December 4, 2024
The Data (Use and Access) Bill (DUA Bill) is the current government’s new proposal to build on the previous government’s Data Protection and Digital Information Bill (DPDI Bill) and was set out before Parliament on 23 October 2024.
In the government’s words (according to its Factsheets on the Bill), the DUA Bill is about the secure and effective use and access of data given the pace of technological change and is intended to help boost public services, as well as the UK’s finances in the current economic climate.
Like a bag of Liquorice Allsorts, the DUA Bill looks to be a mixture of initiatives thrown together, all relating in some way to the use of data, including access to healthcare data across the health sector.
From a data protection perspective, the DUA Bill dropped some of the previous government’s proposals. Gone are proposals to water down data protection record keeping, data processing impact assessments or Data Protection Officer (DPO) requirements. However, the data transfer changes in the new DUA Bill should hopefully make it easier to transfer personal data abroad and for the UK to retain its status for transfers of personal data from the EEA when this is next reviewed by the EU – something that the previous DPDI Bill did cast a shadow over.
Particular provisions to note with a specific data protection slant include:
- Data transfers abroad:
These can incur cost and time and slow down deals; the government aims to facilitate easier cross-border flows to countries with equivalent protection.
- PECR fines:
Increased fines for failure to comply with the electronic marketing rules of PECR, which sit alongside the GDPR, from the current £500,000 levels to the same levels as UK GDPR, so a maximum of the higher of £17.5m and 4% of the organisation’s total annual worldwide turnover in the previous financial year.
- Cookies:
Changes to consent rules for low-risk cookies, so that website changes and the collection of statistical data about websites become less burdensome (also found in PECR, not to be confused with “peckish” when referring to cookies).
- Automated decision-making:
A loosening of the rules so that, other than for special personal information (protected under GDPR as a “special category”), automated decisions will be possible for a business’s legitimate interests, subject to safeguards being in place.
- Data Subject Access Requests:
Centralisation of the law on data subject access requests to assist organisations, so that searches for responses must be reasonable and proportionate.
- “Legitimate interests”:
Increased clarity around use of this lawful basis or ‘right’ to process personal data.
- Boosting the ICO:
By changes to its constitution and by giving it more enforcement powers.
Some other ‘non-DP’ provisions
Some other aspects of the DUA Bill may also bring opportunities for IT providers, such as:
- Smart Schemes:
The government will be able to legislate for new ‘Smart Data’ schemes to extend ‘open banking’ to other sectors, to engage the public over use of their data and to promote sharing of data between businesses. Creation of such smart schemes could mean more IT projects needing IT expertise, particularly given the government’s desire for security to promote the consumer participation needed to grow the economy, though data protection impacts must be assessed at the outset.
- National Underground Asset Register (NUAR):
To centralise public and private underground infrastructure data, with mandatory sharing of infrastructure asset data. Water, electric and telecommunications companies, plus local authorities, will benefit, with potential new contracts for IT providers for such a new digital service. The government claims that this new NUAR digital service will “grow the UK economy by over £400 million a year”.
- Digital Certification Schemes:
For digital identity (ID) providers, to build on existing trust framework schemes for certifying data as an alternative to providing hard copy ID. Currently, certified providers under the government’s trust framework carry out right to work, rent and DBS checks. Under the DUA Bill, digital repositories for the storage of identification data would aim to reduce the data required to be shared. An example is an ID check in a shop of a customer seeking to buy a product with an age requirement. Here, a driving licence with full personal data could be replaced by a less intrusive and limited digital identity.
Summary
The ICO, as a regulator independent of the UK government, supports the DUA Bill and provides a useful summary of the changes. The DUA Bill is in the early stages of the legislative process, so there could be some time yet before it is implemented. Our team will be closely monitoring the bill as it progresses through Parliament and will publish more information before the bill becomes law. Sign up to our newsletter to be notified when we share new information, or alternatively follow us on LinkedIn for updates.
Contact us if you have any queries relating to data protection or the new DUA Bill.