More changes to UK GDPR? What the Data (Use and Access) Bill means for data protection in the UK

The Data (Use and Access) Bill, or DUAB, introduced in the House of Lords, is the latest piece of legislation aimed at updating how data is handled and shared in the UK. At 251 pages, with 138 clauses and 16 schedules, the change to UK GDPR is significant. Many of its data protection changes take the form of amendments to existing legislation, principally the UK GDPR and the Data Protection Act 2018. The proposed changes are substantial, and could raise questions about the UK's adequacy decision from the EU. However, the more controversial reforms proposed by the previous government have been dropped.

Why is the Data (Use and Access) Bill starting in the House of Lords?

DUAB begins its journey through Parliament in the House of Lords. Starting there has advantages for the government: the initial stages, where scrutiny tends to be most intense, can be completed while Peers and NGOs are still getting up to speed on the details. Since the bill carries over many ideas from the previous government's Data Protection and Digital Information (DPDI) Bill, it is unlikely to face much opposition, and it should pass rapidly through the Commons given the government's majority.

What has not been carried over from the previous legislation?

The Data (Use and Access) Bill (DUAB) does not include everything that was in the previous government's Data Protection and Digital Information Bill (DPDI). For instance, DUAB avoids weakening the definition of "personal data". It also steers clear of altering the role of Data Protection Officers or changing the requirements around Data Protection Impact Assessments (DPIAs) and record-keeping. There is no change to the rules requiring consultation with the Information Commissioner's Office (ICO) where processing risks cannot be mitigated, and subject access requests have not been limited, meaning that individuals retain the right to request their data even where their requests might be seen as "vexatious". Provisions changing the ICO's strategic focus are absent, though the government may address the ICO's direction by other means.

While wholesale changes to the ICO have been abandoned, the functions currently exercised by the Information Commissioner, a single office-holder, will transfer to a corporate body called the Information Commission. This change is intended to streamline operations. Separately, new rules requiring data subjects to lodge a complaint with the controller before going to the regulator should reduce the number of complaints reaching the Commission.

What has the new bill carried over from the previous one?

While DUAB drops some of the more controversial proposals, the Labour government's new legislation does carry forward some significant proposals from DPDI. It establishes a new lawful basis for processing known as "recognised legitimate interests", under which controllers can process data for a fixed list of purposes without carrying out the usual balancing test. One of those purposes lets public bodies request data from other organisations, including private companies, to support their functions. Individuals will have only limited scope to object to this kind of sharing, because the weighing of their interests that normally applies to legitimate-interest processing is not required.

Separately, the bill lists examples of purposes that may qualify under the ordinary legitimate-interests basis: direct marketing, maintaining the security of network and information systems, and intra-group transmission of data for internal administrative purposes. Unlike recognised legitimate interests, processing for these purposes remains subject to the balancing test and to the data subject's right to object.

DUAB also clarifies that further processing is allowed where it is compatible with the purpose for which the data was originally collected, and gives the government the authority to specify what counts as "compatible" processing. DUAB also maintains a lawful basis allowing US law enforcement agencies to access UK telecommunications data for serious crime investigations.

Departing from the current position under UK GDPR, DUAB allows the extensive and relatively unfettered use of AI and other automated processes to make decisions about individuals using most personal data. The existing restrictions on solely automated decision-making will continue to apply only where special category data is involved. Under UK GDPR as it stands, those restrictions apply to any personal data whenever the decision has a legal or similarly significant effect on the data subject, which could include decisions on loan applications or on employment.

This change could enable profiling and automated evaluations in scenarios such as employment screening. However, organisations using AI for decision-making must still put safeguards in place, including allowing individuals to contest or appeal decisions made solely by automated means. More restrictive measures remain where automated decisions significantly affect individuals and rely on special category data such as health, political opinions, or biometric information: such decisions will require explicit consent, must be required by law, or must meet the conditions for substantial public interest. While the government has not yet introduced its own AI bill, this suggests the UK's approach to AI regulation will not be as strict as the EU's.

