Changeflow GovPing Government & Legislation AI Code of Practice Regulations Mandate Informa...
Priority review Rule Added Final

AI Code of Practice Regulations Mandate Information Commissioner to Issue Guidance on Data Processing

Favicon for www.legislation.gov.uk UK New Legislation
Published
Detected
Email

Summary

The Secretary of State has made the Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026 (SI 2026/425), requiring the Information Commissioner to prepare a code of practice on AI and automated decision-making under the UK GDPR and Data Protection Act 2018. The code must include guidance on processing children's personal data. A new subsection (7A) is inserted into section 124B of the 2018 Act, excluding national security aspects from the panel's remit. The Regulations come into force on 12 May 2026.

Why this matters

Organisations currently using or developing AI systems that involve automated decision-making should begin reviewing their data processing activities in preparation for the Information Commissioner's forthcoming code of practice. The explicit requirement for guidance on children's personal data in AI contexts signals heightened compliance expectations for entities operating in this space. The national security exclusion from the panel's remit means the code may not address all AI deployment scenarios relevant to government contractors or critical infrastructure operators.

AI-drafted from the source document, validated against GovPing's analyst note standards . For the primary regulatory language, read the source document .
Published by UK Parliament on legislation.gov.uk . Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards .
View original document View source feed page

What changed

These Regulations require the Information Commissioner to prepare an entirely new code of practice providing guidance on good practice in processing personal data in relation to developing and using artificial intelligence and automated decision-making. The code must specifically address processing children's personal data and covers both Article 22C of the UK GDPR and section 50C of the 2018 Act. Regulation 3 modifies the panel requirements under section 124B by inserting a new subsection prohibiting the panel from considering or reporting on any aspect of the code relating to national security.

Affected organisations developing or deploying AI systems and automated decision-making processes should monitor for the Information Commissioner's subsequent code of practice, which will establish industry guidance on compliance with UK data protection law in this domain. Organisations processing children's data in AI contexts should review their current practices in anticipation of forthcoming guidance. The national security carve-out in the panel requirements may limit the scope of the code on national security-related AI applications.

Archived snapshot

Apr 21, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Status:

This is the original version (as it was originally made). This item of legislation is currently only available in its original format.

Statutory Instruments

2026 No. 425

DATA PROTECTION

The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026

Made

16th April 2026

Laid before Parliament

21st April 2026

Coming into force

12th May 2026

The Secretary of State makes these Regulations in exercise of the powers conferred by section 124A(1) and (2) and section 124B(11) of the Data Protection Act 2018(). In accordance with section 182(2) of that Act, the Secretary of State has consulted the Commissioner and such other persons as the Secretary of State considers appropriate.

Citation, commencement, extent and interpretation

  1. —(1) These Regulations may be cited as The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026.

(2) These Regulations come into force 21 days after the day on which they are laid.

(3) These Regulations extend to England and Wales, Scotland and Northern Ireland.

(4) In these Regulations, “ the 2018 Act ” means the Data Protection Act 2018.

The code of practice

  1. —(1) The Commissioner must prepare an appropriate code of practice giving guidance as to good practice in the processing of personal data() under the relevant data protection legislation in relation to—

(a) developing and using artificial intelligence, and

(b) automated decision-making.

(2) The code of practice must include guidance as to good practice in the processing of children’s personal data.

(3) In this regulation—

“ automated decision-making ” means—

(a) decision-making to which Article 22C(1) of the UK GDPR() applies, or

(b) decision-making to which section 50C(1) of the 2018 Act() applies.

“ relevant data protection legislation ” means—

(a) the UK GDPR, and

(b) the 2018 Act, except Part 4 of that Act.

Modification to panel requirements

  1. Section 124B of the 2018 Act applies to the preparation or amendment of the code of practice required under regulation 2 as if after subsection (7) there were inserted—

“ (7A) The panel must not consider or report on any aspect of the code relating to national security. ”.

Ian Murray

Minister of State

Department for Science, Innovation and Technology

16th April 2026

Explanatory Note

(This note is not part of the Regulations)

These Regulations require the Information Commissioner (“ the Commissioner ”) to prepare a code of practice on the processing of personal data under relevant data protection legislation in relation to developing and using artificial intelligence and automated decision-making. Relevant data protection legislation is defined in regulation 2 as the UK GDPR and the Data Protection Act 2018 (“ the 2018 Act ”), except Part 4 (intelligence services processing).

Regulation 3 modifies the requirements under section 124B of the 2018 Act for the Commissioner to establish a panel of individuals to consider the code of practice by providing that the panel must not consider or report on any aspect of the code of practice relating to national security.

A full impact assessment has not been produced for this instrument as no, or no significant, impact on the private, voluntary or public sector is foreseen as a result of the instrument itself. The Commissioner is required to produce an impact assessment when preparing the code of practice under these Regulations.

(1) 2018 c. 12. Sections 124A and 124B were inserted by sections 92(2) and 93, respectively, of the Data (Use and Access) Act 2025 (c. 18). Commissioner is defined in section 3(8) of the Data Protection Act 2018 as the Information Commissioner.

(2) See section 124A(7) of the Data Protection Act 2018 for the meaning of “good practice in the processing of personal data”.

(3) Article 22C was inserted by section 80 of the Data (Use and Access) Act 2025. See section 3(10) of the Data Protection Act 2018 for the meaning of “the UK GDPR”.

(4) Section 50C was inserted by section 80 of the Data (Use and Access) Act 2025.

  • Previous
  • Next

Named provisions

Citation, commencement, extent and interpretation The code of practice Modification to panel requirements

Related changes

Favicon for www.gov.uk UK GDPR and Data Protection Act 2018 Overview
Routine Apr 20, 2026 UK Information Commissioner S Office Government & Legislation
Favicon for www.legislation.gov.uk Nutrition Regulations 2026 Amendment, EU Exit
Routine Apr 21, 2026 UK New Legislation Government & Legislation
Favicon for www.judiciary.uk RTM v Bonne Terre Limited - Data Protection Appeal
Priority review Apr 21, 2026 UK Judiciary Judgments Courts & Legal

Get daily alerts for UK New Legislation

Daily digest delivered to your inbox.

Free. Unsubscribe anytime.

Source

Favicon for www.legislation.gov.uk
UK New Legislation legislation.gov.uk/new/data.feed
Government & Legislation

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from UK Parliament.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Last updated

Press inquiries →

Classification

Agency
UK Parliament
Published
April 16th, 2026
Instrument
Rule
Branch
Executive
Legal weight
Binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Technology companies Government agencies
Industry sector
5112 Software & Technology
Activity scope
AI development Automated decision-making Data processing governance
Geographic scope
United Kingdom GB

Taxonomy

Primary area
Data Privacy
Operational domain
Compliance
Compliance frameworks
GDPR
Topics
Artificial Intelligence Consumer Protection

Browse Categories

Agriculture & Food Safety 73 AI Regulation 3 Banking & Finance 414 Consumer Protection 89 Courts & Legal 411 Data Privacy & Cybersecurity 90 Defense & National Security 53 Education 55 Energy 100 Environment 152 Gaming 2 Government & Legislation 431 Healthcare 15 Healthcare & Life Sciences 375 Immigration 10 Insurance 76 Labor & Employment 138 Pharma & Drug Safety 21 Professional Licensing 8 Real Estate & Housing 78 Securities & Markets 154 Tax 78 Telecom & Technology 47 Trade & Sanctions 141 Transportation 91

Get alerts for this source

We'll email you when UK New Legislation publishes new changes.

Free. Unsubscribe anytime.

You're subscribed!