法律人 LawPlayer logo

資料由法律人 LawPlayer整理提供·UK legislation / curated by LawPlayer from legislation.gov.uk

Act of Parliament

Data (Use and Access) Act 2025

Citation
2025 c. 18
As at
Sections
360
Section 1Customer data and business data

(1) This Part confers powers on the Secretary of State and the Treasury to make provision in connection with access to customer data and business data.

(2) In this Part—

“ business data ”, in relation to a trader, means—

information about goods, services and digital content supplied or provided by the trader,

information relating to the supply or provision of goods, services and digital content by the trader (such as, for example, information about—

where goods, services or digital content are supplied or provided,

prices or other terms on which they are supplied or provided,

how they are used, or

their performance or quality),

information relating to feedback about the goods, services or digital content (or their supply or provision), and

information relating to the provision of information described in paragraphs (a) to (c) to a person in accordance with data regulations;

“ customer data ” means information relating to a customer of a trader, including—

information relating to goods, services and digital content supplied or provided by the trader to the customer or to another person at the customer’s request (such as, for example, information about—

prices or other terms on which goods, services or digital content are supplied or provided to the customer or the other person,

how they are used by the customer or the other person, or

their performance or quality when used by the customer or the other person), and

information relating to the provision of information described in paragraph (a), or of other information relating to a customer of a trader, to a person in accordance with data regulations;

“ data holder ”, in relation to customer data or business data of a trader, means—

the trader, or

a person who, in the course of a business, processes the data;

“ data regulations ” means regulations under section 2 or 4 (and see section 23);

“ trader ” means a person who supplies or provides goods, services or digital content in the course of a business, whether acting personally or through another person acting in the trader’s name or on the trader’s behalf.

(3) For the purposes of this Part, a person (“ C ”) is a customer of a trader (“ T ”) if C has at any time—

(a) purchased goods, services or digital content supplied or provided by T (whether for use by C or another person),

(b) been supplied or provided by T with goods, services or digital content purchased from T by another person, or

(c) otherwise received goods, services or digital content free of charge from T.

(4) In subsection (3), the references to purchase, supply, provision or receipt of goods, services or digital content at any time include purchase, supply, provision or receipt before this section comes into force.

(5) In subsections (3) and (4), references to purchasing goods, services or digital content include entering into an agreement to do so.

(6) In this Part—

(a) a reference to providing customer data or business data to a person (however expressed) includes a reference to providing the person with access to such data or with the ability to provide other persons with access to such data, and

(b) a reference to a person receiving customer data or business data (however expressed) includes a reference to a person obtaining access to such data or the ability to provide other persons with access to such data.

Section 2Power to make provision in connection with customer data

(1) The Secretary of State or the Treasury may by regulations make provision requiring a data holder to provide customer data—

(a) to the customer, at the customer’s request, or

(b) to a person of a specified description who is authorised by the customer to receive the data (an “authorised person”), at the customer’s request or at the authorised person’s request.

(2) In this Part, in relation to customer data, “ third party recipient ” means a person of a description specified by provision made under subsection (1)(b) (and see section 25(1)).

(3) The Secretary of State or the Treasury may by regulations make provision enabling or requiring a data holder—

(a) to produce, collect or retain, or arrange for the production, collection or retention of, customer data;

(b) to make changes to customer data, including to require rectification of inaccurate customer data, at the request of a customer or authorised person.

(4) The Secretary of State or the Treasury may by regulations make provision for a person who is an authorised person in relation to customer data to take, on the customer’s behalf, action that the customer could take in relation to goods, services or digital content supplied or provided by a person who is, or has been, a data holder in relation to the customer data.

(5) In deciding whether to make regulations under this section, the Secretary of State or the Treasury must have regard to (among other things)—

(a) the likely effects for existing and future customers,

(b) the likely effects for data holders,

(c) the likely effect on small businesses and micro businesses,

(d) the likely effect on innovation in the supply or provision of goods, services and digital content affected by the regulations or other goods, services and digital content, and

(e) the likely effect on competition in markets for goods, services and digital content affected by the regulations or other markets.

Section 3Customer data: supplementary

(1) This section is about provision that regulations under section 2 may (among other things) contain.

(2) The regulations may include—

(a) provision about the procedure by which customers authorise persons to receive customer data or to do other things;

(b) provision restricting the persons that may be authorised to persons that comply with specified conditions;

(c) provision for a specified person to decide whether a person satisfies the conditions for authorisation (and see section 6 for further provision about decision-makers).

(3) The regulations may make provision about requests relating to customer data, including provision about the circumstances in which a data holder may or must refuse to act on a request.

(4) The regulations may make provision about the providing of customer data and the taking of action described in section 2(4), including—

(a) provision requiring a data holder to provide customer data on one or more occasions, for a specified period or at specified intervals;

(b) provision requiring a data holder, customer or third party recipient to use specified facilities or services, including dashboard services, other electronic communications services or application programming interfaces;

(c) provision requiring a data holder or third party recipient to comply with specified standards, or participate in specified arrangements, relating to, or to the use of, such facilities or services;

(d) provision requiring a data holder or third party recipient to provide, or arrange for, specified assistance in connection with the establishment, maintenance or management of such facilities or services;

(e) provision about interface bodies (see section 7).

(5) The regulations may include—

(a) provision enabling or requiring a data holder to produce, collect or retain, or arrange for the production, collection or retention of, records of customer data provided in accordance with the regulations;

(b) provision enabling or requiring a third party recipient to produce or retain, or arrange for the production or retention of, records of customer data received in accordance with the regulations.

(6) The regulations may make provision requiring a person who, in the course of a business, processes customer data of a trader to assist, or take specified steps to assist, the trader in complying with regulations under this Part.

(7) The regulations may make provision about the processing of customer data provided to a third party recipient in accordance with the regulations, including—

(a) provision requiring a third party recipient to use specified facilities or services, including dashboard services, other electronic communications services or application programming interfaces;

(b) provision requiring a third party recipient to comply with specified standards, or participate in specified arrangements, relating to, or to the use of, such facilities or services;

(c) provision requiring a third party recipient to provide, or arrange for, specified assistance in connection with the establishment, maintenance or management of such facilities or services;

(d) provision about interface bodies (see section 7);

(e) provision about further disclosure of the data, including provision for a person to whom customer data is further disclosed to be subject to—

(i) some or all of the obligations imposed on a third party recipient by the regulations in relation to the customer data;

(ii) conditions imposed by the third party recipient.

(8) The regulations may make provision enabling or requiring a data holder or a third party recipient to publish specified information relating to the rights and obligations of persons under the regulations, including—

(a) information about the rights of customers in relation to customer data processed by the data holder or a third party recipient;

(b) information about the activities carried out by the data holder or a third party recipient in performance of their obligations under the regulations.

(9) The regulations may make provision about complaints, including provision requiring data holders or third party recipients to implement procedures for the handling of complaints.

(10) The regulations may make provision about procedures for the resolution of disputes, including—

(a) provision appointing, or providing for the appointment of, a person to determine disputes;

(b) provision about the person’s powers when determining disputes;

(c) provision about the effect of decisions relating to disputes;

(d) provision about the review of decisions relating to disputes;

(e) provision about appeals to a court or tribunal.

(11) In subsections (4)(d) and (7)(c), references to assistance include actual or contingent financial assistance (such as, for example, a grant, loan, guarantee or indemnity or buying a company’s share capital).

Section 4Power to make provision in connection with business data

(1) The Secretary of State or the Treasury may by regulations make provision requiring a data holder to publish business data or to provide business data—

(a) to a customer of the trader to whom the business data relates, or

(b) to another person of a specified description.

(2) In this Part, in relation to business data, “ third party recipient ” means a person of a description specified by provision made under subsection (1)(b) (and see section 25(1)).

(3) The Secretary of State or the Treasury may by regulations make provision enabling or requiring a data holder to produce, collect or retain, or arrange for the production, collection or retention of, business data.

(4) The Secretary of State or the Treasury may by regulations—

(a) make provision requiring a public authority that is a third party recipient in relation to business data (whether by virtue of those regulations or other data regulations), or a person appointed by such a public authority to do something with the business data, to publish business data or to provide business data—

(i) to a customer of the trader to whom the business data relates, or

(ii) to another person of a specified description,

(b) make provision requiring a person who is a third party recipient in relation to business data (whether by virtue of those regulations or other data regulations), and who is appointed by a public authority to do something with the business data, to publish or provide business data as described in paragraph (a)(i) or (ii),

(c) in relation to the public authority, or the appointed person referred to in paragraph (a) or (b), make any provision that could be made in relation to a data holder, in connection with business data, in reliance on subsection (3) or sections 5 to 21, other than provision imposing a levy on the public authority or person, and

(d) in relation to a person to whom the public authority or appointed person is required to provide business data by virtue of provision made under paragraph (a) or (b), other than a customer described in paragraph (a)(i), make any provision that could be made in relation to a third party recipient in reliance on sections 5 to 21.

(5) In deciding whether to make regulations under this section, the Secretary of State or the Treasury must have regard to (among other things)—

(a) the likely effects for existing and future customers,

(b) the likely effects for data holders,

(c) the likely effect on small businesses and micro businesses,

(d) the likely effect on innovation in the supply or provision of goods, services and digital content affected by the regulations or other goods, services and digital content, and

(e) the likely effect on competition in markets for goods, services and digital content affected by the regulations or other markets.

Section 5Business data: supplementary

(1) This section is about provision that regulations under section 4 may (among other things) contain.

