The Data (Use and Access) Bill
The Bill was introduced to Parliament by the Starmer Government in October 2024 and will be amended further as it progresses. It bears some similarities to the earlier Bills introduced under the Sunak and Johnson Governments, but also differs from them in a number of respects.
The main provisions of the latest published version of the Bill are outlined below. A number of the measures are intended to assist economic growth. For example the Government has estimated that supporting the digital identity sector could generate £4.3bn for the UK economy over the next decade.
Smart data
Smart data already exists in the banking sector through the open banking initiative.
It is intended to be a secure way by which customers (both consumers and others) can share their data with authorised third parties/intermediaries. The Government hopes that expanding smart data to other sectors will facilitate switching suppliers, give customers access to new services and better control over relevant data.
The Bill provides a framework for the Government to make regulations enabling new smart data initiatives. The regulations will also set out a framework for payment of fees and/or a levy, complaints and enforcement, including financial penalties.
Digital verification services
The Bill will enable companies that provide identity verification services to be certified against a government-approved trust framework and to display a government “trust mark”.
The Government has said rules of the scheme will include:
- “Not ‘profiling’ users for third-party marketing purposes
- Not creating large datasets that could risk revealing sensitive data about users
- Explicitly confirming that users understand how their data is being shared, whenever this happens.”
The Bill also establishes a framework for a statutory register of DVS providers, building on the existing non-statutory version. The Bill also provides public authorities with power to disclose information to registered DVS providers, subject to certain conditions, including compliance with data protection legislation. A “public authority” is defined in this context as those whose functions are of a public nature or which include functions of that nature. A code of practice will be published which public authorities must have regard to when disclosing information.
Trust services
Trust services consist of services concerning website authentication, electronic seals and signatures, timestamps and electronic delivery services. The measures in the Bill relating to trust services are intended to reduce cross-border trade friction.
The Bill amends the existing regime to provide a framework for regulations to allow the recognition of EU member state conformity assessment reports, as well as to allow the removal or amendment of UK recognition of EU standards in this area. Other measures include recognising trust service products provided by entities established outside the UK, subject to conditions, and enabling data sharing and cooperation between the Information Commissioner and overseas trust services regulators.
Data protection reforms
The Bill includes a number of changes, although overall the reforms are less extensive than those proposed by the Sunak administration. For example, it does not include the Sunak Bill’s measure to replace the requirement to appoint a data protection officer with a “Senior Responsible Individual”.
In general, the changes are intended to make some research and lower risk processing activities easier, although there are some new obligations on controllers in relation to complaints handling.
This section of our summary focuses on general processing under UK data protection law – there are some further nuances as regards law enforcement and intelligence services processing. The Bill will no doubt be considered by the European Commission as it reviews the 2021 adequacy decisions permitting personal data transfers from the EU to the UK.
Supporting the “RAS purposes” - research, archiving and statistics
Various provisions relating to data processing for historical and scientific research, archiving in the public interest and statistical purposes (RAS purposes) will be updated and clarified. For example “commercial” scientific research is expressly included within the definitions. The Government says that the changes will also make it clear that research organisations can seek “broad consent for areas of scientific research”.
Other changes are intended to reduce some of the compliance burden relating to the RAS purposes, including through changes to the purpose limitation mentioned further below.
Recognised legitimate interests
The Bill contains provisions intended to give data controllers greater confidence that certain types of processing in the public interest will be lawful.
There will be a new “recognised legitimate interests” (RLI) lawful basis for processing, to which the legitimate interests “balancing test” would not apply. The categories of RLI will consist of specified grounds of processing relating to public interest matters including:
- disclosures to data controllers who have requested data for their task in the public interest/in exercise of their official authority
- national security / defence / emergency response
- the investigation and prevention of crime
- safeguarding vulnerable people and under 18s
Changes to the purpose limitation
The Bill amends the “purpose limitation” provisions of UK GDPR, setting out additional conditions intended to clarify when re-use or further processing of data may be permitted.
The Bill provides that certain processing for a new purpose will be treated as compatible processing, including certain processing for the RAS purposes, as well as on some broader public interest grounds or where fresh consent is obtained.
There are also specific restrictions where the data was originally collected on the basis of consent.
New types of special category data
The Bill permits Government to add new special categories of personal data through regulations. The powers cannot be used to remove existing special categories, or to remove or vary the conditions for existing special categories.
Data subject rights and complaints handling
The Bill confirms that where the data controller reasonably requires further information to identify the information or processing activities to which a rights request relates, the controller may request such information and the clock for any response is paused until the information is received.
It also confirms that, when responding to an Article 15 subject access request, data controllers are only obliged to provide such confirmation, personal data and other information as they are able to locate on the basis of a reasonable and proportionate search. The Government considers this provision to codify existing case law. The Bill provides that these amendments will be treated as having come into effect on 1 January 2024 (the date when a number of structural changes to the UK status of pre-Brexit EU law took effect).
