Debbie Heywood, Victoria Hordern and Chris Jeffery provide an overview of the new DUA Bill.
What's the issue?
After the Data Protection and Digital Information (DPDI) Bill failed to make it through the last Parliament ahead of the July general election, the new Labour government announced a Digital Information and Smart Data Bill in the July 2024 King's Speech. In the background briefing notes to the speech, the government said the Bill would aim to harness the power of data for economic growth. Among other things, it would establish a framework for trusted digital verification services, a national underground asset register, and smart data schemes allowing secure sharing of customer data with authorised third party providers. It would also preserve many of the reforms to the ICO's governance structure proposed under the DPDI Bill and would include "targeted reforms to some data laws… where there is currently a lack of clarity".
What's the development?
The Data (Use and Access) Bill – which rejoices in the unusually memorable acronym DUA – was published and received its first reading in the House of Lords on 23 October 2024.
Personal data
While many expected the government to drop the bulk of the changes to the UK GDPR proposed under the DPDI Bill, the majority, although not all, of the DPDI changes remain, some in identical form and others with subtle differences. Gone, for example, are:
- changes to the definition of personal data
- changes to the Data Protection Officer role, to Data Protection Impact Assessments and to the role of the representative
- the watering down of accountability provisions
- the introduction of a concept of "vexatious" data subject access requests
- the requirement on the ICO to take into account the government's strategic priorities
- some of the changes to the ICO's enforcement powers.
Changes which remain in place (although not necessarily in exactly the same way) include:
- changes to the scientific research provisions, including to the definition of consent, and the addition of a definition of scientific research (currently found only in the Recitals to the GDPR)
- the concept of recognised legitimate interests, which will mean there is no need to carry out a Legitimate Interest Assessment where the processing is carried out for a recognised interest
- changes to purpose limitation and clarification of what constitutes compatible further processing
- changes to rules on automated decision-making
- changes to the rules on data exports, including the ability of the Secretary of State to approve third countries, and the introduction of a data protection test to assess whether the third country or international organisation has a standard of data protection that is not materially lower than that in the UK
- changes to the Privacy and Electronic Communications Regulations
- changes to the role of the ICO.
A significant addition to the data protection reforms is s74 of the DUA Bill, which gives the Secretary of State the power to change the types of data classed as special category data.
Data sharing
The government's own press release plays down the data protection changes and focuses on the other half of the Bill. As with the DPDI Bill, the DUA Bill is similar in ambition to the EU's Data Act, Data Governance Act (DGA) and European Health Data Space (EHDS). Among other things it:
- Gives powers to the Secretary of State to make provisions on access to customer and business data. This has the potential to replicate elements of the EU's Data Act and DGA, but is not limited to IoT (as the data sharing elements of the Data Act are) or to public sector data (as the DGA is). The Bill provides a very broad canvas for the government, but the focus seems to be on creating open public databases of 'smart data', including on a sectoral basis, to encourage innovation and competition
- Creates a framework for trusted identity verification services
- Provides for a national register of underground assets such as power, water and utility pipes and cables
- Sets out new provisions on birth and death registers
- Makes some changes to law enforcement data access and retention (although not more extensive than those in the DPDI Bill)
- Provides for uniform information standards for information technology used in the provision of health and adult social care in England. This is the part of the legislation which will allow for single medical records, accessible across all health and social care services, and it is the aspect of the Bill the government is particularly highlighting
- Introduces provisions on access by researchers to certain data relating to online safety issues.
What does this mean for you?
The EU expressed some initial disquiet about the considerable discretion given to the Secretary of State under the DPDI Bill to introduce new data transfer mechanisms and extend the UK's adequacy network, particularly as that Bill was released before the EU-US Data Privacy Framework was agreed. There were, however, no notable concerns over the general planned changes to the UK's data protection standards. The DUA Bill looks even less likely to set alarm bells ringing ahead of the Commission's review of the UK adequacy decision next year.
Equally, businesses may welcome the moderate lightening of governance for some legitimate interest processing, the additional flexibility for research, and the addition of new adjacent purposes of processing. On the other hand, dropping the ability to reject vexatious data subject requests may disappoint, as many businesses see the subject access right as disproportionate and easily abused.
With the rise of AI, the changes to automated decision-making are nuanced but important. In practice they would enable businesses to use automated decision-making more widely than under the EU GDPR. Only where special category data is used would companies be subject to additional requirements to show consent, or that the processing is required for a contract or for legal compliance. Individuals' rights to object and to require human intervention are preserved.
Some businesses may cautiously welcome the provisions on data sharing and digital verification, while others may be concerned about the reach of the access provisions. However, much of the detail will be filled out in secondary legislation, so it is too early to assess the full impact. Hopefully the NHS will benefit as much as, if not more than, the government intends.
The DUA Bill is in its initial stages, but the DPDI Bill, on which much of it is based, had progressed nearly all the way to enactment with only a few points of contention remaining before the general election. This suggests that progress should be reasonably rapid.