Scientific research receives a substantial boost under DUAB, with commercial research now qualifying under the "scientific research" category. This reclassification means that a data subject's consent to research use can cover an area of research as projects evolve, provided the research meets recognised ethical standards. By expanding the definition of research and relaxing restrictions, DUAB seeks to foster innovation while aligning with public expectations for ethical data use.

DUAB also clarifies how data subject rights requests should be handled, for example by limiting the searches a controller must carry out to those that are "reasonable and proportionate". There is also a requirement for data subjects to file complaints directly with the data controller before escalating to the regulator, aiming to resolve issues at the organisation level first.

The bill relaxes restrictions on marketing by allowing third parties to rely on an opt-out approach when contacting individuals, rather than requiring explicit consent. Additionally, DUAB exempts research, archival and statistical (RAS) activities from some transparency requirements, meaning data can be shared between controllers and third parties for RAS purposes, provided safeguards are in place.

What’s new in DUAB?

New to DUAB is a power for the government to designate specific types of data, such as "neurodata", as special category data, placing limits on how that sensitive information can be processed. The Treasury also gains new powers over "business data" and "customer data", to be exercised with the customer's permission. These are meant to establish "smart data" schemes under which customer data can be used by, or shared with, third parties to deliver services.

DUAB strengthens enforcement under the Privacy and Electronic Communications Regulations (PECR), which govern e-marketing and cookie use, by introducing GDPR-level fines for breaches. Organisations that are already compliant with UK GDPR may still need to update their privacy notices under DUAB to explain data subjects' right to complain to the controller directly.

When controllers respond to subject access requests, the time limit will pause while the controller verifies the identity of the data subject, or while it seeks clarification from the data subject on the scope of the request.

What should organisations start doing to prepare?

Review privacy notices and documentation: Update privacy notices to inform data subjects of any new rights under DUAB, particularly around the right to complain directly to the data controller before escalating to the Information Commission. Organisations should also consider whether they need separate documentation for compliance with both UK and EU GDPR if operating across both jurisdictions.

Assess AI and automated decision-making processes: For businesses using AI or automated decision-making, it is crucial to review current processes to ensure they incorporate meaningful human intervention, especially for decisions that significantly affect individuals. Automated decisions involving special category data (e.g. health or biometric data) will still need one of the narrower justifications (explicit consent, a legal requirement, or substantial public interest), so businesses relying on consent should ensure they have mechanisms for obtaining and documenting it.

Re-evaluate legitimate interests justifications: DUAB introduces "recognised legitimate interests" for purposes such as national security, for which no balancing test is needed, and lists direct marketing, network and information security, and internal data sharing within company groups as examples of purposes that may fall under the ordinary legitimate-interests basis, which still requires one. Businesses should identify which of their processing activities fall into each category and prepare clear justifications and, where required, balancing tests. Documenting these will be important for both transparency and compliance.

Plan for new data use in research and innovation: DUAB allows for broader data use in scientific research, including privately funded projects. Companies involved in R&D should familiarise themselves with the revised standards for consent in research contexts, especially regarding evolving research purposes. Setting up frameworks for ethical standards in research can help streamline compliance.

Strengthen internal complaint processes: With new rules requiring data subjects to first lodge complaints with the organisation before reaching the Information Commission, businesses should ensure robust and transparent complaint-handling mechanisms are in place. Designate team members responsible for handling and resolving data-related complaints effectively.

Prepare for potential PECR enforcement updates: Companies involved in direct marketing and digital advertising should be aware of the strengthened enforcement of PECR regulations, as GDPR-level fines could now apply to breaches. This might include re-evaluating cookie compliance, opt-out mechanisms, and the storage of consent records.

Stay informed on compliance for new data sharing initiatives: DUAB’s introduction of “smart data” schemes and digital identity provisions means certain sectors, such as finance and healthcare, may soon see new standards for data sharing. Businesses should monitor updates in these areas, especially if their sector could be impacted by new obligations for data access and interoperability.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.