New UK regulations made on 15 December and laid before Parliament on 17 December 2025 refresh data offences and research safeguards across multiple statutes. Signed by Ian Murray at the Department for Science, Innovation and Technology, the instrument is published on legislation.gov.uk.

Giving false information to the Information Commissioner in response to an interview notice-created as section 148C of the Data Protection Act 2018-will become a recordable offence once the relevant provisions commence. That matters because entries on the Police National Computer can surface in vetting and some Disclosure and Barring Service checks, lifting the compliance risk around ICO interviews.

The instrument also repeals section 199(1) of the DPA 2018 and inserts specific data offences into the National Police Records (Recordable Offences) Regulations 2000. The practical effect is continuity: offences such as unlawfully obtaining personal data and re‑identifying de‑identified data remain recordable, but their status is now spelled out directly in police regulations.

Companies legislation is updated to reflect the new offence. The Companies (Disclosure of Address) Regulations 2009, the Overseas Companies Regulations 2009, the Companies (Disclosure of Date of Birth Information) Regulations 2015 and the People with Significant Control rules now name section 148C alongside existing evidence‑related offences when allowing disclosures to credit reference agencies in defined circumstances.

For credit reference agencies and lenders, the gateways are not widened, but the list of relevant offences they can rely on is refreshed. Compliance teams should tighten procedures and data‑sharing agreements so references point to the correct provisions before responding to requests or audits.

Across electoral and local government rules in England, Scotland, Wales and Northern Ireland, cross‑references to UK GDPR Article 89 move to Articles 84A, 84B and 84C. This preserves long‑standing permissions for archiving, research and statistics while underlining the requirement that appropriate safeguards apply to any personal data processed for those purposes.

The changes touch the British Library, the National Libraries of Scotland and Wales, the Office for National Statistics, public libraries and archives, and the supply and inspection of absent voter records. For organisations accessing full registers via statutory routes, this is largely a documentation update rather than a change to what can be processed.

Only the administrative provisions start automatically-regulations 1 and 2 begin 21 days after laying, which is 7 January 2026. Substantive changes, including the recordable‑offence designations and GDPR cross‑reference updates, switch on when section 100 and section 86 of the Data (Use and Access) Act 2025 are brought fully into force.

Boards should treat ICO interviews with the same care as formal notices and warrants. Legal, security and data protection leads will want a standard protocol for interview notices, staff briefings on truthful responses, and an audit trail for information provided; knowingly giving a false account could now carry policing consequences.

DSIT notes no significant impact assessment is required; this is mainly a tidy‑up with sharper enforcement edges. In our view, the practical effect is a modest uplift in enforcement risk. Watch for commencement orders and any operational guidance that follows; rights, lawful bases and marketing rules are unchanged here.