25 Oct 2024
by Neil Ross, Audre Verseckaite

The Data (Use and Access) Bill: What’s changed and what remains from the DPDI Bill

The Data Use and Access Bill, introduced on 23 October, is a welcome effort from the new Government to unlock the power of data and marks an important step in modernising the UK’s data protection framework. Building on its predecessor – the Data Protection and Digital Information (DPDI) Bill – this new legislation retains many core provisions while introducing some important changes.

You can see our summary of the old DPDI Bill here.

Notably, many of the key elements, previously supported by techUK members, remain. For example, the DUA Bill will enable Smart Data schemes and digital ID (with a few adjustments). It also preserves changes to scientific research provisions and introduces the concept of "recognised legitimate interests" which will simplify compliance for businesses in certain scenarios, and support research and development. Changes to automated decision-making, and international data transfer rules also remain largely intact, along with NHS health and social care provisions. The Bill also establishes a national registry for underground infrastructure, such as power lines, water pipes, and utility cables.

However, there are some notable changes to its predecessor legislation that will be of importance to techUK members, including:

  • Introduction of new measures for researcher access to online safety data;
  • Removal of provisions that would have allowed government oversight of ICO’s strategic priorities and issuance of recommendations to ICO;
  • Introduction of a new duty for the ICO to consider children's vulnerability in data processing;
  • Removal of previous proposals like the concept of "vexatious" data requests;
  • Removal of modifications to the Data Protection Officer role, and Data Protection Impact Assessments requirements;
  • Removal of proposed requirements for telecoms providers to report suspected illegal marketing to the ICO
  • Previously proposed changes aimed at making Subject Access Requests (SARs) more proportional and considerate of business resources have been removed.

Key DPDI Bill provisions that have been retained (potentially with some changes)

Smart Data

The DUA Bill retains the provisions that will enable Smart Data Schemes in key sectors such as finance, transport, energy, and home buying, improving data interoperability and driving innovation. These provisions remain largely in line to the government’s previous plans, with two changes of note:

  • New Clause 17 (The FCA and coordination with other regulators) has been added, allowing the Treasury to compel the FCA to better coordinate with other regulators in relation to payment systems.
  • New Clause 22 (Regulations under this Part: Parliamentary procedure and consultation) to strengthen Parliamentary oversight and increases consultation requirements before regulations are made.

Digital ID

  • Building on the DPDI Bill's digital ID provisions, the DUA Bill will establish a robust Digital ID Trust Framework to support greater innovation and adoption of digital IDs.
  • The new Bill introduces several adjustments, Key changes include streamlining rules for digital verification services, adding parliamentary oversight of fees, strengthening national security provisions for provider registration, and expanding consultation requirements to include devolved governments.

Research provisions

  • The DUA Bill keeps the DPDI's provisions that clarify that companies can use personal data for research and development projects, as long as they follow data protection safeguards. This makes it easier for businesses to understand when they can use data for research without having to be overly cautious about whether they're allowed to do so. The DUA Bill makes a technical change: it limits the Secretary of State's power to change core research safeguards, ensuring these protections for research data use remain stable.

Legitimate interest list

  • The DUA Bill retains the concept of 'recognised legitimate interests' - specific purposes for data processing such as national security, emergency response, and safeguarding for which organisations are exempt from conducting a full Legitimate Interests Assessment when processing data.
  • The new Bill adds extra safeguards around changing the list of recognised interests. Before adding new types of data use to the list, the Secretary of State must show they are needed for specific objectives like public security, crime prevention, public health, judicial proceedings, regulatory functions, or protecting individual rights.

Automated Decision Making

  • The DUA Bill retains the DPDI's approach to Automated Decision Making, allowing it to be used in low-risk scenarios, while maintaining specific protections for sensitive data and ensuring people can still challenge decisions and request human review when decisions significantly affect them.

International data transfers

  • The DUA Bill maintains most of the DPDI's international transfer provisions but adds one limitation: while the Secretary of State can still create new data transfer safeguards or modify existing ones, they can only remove safeguards that were previously added through regulations, not those originally established in law.

Health and social care information standards

  • The DUA Bill maintains, without any changes, the provisions that establish consistent information standards for health and adult social care IT systems in England, enabling the creation of unified medical records accessible across all related services.

Key changes between the DPDI Bill and the DUA Bill

Researcher access to specific data related to online safety concerns

  • [New provision] Clause 123 (Information for research about online safety matters) introduces rules allowing researchers to access data from online services for online safety research. It sets out how researchers can apply for data access, includes privacy protection measures, and requires government consultation with relevant organisations like OFCOM, before any new rules are made.

ICO powers

  • [Removed provision] ICO strategic priorities: the DUA Bill removes the DPDI's proposed "strategic priorities" mechanism, which would have allowed the Secretary of State to set binding priorities for the Information Commissioner.
  • [Removed provision] Codes of practice: Secretary of State’s recommendations: The DUA Bill removes the DPDI's proposed requirements for the Information Commissioner to submit codes of practice to the Secretary of State for review and recommendations. This maintains the Commissioner's direct authority over codes of practice, without introducing a new ministerial oversight stage in their development process.
  • [Changes to terminology] Vexatious or excessive requests: the DUA Bill retains the established "manifestly unfounded" terminology for Information Commissioner requests, in contrast to the DPDI Bill which would have introduced "vexatious" as the new standard and implemented additional procedural changes.
  • [New provision] ICO duties – children: the DUA Bill includes an additional duty for the Information Commissioner to consider children's vulnerability regarding data processing, while maintaining the same core obligations around innovation, competition, crime prevention and security that appear in the DPDI Bill.

