ii) Accredited and standards-based research environments can ensure both utility and accountability.
(iii) Institutional trust frameworks involving academic institutions, independent regulators, and civil society are critical to maintaining transparency and preventing misuse.
International Compatibility and Cross-Border Data Flow
A significant consideration for the United Kingdom post-Brexit has been the need to maintain adequacy status under the GDPR, which is crucial for continued data exchange with the European Union (European Commission, 'Adequacy decision for the UK under the GDPR', 2021). The DUAA has been designed to align with GDPR principles, particularly in its safeguards for purpose limitation, access controls, and auditability within TREs.
For India, such considerations will become increasingly relevant as the country navigates cross-border data flows, digital trade agreements, and potential adequacy discussions with other jurisdictions. The development of accountable, rights-compatible frameworks like the DUAA may serve as a reference point for India's future efforts in this direction.
Conclusion: From Data Protection to Data Empowerment
The DUAA represents a significant evolution in data governance – moving from a restrictive approach to one that enables regulated, transparent, and purpose-bound data use. Its structured architecture, built around secure access and regulatory oversight, provides a strong model for balancing innovation with individual rights.
India stands at a similar inflection point. The DPDPA lays the groundwork for robust privacy protections, and the NDGFP signals a willingness to explore public sector data use. However, much remains to be done to create institutional mechanisms, statutory clarity, and federated structures that support ethical data access.
As democracies continue to grapple with the dual imperatives of protection and utility, the choices they make today will define the trust, transparency, and equity of tomorrow's digital societies.
Footnotes
4 Data (Use and Access) Act 2025
5 Digital Personal Data Protection Act 2022/23
6 meity.gov.in/content/draft-national-data-governance-framework-policy-0
7 National Data Sharing and Accessibility Policy | Department Of Science & Technology
8 Home | Open Government Data (OGD) Platform India
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.