The Data (Use and Access) Bill [HL Bill 40] 2024-25 (the DUA Bill) was introduced to parliament on 23 October 2024. The last major change to data protection legislation in the UK took place in 2018 with the introduction of GDPR. More recently the Data Protection and Digital Information Bill (the DPDI Bill) had been going through the parliamentary process, which often takes a considerable time, and which meant it fell away with the dissolution of Parliament prior to the UK General Election in July 2024.
Now we have the DUA Bill, which has the stated aims of attempting to harness the power of data for economic growth, support a modern digital government and improve people's lives. This introduces provisions ranging from targeted reforms to update and simplify the UK data protection and privacy regime, to the creation of a digital asset register to improve the efficiency and safety of underground work on broadband cables and utility pipes. Significant proposals which affect SMEs include (but are not limited to):
- A new lawful basis for processing personal data, to be known as "recognised legitimate interest".
- A list of "recognised" legitimate interests, as a legal basis for processing, to include various public interest purposes such as national security and defence, responding to emergencies and safeguarding vulnerable people for which no balancing test (i.e. the data controller's legitimate interests versus the rights and interests of the data subject) would be required.
- A list of other types of processing which may count as legitimate interests, including direct marketing purposes, sharing data intra-group for internal administrative purposes, and ensuring security of network and information systems. Many businesses will already be using the legitimate interests basis for processing in these circumstances.
- The Secretary of State can specify in the future further types of processing which qualify as "legitimate interests".
- A power for the Secretary of State (subject to Parliament’s approval) to class further types of data as special category data. Special category data is generally data of a more sensitive nature, for example health data, political views, religious beliefs, sexual orientation, criminal records etc. This could increase the burden on SMEs given the additional protections that relate to this category of data.
- A relaxation of the rules on automated decision-making for personal data (except for special category data).
- Creating a new data protection test for transfers of personal data outside of the UK.
- "Smart data" schemes, to allow for the secure sharing of customer and business data.
- A regulatory structure for the provision of digital verification services.
- A new legal framework and asset register to improve the efficiency and safety of underground work on apparatus, such as broadband cables and utility pipes.
- Targeted reforms to update and simplify the UK GDPR, Data Protection Act 2018 and the Privacy and Electronic Commerce Regulations (which deal with electronic marketing amongst other things).
- Making healthcare information more easily accessible across all NHS trusts, GP surgeries and ambulance services.
- Services for the provision of electronic signatures, electronic seals, timestamps and other trust services.
Some proposed changes to the existing law which had previously been included in the DPDI Bill have now been removed. This is no doubt because the government wants to ensure that the UK retains its adequacy status for the free flow of personal data under the EU GDPR, as this does get reviewed at certain set points in time and to lose it would be problematic for UK businesses. The EU's adequacy decision for the UK means that the EU accepts that the UK provides an "essentially equivalent" level of data protection to the EU, and therefore allows most data to flow between the EU and the UK without additional safeguards. Aspects which no longer feature in the DUA Bill include (but are not limited to):
- Proposed changes to the definition of "personal data", which had set out a subjective test, and which narrowed the scope of data caught by the UK GDPR.
- Proposed revision of the threshold for refusing or charging for data subject access requests from "manifestly unfounded or excessive" to "vexatious or excessive".
- Various measures which were intended to reduce the administrative burden on businesses, such as:
  - Limiting record keeping obligations
  - Replacing mandatory Data Protection Officers with "senior responsible individuals"
  - Replacing "Data Protection Impact Assessments"
The DUA Bill aims to ease compliance burdens on businesses and the public sector alike, but as you can see, that was also the aim of the previous Bill which has now been amended. The Information Commissioner's Office (ICO) has made clear that in the Commissioner's view the proposals strike a positive balance and should not present a risk to the UK's adequacy status. It is hoped that many of the proposals will make compliance with data protection legislation easier. However, as we always say with parliamentary bills, one never categorically knows if, when, or in what form they will emerge into actual law, and therefore there may be numerous changes to the DUA Bill as currently drafted.
As always, we recommend that you “watch this space” for further updates. Of course we will provide FSB members with detailed guidance and appropriate precedent documents as and when the DUA Bill passes through Parliament and certainly well before it becomes law.