UK Data (Use & Access) Bill: Key Proposals
What DPOs and data protection teams need to know
The Government’s Data (Use & Access) Bill was introduced to Parliament and had its first reading in the House of Lords on 23 October. This is a new name for the Digital Information and Smart Data Bill, announced in the King’s Speech back in July. With the acronym DUA, this Bill revives some, but certainly not all, aspects of the previous Government’s Data Protection & Digital Information Bill (DPDI), which fell by the wayside when the general election was announced.
At 262 pages it’s a lengthy document, so we’ve provided a summary of some key proposals likely to be of interest to those working in data protection-related roles. Of course, at this stage everything is subject to change as the Bill progresses through Parliament.
DATA PROTECTION (UK GDPR & DPA 2018)
1. Accountability requirements NOT changed
The previous DPDI’s controversial plans to amend accountability obligations under UK GDPR have not been carried over into DUA. There are no plans to remove the requirement for organisations which meet certain criteria to appoint a Data Protection Officer, nor are there any planned changes relating to Data Protection Impact Assessments or Records of Processing Activities.
Some organisations may be disappointed that more flexibility is not planned in these areas. However, we’d stress UK GDPR is already littered with the words ‘proportionate’ and ‘appropriate’. Small and medium-sized businesses are not currently expected to put in place measures as robust as those of larger organisations, unless the nature of their business activities and the sensitivity of the personal data they handle warrants it.
2. Data Subject Access Requests (DSARs)
In the main, the proposals in relation to the Right of Access (aka Data Subject Access Requests) aim to give a statutory footing to practices already commonly applied, such as confirming that:
■ Organisations can ask the requester for details of the information or activities a DSAR relates to, and can pause the time period for responding to the request while seeking this information. For example, clarification may be sought when the organisation “processes a large amount of information concerning the data subject”.
■ The time period for compliance with a DSAR does not begin until the organisation is satisfied the requester is who they say they are; i.e., any necessary proof of identity has been received.
■ The search for personal data in response to a DSAR would only need to be “reasonable and proportionate”.
Making these points crystal clear in law would create certainty for organisations, which currently rely on guidance from the Information Commissioner’s Office. Many organisations may be disappointed the concept of ‘vexatious’ requests has not been revived from the abandoned DPDI Bill.
3. Privacy notices & the right to be informed
The DUA Bill proposes that the obligation to provide privacy information to individuals under Articles 13 and 14 (e.g. via a privacy notice) will not apply if providing this information ‘is impossible or would involve disproportionate effort’. This move could be viewed as an attempt to water down requirements to notify individuals of the processing taking place. This was a particular point of contention in the Experian vs ICO case. In relation to its processing of the Edited Electoral Roll, Experian argued it would be disproportionate effort to notify and provide privacy information to millions of people.
4. Recognised legitimate interests
The concept of ‘recognised legitimate interests’ is revived from the DPDI Bill. It’s proposed organisations would be exempt from conducting a full Legitimate Interests Assessment (LIA) for certain specified purposes, such as national security, emergency response, and safeguarding. The DUA Bill also looks to confirm legitimate interests as an acceptable lawful basis where necessary for direct marketing purposes. Clearly, legitimate interests will only be an option where the law doesn’t require consent, for example under the Privacy and Electronic Communications Regulations (PECR).
5. Automated decision-making
Noteworthy changes are proposed aimed at making it easier for organisations to use automated decision-making more widely, for example using artificial intelligence (AI) systems. Currently, Article 22 of UK GDPR places strict restrictions on automated decision-making (including profiling) which could produce legal or similarly significant effects. The new Bill seeks to reduce the scope of Article 22 to cover only automated decisions made using special category data. There is likely to be concern this will have a negative impact on people’s rights in relation to automated decisions made about them using other personal data. This may also put the UK out of kilter with the EU.
6. Data protection complaints procedure
It is proposed that organisations be obliged to have clear procedures so people can raise complaints in connection with the use of their personal data. For example, organisations would need to:
■ Facilitate people’s ability to make complaints (for instance by providing a complaint form).