(2) The regulations may require business data to be provided on request and make provision about requests, including—

(a) provision for requests to be made by a customer, a third party recipient or another person;

(b) provision about the circumstances in which a data holder may or must refuse to act on a request.

(3) The regulations may make provision requiring business data to be provided to customers, or third party recipients, who are approved to receive it, including—

(a) provision restricting the persons that may be approved to persons that comply with specified conditions;

(b) provision for a specified person to decide whether a person satisfies the conditions for approval (and see section 6 for further provision about decision-makers).

(4) The regulations may make provision about the providing or publishing of business data, including—

(a) provision requiring a data holder to provide or publish business data on one or more occasions, for a specified period or at specified intervals;

(b) provision requiring a data holder, customer or third party recipient to use specified facilities or services, including dashboard services, other electronic communications services or application programming interfaces;

(c) provision requiring a data holder or third party recipient to comply with specified standards, or participate in specified arrangements, relating to, or to the use of, such facilities or services;

(d) provision requiring a data holder or third party recipient to provide, or arrange for, specified assistance in connection with the establishment, maintenance or management of such facilities or services;

(e) provision about interface bodies (see section 7).

(5) The regulations may include—

(a) provision enabling or requiring a data holder to produce, collect or retain, or arrange for the production, collection or retention of, records of business data provided in accordance with the regulations;

(b) provision enabling or requiring a third party recipient to produce or retain, or arrange for the production or retention of, records of business data received in accordance with the regulations.

(6) The regulations may make provision requiring a person who, in the course of a business, processes business data of a trader to assist, or take specified steps to assist, the trader in complying with regulations under this Part.

(7) The regulations may make provision about the processing of business data provided to a third party recipient in accordance with the regulations, including—

(a) provision requiring a third party recipient to use specified facilities or services, including dashboard services, other electronic communications services or application programming interfaces;

(b) provision requiring a third party recipient to comply with specified standards, or participate in specified arrangements, relating to, or to the use of, such facilities or services;

(c) provision requiring a third party recipient to provide, or arrange for, specified assistance in connection with the establishment, maintenance or management of such facilities or services;

(d) provision about interface bodies (see section 7);

(e) provision about further disclosure of the data, including provision for a person to whom business data is further disclosed to be subject to some or all of the obligations imposed on customers or third party recipients by the regulations in relation to the business data.

(8) The regulations may make provision enabling or requiring a data holder or a third party recipient to publish specified information relating to the rights and obligations of persons under the regulations, including information about the activities carried out by the data holder or third party recipient in performance of their obligations under the regulations.

(9) The regulations may make provision about complaints, including provision requiring data holders or third party recipients to implement procedures for the handling of complaints.

(10) The regulations may make provision about procedures for the resolution of disputes, including—

(a) provision appointing, or providing for the appointment of, a person to determine disputes;

(b) provision about the person’s powers when determining disputes;

(c) provision about the effect of decisions relating to disputes;

(d) provision about the review of decisions relating to disputes;

(e) provision about appeals to a court or tribunal.

(11) In subsections (4)(d) and (7)(c), references to assistance include actual or contingent financial assistance (such as, for example, a grant, loan, guarantee or indemnity or buying a company’s share capital).

Section 6Decision-makers

(1) This section is about the provision about decision-makers that regulations under section 2 or 4 may or must (among other things) contain.

(2) In this Part, “ decision-maker ” means a person who is authorised or required to take a decision described in section 3(2)(c) (authorisation) or 5(3)(b) (approval).

(3) The regulations may make provision about the appointment of a decision-maker.

(4) The regulations may make provision enabling or requiring a decision-maker to suspend or revoke a decision.

(5) The regulations may confer powers on a decision-maker for the purpose of monitoring compliance with conditions for authorisation or approval (“monitoring powers”) (and see section 8 for provision about enforcement of requirements imposed in exercise of those powers).

(6) The monitoring powers that may be conferred on a decision-maker include powers to require the provision of documents or information (but such powers are subject to the restrictions in section 9 as well as any restrictions included in the regulations).

(7) The regulations must make provision about the rights of persons affected by the exercise of a decision-maker’s functions under the regulations and such provision may include (among other things)—

(a) provision about the review of decision-makers’ decisions;

(b) provision about appeals to a court or tribunal.

(8) The regulations may make provision about complaints, including provision requiring a decision-maker to implement procedures for the handling of complaints.

(9) The regulations may make provision enabling or requiring a decision-maker to publish, or provide to a specified person, specified documents or information relating to the exercise of the decision-maker’s functions.

(10) The regulations may make provision for a decision-maker to arrange for its monitoring powers to be exercised by another person.

(11) The regulations may—

(a) provide for functions under the regulations to be exercisable by more than one decision-maker (whether jointly or concurrently);

(b) where functions of decision-makers are exercisable concurrently—

(i) provide for one of the decision-makers to be the lead decision-maker;

(ii) require the other decision-makers to consult the lead decision-maker before exercising the functions in a particular case;

(iii) provide for the lead decision-maker to give directions as to which decision-maker is to exercise a function in a particular case.

(12) The regulations may make provision enabling or requiring a decision-maker—

(a) to produce guidance about how it proposes to exercise its functions under the regulations (including provision enabling or requiring decision-makers with functions exercisable jointly or concurrently to produce joint guidance),

(b) to publish the guidance, and

(c) to provide copies to specified persons.

Section 7Interface bodies

(1) This section is about the provision that regulations under section 2 or 4 may (among other things) contain about bodies with one or more of the following tasks—

(a) establishing a facility or service used, or capable of being used, for providing, publishing or otherwise processing customer data or business data or for taking action described in section 2(4) (referred to in this Part as an “ interface ”);

(b) setting standards, or making other arrangements, relating to, or to the use of, an interface (referred to in this Part as “ interface standards ” and “interface arrangements”);

(c) maintaining or managing an interface, interface standards or interface arrangements.

(2) Such bodies are referred to in this Part as “ interface bodies ”.

(3) The regulations may—

(a) require a data holder or a third party recipient to set up an interface body;

(b) make provision about the type of body to be set up.

(4) In relation to an interface body (whether or not it is required to be set up by regulations under section 2 or 4), the regulations may—

(a) make provision about the body’s composition and governance;

(b) make provision requiring a data holder or a third party recipient to provide, or arrange for, assistance for the body;

(c) impose other requirements relating to the body on a person who is required to set it up or to provide, or arrange for, assistance for the body;

(d) make provision requiring the body to carry on all or part of a task described in subsection (1);

(e) make provision requiring the body to do other things in connection with its interface, interface standards or interface arrangements;

(f) make provision about how the body carries out its functions (such as, for example, provision about the body’s objectives or matters to be taken into account by the body);

(g) confer powers on the body for the purpose of monitoring use of its interface, interface standards or interface arrangements (“monitoring powers”) (and see section 8 for provision about enforcement of requirements imposed in exercise of those powers);

(h) make provision for the body to arrange for its monitoring powers to be exercised by another person;

(i) make provision about the rights of persons affected by the exercise of the body’s functions under the regulations, including (among other things)—

(i) provision about the review of decisions made in exercise of those functions;

(ii) provision about appeals to a court or tribunal;

(j) make provision about complaints, including provision requiring the body to implement procedures for the handling of complaints;

(k) make provision enabling or requiring the body to publish, or provide to a specified person, specified documents or information relating to its interface, interface standards or interface arrangements;

(l) make provision enabling or requiring the body to produce guidance about how it proposes to exercise its functions under the regulations, to publish the guidance and to provide copies to specified persons.

(5) The monitoring powers that may be conferred on an interface body include power to require the provision of documents or information (but such powers are subject to the restrictions in section 9 as well as any restrictions included in the regulations).

(6) Examples of facilities or services referred to in subsection (1) include dashboard services, other electronic communications services and application programming interfaces.

(7) In subsection (4)(b) and (c), the references to assistance include actual or contingent financial assistance (such as, for example, a grant, loan, guarantee or indemnity or buying a company’s share capital).

Section 8Enforcement of regulations under this Part

(1) The Secretary of State or the Treasury may by regulations make provision—

(a) for the purpose of monitoring compliance with regulations under this Part or requirements imposed in exercise of a power conferred by such regulations, and

(b) for the enforcement of such regulations or requirements,

including provision for monitoring or enforcement by a specified public authority.

(2) In this Part, “ enforcer ” means a public authority that is authorised or required to carry out monitoring or enforcement described in subsection (1).

(3) The following subsections make provision about what regulations under subsection (1) may or must (among other things) contain (and see sections 9 and 10).

(4) The regulations may confer powers of investigation on an enforcer, including—

(a) powers to require the provision of documents or information,

(b) powers to require an individual to attend at a place and answer questions, and

(c) powers of entry, inspection, search and seizure,

but such powers are subject to the restrictions in section 9 (as well as any restrictions included in the regulations).

(5) The regulations may—

(a) make provision enabling an enforcer to issue a notice (“ a compliance notice ”) requiring compliance with—

(i) regulations under this Part;

(ii) a condition for authorisation or approval (referred to in sections 3(2) and 5(3));

(iii) any other requirement imposed in exercise of a power conferred by regulations under this Part;

(b) make provision for the enforcement of compliance notices, including provision for their enforcement as if they were orders of a court or tribunal;

(c) make provision enabling an enforcer to publish a statement to the effect that the enforcer considers that a person is not complying with—

(i) a requirement imposed by regulations under this Part,

(ii) a requirement imposed by a compliance notice, or

(iii) any other requirement imposed in exercise of a power conferred by regulations under this Part.

