Ever since the UK left the European Union, the UK Government has looked at how it can expand its use of personal data to grow the economy whilst still maintaining ‘adequacy’ for the purposes of the EU GDPR. The Conservatives made an attempt with the Data Protection and Digital Information (DPDI) Bill; however, it did not make it through Parliament before the July 2024 general election. But the incoming Labour Government had also spotted data’s potential, stating in the King’s Speech that it planned to introduce a Digital Information and Smart Data Bill:

“to ensure we harness the power of data for economic growth, to support a modern digital government, and to improve people’s lives”.

According to the briefing notes, the Bill would:

“…enable new innovative uses of data to be safely developed and deployed and will improve people’s lives by making public services work better by reforming data sharing and standards; help scientists and researchers make more life enhancing discoveries by improving our data laws; and ensure your data is well protected by giving the regulator (the ICO) new, stronger powers and a more modern structure…”

This all resulted in the introduction of the Data (Use and Access) Bill, conveniently known as the DUA Bill in October 2024.

What is the Data (Use and Access) Bill about?

The DUA Bill has three core objectives, namely:

• Kickstarting economic growth.
• Taking back our streets.
• Building an NHS fit for the future.

It is expected that the Bill will “harness the enormous power of data to boost the UK economy by £10 billion, and free up millions of police and NHS hours”.

The Bill is comprised of eight parts and sixteen schedules.

• Part 1 – covers access to customer data and business data and aims to enable the expansion of “smart data” use outside open banking in the finance sector.
• Part 2 – creates a trust framework, a register of providers, an information sharing gateway, and a trust mark to regulate data verification services.
• Part 3 – gives statutory footing to the National Underground Asset Register (a digital map of underground pipes and cables in England, Wales, and Northern Ireland.
• Part 4 – creates a digital registry of births, deaths, and marriages.
• Part 5 – makes changes to the UK’s data protection regime.
• Part 6 – abolishes the Information Commissioner’s Office and transfers its functions to a new body, the Information Commission.
• Part 7 – sets out how data is used and accessed in the following areas:
  • health and social care.
  • smart meter communication services.
  • public service delivery.
  • online safety.
• Part 8 – contains final and procedural provisions relating to consequential amendments, powers for making regulations, interpretation, and the Bill’s commencement.

Is the DUP Bill different from the Data Protection and Digital Information (No. 2) Bill?

One of the biggest concerns surrounding the Data Protection and Digital Information (No. 2) Bill was that it watered down privacy and personal data protections. Particular concerns included:

• Giving public authorities and companies wider scope to refuse Subject Access Requests.
• Increasing the situations where automated decision-making was permitted.
• Reduce the circumstances where an impact assessment would be required before data could be processed.
• Water down the circumstances in which a Data Protection Officer should be appointed.

Most of the differences between the DUA Bill and the Data Protection and Digital Information (No. 2) Bill relate to data protection.

What is the ICO’s response to the DUA Bill?

The Information Commissioner’s has said of the DUA Bill:

“I welcomed the Bill as a positive package of reform that maintains high standards of data protection and protects people’s rights and freedoms. It also provides greater regulatory certainty for organisations and promotes growth and innovation in the UK economy.”

“Overall, the Bill remains one which I support as improving the effectiveness of the data protection regime in the UK, upholding people’s rights, providing regulatory certainty and clarity for organisations and improving the way the ICO regulates.”

Regarding the highly contentious provisions concerning automated decision making, the Information Commissioner said that although no amendments to the relevant clauses were agreed in the House of Lords, there was vigorous debate on the subject. In particular, concerns were raised about the reframing of the automatic decision-making provisions so that, apart from a few exceptions, they no longer provide a general restriction on automated decision regarding issues that have legal effects. Instead, amendments to the Bill provide that as long as certain safeguards are put in place, there is no limit on the scope of ‘lawful basis’ for using automated decision-making. However, the Information Commissioner believes the DUA Bill balances the need to enable the benefits of automation with protecting data subjects’ rights, especially rights relating to special category data.

Summing up

Our team can assist you with any legal advice concerning data protection risk management and disputes. We believe in putting in place watertight policies and procedures to minimise the risk of regulatory investigations and protect your organisation’s commercial reputation  and customer trust.

Bibliography

Sources used to write this article include:

• https://bills.parliament.uk/bills/3322
• org.uk
• org.uk
• https://researchbriefings.files.parliament.uk/documents/CBP-10186/CBP-10186.pdf

To find out more about any matters discussed in this article, please email us at [email protected] or phone 0121 249 2400.

The content of this article is for general information only.  It is not, and should not be taken as, legal advice.  If you require any further information in relation to this article, please contact 43Legal.

“Melissa Danks is the founder of 43Legal. She has over 20 years’ experience as a solicitor working within the legal sector dealing with issues relating to risk management, dispute resolution, and advising in-house counsel in SMEs and large companies. Melissa has extensive expertise in providing practical, valuable, modern legal advice on large commercial projects, joint ventures, data protection and GDPR compliance, franchises, and commercial contracts. She has worked with stakeholders in multiple market sectors, including IT, legal, manufacturing, retail, hospitality, logistics and construction. When not providing legal advice and growing her law firm, Melissa spends her time running, walking in the countryside, reading and enjoying downtime with close friends and family.”