The Information Commissioner’s Office has launched a public consultation on proposed updates to its draft guidance covering the Research, Archiving and Statistics (RAS) provisions, following legislative changes introduced by the Data (Use and Access) Act 2025.
The ICO is seeking views on revisions made to the guidance - which covers how public authorities justify, govern and communicate the reuse of personal data for research and statistical purposes - after receiving requests for greater clarity and is “particularly” interested in feedback on its updated criteria for scientific research.
The regulator has also invited comments on its position regarding the Act’s new “disproportionate effort exemption”, under section 77 of the Act and affects when organisations must inform individuals about the reuse of previously collected data for research purposes.
The ICO said the updates are intended to ensure the final guidance provides “any further clarity needed”, and it has structured the consultation survey around five areas: information about respondents, organisational context, views on the draft guidance, views on its impact, and final comments.
The consultation will run until 27 April 2026. Submissions can be made via the ICO’s Citizen Space survey or by contacting the office directly at
The proposed changes are expected to have implications across the public sector, particularly for bodies that rely on the RAS provisions to support research, long‑term archiving and statistical analysis.
The ICO’s revisions follow the introduction of new statutory mechanisms for data reuse under the Data (Use and Access) Act 2025, which has prompted some organisations to seek greater clarity on how the updated legal framework interacts with existing data protection obligations.
Many public bodies rely on the RAS for the lawful use of personal data for policy evaluation, social research and economic modelling, clinical research, epidemiological studies and community safety research. The guidance seeks to define when public bodies can rely on the RAS to use personal data without additional safeguards being put into place.
