The Data (Use and Access) Bill – upcoming changes to data protection law in 2025
29 January 2025
The Data (Use and Access) Bill was introduced in the House of Lords on 23rd October 2024. This Bill replaces the Data Protection and Digital Information (DPDI) Bill, which failed to pass before the July 2024 general election. It is currently going through the report stage before its third reading, after which it will move to the House of Commons. We expect it to come into force later this year.
The Bill is designed to address how data is accessed, shared and used, and covers a wide range of topics, some of which are outside the scope of data protection. The Bill will not change the rules set out in the UK GDPR; however, it will change some compliance requirements. This blog aims to set out the key proposed changes where they relate to data protection.
Regulation in the UK
Currently, under the UK GDPR, the regulatory body for data protection is an independent body called the Information Commissioner’s Office (ICO). The Bill proposes changes to the structure of the ICO, which will be renamed the ‘Information Commission’, including the establishment of a formal board and changes to the Information Commission’s duties and powers. These changes are intended to improve data protection governance. The ICO has published a response to the draft Bill welcoming the strengthening of its enforcement powers.
Data Subject Access Requests
Unlike the DPDI Bill, the Data (Use and Access) Bill does not contain allowances for controllers to refuse requests that are seen as vexatious. It does, however, include welcome clarifications for controllers around the time limits for handling requests, and confirmation that controllers are only required to carry out a “reasonable and proportionate search” when fulfilling these.
Automated Decision-Making
One of the main topics of the Bill is the use and regulation of automated decision-making. Currently, under the UK GDPR, Article 22 places strict restrictions around solely automated decision-making. The Data (Use and Access) Bill introduces a new clause (clause 80) intended to replace the entirety of Article 22 of the UK GDPR with new Articles 22A-22D. These changes will make automated decision-making involving personal data simpler under the UK GDPR than it is under the EU GDPR; the current, stricter rules would apply mostly where special category data is concerned.
Special Category Data
Under the new rules the Secretary of State will have the power to amend the definition and scope of the term ‘Special Category Data’ under Article 9 of the UK GDPR. The Secretary of State will be able to add and/or remove categories of special category data. However, this power does not apply to the pre-existing categories under Article 9, which will remain unchanged.
International Data Transfers
The Data (Use and Access) Bill proposes the introduction of a ‘data protection test’, as a new method of identifying the adequacy of recipient countries. The Secretary of State will consider whether or not the level/standard of protection provided to data subjects in the recipient country is likely to be lower than the standard under UK law. Adequacy regulations will be based on whether or not the third country meets the data protection test.
Conclusion
The Data (Use and Access) Bill proposes changes to data management, access, and protection. While these changes present challenges for business, they also offer an opportunity to build trust with customers by demonstrating a proactive approach to data protection. By understanding the Bill and taking steps to comply, organisations can stay ahead of the curve. NormCyber’s team of data protection experts can help you prepare for the upcoming changes.