techUK

The Data (Use and Access) Bill: What’s changed and what remains from the DPDI Bill

The Data Use and Access Bill, introduced on 23 October, is a welcome effort from the new Government to unlock the power of data and marks an important step in modernising the UK’s data protection framework. Building on its predecessor – the Data Protection and Digital Information (DPDI) Bill – this new legislation retains many core provisions while introducing some important changes.

You can see our summary of the old DPDI Bill here.

Notably, many of the key elements, previously supported by techUK members, remain. For example, the DUA Bill will enable Smart Data schemes and digital ID (with a few adjustments). It also preserves changes to scientific research provisions and introduces the concept of "recognised legitimate interests", which will simplify compliance for businesses in certain scenarios and support research and development. Changes to automated decision-making and international data transfer rules also remain largely intact, along with NHS health and social care provisions. The Bill also establishes a national registry for underground infrastructure, such as power lines, water pipes, and utility cables.

However, there are some notable changes to its predecessor legislation that will be of importance to techUK members, including:

  • Introduction of new measures for researcher access to online safety data;
  • Removal of provisions that would have allowed government oversight of ICO’s strategic priorities and issuance of recommendations to ICO;
  • Introduction of a new duty for the ICO to consider children's vulnerability in data processing;
  • Removal of previous proposals like the concept of "vexatious" data requests;
  • Removal of modifications to the Data Protection Officer role, and Data Protection Impact Assessments requirements;
  • Removal of proposed requirements for telecoms providers to report suspected illegal marketing to the ICO;
  • Previously proposed changes aimed at making Subject Access Requests (SARs) more proportional and considerate of business resources have been removed.

Key DPDI Bill provisions that have been retained (potentially with some changes)

Smart Data

The DUA Bill retains the provisions that will enable Smart Data Schemes in key sectors such as finance, transport, energy, and home buying, improving data interoperability and driving innovation. These provisions remain largely in line with the government’s previous plans, with two changes of note:

  • New Clause 17 (The FCA and coordination with other regulators) has been added, allowing the Treasury to compel the FCA to better coordinate with other regulators in relation to payment systems.
  • New Clause 22 (Regulations under this Part: Parliamentary procedure and consultation) has been added to strengthen Parliamentary oversight and increase consultation requirements before regulations are made.

Digital ID

  • Building on the DPDI Bill's digital ID provisions, the DUA Bill will establish a robust Digital ID Trust Framework to support greater innovation and adoption of digital IDs.
  • The new Bill introduces several adjustments. Key changes include streamlining rules for digital verification services, adding parliamentary oversight of fees, strengthening national security provisions for provider registration, and expanding consultation requirements to include devolved governments.

Research provisions

  • The DUA Bill keeps the DPDI's provisions that clarify that companies can use personal data for research and development projects, as long as they follow data protection safeguards. This makes it easier for businesses to understand when they can use data for research without having to be overly cautious about whether they're allowed to do so. The DUA Bill makes a technical change: it limits the Secretary of State's power to change core research safeguards, ensuring these protections for research data use remain stable.

Legitimate interest list

  • The DUA Bill retains the concept of 'recognised legitimate interests': specific purposes for data processing, such as national security, emergency response, and safeguarding, for which organisations are exempt from conducting a full Legitimate Interests Assessment when processing data.
  • The new Bill adds extra safeguards around changing the list of recognised interests. Before adding new types of data use to the list, the Secretary of State must show they are needed for specific objectives like public security, crime prevention, public health, judicial proceedings, regulatory functions, or protecting individual rights.

Automated Decision Making

  • The DUA Bill retains the DPDI's approach to Automated Decision Making, allowing it to be used in low-risk scenarios, while maintaining specific protections for sensitive data and ensuring people can still challenge decisions and request human review when decisions significantly affect them.

International data transfers

  • The DUA Bill maintains most of the DPDI's international transfer provisions but adds one limitation: while the Secretary of State can still create new data transfer safeguards or modify existing ones, they can only remove safeguards that were previously added through regulations, not those originally established in law.

Health and social care information standards

  • The DUA Bill maintains, without any changes, the provisions that establish consistent information standards for health and adult social care IT systems in England, enabling the creation of unified medical records accessible across all related services.

Key changes between the DPDI Bill and the DUA Bill

Researcher access to specific data related to online safety concerns

  • [New provision] Clause 123 (Information for research about online safety matters) introduces rules allowing researchers to access data from online services for online safety research. It sets out how researchers can apply for data access, includes privacy protection measures, and requires government consultation with relevant organisations like OFCOM before any new rules are made.

ICO powers

  • [Removed provision] ICO strategic priorities: the DUA Bill removes the DPDI's proposed "strategic priorities" mechanism, which would have allowed the Secretary of State to set binding priorities for the Information Commissioner.
  • [Removed provision] Codes of practice: Secretary of State’s recommendations: The DUA Bill removes the DPDI's proposed requirements for the Information Commissioner to submit codes of practice to the Secretary of State for review and recommendations. This maintains the Commissioner's direct authority over codes of practice, without introducing a new ministerial oversight stage in their development process.
  • [Changes to terminology] Vexatious or excessive requests: the DUA Bill retains the established "manifestly unfounded" terminology for Information Commissioner requests, in contrast to the DPDI Bill which would have introduced "vexatious" as the new standard and implemented additional procedural changes.
  • [New provision] ICO duties – children: the DUA Bill includes an additional duty for the Information Commissioner to consider children's vulnerability regarding data processing, while maintaining the same core obligations around innovation, competition, crime prevention and security that appear in the DPDI Bill.

Duty to notify the Commissioner of unlawful direct marketing

  • [Removed provisions] The DUA Bill removes DPDI's proposals around telecoms providers reporting suspected illegal marketing to the ICO, including the 28-day notification requirement, associated fines, and ICO guidance on suspicious marketing behavior.

Accountability framework

  • [Removed provisions] Changes to the accountability framework that the DPDI Bill would have introduced have been removed, including changes to the Data Protection Officer role and Data Protection Impact Assessments requirements.

Subject Access Requests (SARs)

  • [Removed provisions] Previously proposed changes aimed at making SARs more proportional and considerate of business resources have been removed.

In response to the Bill’s publication, techUK said:

Data underpins every part of our economy and society, offering significant opportunities both for economic growth and public service reform through improved access and use of data.

This Bill marks the start of a welcome effort from the new Government to unlock the power of data, through initiatives on digital ID, Smart Data, digitising key public registers and assets, and reforming the data protection laws.

These legislative changes strike the right balance between maintaining the UK’s existing high data protection standards and driving forward essential reform. However, they must be coupled with the cultural and organisational mindset shift required to seize the full potential advantages of new data-driven technologies.

techUK looks forward to continuing to work with the Government as it commits to this reform agenda with the potential to provide significant benefits for economic growth and public services.

- Neil Ross, Associate Director for Policy, techUK

Channel website: http://www.techuk.org/

Original article link: https://www.techuk.org/resource/the-data-use-and-access-bill-what-s-changed-and-what-remains-from-the-dpdi-bill.html