(6) The regulations may make provision creating offences punishable with an unlimited fine, or a fine not exceeding a specified amount, in respect of—

(a) the provision of false or misleading information in response to a request made in accordance with regulations under this Part;

(b) an act or omission (including falsification) which prevents an enforcer, an interface body or a decision-maker from accessing information, documents, equipment or other material.

(7) The regulations may make provision enabling a financial penalty to be imposed by an enforcer in respect of—

(a) the provision of false or misleading information in response to a request made in accordance with regulations under this Part;

(b) a failure to comply with a requirement imposed by regulations under this Part;

(c) a failure to comply with a requirement imposed by a compliance notice;

(d) a failure to comply with any other requirement imposed in exercise of a power conferred by regulations under this Part;

and see section 10 for further provision about financial penalties.

(8) The regulations may make provision about the rights of persons affected by the exercise of an enforcer’s functions under the regulations, including—

(a) provision about the review of a decision made in exercise of those functions;

(b) provision about appeals to a court or tribunal.

(9) The regulations may make provision about complaints, including provision requiring an enforcer to implement procedures for the handling of complaints.

(10) The regulations may make provision enabling or requiring an enforcer to publish, or to provide to a specified person, specified documents or information relating to monitoring or enforcement described in subsection (1), including—

(a) documents or information relating to the exercise of the enforcer’s functions, and

(b) documents or information relating to convictions for offences.

(11) The regulations may make provision for an enforcer to arrange for its powers of investigation under the regulations to be exercised by another person.

(12) The regulations may—

(a) provide for functions under the regulations to be exercisable by more than one enforcer (whether jointly or concurrently);

(b) where functions of enforcers are exercisable concurrently—

(i) provide for one of the enforcers to be the lead enforcer;

(ii) require the other enforcers to consult the lead enforcer before exercising the functions in a particular case;

(iii) provide for the lead enforcer to give directions as to which enforcer is to exercise a function in a particular case.

(13) The regulations may make provision enabling or requiring an enforcer—

(a) to produce guidance about how it proposes to exercise its functions under the regulations (including provision enabling or requiring enforcers with functions exercisable jointly or concurrently to produce joint guidance),

(b) to publish the guidance, and

(c) to provide copies to specified persons.

Section 9Restrictions on powers of investigation etc

(1) Regulations under this Part may not—

(a) authorise entry to a private dwelling without a warrant issued by a justice, or

(b) require a person to provide information within subsections (2) to (7) to a decision-maker, an interface body or an enforcer.

(2) Information is within this subsection if requiring a person to provide the information would involve an infringement of the privileges of either House of Parliament.

(3) Information is within this subsection if it is information in respect of a communication which is made—

(a) between a professional legal adviser and the adviser’s client, and

(b) in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights imposed or conferred by or under regulations made under this Part.

(4) Information is within this subsection if it is information in respect of a communication which is made—

(a) between a professional legal adviser and the adviser’s client or between such an adviser or client and another person,

(b) in connection with, or in contemplation of, proceedings under or arising out of regulations made under this Part (including proceedings arising out of the exercise of powers conferred by such regulations), and

(c) for the purposes of such proceedings.

(5) In subsections (3) and (4), references to the client of a professional legal adviser include references to a person acting on behalf of the client.

(6) Information is within this subsection if requiring a person to provide the information would, by revealing evidence of the commission of an offence, expose the person to proceedings for that offence.

(7) The reference to an offence in subsection (6) does not include an offence under—

(a) regulations made under this Part;

(b) section 5 of the Perjury Act 1911 (false statements made otherwise than on oath);

(c) section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath);

(d) Article 10 of the Perjury (Northern Ireland) Order 1979 ( S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).

(8) An oral or written statement provided by a person in response to a request for information made by a decision-maker, an interface body or an enforcer in accordance with regulations under this Part may not be used in evidence against that person on a prosecution for an offence (other than an offence under regulations made under this Part) unless in the proceedings—

(a) in giving evidence the person provides information inconsistent with the statement, and

(b) evidence relating to the statement is adduced, or a question relating to it is asked, by that person or on that person’s behalf.

(9) In this section, “ justice ” means—

(a) in England and Wales, a justice of the peace,

(b) in Scotland, a sheriff or summary sheriff, and

(c) in Northern Ireland, a lay magistrate.

Section 10Financial penalties

(1) This section is about provision that regulations under this Part conferring power on an enforcer to impose a financial penalty may or must (among other things) contain.

(2) The regulations must provide for the amount of a financial penalty to be—

(a) a specified amount or an amount determined in accordance with the regulations, or

(b) an amount not exceeding such an amount,

unless section 16 confers power to provide otherwise.

(3) The regulations must include provision—

(a) requiring an enforcer to produce guidance about how the enforcer proposes to exercise any discretion to determine the amount of a financial penalty and to have regard to such guidance in exercising its discretion;

(b) requiring an enforcer to publish the guidance;

(c) requiring an enforcer, before imposing a financial penalty on a person, to give the person written notice (a “notice of intent”) of the proposed financial penalty;

(d) ensuring that the person is given an opportunity to make representations about the proposed financial penalty;

(e) requiring the enforcer, after the period for making representations, to decide whether to impose the financial penalty;

(f) requiring the enforcer, if they decide to impose the financial penalty, to give the person notice in writing (a “final notice”) imposing the penalty;

(g) enabling a person on whom a financial penalty is imposed to appeal to a court or tribunal in accordance with the regulations;

(h) as to the powers of the court or tribunal on such an appeal.

(4) The regulations may include provision—

(a) requiring or enabling an enforcer to provide copies of guidance described in subsection (3)(a) to specified persons;

(b) enabling a notice of intent or final notice to be withdrawn or amended;

(c) requiring an enforcer to withdraw a final notice in specified circumstances;

(d) for a financial penalty to be increased in the event of late payment by—

(i) a specified amount or an amount determined in accordance with the regulations, or

(ii) an amount not exceeding such an amount;

(e) as to how financial penalties are recoverable;

(f) about what must or may be done with amounts paid as penalties.

Section 11Fees

(1) The Secretary of State or the Treasury may by regulations—

(a) make provision enabling a person listed in subsection (2), or a person acting on their behalf, to require other persons to pay fees in connection with activities described in subsection (3), and

(b) make provision about what must or may be done with amounts paid as fees.

(2) Those persons are—

(a) data holders;

(b) decision-makers;

(c) interface bodies;

(d) enforcers;

(e) other persons on whom duties are imposed, or powers are conferred, by or under regulations made under this Part.

(3) Those activities are performing duties, or exercising powers, imposed or conferred on the person listed in subsection (2) by or under regulations made under this Part.

(4) Regulations under subsection (1)—

(a) may only provide for a fee to be payable by persons that appear to the Secretary of State or the Treasury to be capable of being directly affected by the performance of duties, or the exercise of powers, imposed or conferred by or under regulations made under this Part;

(b) may provide for the amount of a fee to be an amount which is intended to exceed the cost of the things in connection with which the fee is charged (and for the total amount of fees payable in connection with things to exceed the total cost).

(5) Regulations under subsection (1) must provide for the amount of a fee to be—

(a) a specified amount or an amount determined in accordance with the regulations, or

(b) an amount not exceeding such an amount,

unless section 15 confers power to provide otherwise.

(6) Regulations under subsection (1) may provide for the amount, or maximum amount, of a fee to increase at specified times and by—

(a) a specified amount or an amount determined in accordance with the regulations, or

(b) an amount not exceeding such an amount.

(7) Regulations under subsection (1) enabling a person to determine the amount of a fee must require the person to publish information about the amount and how it is determined.

(8) Regulations under subsection (1) may (among other things) make provision about—

(a) interest on any unpaid amounts;

(b) the recovery of unpaid amounts.

(9) The Secretary of State or the Treasury may by regulations make provision about whether a person listed in subsection (2), or a person acting on their behalf, who could require payment in connection with an activity described in subsection (3) otherwise than in reliance on regulations under subsection (1) may do so.

(10) Where duties or powers are imposed or conferred—

(a) on a person in their capacity as a third party recipient by or under regulations made under this Part, other than regulations made in reliance on section 4(4)(a), (b) or (c), or

(b) on a person in their capacity as a person described in section 4(4)(d) by or under regulations made under this Part,

nothing in this section, or in regulations under subsection (1) or (9), prevents the person, or a person acting on their behalf, from requiring payment in connection with the performance or exercise of those duties or powers, or restricts their ability to do so, where the person could do so otherwise than in reliance on regulations under subsection (1).

(11) Examples of requiring payment otherwise than in reliance on regulations under subsection (1) include doing so in reliance on other legislation or a contract or other arrangement (whenever entered into).

Section 12Levy

(1) The Secretary of State or the Treasury may by regulations—

(a) impose, or provide for a specified public authority to impose, a levy on data holders or third party recipients for the purpose of meeting expenses described in subsection (2), and

(b) make provision about what must or may be done with funds raised by means of the levy.

(2) Those expenses are expenses incurred, or to be incurred, during a period by a person listed in subsection (3), or a person acting on their behalf, in performing duties, or exercising powers, imposed or conferred on the person listed in subsection (3) by or under regulations made under this Part.

(3) Those persons are—

(a) decision-makers;

(b) interface bodies;

(c) enforcers;

(d) public authorities subject to requirements imposed by regulations made in reliance on section 4(4).

