UK GDPR update: Article 89 now 84A–84C for research

Here’s the short version. The government has laid regulations to align lots of UK rules with the Data (Use and Access) Act 2025. If you work with electoral registers, run a library or archive, or use person‑level data for research or statistics, you’ll start seeing references to Articles 84A–84C of the UK GDPR instead of the old Article 89. The instrument was made on 15 December 2025 and laid before Parliament on 17 December 2025, and it also updates which data protection offences are treated as "recordable" by police.

So what are Articles 84A–84C? Parliament has created a new Chapter 8A in the UK GDPR for research, archives and statistics. Article 84A sets the scope, Article 84B sets the extra conditions for using personal data for those purposes, and Article 84C says that processing must be subject to appropriate safeguards for people’s rights. You’ll sometimes see these called the "RAS purposes" in official notes. These changes come from the Data (Use and Access) Act 2025 and now sit in the UK GDPR text on legislation.gov.uk.

Why the switch from Article 89? The Act removed Article 89 and moved its ideas into the new Articles 84A–84C. It also repealed section 19 of the Data Protection Act 2018, which used to add UK‑specific safeguards. Without this tidy‑up, older election and library laws would be pointing at provisions that no longer exist. These regulations are the clean‑up job to keep everything consistent.

What this means where elections meet libraries. When electoral registration officers supply copies of the full register to the British Library, national libraries and local public libraries or archives, the permitted uses remain tightly defined: archiving in the public interest, scientific or historical research, or statistical work. The legal signpost that used to say "Article 89" now says "Article 84A", and any processing must meet the "appropriate safeguards" requirement via Article 84B read with Article 84C. The reading‑room rules you know still apply; the label in the law is what’s changing, not the everyday practice.

Safeguards in plain English. Article 84C doesn’t hand you a single checklist, but it does expect real protection: limit access, collect only what you need, de‑identify data where you can, set clear retention periods, and keep auditable logs of who saw what and why. That’s the standard we should all be able to evidence if asked by a registrar, funder or the ICO.

If you’re a researcher, the door remains open-but with conditions. Article 84B says processing for RAS purposes should either be collection, or conversion into information that can be handled without identifying people, or, if neither covers it, you must show the work cannot happen without using identifiable data. In every case, the safeguards still apply. This is designed to support legitimate research while protecting individuals.

For voters and everyday library users, your experience doesn’t change. You still register, vote and use libraries in the usual way. The open register rules and the long‑standing limits on using electoral documents for marketing or direct contact remain in place. What changes is the underlying clause that staff rely on when they check whether a proposed use is allowed.

There’s also a police records update. The regulations move a list of data protection offences into the National Police Records framework so they’re explicitly "recordable". That list includes existing offences like unlawfully obtaining personal data or re‑identifying de‑identified data, and it now also covers section 148C of the Data Protection Act 2018-making false statements to the ICO in response to an interview notice. This doesn’t invent new crimes; it clarifies what gets recorded.

Timing matters, so here’s the calendar. Because the regulations were laid on 17 December 2025, the housekeeping bits (the citation and commencement provisions) start on 7 January 2026. The cross‑references to Articles 84A–84C will switch on when section 86 of the Data (Use and Access) Act is fully commenced, and the police‑records changes will switch on when section 100 (the interview‑notice chapter that creates section 148C) is fully commenced. DSIT has said commencement is being staged across 2025–26, with timings confirmed by separate commencement regulations.

If you work with company filings or credit reference checks, note a quiet tweak. Several Companies House‑related rules are updated so that references to offences now also include the new section 148C. In practice this helps officials and credit reference agencies understand when protected address or date‑of‑birth details can be disclosed to support an ICO investigation, without widening routine access.

Media‑literacy moment: this is a classic "consequential amendments" exercise. Parliament often passes a big Act and then follows up with tidy‑up regulations so older laws match the new wording. Here, the power to do that sits in section 139 of the Data (Use and Access) Act. It keeps the legal plumbing joined up rather than changing your rights overnight.

What you can do now. If you manage electoral data, refresh templates and privacy notices so they reference Articles 84A–84C, and be ready to describe your safeguards. If you run a library or archive, keep your reader rules and audit trails in good order and note the new terminology. If you’re a researcher, check with your data protection lead that your project clearly falls under "RAS purposes" and that you’re de‑identifying as early as you reasonably can. The ICO is publishing guidance on the Act’s changes and consulting on new materials, which is worth following for practical examples.