The Data Protection Act 2018 (Qualifying Competent Authorities) Regulations 2025
These Regulations, made by the Secretary of State under the Data Protection Act 2018 (DPA), specify which public bodies qualify as 'qualifying competent authorities' to engage in joint processing of personal data with intelligence services under Part 4 of the DPA, a power enabled by the Data (Use and Access) Act to assist in safeguarding national security; the instrument lists various government departments, police forces, customs, and judicial/monitoring bodies as qualifying authorities, citing consultation with the Information Commissioner and Parliamentary approval, and stipulates that the regulations come into force twenty-one days after being made and extend across the UK.
Arguments For
Empowers specific public bodies, identified as 'qualifying competent authorities,' to engage in joint processing of personal data with intelligence services under the Data Protection Act 2018 (DPA) Part 4.
Provides necessary legal clarity and mechanism (designation notices) for these authorities to operate within a unified data processing regime when safeguarding national security, thereby streamlining essential security functions.
Implements legislative intent derived from the Data (Use and Access) Act (DUAA), ensuring that controls and safeguards under DPA Part 4 apply across all newly included joint processing activities.
Establishes the specific composition of these qualifying authorities, directly aligning the regulations with existing structures within UK law enforcement, government departments, and policing bodies.
Arguments Against
Concentrating data processing powers for national security under a single, shared regime (DPA Part 4) for a broad range of bodies might increase the risk profile associated with large-scale data handling.
The inclusion of numerous police forces, military police, and specific national agencies broadens the scope of potentially sensitive data processing activities that fall under national security designations, raising concerns about oversight proportionality.
The regulations are made because no significant impact on the private or voluntary sector is foreseen, which may underestimate potential indirect data handling implications when these designated authorities interact with external entities.
Defining 'qualifying competent authorities' through regulation, rather than primary legislation, allows for easier expansion or contraction of the list by the Secretary of State, potentially reducing parliamentary scrutiny over which bodies gain these specific access rights.
The Secretary of State makes these Regulations in exercise of the powers conferred by section 82(2A) of the Data Protection Act 2018.
The Secretary of State created these rules using the authority granted by section 82(2A) of the Data Protection Act 2018.
In accordance with section 182(2) of that Act, the Secretary of State has consulted the Commissioner and such other persons as the Secretary of State considers appropriate.
Following section 182(2) of the Act, the Secretary of State sought advice from the Information Commissioner and any other necessary individuals before enacting these rules.
In accordance with sections 82(4) and 182(7) of that Act, a draft of the Regulations has been laid before Parliament and approved by a resolution of each House of Parliament.
As required by sections 82(4) and 182(7) of the Act, a preliminary version of these Regulations was presented to, and formally accepted by, both the House of Commons and the House of Lords.
Citation, commencement and extent
- (1) These Regulations may be cited as the Data Protection Act 2018 (Qualifying Competent Authorities) Regulations 2025.
Regulation 1 outlines the official title of the legislation, which is the Data Protection Act 2018 (Qualifying Competent Authorities) Regulations 2025.
(2) These Regulations come into force on the twenty-first day after the day on which they are made.
The rules take legal effect twenty-one days following the date they are officially established.
(3) These Regulations extend to England and Wales, Scotland and Northern Ireland.
The geographic scope of these Regulations covers England, Wales, Scotland, and Northern Ireland.
Qualifying competent authorities 2. The following competent authorities are qualifying competent authorities for the purposes of the Data Protection Act 2018—
Regulation 2 identifies the specific public bodies that are designated as 'qualifying competent authorities' for the purposes of the Data Protection Act 2018.
(a) any United Kingdom government department other than a non-ministerial government department;
This includes any UK government department, but specifically excludes those that operate independently of ministerial control (non-ministerial departments).
(b) the chief constable of a police force maintained under section 2 of the Police Act 1996;
The chief constable of any police force established under section 2 of the Police Act 1996 is included in this designation.
(c) the Commissioner of Police of the Metropolis;
The Commissioner overseeing the Metropolitan Police Service qualifies as a designated authority.
(d) the Commissioner of Police for the City of London;
The Commissioner responsible for the City of London Police is listed as a qualifying authority.
(e) the Chief Constable of the Police Service of Northern Ireland;
The leadership of the Police Service of Northern Ireland is recognized under this regulation.
(f) the chief constable of the Police Service of Scotland;
The chief constable leading the Police Service of Scotland is designated as a qualifying authority.
(g) the chief constable of the British Transport Police;
Authority is granted to the chief constable of the British Transport Police.
(h) the chief constable of the Civil Nuclear Constabulary;
The chief constable of the Civil Nuclear Constabulary is named as a qualifying competent authority.
(i) the chief constable of the Ministry of Defence Police;
The effectiveness of this regulation extends to the chief constable of the Ministry of Defence Police.
