UK data reform resurrected
Data (Use and Access) Bill hits the House of Lords
The UK Government introduced the Data (Use and Access) Bill (DUA Bill) to the House of Lords on 23 October 2024. Most of its content carries over from the Data Protection and Digital Information Bill (DPDI Bill) introduced by the Conservative Government in 2022, which fell when Parliament was dissolved before the 2024 general election, with some minor additions and a few notable omissions.
Amending the UK General Data Protection Regulation (UK GDPR) and Data Protection Act was seen by the previous Government as an opportunity to demonstrate post-Brexit opportunities for "unlocking the value of data" and "securing a pro-growth and trusted data regime". These aims had to be balanced against the economic cost should the UK lose its adequacy status under the EU GDPR if the DPDI Bill pushed the UK's data protection regime too far from that in the EU.
Following the dissolution of Parliament there was a period of uncertainty as to whether the incoming Labour Government intended to carry the reforms forward. However, the DUA Bill was announced, in a low-key way and under a different name, in the briefing notes to the King's Speech at the State Opening of Parliament in July. Now, introducing the DUA Bill to the House of Lords, the Government says that the bill will "unlock the secure and effective use of data for the public interest", putting special emphasis on the use of data in law enforcement and health and social care.
Despite the change of emphasis, the DUA Bill inherits most of the key features of its predecessor, aiming to:
- lay out a framework for the secure sharing of so-called 'smart data' between service providers at consumers' request, in the vein of the established opening banking regime;
- lay out a framework for the introduction of a regime for secure digital verification services as part of the Government's ongoing work in building a digital identity ecosystem for the UK;
- clarify and simplify certain aspects of the UK's data protection regime, including the principles of lawfulness of processing and purpose limitation and the regime governing the use of automated decision-making techniques;
- make it easier for scientists to obtain broad consent from individuals for the use of their data in research;
- re-structure and strengthen the regulatory powers of the Information Commissioner's Office, which is to become the "Information Commission";
- facilitate the keeping and sharing of registers relating to underground apparatus in streets;
- provide for the setting and enforcement of IT standards in health and social care.
Compared to the last version of the DPDI Bill, the DUA Bill:
- removes some previously proposed changes to the UK's (electronic) direct marketing regime;
- presumably in response to concerns about undermining the independence of the regulator, removes the requirement that the Information Commission should take into account strategic priorities determined by the Secretary of State in carrying out its functions;
- does away with the change to the threshold for rejection of data subject rights requests from "manifestly unfounded" to "vexatious";
- removes democratic engagement from the list of pre-approved legitimate interests and the list of conditions for the processing of special category data;
- removes controversial amendments to social security legislation that would have allowed the Department of Work and Pensions to obtain information on the bank accounts of benefits claimants – we understand, however, that these provisions may re-appear, perhaps in a more limited form, in the forthcoming Fraud, Error and Debt Bill;
- makes provision for the Secretary of State to make regulations: altering what processing of special category data is prohibited under the UK GDPR and the Data Protection Act and requiring providers of certain services to provide information for independent research into online safety matters.
We anticipate that, if passed in its present form, the DUA Bill may facilitate innovation in the exploitation of data, but mainly non-personal data and primarily in certain narrow contexts such as public service planning and delivery. The smart data and digital verification services frameworks remain firmly on the new Government's agenda for their potential to deliver benefits to both consumers and businesses. Tweaks to the UK GDPR may lower the compliance burden for small- to medium-sized businesses that are not also subject to the EU GDPR.
Read our comparison of the DUA Bill against the pre-dissolution form of the DPDI Bill.