Duty to notify the Commissioner of unlawful direct marketing

  • [Removed provisions] The DUA Bill removes DPDI's proposals around telecoms providers reporting suspected illegal marketing to the ICO, including the 28-day notification requirement, associated fines, and ICO guidance on suspicious marketing behavior.

Accountability framework

  • [Removed provisions] Changes to the accountability framework that the DPDI Bill would have introduced have been removed, including changes to the Data Protection Officer, and Data Protection Impact Assessments requirements.

Subject Access Requests (SARs)

  • [Removed provisions] Previously proposed changes aimed at making SARs more proportional and considerate of business resources have been removed.

In response to the Bill’s publication, techUK said:

“Data underpins every part of our economy and society, offering significant opportunities both for economic growth and public service reform through improved access and use of data.

“This Bill marks the start of a welcome effort from the new Government to unlock the power of data, through initiatives on digital ID, Smart Data, digitising key public registers and assets, and reforming the data protection laws.

“These legislative changes strike the right balance between maintaining the UK’s existing high data protection standards and driving forward essential reform. However, they must be coupled with the cultural and organisational mindset shift required to seize the full potential advantages of new data-driven technologies.

Neil ROss 2.jpg

 

 techUK looks forward to continuing to work with the Government as it commits to this reform agenda with the potential to provide significant benefits for economic growth and public services.

 

- Neil Ross, Associate Director for Policy, techUK


Authors: 

Audre Verseckaite

Audre Verseckaite

Senior Policy Manager, Data & AI, techUK

Audre joined techUK in July 2023 as a Policy Manager for Data. Previously, she was a Policy Advisor in the Civil Service, where she worked on the Digital Markets, Competition and Consumers Bill at the Department for Science, Innovation and Technology, and at HM Treasury on designing COVID-19 support schemes and delivering the Financial Services and Markets Bill. Before that, Audre worked at a public relations consultancy, advising public and private sector clients on their communications, public relations, and government affairs strategy.

Prior to this, Audre completed an MSc in Public Policy at the Korea Development Institute and a Bachelor's in International Relations and History from SOAS, University of London. Outside of work, she enjoys spending time outdoors, learning about new cultures through travel and food, and going on adventures.

Email:
[email protected]
Website:
www.techUK.org,www.techUK.org
LinkedIn:
https://www.linkedin.com/in/audre-v-81b2b0a2/,https://www.linkedin.com/in/audre-v-81b2b0a2/

Read lessmore

Neil Ross

Neil Ross

Associate Director, Policy, techUK

As Associate Director for Policy Neil leads on techUK's public policy work in the UK. In this role he regularly engages with UK and Devolved Government Ministers, senior civil servants and members of the UK’s Parliaments aiming to make the UK the best place to start, scale and develop a tech business.

Neil joined techUK in 2019 to lead on techUK’s input into the UK-EU Brexit trade deal negotiations and economic policy. Alongside his role leading techUK's public policy work Neil also acts as a spokesperson for techUK often appearing in the media and providing evidence to a range of Parliamentary committees.

In 2023 Neil was listed by the Politico newspaper as one of the '20 people who matter in UK tech' and has regularly been cited as a key industry figure shaping UK tech policy. 

Email:
[email protected]
Twitter:
@neil13r
Website:
www.techuk.org/
LinkedIn:
https://www.linkedin.com/in/neilross13/

Read lessmore


techUK's Policy and Public Affairs Programme activities

techUK helps our members understand, engage and influence the development of digital and tech policy in the UK and beyond. We support our members to understand some of the most complex and thorny policy questions that confront our sector. Visit the programme page here.

 

 

Latest news and insights 

Upcoming events

Learn more and get involved

 

Policy Pulse Newsletter

Sign-up to get the latest tech policy news and how you can get involved in techUK's policy work.

 

 

Here are the five reasons to join the Policy and Public Affairs programme

Download

Join techUK groups

techUK members can get involved in our work by joining our groups, and stay up to date with the latest meetings and opportunities in the programme.

Learn more

Become a techUK member

Our members develop strong networks, build meaningful partnerships and grow their businesses as we all work together to create a thriving environment where industry, government and stakeholders come together to realise the positive outcomes tech can deliver.

Learn more

Meet the team 

Antony Walker

Antony Walker

Deputy CEO, techUK

Neil Ross

Neil Ross

Associate Director, Policy, techUK

Alice Campbell

Alice Campbell

Head of Public Affairs, techUK

Edward Emerson

Edward Emerson

Head of Digital Regulation, techUK

Samiah Anderson

Samiah Anderson

Head of Digital Economy, techUK

Audre Verseckaite

Audre Verseckaite

Senior Policy Manager, Data & AI, techUK

Mia Haffety

Mia Haffety

Policy Manager - Digital Economy, techUK

Archie Breare

Archie Breare

Public Affairs Manager, techUK

Oliver Alderson

Oliver Alderson

Policy and Public Affairs - Team Assistant, techUK

 

Authors

Neil Ross

Associate Director, Policy, techUK

Audre Verseckaite

Policy Manager - Data, techUK