
The Data (Use and Access) Bill – upcoming changes to data protection law in 2025

The Data (Use and Access) Bill was introduced in the House of Lords on 24th October 2024. This Bill replaces the Data Protection and Digital Information (DPDI) Bill, which failed to pass before the July 2024 general election, and has now moved from the House of Lords into the House of Commons. We expect it to come into force later this year.

The Data (Use and Access) Bill

The Bill is designed to address how data is accessed, shared and used, and covers a wide range of topics, some of which are outside the scope of data protection. The Bill will not change the rules set out in the UK GDPR; however, it will change some compliance requirements. This blog aims to set out key proposed changes where they relate to data protection.


Regulation in the UK

Currently, under the UK GDPR, the regulatory body for data protection is an independent body called the Information Commissioner’s Office (ICO). The Bill proposes changes to the structure of the ICO, which will be renamed the ‘Information Commission’, including the establishment of a formal board and changes to the Information Commission’s duties and powers. These changes are intended to improve data protection governance. The ICO has published a response to the draft Bill welcoming the strengthening of its enforcement powers.


Data Subject Access Requests

Unlike the DPDI Bill, the Data (Use and Access) Bill does not contain allowances for controllers to refuse requests that are seen as vexatious. It does, however, include welcome clarifications for controllers around the time limits for handling requests, and confirmation that controllers are only required to carry out a “reasonable and proportionate search” when fulfilling these.


Automated Decision-Making

One of the main topics of the Bill is the use and regulation of automated decision-making. Currently, under the UK GDPR, Article 22 places strict restrictions around solely automated decision-making. The Data (Use and Access) Bill introduces a new clause (clause 80) intended to replace the entirety of Article 22 of the UK GDPR with new Articles 22A-22D. These changes will make automated decision-making involving personal data simpler under the UK GDPR than it is under the EU GDPR; the current, stricter rules would apply mostly where special category data is concerned.


Special Category Data

Under the new rules the Secretary of State will have the power to amend the definition and scope of the term ‘Special Category Data’ under Article 9 of the UK GDPR. The Secretary of State will be able to add and/or remove categories of special category data. However, this power does not apply to the pre-existing categories under Article 9, which will remain unchanged.


International Data Transfers

The Data (Use and Access) Bill proposes the introduction of a ‘data protection test’ as a new method of identifying the adequacy of recipient countries. The Secretary of State will consider whether or not the level/standard of protection provided to data subjects in the recipient country is likely to be lower than the standard under UK law. Adequacy regulations will be based on whether or not the third country meets the data protection test.

Conclusion

The Data (Use and Access) Bill proposes changes to data management, access, and protection. While these changes present challenges for business, they also offer an opportunity to build trust with customers by demonstrating a proactive approach to data protection. By understanding the Bill and taking steps to comply, organisations can stay ahead of the curve. NormCyber’s team of data protection experts can help you prepare for the upcoming changes.

Part 2
Amendments to the Data (Use and Access) Bill by the House of Lords

Introduction

The Data (Use and Access) Bill, introduced on 24th October 2024, has now moved from the House of Lords into the House of Commons. Throughout its stages in the House of Lords, the Bill has been subject to debate and a number of amendments. As the Bill passes from the Lords to the Commons, the ICO has released an updated response to the Bill to acknowledge some of the changes made.


AI and Automated Decision Making

The use of AI models and automated decision making was an area of debate in the House of Lords, which passed an amendment to require AI developers with a UK connection to comply with UK intellectual property law and disclose how and where they obtain training data. Following debates around the topic, no amendments to the automated decision making clauses were agreed. Currently, the amendments to the Bill allow processing via automated decision making with no limitation on the lawful basis an organisation can rely on.


Changes to the soft opt-in

Another update made to the Bill concerns the rules on direct marketing by email. The existing ‘soft opt-in’ rule currently allows commercial organisations to send direct marketing emails to existing customers, without prior consent to receive marketing information, provided they are given an option to opt out of all subsequent marketing communications. This update will extend the use of the ‘soft opt-in’ to the charity sector.


Personal data of children

Amendments to the Bill have been made to introduce further duties around the safeguarding of children’s data, including a responsibility for the ICO to consider specific protection with regard to children’s personal data.


Next steps

Currently the Bill is in the Committee stage, with sittings on 4th and 6th March, after which it will enter the report stage before its 3rd and final reading before the House. We anticipate the Bill will become law in the coming months, and we will keep track of any further amendments made during its passage.