Longer Reads

Data (Use & Access) Bill introduced to Parliament – what does this mean for businesses?

The Data Protection team comments on the government’s new data processing bill introduced to the House of Lords on 23rd October 2024, and what the key changes mean for businesses

4 minute read

Published 31 October 2024


Key information

The Government has introduced a bill which will make a number of changes to the way in which both personal and non-personal data can be processed: the Data (Use and Access) Bill [HL] (the Bill). The Bill was introduced to the House of Lords on 23 October 2024 and in part resurrects failed attempts under previous governments to update the existing rules of data protection within the UK. However, it also goes further and proposes rules that are relevant to the re-use of data in various fields, as well as to the operation of automated and Artificial Intelligence systems that are entrenched within decision-making processes.

What are the key changes that businesses need to know about?

New Regulatory Bodies and Repositories

The Bill would create several new organisations, including replacing the Information Commissioner’s Office (ICO) with a new organisation, to be known as the Information Commission (IC). The statutory Information Commissioner role will be abolished.

The Office for Digital Identities and Attributes (OfDIA) will supervise a framework for online digital verification services. The aim is to have a better functioning digital identity system, protect against fraud, enhance privacy and data minimisation and promote inclusive solutions.

Organisations can apply for certification as a Digital Verification Service (DVS) which will be publicly available on a register beside a trust mark, to highlight that they have met the relevant data processing standards. Businesses that choose to become certified will incur a one-off organisational change cost to upskill. UK business users will likely be required to pay fees levied by public sector organisations to connect to government-held datasets and to check data.

A new smart data regime will target specific sector needs and ensure that individuals can request that their data be shared directly with them or with authorised third party providers (ATPs). These ATPs, or data intermediaries, use the customer’s data to provide services for the business, such as offering efficient switching and personalised market comparisons, effective management of accounts, and cross-sector control of data centred around the user. This will accompany a new framework that will ensure secure data storage and data transfers.

The National Underground Asset Register (NUAR) will be a digital service providing prompt access to a map of underground pipes and cables, and will require owners of underground infrastructure, such as telecoms operators, to register their underground assets. This heightens the need for transparency, as a breach of the registration requirements can leave organisations liable for damages or, in extreme cases, may constitute a criminal offence.

Automated Decision Making

The Bill would effectively allow automated decision-making to occur if the organisation using AI mechanisms employs relevant safeguards, so that individuals can obtain meaningful human intervention and challenge decisions made. In these situations, solely automated decisions would only be allowed with the individual’s explicit consent, or where the decision is necessary for performing a contract with that person, or where there is a considerable public interest in the decision being made.

The current partial prohibition of automated decision making would now only apply for special category data, and where there is “no meaningful human involvement”.

Scientific Research

The Bill has been prepared with an eye on advancement in the scientific field – it provides for greater flexibility for commercial research and innovation as it expands the concept of ‘scientific research’ to include privately funded entities and those carrying out commercial research activities. This would thus widen the exemptions from the application of individual data subject rights, allowing legitimate researchers doing scientific research in commercial settings to make equal use of the provisions by clarifying that commercial research activities can benefit from the special position of research in the data protection framework. The Bill would clarify that research into public health only falls under the definition of scientific research if it is in the public interest.

The Bill also aims to enable scientific data controllers to obtain consent where it is not possible to identify fully the purposes for which the personal data is to be processed at the time of collection. Clarification of how these exemptions might work in practice is awaited.

Legitimate Interests

Processing of personal data under UK GDPR requires a data controller to have a valid legal basis. One of the most frequently used legal bases is “legitimate interests”. The Bill aims to provide businesses with greater clarity on when they can rely on the ‘legitimate interests’ ground for processing personal data. It will potentially broaden the circumstances in which businesses can rely on this legal basis, including for direct marketing, data sharing between companies in the same group for internal administrative purposes and processing to ensure network security.

New ‘recognised legitimate interests’ would be specified – including for national security and defence purposes, and national emergencies.

Enforcement

The Bill will strengthen enforcement powers under the Privacy and Electronic Communications Regulations (PECR), which contain the rules on direct e-marketing and cookies. At present the maximum fine for a contravention of PECR is £500,000. The Bill proposes to allow GDPR-level fines to be imposed on businesses that breach PECR.

Healthcare

The Bill aims to expand data use in relation to healthcare by enabling information to be accessed easily and immediately across all NHS trusts. The hope is to free up 140,000 hours of NHS staff time every year. However, concerns have been raised regarding the need to safeguard individuals’ data and ensure they cannot be identified. There is a heightened responsibility to protect people’s data in this regard. The Government proposes to link this new regime with the re-constituted Information Commission, which will have new powers of enforcement, to act as a deterrent. Further detail regarding the strict security protocols is awaited.

Cookies

The Bill will effectively expand the definition of “necessary” cookies, for which user consent is not required, to include certain functional technology to collect statistical data for improving a service and adapting it to user preferences. Performance-related information can be used to optimise content, for example “responsive design” which enables a webpage to reconfigure itself for the particular dimensions of a screen. There is still an obligation to provide users with clear and comprehensive information about the purpose of the cookie and to give a simple and free means of objecting to the storage or access of their data.

Data Subject Access requests (DSARs)

Organisations may have hoped that the Bill would limit the rights of data subjects to file a DSAR, or impose additional requirements on them. In fact, the only change in the Bill is that an organisation is only required to carry out a ‘reasonable and proportionate search’ for personal data. Arguably, this is already the position under the current law. Disappointingly for some commentators, the Bill contains no proposal to broaden the scope of what constitutes a manifestly unreasonable or excessive request for personal data.

What are the big takeaways for businesses?

The Government appears to want to add some teeth to the enforcement powers of the IC and the regulation of data protection. However, in many places the Bill seems to propose little more than a codification of current practices in data protection law. It should also be noted that the Bill has only had its first reading and there is scope for considerable change during its passage through Parliament.

The “lightening of Regulatory burden” promised by the previous Government in its draft legislation is not so obvious in the Bill. The essence of the principles of UK GDPR looks to be remaining the same, so organisations should not expect to be any less vigilant in complying with their obligations.

Once the Bill has progressed to a statute, businesses should review their current notices, policies, procedures and technology to ensure continuing compliance, and ensure that staff at all levels are trained and reminded of the obligations imposed by data protection laws.
