The UK’s new Data (Use and Access) Bill is set to mark quite a shift in the country’s data laws. Introduced in the House of Lords in October 2024, the Bill aims to advance prior regulatory Bills such as the Data Protection and Digital Information (DPDI) Bill. As it progresses through Parliament, we look at key areas of the Bill and practical considerations for the ways the proposed changes may impact data management strategy.
The Data (Use and Access) Bill retains many of the changes proposed in the previous DPDI Bill, though some anticipated adjustments were excluded. Notably, changes to the definition of personal data, the role of Data Protection Officers (DPOs), Data Protection Impact Assessments (DPIAs), and requirements around appointing representatives have been removed.
Other omissions include the introduction of “vexatious” data subject access requests and the obligation for the Information Commissioner’s Office (ICO) to consider government priorities in its enforcement actions. Additionally, several proposed reductions in ICO enforcement powers have been abandoned. However, core elements from the DPDI Bill remain, including “recognised legitimate interests,” which remove the need for a Legitimate Interest Assessment (LIA) for certain types of processing.
Key Provisions in the Bill
- Automated decision-making: greater flexibility for organisations using automated decision-making technologies, such as AI, by easing restrictions except in cases of “significant” impact on individuals, i.e. where sensitive data is used. Organisations using automated decision-making should assess where AI decisions affect individuals’ rights and freedoms and be prepared to offer human intervention where special category data is involved.
- Enhanced provisions for scientific research: the concept of “scientific research” is extended to allow broader use of personal data for research purposes, including certain commercial research activities, provided that ethical standards are met.
- Data sharing and legitimate interests: recognised legitimate interests now include public security, emergencies, and safeguarding vulnerable individuals. Additionally, “smart data” sharing, particularly in regulated sectors, will be encouraged to support innovation and competition. Organisations may rely on these recognised legitimate interests for specific processing without the need for an LIA. Data privacy teams should prepare for potential data-sharing frameworks introduced through secondary legislation and develop protocols that balance compliance and innovation.
- Healthcare data integration: targeted provisions for healthcare information interoperability, requiring IT providers in the health sector to enable real-time data access across NHS and related services.
- Changes to the role of the Information Commission: a proposed corporate Information Commission will replace the current Information Commissioner role, with the aim of enhancing regulatory efficiency.
- Privacy and Electronic Communications Regulations (PECR) enforcement: stronger enforcement capabilities for PECR, bringing potential GDPR-level fines for breaches.
- Simplified identity verification through Digital Trust Frameworks: new certification process for digital identity providers, allowing for a government-approved “trust mark” that signals compliance with privacy and security standards. The certification promotes secure, privacy-preserving digital identities, reducing the risk of data misuse and allowing consumers to verify identities with minimal data sharing.
- Smart Data Schemes for economic growth: the government is empowered to introduce Smart Data schemes in sectors like finance, energy, and telecommunications, enabling consumers and organisations to securely share data with authorised third parties.
Practical actions should the Bill become law
- Review and update privacy notices: update existing privacy notices, particularly to include instructions on how individuals can address complaints directly to data controllers before escalating to the Information Commission.
- Enhanced data-sharing protocols: organisations in sectors covered by Smart Data schemes, such as finance, energy, and telecommunications, must establish protocols for secure and compliant data-sharing processes. Tracking changes in secondary legislation is crucial as further guidance develops.
While the Data (Use and Access) Bill is still in its early stages, it introduces meaningful shifts that will require organisations to reassess compliance strategies across AI, research, data-sharing, and healthcare. HewardMills will continue to monitor developments in the Bill and provide updates on practical applications as it progresses through Parliament.