(4) Regulations under subsection (1) may only provide for a levy in respect of expenses of a person to be imposed on data holders or third party recipients that appear to the Secretary of State or the Treasury to be capable of being directly affected by the exercise of some or all of the functions conferred on the person by or under regulations made under this Part.

(5) Regulations under subsection (1) providing for a specified public authority to impose a levy must—

(a) make provision about how the rate of the levy is to be determined;

(b) make provision about how the period in respect of which the levy is payable is to be determined;

(c) require the public authority to publish information about the rate, the period and how they are determined.

(6) Regulations under subsection (1) may (among other things) make provision about—

(a) interest on any unpaid amounts payable by way of a levy;

(b) the recovery of such unpaid amounts.

Section 13Financial assistance

(1) The Secretary of State or the Treasury may give financial assistance to a person for the purpose of—

(a) meeting expenses incurred, or to be incurred, by the person in performing duties, or exercising powers, imposed or conferred by or under regulations made under this Part, or

(b) exercising other functions in connection with such regulations.

(2) But subsection (1) does not enable financial assistance to be provided to a person listed in subsection (3) or to a person acting on their behalf.

(3) Those persons are—

(a) data holders,

(b) customers, or

(c) third party recipients, other than a third party recipient that is a public authority subject to requirements imposed by regulations made in reliance on section 4(4).

(4) The financial assistance may be given on such terms and conditions as the Secretary of State or the Treasury considers appropriate.

(5) In this section, “ financial assistance ” means any kind of financial assistance whether actual or contingent, including a grant, loan, guarantee or indemnity, but does not include buying a company’s share capital.

Section 14The FCA and financial services interfaces

(1) The Treasury may by regulations make provision enabling or requiring the Financial Conduct Authority (referred to in this Part as “ the FCA ”) to make rules—

(a) requiring financial services providers described in the regulations to use a prescribed interface, comply with prescribed interface standards or participate in prescribed interface arrangements, when providing or receiving customer data or business data which is required to be provided by or to the financial services provider by data regulations;

(b) requiring persons described in the regulations to use a prescribed interface, comply with prescribed interface standards or participate in prescribed interface arrangements, when the person, in the course of a business, receives, from a financial services provider, customer data or business data which is required to be provided to the person by data regulations;

(c) requiring section 2(4) actors described in the regulations to use a prescribed interface, comply with prescribed interface standards or participate in prescribed interface arrangements when taking, facilitating or doing other things in connection with relevant financial services action;

(d) imposing interface-related requirements on a description of person falling within subsection (3).

(2) Such rules are referred to in this Part as “ FCA interface rules ”.

(3) The following persons fall within this subsection—

(a) an interface body linked to the financial services sector;

(b) a person required by regulations made in reliance on section 7 to set up an interface body linked to the financial services sector;

(c) a person who uses an interface, complies with interface standards or participates in interface arrangements linked to the financial services sector or who is required to do so by data regulations or rules made by virtue of regulations under subsection (1)(a), (b) or (c).

(4) For the purposes of this section, requirements are interface-related if they relate to—

(a) the composition, governance or activities of an interface body linked to the financial services sector,

(b) an interface, interface standards or interface arrangements linked to the financial services sector, or

(c) the use of such an interface, compliance with such interface standards or participation in such interface arrangements.

(5) For the purposes of this section—

(a) an interface body is linked to the financial services sector to the extent that its interface, interface standards or interface arrangements are linked to the financial services sector;

(b) interfaces, interface standards and interface arrangements are linked to the financial services sector to the extent that they are used, or intended to be used, by financial services providers (whether or not they are used, or intended to be used, by other persons).

(6) The Treasury may by regulations make provision enabling or requiring the FCA to impose requirements on a person to whom FCA interface rules apply (referred to in this Part as “ FCA additional requirements ”) where the FCA considers it appropriate to impose the requirement—

(a) in response to a failure, or likely failure, by the person to comply with an FCA interface rule or FCA additional requirement, or

(b) in order to advance a purpose which the FCA is required to advance when exercising functions conferred by regulations under this section (see section 15(3)(a)).

(7) Regulations under subsection (6) may, for example, provide for the FCA to impose requirements by giving a notice or direction.

(8) The restrictions in section 9 apply in connection with FCA interface rules and FCA additional requirements as they apply in connection with regulations under this Part.

(9) In section 9 as so applied—

(a) the references in subsections (1)(b) and (8) to an enforcer include the FCA, and

(b) the references in subsections (3) and (4) to regulations made under this Part include FCA interface rules and FCA additional requirements.

(10) In this section—

“ financial services provider ” means a person providing financial services;

“ prescribed ” means prescribed in FCA interface rules;

“ relevant financial services action ” means action described in section 2(4) taken in relation to services or digital content provided or supplied by a financial services provider;

“ section 2(4) actor ” means—

a person who, in reliance on regulations under subsection (4) of section 2, takes action described in that subsection;

a data holder or other person who facilitates or does other things in connection with such action.

Section 15The FCA and financial services interfaces: supplementary

(1) This section is about provision that regulations under section 14 may or must (among other things) contain.

(2) The regulations—

(a) may require or enable the FCA to impose interface-related requirements that could be imposed by regulations made in reliance on section 7(4) or (5), but

(b) may not require or enable the FCA to require a person to set up an interface body.

(3) The regulations must—

(a) require the FCA, so far as is reasonably possible, to exercise functions conferred by the regulations in a manner which is compatible with, or which advances, one or more specified purposes;

(b) specify one or more matters to which the FCA must have regard when exercising functions conferred by the regulations;

(c) if they require or enable the FCA to make rules, make provision about the procedure for making rules, including provision requiring such consultation with persons likely to be affected by the rules or representatives of such persons as the FCA considers appropriate.

(4) The regulations may—

(a) require the FCA to carry out an analysis of the costs and benefits that will arise if proposed rules are made or proposed changes are made to rules and make provision about what the analysis must include;

(b) require the FCA to publish rules or changes to rules and to provide copies to specified persons;

(c) make provision about the effect of rules, including provision about circumstances in which rules are void and circumstances in which a person is not to be taken to have contravened a rule;

(d) make provision enabling or requiring the FCA to modify or waive rules as they apply to a particular case;

(e) make provision about the procedure for imposing FCA additional requirements;

(f) make provision enabling or requiring the FCA to produce guidance about how it proposes to exercise its functions under the regulations, to publish the guidance and to provide copies to specified persons.

(5) The regulations may require or enable the FCA to impose the following types of requirement on a person as FCA additional requirements—

(a) a requirement to review the person’s conduct;

(b) a requirement to take remedial action;

(c) a requirement to make redress for loss or damage suffered by others as a result of the person’s conduct.

(6) The regulations may require or enable FCA interface rules to require a person listed in subsection (7) to pay fees to an interface body or another person listed in that subsection, or to a person acting on behalf of such a body or person, in connection with activities described in subsection (8).

(7) Those persons are—

(a) persons falling within section 14(3)(b) or (c);

(b) financial services providers.

(8) Those activities are performing or exercising—

(a) duties or powers imposed or conferred on the interface body or person listed in subsection (7) by FCA interface rules, and

(b) other duties or powers imposed or conferred on that body or person by or under regulations made under this Part.

(9) Regulations made in reliance on subsection (6)—

(a) may enable rules to provide for the amount of a fee to be an amount which is intended to exceed the cost of the things in connection with which the fee is charged (and for the total amount of fees payable in connection with things to exceed the total cost);

(b) may require or enable rules to make provision about the amount, or maximum amount, of a fee, including provision about how a fee is to be determined;

(c) may require or enable rules to make provision about the amount, or maximum amount, by which the amount, or maximum amount, of a fee must or may increase and the times at which it must or may increase;

(d) must require rules, where relevant, to require a person who determines an amount referred to in paragraph (b) or (c) to publish information about the amount and how it is determined;

(e) may require or enable rules to make provision about what must or may be done with amounts paid as fees;

(f) may require or enable rules to make provision about—

(i) interest on any unpaid amounts;

(ii) the recovery of unpaid amounts.

(10) Regulations under section 14 may enable FCA interface rules to make provision about whether an interface body or a person listed in subsection (7), or a person acting on behalf of such a body or person, who could require payment in connection with an activity described in subsection (8) otherwise than in reliance on FCA interface rules may do so.

(11) Examples of requiring payment otherwise than in reliance on FCA interface rules include doing so in reliance on other legislation or a contract or other arrangement (whenever entered into).

(12) Regulations under section 14 may provide that powers to make FCA interface rules include powers to do things described in section 21(1)(a) to (h) (supplementary powers) (ignoring the restriction in relation to fees in section 21(3)).

(13) In this section, “financial services provider” and “ interface-related ” have the meaning given in section 14.

(14) The reference in subsection (5)(c) to making redress includes—

(a) paying interest, and

(b) providing redress in the form of a remedy or relief which could not be awarded in legal proceedings.

Section 16The FCA and financial services interfaces: penalties and levies

(1) Subsections (2) and (3) are about the provision that regulations made by the Treasury under this Part providing for the FCA to enforce requirements under FCA interface rules may (among other things) contain in relation to financial penalties.

(2) The regulations may require or enable the FCA—

(a) to set the amount or maximum amount of, or of an increase in, a penalty imposed in respect of failure to comply with a requirement imposed by the FCA in exercise of a power conferred by regulations under section 14 (whether imposed by means of FCA interface rules or an FCA additional requirement), or

(b) to set the method for determining such an amount.

