
ICO response to the Data (Use & Access) Bill (DUAB)

The Information Commissioner has published a response to the DUAB that was introduced to Parliament on 24 October 2024. In summary, it regards the Bill as a welcome reform of data protection laws, improving the way in which the ICO can now regulate.


Published 6 November 2024


The ICO sees the changes proposed by the Bill as pragmatic and necessary amendments to UK Data Protection legislation, aligning with the ICO’s objectives and ensuring flexibility to evolve. They point out the vital importance of retaining adequacy status with the EU (that is, confirmation that UK GDPR remains aligned with EU GDPR), which is due to be reviewed in 2025. The ICO believes that the Bill does not put this in jeopardy.

They applaud the ambitious introduction of smart data schemes, aimed at enabling people to access their personal information more easily, and are optimistic that this will stimulate economic growth, in addition to establishing and maintaining people’s trust, which is vital to ensuring the success of these projects. They highlight that such schemes should be focussed on a privacy-by-design approach to personal information processing, so that data protection principles are embedded from the outset. They are also supportive of the planned digital verification services.

The ICO also welcomes the proposed changes to the requirements for automated decision making (ADM): aside from situations involving special category data, ADM will no longer be expressed as a prohibition (with exceptions), and businesses will be able to rely on legitimate interests. They highlight benefits such as increased efficiency, and consider that this change strikes a good balance between facilitating the benefits of automation and maintaining additional protection for special category data.

The proposed changes to consent requirements for cookies, reducing the circumstances where consent will be needed if the purpose is for statistical analysis or to improve website performance, are seen as positive.

The ICO approves of the changes relating to processing of data within the healthcare sector, but because such data will invariably be special category, they highlight the need for organisations to share such personal information responsibly. Organisations must be clear and transparent about how they will use people’s personal information, and are encouraged to prioritise putting initiatives in place from the start to ensure the safe and secure collection and storage of data.

Despite the concerns expressed by businesses and public bodies that the reforms do not go far enough, the ICO welcomes the modest changes to the rights of individuals. The Bill will require organisations to put a complaints process in place before complaints are escalated to the ICO. This is intended to achieve more direct and swift resolution of people’s complaints and concerns, instead of involving the ICO, but that remains to be seen.

The increase in fines under PECR (to the same level as GDPR fines) in relation to direct marketing abuses of personal data should enable the ICO to take more effective action against predatory marketing calls which often target vulnerable people.

Finally, the ICO appears to be happy with the proposal to restructure their organisation. They will have new obligations to establish stakeholder panels to inform the content of their codes of practice and to develop and publish impact assessments on their key regulatory products and interventions. Their governance structure will be modernised to a Board and chief executive model. The Chair of the Board will be appointed by the Crown, and the Board will appoint the CEO. This is seen to address the ICO’s concerns (under the previous proposals) that their independence could be potentially compromised by Government intervention.