Provisions will also oblige controllers to implement and comply with various complaints-handling procedures, including obligations to:
- Facilitate making complaints relating to suspected infringements of UK GDPR, such as by providing a complaints form that can be completed electronically as well as by other methods
- Acknowledge complaints within 30 days
- Take “appropriate steps” to respond to a complaint without undue delay. This includes making appropriate enquiries and informing the complainant of progress.
Regulations may require controllers to notify the Information Commission of the number of complaints made.
Solely automated decision-making (ADM) and profiling
As under the current regime, the ADM provisions concern “solely” automated processing which produces a legal effect concerning the data subject or similarly significantly affects them. The Bill will revise the regime so that in broad terms there will be greater flexibility in relation to ADM that doesn't involve special category data:
- the gateway conditions currently set out in UK GDPR Art 22(2) will in future only apply where the ADM processing involves special category data. The rationale for this is that those with protected characteristics are more likely to face discrimination due to historic biases in datasets that ADM often uses
- there will be an absolute prohibition on ADM where the processing is carried out entirely or partly in reliance on the new “recognised legitimate interests” basis for processing
- safeguards will apply to all ADM processing, regardless of whether it includes special category data. The safeguards will include providing certain information to the data subject, enabling them to make representations, obtain human intervention and contest the decision.
- references to “profiling”, which are currently potentially treated as a type of automated processing, are removed, although whether decisions are reached by means of profiling will be a factor when considering whether there is meaningful human involvement in decision-making.
Further provisions may be set out in regulations, including about:
- what might or might not amount to "meaningful human involvement” in decision-making
- what might or might not amount to a “similarly significant effect” for a data subject
Transfers of personal data to third countries
The Bill will revise the current regime for international transfers of personal data although the gateways for transfers will remain similar.
The new regime will require the Secretary of State to apply a “data protection test” when deciding whether to make an adequacy decision. A similar test will apply to a data controller, acting “reasonably and proportionately”, when considering whether to make a transfer of data pursuant to one of the “appropriate safeguard” methods.
The test requires the standard of protection for the data subject after the transfer to not be materially lower than the standard provided under UK data protection law. What is reasonable and proportionate is to be determined with reference to all circumstances or likely circumstances, including the nature and volume of personal data transferred.
The Information Commission and PECR
The Information Commissioner will be replaced by an Information Commission. The Commission will also be given some new and updated duties and powers, including the power to issue fines for breach of the Privacy and Electronic Communications Regulations 2003 (PECR) in line with the fines under UK GDPR (up to £17.5m or 4% of global annual turnover, whichever is higher).
The updated regulatory toolkit will include new powers to require organisations to produce technical reports as part of the assessment notice procedure, and greater alignment between the PECR and UK GDPR regimes.
Clarifying amendments to the direct marketing provisions of PECR confirm that attempted calls and communications are in scope even if they don't reach their intended recipients.
The Government has also tabled an amendment to the Bill to enable charities to send emails for direct marketing purposes where the sole purpose is to further one or more of the charity’s charitable purposes.
This would be subject to conditions that the recipient’s contact details were obtained in the course of the recipient expressing an interest in or offering/providing support for one or more of the charitable purposes.
The recipient must also be provided with a simple free of charge means of opting out, both when their details were collected and in all subsequent communications.
The Bill also includes measures intended to reduce cookie fatigue by creating some new PECR exceptions (subject to conditions) to the need to obtain cookie consent in relation to:
- Collecting statistical information about how an organisation’s service or website is being used with a view to implementing service improvements
- Enabling an online service to be displayed in a certain way (eg to accommodate different screen sizes)
- Enabling a user’s location to be ascertained to allow emergency assistance to be provided
The Bill also clarifies and updates the definitions of what amounts to “storing” or “gaining access” to a device (such as mobile phones, computers, smart TVs and other connected devices) where the cookie provisions in PECR are engaged.
The Bill includes provisions intended to give coroners better access to information held by technology companies following the death of a child, by enabling Ofcom to require such information to be retained for a period.
It also enables regulations to be made under the Online Safety Act requiring regulated social media, search and messaging providers to provide information to enable independent research on online safety to be conducted. Ofcom has also initiated a call for evidence.
The Bill is intended to make information standards mandatory for suppliers of IT services to the health and care system. Information standards may consist of technical standards, data standards or information governance standards.
The Bill will broaden the gateway for sharing information under the Digital Economy Act to enable specified public authorities to share information for the purpose of improving service delivery for businesses. At present the Act only allows such sharing in respect of services provided to individuals and households.
The Bill would also provide a statutory framework for the NUAR digital map of underground pipes and cables, with the intention to create a more standardised system and increase efficiencies for ‘safe digging’. The Government says this “will accelerate the average data-sharing process from 6 days down to 6 seconds”.
The Bill will also remove the requirement for paper records of births and deaths; the register will be maintained only electronically.