(3) Regulations made in reliance on subsection (2)—

(a) must require the FCA to produce and publish a statement of its policy with respect to the amount of the penalties;

(b) may require the policy to include specified matters;

(c) may make provision about the procedure for producing the statement;

(d) may require copies of the statement to be provided to specified persons;

(e) may require the FCA to have regard to a statement published in accordance with the regulations.

(4) The Treasury may by regulations—

(a) impose, or provide for the FCA to impose, a levy on data holders or third party recipients for the purpose of meeting expenses incurred, or to be incurred, during a period by the FCA, or by a person acting on the FCA’s behalf, in performing duties, or exercising powers, imposed or conferred on the FCA by regulations under section 14, and

(b) make provision about what must or may be done with funds raised by means of the levy.

(5) Regulations under subsection (4) may only provide for a levy in respect of expenses of the FCA to be imposed on persons that appear to the Treasury to be capable of being directly affected by the exercise of some or all of the functions conferred on the FCA by regulations under section 14.

(6) Regulations under subsection (4) providing for the FCA to impose a levy must—

(a) make provision about how the rate of the levy is to be determined;

(b) make provision about how the period in respect of which the levy is payable is to be determined;

(c) require the FCA to publish information about the rate, the period and how they are determined.

(7) Regulations under subsection (4) may (among other things) make provision about—

(a) interest on any unpaid amounts payable by way of a levy;

(b) the recovery of such unpaid amounts.

Section 17The FCA and co-ordination with other regulators

The Treasury may by regulations amend section 98 of the Financial Services (Banking Reform) Act 2013 (payment systems: duty of the FCA and other regulators to ensure co-ordinated exercise of relevant functions) by—

(a) amending the definition of “relevant functions” so as to add or remove a function conferred on the FCA by regulations under this Part, and

(b) amending the definition of “objectives” so as to add or remove an objective of the FCA relevant to such a function.

Section 18Liability in damages

(1) The Secretary of State or the Treasury may by regulations provide that a person listed in subsection (2) is not liable in damages for anything done or omitted to be done in the exercise of functions conferred by or under regulations made under this Part.

(2) Those persons are—

(a) a public authority;

(b) a member, officer or member of staff of a public authority;

(c) a person who could be held vicariously liable for things done or omitted to be done by a public authority.

(3) Regulations under this section may not—

(a) make provision removing liability for an act or omission which is shown to have been in bad faith, or

(b) make provision so as to prevent an award of damages made in respect of an act or omission on the ground that the act or omission was unlawful as a result of section 6(1) of the Human Rights Act 1998.

Section 19Duty to review regulations

(1) The relevant person must, by regulations, provide for the review of provision made by the relevant person in exercise of powers to make regulations under other sections in this Part (“Part 1 provision”) (but see the exceptions in subsection (8)).

(2) In this section, “ the relevant person ” means—

(a) in relation to Part 1 provision made by the Secretary of State, the Secretary of State, and

(b) in relation to Part 1 provision made by the Treasury, the Treasury.

(3) Regulations under subsection (1) must require the relevant person—

(a) to review the Part 1 provision,

(b) to prepare and publish a report setting out the findings of each review, and

(c) to lay a copy of the report before Parliament.

(4) The regulations must require the relevant person—

(a) to publish the report setting out the findings of the first review of the Part 1 provision before the end of the period of 5 years beginning with the day on which the provision comes into force, and

(b) to publish reports setting out the findings of subsequent reviews at intervals of not more than 5 years.

(5) The regulations must require that, in carrying out a review, the relevant person must consider whether the Part 1 provision remains appropriate, having regard to (among other things)—

(a) the objectives it is intended to achieve, and

(b) to the extent that it is part of data regulations, the matters to which the relevant person was required to have regard in deciding whether to make the provision (see sections 2(5) and 4(5)).

(6) The regulations must provide that the relevant person may omit material from a report before publication if the relevant person thinks that the publication of that material might harm the commercial interests of any person.

(7) The regulations may (whether made by the Secretary of State or the Treasury) provide for the Secretary of State and the Treasury to carry out a joint review, and to produce a joint report, in respect of Part 1 provision made by the Secretary of State and Part 1 provision made by the Treasury.

(8) Subsection (1) does not apply in relation to—

(a) Part 1 provision that is required to be reviewed by the relevant person by virtue of existing regulations under this section, or

(b) Part 1 provision that makes, amends or revokes provision described in paragraph (a),

nor does it require the relevant person to provide for the review of Part 1 provision that has been revoked.

(9) Section 28 of the Small Business, Enterprise and Employment Act 2015 (duty to review regulatory provisions in secondary legislation) does not apply in relation to a power to make regulations under this Part.

Section 20Restrictions on processing and data protection

(1) Except as provided by subsection (2), regulations under this Part may provide for the processing of information in accordance with the regulations not to be in breach of—

(a) any obligation of confidence owed by the person processing the information, or

(b) any other restriction on the processing of information (however imposed).

(2) Regulations under this Part are not to be read as authorising or requiring processing of personal data that would contravene the data protection legislation (but in determining whether particular processing of data would do so, take into account the power conferred or duty imposed by the provision of the regulations in question).

(3) In this section—

“ the data protection legislation ” has the same meaning as in the Data Protection Act 2018 (see section 3(9) of that Act);

“ personal data ” has the same meaning as in that Act (see section 3(2) of that Act).

Section 21Regulations under this Part: supplementary

(1) Regulations under this Part may (among other things)—

(a) make provision generally or in relation to particular cases;

(b) make different provision for different purposes or areas;

(c) make provision about the form and manner in which things must or may be done;

(d) make provision about the content of requests, notices or other documents;

(e) make provision about the time by which, or period within which, things must or may be done;

(f) make provision by reference to standards, arrangements, specifications or technical requirements as published from time to time;

(g) confer functions on a person, including functions involving the exercise of a discretion, and make provision in connection with the procedure for exercising the functions;

(h) make consequential, supplementary, incidental, transitional, transitory or saving provision.

(2) Regulations under this Part may not require or enable a person to set the maximum amount of a fine for an offence, except that such regulations may make provision about the maximum amount referring to the standard scale, the statutory maximum or a similar amount.

(3) Regulations under this Part may not require or enable a person to set the amount or maximum amount of, or of an increase in, a penalty or fee or to set the method for determining such an amount, except as provided by subsection (4) and sections 11(9), 15 and 16.

(4) Regulations under this Part—

(a) may make provision about the amount or method described in subsection (3) referring to a published index, and

(b) may require or enable a person to make decisions, in accordance with a maximum amount or method set out in the regulations, about the amount of, or of an increase or reduction in, a penalty or fee payable in a particular case.

(5) Regulations under this Part making the following types of provision may amend, repeal or revoke primary legislation—

(a) provision about the handling of complaints;

(b) provision about the resolution of disputes;

(c) provision about appeals;

(d) provision described in subsection (1)(h).

Section 22Regulations under this Part: Parliamentary procedure and consultation

(1) The following regulations under this Part are subject to the affirmative resolution procedure—

(a) the first regulations under each of section 2(1), (3) and (4) making provision about a particular description of customer data,

(b) the first regulations under each of section 4(1), (3) and (4) making provision about a particular description of business data,

(c) regulations under section 2 or 4 which make the requirements of regulations under this Part more onerous for data holders or interface bodies,

(d) regulations under section 6(5), 7, 8, 11, 12, 14, 16, 17 or 18, and

(e) regulations described in section 21(5) which amend, repeal or revoke primary legislation.

(2) Other regulations under this Part are subject to the negative resolution procedure.

(3) Before making regulations described in subsection (1), the Secretary of State or the Treasury (as the case may be) must consult such of the following as the Secretary of State or the Treasury considers appropriate—

(a) persons likely to be affected by the regulations or representatives of such persons;

(b) sectoral regulators with functions in relation to data holders likely to be affected by the regulations.

(4) The requirement in subsection (3) may be satisfied by consultation undertaken before the day on which this Act is passed.

Section 23Related subordinate legislation

(1) This section is about cases in which subordinate legislation, other than regulations under this Part, contains provision described in section 2(1) to (4) or 4(1) to (4) (and such provision is referred to in this section as “ related subordinate legislation ”).

(2) The regulation-making powers under this Part may be exercised so as to make, in connection with the related subordinate legislation, any provision that they could be exercised to make as part of, or in connection with, provision made under section 2(1) to (4) or, as appropriate, section 4(1) to (4).

(3) In this Part, references to “data regulations” include regulations made in reliance on subsection (2) to the extent that they make provision described in sections 2 to 7.

(4) For the purposes of determining whether subordinate legislation contains provision described in sections 2(1) to (4) or 4(1) to (4), references in those sections to something specified are to be read as including something specified by or under any subordinate legislation.

(5) In this section, “ subordinate legislation ” has the same meaning as in the Interpretation Act 1978 (see section 21 of that Act).

Section 24Repeal of provisions relating to supply of customer data

Omit sections 89 to 91 of the Enterprise and Regulatory Reform Act 2013 (supply of customer data).

