On Wednesday, 23 October 2024, the Data (Use and Access) Bill (DUA) was introduced in the UK's House of Lords by Baroness Jones. Sponsored by the Department for Science, Innovation and Technology (DSIT), the Bill seeks to modernise data usage in the UK while prioritising economic growth, improved public service efficiency, and enhanced online safety.
While several provisions from the expired Data Protection and Digital Information Bill (DPDI) are retained, a number of new proposals are also included.
The DUA Bill contains 8 sections:
- Part 1: Access to customer data and business data
- Part 2: Digital verification systems
- Part 3: National underground asset register
- Part 4: Registers of Births and Deaths
- Part 5: Data protection and privacy
- Part 6: The Information Commission
- Part 7: Other provisions about the use of, or access to, data
- Part 8: Final provisions
According to the government's press release, the DUA Bill aims to strengthen the UK economy, contributing £10 billion over the next decade through data-sharing practices in areas such as open banking and smart data schemes.
Other provisions in the Bill introduce plans to certify digital verification services against a stringent framework of security and privacy-preserving standards. Businesses that meet the criteria would receive a Trust Mark. Aside from increasing trust, the efficiency gains from simplifying important tasks will add £4.3 billion to the UK economy over the next decade.
In the public sector, the DUA Bill seeks to reduce bureaucracy by streamlining data access, freeing up an estimated 1.5 million hours of police officers' time, and saving around £42.8 million per year. As reported on Monday, the Bill contains provisions to digitise NHS patient medical records, saving 140,000 hours of NHS staff time every year.
The Bill also introduces measures to support research into online safety by allowing researchers access to relevant data from online platforms. This effort is intended to increase transparency regarding online harms and improve the effectiveness of interventions aimed at addressing these issues.
In a statement responding to the announcement, Information Commissioner John Edwards said: "We welcome the introduction of the Data Use and Access Bill in the House of Lords and look forward to seeing it progress through parliament to Royal Assent. This is an important piece of legislation which will allow my office to continue to operate as a trusted, fair and independent regulator and provide certainty for all organisations as they innovate and promote the UK economy." The ICO will publish a more detailed response at a later date.
In an initial assessment comparing the DUA Bill to the DPDI Bill, data protection specialist at Michcon de Reya Jon Baines comments that while some of the more controversial proposals have been dropped, others have been added. Unlike its predecessor, the DUA Bill refrains from amending UK General Data Protection Regulation (GDPR) accountability provisions, such as the requirement for certain data controllers to appoint data protection officers, conduct data protection impact assessments, or maintain records of processing activities. However, notable amendments to the GDPR affect subject access requests and transparency obligations. A new obligation would require controllers to implement a complaints procedure for data subjects.
Changes to the Privacy and Electronic Communications Regulations 2003 (PECR) include first-party cookies used for analytics and marketing communications. Monetary penalties under PECR have also been brought into line with the GDPR. Changes to the structure of the Information Commissioner's Office (ICO) have also been revived.
Baines concludes that of most importance now will be how the finalised Bill is received by businesses and the European Commission given that the UK-EU adequacy agreement is set to expire in 2025.
A separate comparison by Robert Bateman on LinkedIn looks at different areas of the Bill.
Additional legal analysis is available from Pinsent Masons.
In a detailed assessment, the Open Rights Group (ORG) claims that the Bill will fail to protect the public from harmful uses of artificial intelligence (AI) and rehashes many of the provisions in the controversial DPDI Bill.
ORG Legal and Policy Officer Mariano delli Santi said: "Strong data protection laws are an essential line of defence against harmful AI and automated decision making (ADM) systems which can be used to make life-changing decisions.
"The Data Use and Access Bill weakens our rights and gives companies and organisations more powers to use automated decisions. This is of particular concern in areas of policing, welfare and immigration where life-changing decisions could be made without human review.
"The Government says that this Bill will generate billions for the economy but at what cost to the privacy, security and dignity of the British public?"
Meanwhile a statement from Susannah Copson, Legal and Policy Officer at from Big Brother Watch (BBW) said: "The Government’s new Data Bill threatens to set the UK years behind our international partners when it comes to safeguarding against the threats of new and emerging technologies such as AI. Our data protection laws are amongst the few legal protections we have against these threats, yet this Bill waters them down by simultaneously eroding privacy protections and restricting peoples’ control over their own data. Meanwhile, advancing with a digital ID framework with serious implications for privacy that lacks a legal right to opt-out poses a serious threat to individual autonomy and consent.
"As the Bill makes its way through Parliament, the Government must listen to the warnings of rights campaigners and amend the Bill to protect the public’s privacy rights."
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.
The Privacy Newsfeed monitors over 300 global publications, of which more than 5,750 summary articles have been posted to the online archive dating back to the beginning of 2020. A weekly roundup is available by email every Friday.