Data (Use and Access) Bill
The Data (Use and Access) Bill was introduced to Parliament on 23 October 2024. It aims to modernise the UK’s approach to data regulation, with a variety of proposed amendments to the existing UK General Data Protection Regulation (GDPR) and the Data Protection Act (2018).
Sponsored by the Department for Science, Innovation and Technology (DSIT), the Bill focusses on updating the law in key areas, including improving health data standards, refining rules on cookie deployment, and revising the scope of automated decision making.
This page explains the key differences between the UK General Data Protection Regulation (UK GDPR) and the newly proposed UK Data (Use and Access) (DUA) Bill.
From DPDI to DUA: A brief background
The DUA Bill builds on many of the ideas, provisions, and objectives outlined in the abandoned Data Protection and Digital Information (DPDI) Bill but leaves out the most controversial aspects of the previous proposal.
Initially proposed as a comprehensive overhaul of the UK’s data protection laws, the DPDI Bill faced much opposition. It was ultimately shelved when Rishi Sunak’s government announced a general election in May 2024.
What are the proposed changes to the current UK data protection laws?
The Data (Use and Access) Bill introduces several reforms to the UK GDPR. These include a restructure of the Information Commissioner’s Office (ICO), provisions to simplify Data Subject Access Requests (DSARs), changes to automated decision-making, and strengthening data security and data protection in the Health and Care sector.
A detailed overview of the key data protection changes can be found in the table below.
Additionally, read our news story on the implications for the Health sector with comments from Lawrence Carter, DPO and Life Sciences Sector Lead.
UK GDPR vs DUA Bill
| Area | UK GDPR | DUA Bill |
|---|---|---|
| Legitimate Interests | Requires a balancing test (known as a Legitimate Interest Assessment, or LIA) for all processing under this lawful basis | Introduces ‘recognised legitimate interests’ for which no balancing test would be required, including direct marketing and security processing |
| Scientific research | Broad interpretation with examples such as “technological development and demonstration, fundamental research, applied research, and privately funded research” | Expands and clarifies the definition of scientific research to explicitly include both commercial and non-commercial research |
| Further processing of personal data for scientific research purposes | Allows for further processing of personal data if it is compatible with the original purpose | Updates provisions to make it easier for clinical trial sponsors to obtain broad consent from research participants to reuse their data for scientific research purposes |
| DSARs | Gives individuals the right to access their personal data held by organisations | Includes clarifications relating to DSAR responses, such as specifics on time limits and reasonable searches |
| International data transfers | Transfers of personal data outside the UK must use appropriate safeguards such as Binding Corporate Rules (BCRs), the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs | Codifies a ‘data protection test’ for assessing adequacy – which may result in an easier pathway to future international adequacy decisions made by the Secretary of State |
| UK Regulator | The Information Commissioner’s Office (ICO) is an independent body, established to uphold information rights | Restructures the ICO into the Information Commission, including the establishment of a formal Board – intended to improve governance |
| Automated decision making | Article 22 places strict restrictions on solely automated decision-making, including any AI systems that have legal or similarly significant effects on individuals | Narrows the scope of restrictions to only explicitly prohibit automated decisions made using special category data |
| Cookies | Except for ‘strictly necessary’ cookies, all cookies require informed consent prior to deployment | Aims to reduce the frequency of cookie pop-ups for UK users by removing the cookie consent requirement for specified purposes (e.g. statistical purposes) |
| PECR fines | Current fines under the Privacy and Electronic Communications Regulations (PECR) are capped at £500,000 | Maximum fines would be brought in line with the current UK GDPR thresholds (up to £17.5M or 4% of annual turnover of the preceding financial year, whichever is higher) |
The DPO Centre is monitoring the progress of the Bill and will share updates as soon as new information becomes available.