Section 25Other defined terms

(1) In this Part—

“ application programming interface ” means a facility for allowing software to make use of facilities contained in other software;

“ dashboard service ” means an electronic communications service by means of which information may be requested by and provided to a person;

“ digital content ” means data which is produced and supplied in digital form;

“ electronic communications service ” has the meaning given by section 32 of the Communications Act 2003;

“ goods ” includes water, gas and electricity (however supplied);

“ micro business ” has the meaning given by section 33 of the Small Business, Enterprise and Employment Act 2015, read with any regulations under that section;

“ primary legislation ” means—

an Act of Parliament;

an Act of the Scottish Parliament;

a Measure or Act of Senedd Cymru;

Northern Ireland legislation;

“ processing ” has the same meaning as in the Data Protection Act 2018 (see section 3(4) of that Act) and related terms are to be interpreted accordingly;

“ public authority ” means a person whose functions—

are of a public nature, or

include functions of that nature;

“ small business ” has the meaning given by section 33 of the Small Business, Enterprise and Employment Act 2015, read with any regulations under that section;

“ specified ” means specified, or of a description specified, by regulations under this Part, or in exercise of a power conferred by such regulations, except to the extent otherwise provided in this Part;

“ third party recipient ” means—

in section 3, a third party in relation to customer data (see section 2(2)),

in sections 4 and 5, a third party recipient in relation to business data (see section 4(2)), and

in other sections, a third party recipient in relation to customer data or business data (see sections 2(2) and 4(2)).

(2) In this Part, references to doing something “in the course of a business” include doing something in the course of—

(a) a trade, craft or profession, or

(b) any other undertaking carried on for gain or reward.

(3) In this Part—

(a) references to making arrangements include producing model arrangements,

(b) references to managing a facility (or an interface that is a facility) include operating, or overseeing the operation, of a facility,

(c) references to managing a service (or an interface that is a service) include providing, or overseeing the provision of, a service, and

(d) references to managing standards or arrangements include assisting people to use them or overseeing how they are used.

(4) In this Part, references to regulations made under subsection (3) of section 4 or any of sections 5 to 21 (and references which include such regulations) include regulations made under section 4(4)(c) or (d) which make provision that could be made under the other subsection or section.

Section 26Index of defined terms for this Part

The Table below lists provisions that define or otherwise explain terms defined for the purposes of this Part.

Section 27Introductory

(1) This Part contains provision to secure the reliability of digital verification services by means of—

(a) a trust framework (see section 28),

(b) supplementary codes (see section 29),

(c) a register (see section 32),

(d) an information gateway (see section 45), and

(e) a trust mark (see section 50).

(2) In this Part, “ digital verification services ” means verification services provided to any extent by means of the internet.

(3) In subsection (2), “ verification services ” means services that are provided at the request of an individual and consist in—

(a) ascertaining or verifying a fact about the individual from information provided otherwise than by the individual, and

(b) confirming to another person that the fact about the individual has been ascertained or verified from information so provided.

Section 28DVS trust framework

(1) The Secretary of State must prepare and publish a document (“the DVS trust framework”) setting out rules concerning the provision of digital verification services.

(2) Those rules may include (among other things) rules relating to, and to the conduct of, a person who provides such services; and references in this Part to a person providing services in accordance with the DVS trust framework (however expressed) include a person complying with such rules.

(3) In preparing the DVS trust framework, the Secretary of State must consult—

(a) the Information Commissioner, and

(b) such other persons as the Secretary of State considers appropriate.

(4) The requirement in subsection (3) may be satisfied by consultation undertaken before the coming into force of this section.

(5) The Secretary of State may revise and republish the DVS trust framework (whether following a review under section 31 or otherwise).

(6) The DVS trust framework, and any revised version of the framework, must specify the time it comes into force (which must not be a time earlier than the time it is published).

(7) The DVS trust framework, and any revised version of the framework, may—

(a) set out different rules for different digital verification services,

(b) specify that provisions come into force at different times for different purposes, and

(c) make transitional or saving provision.

(8) Where the Secretary of State revises and republishes the DVS trust framework, the DVS trust framework (as revised) may provide that from a date, or from the end of a period, specified in the framework a pre-revision certificate is required to be ignored for the purposes of sections 33(1)(a), 35(1)(c), 40(1)(c) and 42(1)(c).

(9) In subsection (8), a “ pre-revision certificate ” means a certificate which—

(a) certifies that digital verification services provided by the holder of the certificate are provided in accordance with the DVS trust framework, and

(b) was issued before the time the relevant revision to the DVS trust framework comes into force.

(10) Provision included in the DVS trust framework in reliance on subsection (8) may make different provision in relation to different descriptions of pre-revision certificate.

Section 29Supplementary codes

(1) The Secretary of State may prepare and publish one or more sets of rules concerning the provision of digital verification services which supplement the DVS trust framework.

(2) In this Part, a set of rules published under subsection (1) is referred to as a supplementary code.

(3) Those rules may include (among other things) rules relating to, and to the conduct of, a person who provides such services; and in this Part references to a person providing services in accordance with a supplementary code (however expressed) include a person complying with such rules.

(4) In preparing a set of rules, the Secretary of State must consult—

(a) the Information Commissioner, and

(b) such other persons as the Secretary of State considers appropriate.

(5) The requirement in subsection (4) may be satisfied by consultation undertaken before the coming into force of this section.

(6) The Secretary of State may revise and republish a supplementary code (whether following a review under section 31 or otherwise).

(7) A supplementary code, and any revised version of a supplementary code, must specify the time it comes into force (which must not be a time earlier than the time it is published).

(8) A supplementary code, and any revised version of a supplementary code, may—

(a) set out different rules for different digital verification services,

(b) specify that provisions come into force at different times for different purposes, and

(c) make transitional or saving provision.

(9) Where the Secretary of State revises and republishes a supplementary code, the supplementary code (as revised) may provide that from a date, or from the end of a period, specified in the code a pre-revision certificate is required to be ignored for the purposes of sections 36(1)(a), 37(1)(c), 43(1)(c)and 44(1)(c).

(10) In subsection (9), a “ pre-revision certificate ” means a certificate which—

(a) certifies that digital verification services provided by the holder of the certificate are provided in accordance with the supplementary code, and

(b) was issued before the time the relevant revision to the supplementary code comes into force.

(11) Provision included in a supplementary code in reliance on subsection (9) may make different provision in relation to different descriptions of pre-revision certificate.

Section 30Withdrawal of a supplementary code

(1) The Secretary of State may determine to withdraw a supplementary code.

(2) A determination must—

(a) be published, and

(b) specify when the code is withdrawn, which must be a time after the end of the period of 21 days beginning with the day on which the determination is published.

Section 31Review of DVS trust framework and supplementary codes

(1) At least every 12 months, the Secretary of State must—

(a) carry out a review of the DVS trust framework, and

(b) at the same time, carry out a review of each supplementary code which has not been withdrawn.

(2) In carrying out a review under subsection (1), the Secretary of State must consult—

(a) the Information Commissioner, and

(b) such other persons as the Secretary of State considers appropriate.

Section 32DVS register

(1) The Secretary of State must establish and maintain a register of persons providing digital verification services.

(2) The register is referred to in this Part as the DVS register.

(3) The Secretary of State must make the DVS register publicly available.

Section 33Registration in the DVS register

(1) The Secretary of State must register a person providing digital verification services in the DVS register if—

(a) the person holds a certificate from an accredited conformity assessment body certifying that digital verification services provided by the person are provided in accordance with the DVS trust framework,

(b) the person applies to be registered in the DVS register in respect of one or more of the digital verification services to which the certificate relates,

(c) the application complies with any requirements imposed by a determination under section 38, and

(d) the person complies with any regulations under section 39(1) requiring a fee to be paid.

(2) But subsection (1) is subject to—

(a) the power to refuse registration under section 34(1), and

(b) the duties to refuse registration under sections 34(10) and 41(10).

(3) If the conditions in paragraphs (a) to (d) of subsection (1) are not met, the Secretary of State may not register a person in the DVS register.

(4) The register must record the digital verification services in respect of which a person is, from time to time, registered.

(5) For the purposes of subsection (1)(a), a certificate is to be ignored if—

(a) it has expired in accordance with its terms,

(b) it has been withdrawn by the body that issued it, or

(c) it is required to be ignored by reason of provision included in the DVS trust framework under section 28(8).

(6) In this Part, “ accredited conformity assessment body ” means a conformity assessment body that is accredited by the UK national accreditation body in accordance with Article 5 of the Accreditation Regulation as competent to carry out assessments of whether digital verification services are provided in accordance with the DVS trust framework.

(7) In subsection (6)—

“ the Accreditation Regulation ” means Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 ;

“ conformity assessment body ” has the same meaning as in the Accreditation Regulation (see Article 2(13) of that Regulation);

“ the UK national accreditation body ” means the UK national accreditation body for the purposes of Article 4(1) of the Accreditation Regulation.

Section 34Power to refuse registration in the DVS register

(1) The Secretary of State may refuse to register a person providing digital verification services in the DVS register if the Secretary of State—

(a) considers that it is necessary to do so in the interests of national security, or

(b) is satisfied that the person is failing to comply with the DVS trust framework in respect of one or more of the digital verification services in respect of which the person applies to be registered.

(2) Before refusing to register a person under this section the Secretary of State must, by written notice, inform the person that the Secretary of State intends to do so.

(3) The notice must—

(a) state the name and address of the person,

(b) state the reason why the Secretary of State—

(i) considers that it is necessary to refuse to register the person in the interests of national security, or

(ii) is satisfied that the person is failing as mentioned in subsection (1)(b),

(c) state whether the Secretary of State intends to specify a period in the notice under subsection (8) and, if so, what period is intended to be specified,

(d) state that the person may make written representations to the Secretary of State about—

(i) the Secretary of State’s intention to refuse to register the person in the DVS register, and

(ii) where relevant, the period the Secretary of State intends to specify in the notice under subsection (8), and

(e) specify the period within which such representations may be made.

