On 23 October 2024, the Data (Use and Access) Bill was introduced in the UK’s House of Lords by Baroness Jones of Whitchurch, a Labour Party life peer. Sponsored by the Department for Science, Innovation and Technology, the Bill seeks to strengthen the way data is managed across a wide range of businesses and services in both public and private sectors.
The Bill proposes key updates, with the most significant impacts for organisations and businesses in these sections:
The new Bill appears to build on the existing framework of the UK GDPR, whilst further clarifying the rights of customers and the data governance obligations of businesses.
Lawrence Carter, DPO and Life Sciences Sector Lead at The DPO Centre, has these initial thoughts regarding the business implications of the newly introduced Bill:
‘From a data protection perspective, the DUA Bill is largely a zombie chimera of the abandoned DPDI Bill, with the most problematic accountability proposals removed. Notably, there are no plans to abolish Data Protection Officers (DPOs), UK Representatives (DPRs), Data Protection Impact Assessments (DPIAs), or Records of Processing Activities (RoPAs), ensuring the core tenets of the UK data protection framework remain intact – for now.
‘The DUA borrows significantly from the DPDI in terms of reviving recognised legitimate interests, scientific research conditions, compatible purposes, reforms to the Information Commissioner’s Office (ICO), and other minor amendments to the UK GDPR, DPA 2018, PECR, and related laws.
‘Similarly, the DUA serves as a legislative vehicle for various public policy matters related to data. This includes areas such as digital verification, underground infrastructure, birth registrations, and smart meters.
‘There are some newly proposed tweaks to areas like health information standards, international transfers, data subject requests, privacy notices, complaints, and automated decision-making, although, for the most part, these changes are likely to be more palatable to data protection practitioners than the more radical changes previously proposed by the now defunct DPDI Bill.
‘It is important to note that the DUA Bill will likely undergo several revisions and amendments, and we will closely monitor its progress in both the House of Lords and the House of Commons for any upcoming changes.’