DPA 2018: UK names qualifying authorities for Part 4
If you want the plain‑English headline for your lesson plan, it is this - the Home Office has signed regulations that list which public bodies may apply, alongside the intelligence services, to run joint personal data projects under Part 4 of the Data Protection Act 2018. The instrument was made on Monday 27 October 2025 and takes effect on Monday 17 November 2025, 21 days later, as set out on legislation.gov.uk.
Why does this matter? Until now, policing bodies and the intelligence services worked under two different legal rulebooks for personal data: Part 3 (law enforcement) and Part 4 (intelligence services). The Data (Use and Access) Act 2025 changes that by creating a route for joint processing under Part 4 via a new “designation notice”. It does this by inserting sections 82A–82E into the DPA 2018.
Those new provisions are already live. GOV.UK confirms that the September 2025 commencement regulations brought sections 89 and 90 of the Data (Use and Access) Act into force, enabling the joint‑processing framework to operate. If you teach policy or IT law, that timing explains why these regulations follow now.
So who is eligible to apply? According to the Statutory Instrument on legislation.gov.uk, the list includes any UK government department other than a non‑ministerial department; all territorial police forces plus the Met and City of London Police; the Police Service of Scotland and Northern Ireland; British Transport Police; the Civil Nuclear Constabulary; the Ministry of Defence Police; the Provost Marshals for the Royal Navy, Army, RAF and for serious crime; harbour and port constabularies; bodies created under Police Act 1996 collaboration agreements; HM Revenue & Customs; the Director General of the National Crime Agency; HM Land Registry; the Parole Board for England and Wales, the Parole Board for Scotland and the Parole Commissioners for Northern Ireland; the Probation Board for Northern Ireland; and any provider legally responsible for electronic monitoring tags. HMRC appears separately because most non‑ministerial departments are not generally covered by the first category.
What a designation notice actually does is important for learners to grasp. It allows a named “qualifying competent authority” and one or more intelligence services (MI5, SIS or GCHQ) to act as joint controllers for a specific, described piece of processing. The Home Secretary may give a notice only if it is required to safeguard national security, and the application must be made jointly by the public body and the intelligence service. A notice cannot be used to authorise international transfers outside the UK or to an international organisation.
How long can a notice run and how visible is it? A notice must state when it starts and it lapses after at most five years unless withdrawn sooner. People directly affected can appeal to the Tribunal. The Information Commissioner must publish a public record of each notice (with limited redactions if publication would harm national security, the public interest or someone’s safety).
Safeguards still apply, and you should teach them. Part 4 has six principles: lawful, fair and transparent processing; purpose limitation; data minimisation (adequate, relevant, not excessive); accuracy; storage limitation; and security. Controllers must be able to demonstrate compliance and report serious breaches to the ICO. These points come from the ICO’s Guide to Intelligence Services Processing.
What stays outside this new route? If there is no designation notice, a policing body continues under Part 3 (law enforcement) or the UK GDPR, depending on purpose. The legislation also states that Part 3 does not apply where processing falls under Part 4 because of a designation notice - so only one regime governs the joint work.
Let’s make it concrete for students. Imagine a counter‑terrorism operation where a police unit and an intelligence service need to ingest, match and risk‑assess several data sources for a defined period. With a designation notice in place, that specific project would run under Part 4’s rules, including strict purpose and retention controls. Everything else those organisations do remains under their usual regimes.
Key terms you’ll meet in lessons and staff briefings. A “competent authority” is a public body with law enforcement powers; a “qualifying competent authority” is one of those bodies named in these regulations and therefore able to seek a designation notice; a “joint controller” means shared responsibility for compliance and for enabling people to exercise their rights. If you can explain those three, the rest will click.
Dates to note for policy updates and coursework: the regulations were signed by the Minister of State, Sarah Jones, on Monday 27 October 2025 and come into force on Monday 17 November 2025. Use the gap to refresh internal records, agree who does what in any potential joint‑controller arrangement, and brief your teams on the safeguards.
Finally, keep an eye on transparency. The ICO’s public record of designation notices should show when a notice is given and when it ends. That record will be a useful resource for classes and for accountability - a way for all of us to see how often these powers are used and how tightly they are scoped.