(4) Where the Secretary of State intends to refuse to register a person in reliance on subsection (1)(a), the requirement in subsection (3)(b) does not apply if, or to the extent that, the Secretary of State considers that stating the reason described in subsection (3)(b)(i) would be contrary to the interests of national security.

(5) The period specified for making written representations must be a period of not less than 21 days beginning with the day on which the notice is given.

(6) If the Secretary of State considers that it is appropriate for the person to have an opportunity to make oral representations about the matters mentioned in subsection (3)(d), the notice must also—

(a) state that the person may make such representations, and

(b) specify the arrangements for making such representations and the time at which, or the period within which, they may be made.

(7) When deciding whether to refuse to register the person in the DVS register under this section, the Secretary of State must consider any oral or written representations made by the person in accordance with the notice.

(8) Where the Secretary of State refuses to register the person in the DVS register under this section, the Secretary of State must by written notice inform the person that the person’s application for registration has been refused.

(9) The Secretary of State may, in the notice given under subsection (8), state that any further application for registration made by the person during a period specified in the notice will be refused.

(10) If the person applies to be registered in the DVS register during the period specified in the notice in reliance on subsection (9), the Secretary of State must refuse the application.

(11) The period specified in the notice in reliance on subsection (9) must begin with the day on which the notice is given and must not exceed two years.

Section 35Registration of additional services

(1) Subsection (2) applies if—

(a) a person is registered in the DVS register,

(b) the person applies for their entry in the register to be amended to record additional digital verification services that the person provides in accordance with the DVS trust framework,

(c) the person holds a certificate from an accredited conformity assessment body certifying that the person provides the additional services in accordance with the DVS trust framework,

(d) the application complies with any requirements imposed by a determination under section 38, and

(e) the person complies with any regulations under section 39(1) requiring a fee to be paid.

(2) The Secretary of State must amend the DVS register to record that the person is also registered in respect of the additional services referred to in subsection (1).

(3) If the conditions in paragraphs (a) to (e) of subsection (1) are not met, the Secretary of State may not amend the DVS register as described in subsection (2).

(4) For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a) it has expired in accordance with its terms,

(b) it has been withdrawn by the body that issued it, or

(c) it is required to be ignored by reason of provision included in the DVS trust framework under section 28(8).

Section 36Supplementary notes

(1) Subsection (2) applies if—

(a) a person holds a certificate from an accredited conformity assessment body certifying that digital verification services provided by the person are provided in accordance with a supplementary code,

(b) the person applies for a note about one or more of the services to which the certificate relates to be included in the entry relating to that person in the DVS register,

(c) the application complies with any requirements imposed by a determination under section 38, and

(d) the person complies with any regulations under section 39(1) requiring a fee to be paid.

(2) The Secretary of State must include a note in the entry relating to the person in the DVS register recording that the person provides, in accordance with the supplementary code referred to in subsection (1), the services in respect of which the person made the application referred to in that subsection.

(3) But subsection (2) does not apply if the supplementary code referred to in subsection (1) has been withdrawn.

(4) If the conditions in paragraphs (a) to (d) of subsection (1) are not met, the Secretary of State may not include a note described in subsection (2) in the DVS register.

(5) For the purposes of subsection (1)(a), a certificate is to be ignored if—

(a) it has expired in accordance with its terms,

(b) it has been withdrawn by the body that issued it, or

(c) it is required to be ignored by reason of provision included in the supplementary code as a result of section 29(9).

(6) In this Part, a note included in the DVS register in accordance with subsection (2) is referred to as a supplementary note.

Section 37Addition of services to supplementary notes

(1) Subsection (2) applies if—

(a) a person has a supplementary note included in the DVS register relating to a supplementary code,

(b) the person applies for the note to be amended to record additional digital verification services that the person provides in accordance with that code,

(c) the person holds a certificate from an accredited conformity assessment body certifying that the person provides the additional services in accordance with that code,

(d) the application complies with any requirements imposed by a determination under section 38, and

(e) the person complies with any regulations under section 39(1) requiring a fee to be paid.

(2) The Secretary of State must amend the note to record that the person also provides the additional services referred to in subsection (1) in accordance with the supplementary code to which the note relates.

(3) But subsection (2) does not apply if the supplementary code to which the note relates has been withdrawn.

(4) If the conditions in paragraphs (a) to (e) of subsection (1) are not met, the Secretary of State may not amend the note as described in subsection (2).

(5) For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a) it has expired in accordance with its terms,

(b) it has been withdrawn by the body that issued it, or

(c) it is required to be ignored by reason of provision included in the supplementary code as a result of section 29(9).

Section 38Applications for registration, supplementary notes, etc

(1) The Secretary of State may determine—

(a) the form of an application under section 33, 35, 36 or 37,

(b) the information to be contained in or provided with the application,

(c) the documents to be provided with the application, and

(d) the manner in which the application is to be submitted.

(2) A determination may make different provision for different purposes.

(3) The Secretary of State must publish a determination.

(4) The Secretary of State may revise a determination.

(5) If the Secretary of State revises a determination the Secretary of State must publish the determination as revised.

Section 39Fees for applications for registration, supplementary notes, etc

(1) The Secretary of State may by regulations make provision for or in connection with—

(a) the payment of fees for applications under sections 33, 35, 36 and 37, and

(b) the payment of fees in connection with continued registration in the DVS register.

(2) The regulations may not provide for payment of fees to anyone other than the Secretary of State.

(3) The regulations must—

(a) specify the amount, or the maximum amount of a fee, or

(b) provide for a fee, or the maximum amount of a fee, to be determined in accordance with regulations.

(4) The regulations may provide for the amount of a fee to exceed the administrative costs of determining the application or the administrative costs associated with the continued registration (as the case may be).

(5) Regulations under subsection (1) may (among other things) make provision about the following—

(a) when fees are to be paid;

(b) the manner in which fees are to be paid;

(c) the payment of discounted fees;

(d) exceptions to requirements to pay fees;

(e) the refund of fees (in whole or in part);

(f) interest on any unpaid amounts,

including provision conferring functions on the Secretary of State in relation to the matters in paragraphs (a) to (e).

(6) A fee payable under regulations made under subsection (1)(b), and any interest payable in respect of it, is recoverable summarily (or, in Scotland, recoverable) as a civil debt.

(7) The regulations may—

(a) make different provision for different purposes;

(b) make transitional, transitory or saving provision.

(8) Regulations under this section are subject to the negative resolution procedure.

Section 40Duty to remove person from the DVS register

(1) The Secretary of State must remove a person from the DVS register if the person—

(a) asks to be removed from the register,

(b) ceases to provide all of the digital verification services in respect of which the person is registered in the register, or

(c) no longer holds a certificate from an accredited conformity assessment body certifying that at least one of those digital verification services is provided in accordance with the DVS trust framework.

(2) For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a) it has expired in accordance with its terms,

(b) it has been withdrawn by the body that issued it, or

(c) it is required to be ignored by reason of provision included in the DVS trust framework under section 28(8).

Section 41Power to remove person from the DVS register

(1) The Secretary of State may remove a person from the DVS register if—

(a) the Secretary of State is satisfied that the person is failing to comply with the DVS trust framework when providing one or more of the digital verification services in respect of which the person is registered,

(b) the person has a supplementary note included in the DVS register and the Secretary of State is satisfied that the person is failing to comply with the supplementary code to which the note relates when providing one or more of the digital verification services recorded in the note,

(c) the Secretary of State is satisfied that the person has failed to provide the Secretary of State with information in accordance with a notice under section 51, or

(d) the Secretary of State considers that it is necessary to do so in the interests of national security.

(2) Before removing a person from the DVS register under this section the Secretary of State must, by written notice, inform the person that the Secretary of State intends to do so.

(3) The notice must—

(a) state the name and address of the person,

(b) state the reason why the Secretary of State—

(i) is satisfied that the person is failing or has failed as mentioned in subsection (1)(a) to (c), or

(ii) considers that it is necessary to remove the person from the DVS register in the interests of national security,

(c) state whether the Secretary of State intends to specify a period in the notice under subsection (8) and, if so, what period is intended to be specified,

(d) state that the person may make written representations to the Secretary of State about—

(i) the Secretary of State’s intention to remove the person from the DVS register, and

(ii) where relevant, the period the Secretary of State intends to specify in the notice under subsection (8), and

(e) specify the period within which such representations may be made.

(4) The requirement in subsection (3)(b) does not apply if, or to the extent that, the Secretary of State considers that stating the reason described in subsection (3)(b)(ii) would be contrary to the interests of national security.

(5) The period specified for making written representations must be a period of not less than 21 days beginning with the day on which the notice is given.

(6) If the Secretary of State considers that it is appropriate for the person to have an opportunity to make oral representations about the matters mentioned in subsection (3)(d), the notice must also—

(a) state that the person may make such representations, and

(b) specify the arrangements for making such representations and the time at which, or the period within which, they may be made.

(7) When deciding whether to remove the person from the DVS register under this section, the Secretary of State must consider any oral or written representations made by the person in accordance with the notice.

(8) Where the Secretary of State removes the person from the DVS register under this section, the Secretary of State must by written notice inform the person of that.

(9) The Secretary of State may, in the notice given under subsection (8), state that any application for re-registration made by the person during a period specified in the notice will be refused.

(10) If the person applies to be re-registered during the period specified in the notice in reliance on subsection (9), the Secretary of State must refuse the application.

(11) The period specified in the notice in reliance on subsection (9) must begin with the day on which the notice is given and must not exceed two years.