(j) the Provost Marshal of the Royal Navy Police;
The Provost Marshal responsible for the Royal Navy Police is included in the list.
(k) the Provost Marshal of the Royal Military Police;
The Provost Marshal overseeing the Royal Military Police is designated as a qualifying body.
(l) the Provost Marshal of the Royal Air Force Police;
The Provost Marshal for the Royal Air Force Police is designated under these regulations.
(m) the Provost Marshal for serious crime;
The Provost Marshal specifically handling serious crime matters is designated.
(n) the chief officer of— (i) a body of constables appointed under provision incorporating section 79 of the Harbours, Docks and Piers Clauses Act 1847; (ii) a body of constables appointed under an order made under section 14 of the Harbours Act 1964; (iii) the body of constables appointed under section 154 of the Port of London Act 1968;
This covers the chief officer of constables appointed under specific legislation related to harbours, docks, piers (1847 Act, 1964 Act) and the Port of London (1968 Act).
(o) a body established in accordance with a collaboration agreement under section 22A of the Police Act 1996;
Compliance extends to bodies created through collaboration agreements involving police forces under section 22A of the Police Act 1996.
(p) the Commissioners for His Majesty’s Revenue and Customs;
The Commissioners for His Majesty’s Revenue and Customs (HMRC) are listed as qualifying authorities.
(q) the Director General of the National Crime Agency;
The Director General leading the National Crime Agency is designated under these rules.
(r) His Majesty’s Land Registry;
His Majesty’s Land Registry is designated as a qualifying competent authority.
(s) the Parole Board for England and Wales;
The Parole Board responsible for England and Wales is included in the list of qualifying authorities.
(t) the Parole Board for Scotland;
The Parole Board governing Scotland is also designated as a qualifying body.
(u) the Parole Commissioners for Northern Ireland;
The Parole Commissioners who operate in Northern Ireland qualify under this designation.
(v) the Probation Board for Northern Ireland;
The Probation Board for Northern Ireland is specified as a qualifying authority for the purpose of the DPA.
(w) a person who is, under or by virtue of any enactment, responsible for securing the electronic monitoring of an individual.
Any entity legally responsible for ensuring the electronic monitoring of an individual, as established by any statute, is counted among the qualifying authorities.
Explanatory Note (This note is not part of the Regulations) Sections 89 and 90 of the Data (Use and Access) Act (c. 18) (“the DUAA”) amend the Data Protection Act (c. 12) (“the DPA”) to enable joint processing between qualifying competent authorities and intelligence services, under Part 4 of the DPA. This enables the controllers, previously unable to process jointly, to process personal data within a single, common regime. The controls and safeguards under Part 4 of the DPA will apply to all such joint processing. Section 89(2) of the DUAA amends section 82 of the DPA, widening the scope of Part 4 of the DPA. Previously, Part 4 of the DPA only applied to processing by or on behalf of the intelligence services. As amended, section 82 also applies Part 4 of the DPA to the processing of personal data by a qualifying competent authority where the processing is the subject of a designation notice. Section 89(2) of the DUAA inserts new subsection (2A) into section 82 of the DPA, which grants a power to the Secretary of State to make regulations to specify and describe which competent authorities (as defined in section 30 of the DPA) are “qualifying competent authorities”, and so able to apply for or be issued with a designation notice.
The accompanying Explanatory Note clarifies that the Data (Use and Access) Act (DUAA) amended the Data Protection Act (DPA) to allow qualifying competent authorities and intelligence services to process data jointly under Part 4 of the DPA. This links previously separate controllers into a single data processing framework subject to Part 4 safeguards.
The DPA's scope in Part 4 broadened from only intelligence service processing to include that of qualifying competent authorities upon receiving a designation notice; these regulations fulfill the DPA's provision for the Secretary of State to define which authorities qualify to receive such notices.
These Regulations specify and describe which competent authorities are “qualifying competent authorities” for the purposes of the DPA. The qualifying competent authorities will be able to apply jointly with the intelligence services for a designation notice under section 82A of the DPA. The Secretary of State may give a notice designating processing of personal data by a qualifying competent authority where this is required for the purposes of safeguarding national security, and subject to compliance with application requirements in the DPA. Before making these Regulations, the Secretary of State consulted the Commissioner and such other persons as the Secretary of State considers appropriate.
These rules officially list the authorities that qualify to engage in joint processing under the DPA. These designated bodies can then jointly request a designation notice from the Secretary of State, under section 82A of the DPA, to process personal data if necessary for national security.
The Secretary of State issues this notice only after confirming compliance with DPA application requirements, and the power to make these regulations followed consultation with the Information Commissioner and other relevant parties.
A full impact assessment has not been produced for this instrument as no, or no significant, impact on the private, voluntary or public sector is foreseen.
The government determined that a detailed impact assessment was unnecessary because they do not anticipate these regulations will cause any, or any significant, consequences for the private, voluntary, or public sectors.