Legal development

The UK's Data (Use and Access) Bill – Key Considerations


    On Wednesday 23 October, the UK Government published its Data (Use and Access) Bill ("DUA"), promising that it will "harness the enormous power of data to boost the UK economy by £10 billion" and "unlock the secure and effective use of data for the public interest". Although tweaked in structure, the DUA mirrors many of the concepts and provisions that were in the previous Government's abandoned Data Protection and Digital Information Bill ("DPDI Bill"), or makes only subtle changes to them. It does appear to place greater focus than the DPDI Bill on data sharing and digital verification, and certain key areas of divergence between the DPDI Bill and the DUA suggest that the UK Government intends to stay aligned with the EU and the EU GDPR.

    We have summarised below the key points for organisations to monitor as the DUA progresses through Parliament:

    • ICO Reform: The Information Commissioner's Office ("ICO") will be replaced by a body corporate. This reform will bring the data protection regulator into a similar structure to the other UK regulators which form part of the Digital Cooperation Regulation Forum and are involved in online regulatory matters, such as OFCOM and the CMA. The Information Commission will also gain new enforcement powers, including a power to compel individuals to speak to it and a power to require the recipient of an assessment notice to instruct an approved person to prepare a report at the recipient's cost and provide it to the Commission.
    • Changes to DSARs: in what is likely to be welcome news to data protection officers and other data protection professionals, the DUA clarifies that responses to data subject access requests (DSARs) require only a "reasonable and proportionate" search, putting ICO guidance onto a statutory footing for the first time. However, the concept of a "vexatious" DSAR that was introduced by the DPDI Bill has been scrapped in the DUA.
    • Recognised legitimate interests: a concept of recognised legitimate interests has been introduced which will mean there is no need to undertake a full legitimate interest assessment where the processing is carried out for a recognised interest. Unlike the DPDI Bill, which had a broader scope of recognised legitimate interest, under the DUA any new recognised legitimate interest must be needed to safeguard objectives such as national or public security, defence, crime prevention/investigation, public health, data subject rights, regulatory functions or civil law claims. The Government will be able to update this list via regulation, subject to parliamentary approval.
    • Digital Verification Services: as mentioned in our July edition of Data Bytes, digital verification services were specifically mentioned in the King's Speech. The DUA includes legislation for these digital verification services, meaning that companies providing tools for verifying identities will need to be certified against the Government's standards and receive a 'trust mark'. A new Office for Digital Identities and Attributes will lead this process.
    • Data Access: The DUA draws some parallels with the EU's Data Governance Act and Data Act, which came into force in June 2022 and January 2024 respectively (more on those here). For example, the DUA gives powers to the Secretary of State or the Treasury to make provisions on access to customer and business data. In a bid to avoid diverging from the EU, provisions could look similar to EU legislation (for example, like the Data Governance Act and Data Act, the DUA also uses the term "data holders"); however, the DUA's data access provisions appear broader in scope than their EU counterparts.
    • Automated Decision Making: The DUA limits the general prohibition on automated decision making currently found in article 22(1) of the UK GDPR to those decisions which are "significant" and based entirely or partly on the processing of special category data. Notably, the DUA also gives the Secretary of State powers to add new types of special category data, which would in effect add to those listed in article 9(1) UK GDPR.
    • PECR Penalties: The DUA also proposes changes to the Privacy and Electronic Communications Regulations (PECR), including strengthening the ICO's enforcement powers and enabling GDPR-level fines to be imposed for PECR violations. If the recent increase in PECR enforcement action wasn't enough to motivate organisations to reconsider any potentially questionable direct marketing practices, the DUA should make this a priority in light of the heightened enforcement and penalty proposals.
    • Cookie Consent Exemptions: A new schedule A1 to PECR would allow cookies to be used without consent in certain circumstances, such as where the technical storage or access to information is strictly necessary to ensure the security of the terminal equipment, to prevent or detect fraud or technical faults, to collect information for statistical purposes to make improvements to the service, to enable the way the website appears or functions for the user or to provide emergency assistance.
    • Data Transfers: Chapter 5 of the UK GDPR on transfers of personal data to third countries is replaced by Schedule 7 of the DUA, which includes a "data protection test" that controllers must take into account when a transfer is made subject to appropriate safeguards (such as the UK IDTA). The test focuses on assessing whether the data protection standard in the destination country is "materially lower" than in the UK.

    As at the date of this article, the DUA has had its first reading in the House of Lords. Whilst no date is currently set for the second reading, the similarity of its provisions to the previous DPDI Bill, which reached the final stage of the legislative process, suggests that the DUA's passage through Parliament may be relatively quick.


    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.