Section 42Duty to remove services from the DVS register

(1) Where a person is registered in the DVS register in respect of digital verification services, subsection (2) applies if the person—

(a) asks for the register to be amended so that the person is no longer registered in respect of one or more of those services,

(b) ceases to provide one or more of those services (but not all of them), or

(c) no longer holds a certificate from an accredited conformity assessment body certifying that all of those services are provided in accordance with the DVS trust framework.

(2) The Secretary of State must amend the register to record that the person is no longer registered in respect of (as the case may be)—

(a) the service or services mentioned in a request described in subsection (1)(a),

(b) the service or services which the person has ceased to provide, or

(c) the service or services for which there is no longer a certificate as described in subsection (1)(c).

(3) For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a) it has expired in accordance with its terms,

(b) it has been withdrawn by the body that issued it, or

(c) it is required to be ignored by reason of provision included in the DVS trust framework under section 28(8).

Section 43Duty to remove supplementary notes from the DVS register

(1) The Secretary of State must remove a supplementary note included in the entry in the DVS register relating to a person if—

(a) the person asks for the note to be removed,

(b) the person ceases to provide all of the digital verification services to which the note relates,

(c) the person no longer holds a certificate from an accredited conformity assessment body certifying that at least one of those digital verification services is provided in accordance with the supplementary code to which the note relates, or

(d) the supplementary code to which the note relates has been withdrawn.

(2) For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a) it has expired in accordance with its terms,

(b) it has been withdrawn by the body that issued it, or

(c) it is required to be ignored by reason of provision included in the supplementary code as a result of section 29(9).

Section 44Duty to remove services from supplementary notes

(1) Where a person has a supplementary note included in their entry in the DVS register in respect of digital verification services, subsection (2) applies if the person—

(a) asks for the note to be amended so that it no longer records one or more of those services,

(b) ceases to provide one or more of the services recorded in the note (but not all of them), or

(c) no longer holds a certificate from an accredited conformity assessment body certifying that all of the services included in the note are provided in accordance with a supplementary code.

(2) The Secretary of State must amend the supplementary note so it no longer records (as the case may be)—

(a) the service or services mentioned in a request described in subsection (1)(a),

(b) the service or services which the person has ceased to provide, or

(c) the service or services for which there is no longer a certificate as described in subsection (1)(c).

(3) For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a) it has expired in accordance with its terms,

(b) it has been withdrawn by the body that issued it, or

(c) it is required to be ignored by reason of provision included in the supplementary code as a result of section 29(9).

Section 45Power of public authority to disclose information to registered person

(1) This section applies where—

(a) a person is registered in the DVS register, and

(b) an individual makes a request to the person for the provision of digital verification services in respect of which the person is registered.

(2) A public authority may disclose to the person information relating to the individual for the purpose of enabling the person to provide the digital verification services for the individual.

(3) A disclosure of information under this section does not breach—

(a) any obligation of confidence owed by the public authority making the disclosure, or

(b) any other restriction on the disclosure of information (however imposed).

(4) But this section does not authorise a disclosure of information which—

(a) would contravene the data protection legislation (but in determining whether a disclosure would do so, the power conferred by this section is to be taken into account), or

(b) is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.

(5) This section does not authorise a public authority to disclose information obtained by the authority otherwise than in connection with the exercise by the authority of functions of a public nature.

(6) This section does not affect a power to disclose information that exists apart from this section.

(7) A public authority may charge a person fees in respect of the disclosure to the person of information under this section.

(8) In this section—

“ the data protection legislation ” has the same meaning as in the Data Protection Act 2018 (see section 3(9) of that Act);

“ public authority ” means a person whose functions—

are of a public nature, or

include functions of that nature.

Section 46Information disclosed by the Revenue and Customs

(1) This section applies where the Revenue and Customs disclose personal information to a person under section 45 for the purpose of enabling the person to provide digital verification services for an individual.

(2) The person must not further disclose the information otherwise than for the purpose of providing digital verification services for the individual, except with the consent of the Commissioners for His Majesty’s Revenue and Customs.

(3) Any other person who receives the information, whether directly or indirectly from the person to whom the Revenue and Customs disclose the information, must not further disclose the information, except with the consent of the Commissioners for His Majesty’s Revenue and Customs.

(4) If a person discloses information in contravention of this section, section 19 of the Commissioners for Revenue and Customs Act 2005 (offence of wrongful disclosure) applies in relation to that disclosure as it applies in relation to a disclosure of information in contravention of section 20(9) of that Act.

(5) In this section—

“ personal information ” means information relating to a person whose identity—

is specified in the information, or

can be deduced from it;

“ the Revenue and Customs ” has the meaning given by section 17(3) of the Commissioners for Revenue and Customs Act 2005.

Section 47Information disclosed by the Welsh Revenue Authority

(1) This section applies where the Welsh Revenue Authority discloses personal information to a person under section 45 for the purpose of enabling the person to provide digital verification services for an individual.

(2) The person must not further disclose the information otherwise than for the purpose of providing digital verification services for the individual, except with the consent of the Welsh Revenue Authority.

(3) Any other person who receives the information, whether directly or indirectly from the person to whom the Welsh Revenue Authority discloses the information, must not further disclose the information, except with the consent of the Welsh Revenue Authority.

(4) A person who discloses information in contravention of subsection (2) or (3) commits an offence.

(5) It is a defence for a person charged with an offence under subsection (4) to prove that the person reasonably believed—

(a) that the disclosure was lawful, or

(b) that the information had already lawfully been made available to the public.

(6) A person who commits an offence under subsection (4) is liable—

(a) on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);

(b) on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months or a fine not exceeding the statutory maximum (or both);

(c) on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);

(d) on conviction on indictment, to imprisonment for a term not exceeding 2 years or a fine (or both).

(7) In this section, “ personal information ” means information relating to a person whose identity—

(a) is specified in the information, or

(b) can be deduced from it.

Section 48Information disclosed by Revenue Scotland

(1) This section applies where Revenue Scotland discloses personal information to a person under section 45 for the purpose of enabling the person to provide digital verification services for an individual.

(2) The person must not further disclose the information otherwise than for the purpose of providing digital verification services for the individual, except with the consent of Revenue Scotland.

(3) Any other person who receives the information, whether directly or indirectly from the person to whom Revenue Scotland discloses the information, must not further disclose the information, except with the consent of Revenue Scotland.

(4) A person who discloses information in contravention of subsection (2) or (3) commits an offence.

(5) It is a defence for a person charged with an offence under subsection (4) to prove that the person reasonably believed—

(a) that the disclosure was lawful, or

(b) that the information had already lawfully been made available to the public.

(6) A person who commits an offence under subsection (4) is liable—

(a) on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);

(b) on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months or a fine not exceeding the statutory maximum (or both);

(c) on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);

(d) on conviction on indictment, to imprisonment for a term not exceeding 2 years or a fine (or both).

(7) In this section, “ personal information ” means information relating to a person whose identity—

(a) is specified in the information, or

(b) can be deduced from it.

Section 49Code of practice about the disclosure of information

(1) The Secretary of State must prepare and publish a code of practice about the disclosure of information under section 45.

(2) The code of practice must be consistent with the code of practice prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act (as altered or replaced from time to time).

(3) A public authority must have regard to the code of practice in disclosing information under section 45.

(4) The Secretary of State may from time to time revise and republish the code of practice.

(5) In preparing or revising the code of practice, the Secretary of State must consult—

(a) the Information Commissioner,

(b) the Welsh Ministers,

(c) the Scottish Ministers,

(d) the Department of Finance in Northern Ireland, and

(e) such other persons as the Secretary of State considers appropriate.

(6) The requirement in subsection (5) may be satisfied by consultation undertaken before the coming into force of this section.

(7) The Secretary of State may not publish the first version of the code of practice unless a draft of the code has been laid before, and approved by a resolution of, each House of Parliament.

(8) The Secretary of State may not republish the code of practice following its revision unless—

(a) a draft of the code as revised has been laid before each House of Parliament, and

(b) the 40-day period has expired without either House of Parliament resolving not to approve the draft.

(9) “ The 40-day period ” means—

(a) the period of 40 days beginning with the day on which the draft is laid before Parliament, or

(b) if the draft is not laid before each House on the same day, the period of 40 days beginning with the later of the days on which it is laid before Parliament.

(10) In calculating the 40-day period, no account is to be taken of any whole days that fall within a period during which Parliament is dissolved or prorogued or during which both Houses are adjourned for more than 4 days.

(11) In this section, “ public authority ” means a person whose functions—

(a) are of a public nature, or

(b) include functions of that nature.

Section 50Trust mark for use by registered persons

(1) The Secretary of State may designate a mark for use in the course of providing, or offering to provide, digital verification services.

(2) A mark designated under this section must be published by the Secretary of State.

(3) A mark designated under this section may not be used by a person in the course of providing, or offering to provide, digital verification services unless the person is registered in the DVS register in respect of those digital verification services.

(4) The Secretary of State may enforce subsection (3) in civil proceedings for an injunction or, in Scotland, an interdict.

360 sections

Cite this legislation

Data (Use and Access) Act 2025 (legislation.gov.uk, OGL v3.0). Retrieved via LawPlayer, https://lawplayer.com/uk/act/ukpga-2025-18

Contains public sector information licensed under the Open Government Licence v3.0.

OGL-3

本頁資料來源:legislation.gov.uk (The National Archives)·整理提供:法律人 LawPlayer· lawplayer.com