■ Respond to complaints within 30 days of receipt.
■ Notify the Information Commissioner of the number of complaints received in specified periods.
PRIVACY & ELECTRONIC COMMUNICATIONS REGULATIONS (PECR)
The following changes to PECR are proposed:
1. PECR Fines
Significantly increasing potential fines for infringements of PECR to bring them in line with the level of fines under UK GDPR. Currently, the maximum fine under PECR is capped at £500k.
2. Analytics cookies
Permitting the use of first-party cookies and similar technologies for website analytics without a requirement to collect consent. Also included is a provision to allow for the introduction of other circumstances in which cookie consent would not be required.
3. Spam emails and texts
Expanding what constitutes ‘spam’ to include emails and text messages which are sent but not received by anyone. This will mean the ICO can consider much larger volumes in any enforcement action. In conjunction with higher fines – SPAMMERS BEWARE!
THE INFORMATION COMMISSION
The plan is for the Information Commissioner’s Office to be replaced by an Information Commission. This would be structured in a similar way to the Financial Conduct Authority and the Competition and Markets Authority, with an appointed Chief Executive. There’s also provision for the Government to have considerable influence over the operations of the new Commission. For example, this could include determining the number of Commission members and a requirement for the Commission to consult the Government on the appointment of a Chief Executive.
SMART DATA SCHEMES
The Government announcement states: ‘the Bill will create the right conditions to support the future of open banking and the growth of new smart data schemes, models which allow consumers and businesses who want to safely share information about them with regulated and authorised third parties, to generate personalised market comparisons and financial advice to cut costs.’
The Right to Portability under UK GDPR currently allows individuals to obtain and reuse their personal data. DUA aims to expand this to allow consumers to request that their data is shared directly with authorised and regulated third parties. The hope is this will allow for the growth of smart data schemes to enable data sharing in areas such as energy, telecoms, mortgages, and insurance. It’s proposed this would be underpinned by a framework with data security at its core.
HEALTHCARE INFORMATION
Ever been to hospital and found your GP has no record of your treatment, or the hospital can’t access your GP’s notes? The government is hoping proposals in the Bill will support plans for a more uniform approach to information standards and technology infrastructure, so systems can ‘talk’ to each other. For example, allowing hospitals, GP surgeries, social care services, and ambulance services to have real-time access to information such as patient appointments, tests, and pre-existing conditions.
SCIENTIFIC RESEARCH
There are proposed changes to scientific research provisions, including clarifying the definition of scientific research and amending consent for scientific research. This is in part driven by a desire to make it easier for personal data collected for specific research to be reused for other scientific research purposes.
DIGITAL VERIFICATION SERVICES
There’s an aim to create a framework for trusted identity verification services, moving the country away from paper-based and in-person tasks. For example, proposals allow for digital verification services aimed at simplifying processes such as registering births and deaths, starting a new job, and renting a home.
In summary
The DUA Bill revives some old ideas and introduces some new ones. Some proposals are more controversial than others. But unlike the DPDI, it does not present any significant softening of data protection compliance obligations under UK GDPR. All proposals will be scrutinised and could be amended before the Bill is enacted. However, unlike the previous Tory bill, this Bill is highly likely to become law.
In all of this, the Government will have a close eye on EU-UK adequacy. The European Commission’s adequacy decision for the UK is up for review in 2025, and there’s a recognition that losing adequacy status would have a significantly negative impact on organisations which share data between the UK and EU. It will be hoped that dropping controversial plans to dilute accountability requirements under UK GDPR will mean the European Commission finds the DUA Bill more palatable and less contentious.
The Bill as introduced can be found here. For quick reference these are the key parts of DUA:
Part 1: Access to customer data and business data
Part 2: Digital Information Services
Part 3: National underground asset register
Part 4: Registers of births and deaths
Part 5: Data Protection and Privacy
Chapter 1: Data Protection
Chapter 2: Privacy and Electronic Communications Regulations (PECR)
Part 6: The Information Commission
Part 7: Other Provisions
Part 8: Final Provisions