Data protection reforms envisaged under UK ‘use and access’ bill

The proposals are contained in a new Data (Use and Access) Bill (DUAB), which was introduced into the UK parliament on Wednesday. The draft legislation was trailed – albeit under a different name – in the King’s Speech that followed the new Labour-led government’s election in July.

The Bill, in part, represents the latest effort to update data protection laws in the UK post-Brexit, following two failed attempts to do so under earlier governments – the last saw a Data Protection and Digital Information (DPDI) Bill fall before it could be finalised and enacted, when parliament broke up for general election campaigning in late May. Some proposals that were contained in the DPDI Bill have been resurrected in similar fashion in the DUAB, but others have been dropped.

Among earlier proposals that have not been included in the DUAB include plans to curb organisations’ obligations in relation to creating and maintaining records of personal data processing activities as well as those pertaining to conducting data protection impact assessments. A further proposal dropped is one that envisaged requirements around the need for data protection officers to be replaced with more limited obligations to appoint senior managers responsible for ‘high risk’ processing. Plans to do away with the need for third country controllers or processors to appoint a UK representative have also been omitted from the DUAB.

While some procedural changes to rules relating to the handling of data subject access requests are included in the DUAB, more substantive changes that had been previously considered to ease the cost and resourcing challenges pertaining to DSARs have not been replicated in the DUAB either.

Proposals that have resurrected include those that envisage a relaxation of some existing restrictions applicable to automated decision-making, which are particularly relevant to organisations using AI systems.

The DUAB would effectively permit automated decision-making in most circumstances as long as the organisation using the relevant AI or other technology implements safeguards, allowing individuals affected by those decisions to make representations, obtain meaningful human intervention and to challenge decisions made by solely automated means.

Restrictive provisions, similar to those currently in place, would continue to apply where an automated decision is “significant” because it has legal or similarly significant effects on an individual and is based entirely or partly on “special category” personal data such as information concerning health, political opinions, religious or philosophical beliefs, sex life or sexual orientation. The more restrictive provisions would also apply where decisions are based on genetic data or biometric data, such as that collected for facial recognition, where it is used for the purpose of uniquely identifying an individual. In those cases, decisions made by solely automated means would be permitted only with the individual’s explicit consent, or where the decision is necessary for entering into, or performing, a contract with that individual, or where the decision is required or authorised by law, and there is a “substantial public interest” in the decision being made.

The DUAB also provides for greater flexibility for commercial research and innovation by expanding the concept of ‘scientific research’ to include certain privately funded and commercial research activities, and not just non-commercial research as is the case currently, and by seeking to allow consent granted by a data subject to the use of their data for scientific research purposes to follow a project as it evolves for new purposes – provided that consent is consistent with generally recognised ethical standards relevant to the area of research and the data subject is given the opportunity to consent only to processing for part of the research.

Other proposals contained in the DUAB seek to provide businesses with greater clarity on when they can rely on the so-called ‘legitimate interests’ ground for processing personal data under UK data protection law. In this regard, new ‘recognised legitimate interests’ would be specifically provided for in law – including for national security and defence purposes, but also for responding to emergencies and for safeguarding vulnerable people.

The Bill further provides that other purposes of data processing – including processing that is necessary for the purposes of direct marketing; some sharing of data between companies in the same group for internal administrative purposes; and processing that is necessary for the purposes of ensuring the security of network and information systems – “may” also qualify for ‘legitimate interests’ processing.

Qualified powers for the government to update the list of ‘recognised legitimate interests’ in future by making regulations are provided for in the DUAB. Regulations of that nature would, under the government’s proposals, only be able to be adopted if approved by parliament.

Structural changes have also been proposed to the UK’s data protection authority, with the DUAB envisaging a transfer of functions from the current information commissioner – a statutory role where powers of enforcement rest with an individual, currently John Edwards – to a new corporate body to be known as the Information Commission. The statutory information commissioner role is to be abolished as part of this change.

In tandem with those proposals, the DUAB also provides for a change in the law to reduce the number of complaints reaching the UK’s data protection authority – by requiring complaints to be made first to the data controller, with escalation to the authority only if they are not satisfactorily dealt with.

Further amendments proposed are aimed at strengthening enforcement powers under the Privacy and Electronic Communications Regulations (PECR), which sets out rules on direct e-marketing and on the use of cookies. Under DUAB, GDPR-level fines could be imposed on businesses that breach PECR.

Data protection law expert Malcolm Dowden of Pinsent Masons said implementation of the DUAB as drafted would require organisations to make some changes to their existing UK GDPR-compliant privacy notices.

“While those changes are in themselves relatively minor, they will involve some cost and administrative resource, particularly for organisations that are subject both to UK GDPR and EU GDPR, where it will be necessary to decide whether to have separate documentation for each regime or to create a combined version,” Dowden said. “Specific changes to UK GDPR privacy notices will include the addition of wording to inform data subjects of their right to complain to the controller, with information as to how that right may be exercised.”

Anna Flanagan, also of Pinsent Masons, added: “The DUAB will, if enacted in its current form, also set out a new UK legal framework for initiatives on digital ID, smart data, and the digitising of key public registers and assets. It includes provisions that approximate to aspects of the EU Data Act in terms of access to business and customer data. It also seeks to extend the principles of open banking to other sectors, demonstrating the power of data in the economy in different sectors. The energy sector has specifically been called out as an important sector in this.”

The Bill further addresses data use in the context of healthcare with provisions designed to "ensure that healthcare information – like a patient’s pre-existing conditions, appointments and tests – can easily be accessed in real time across all NHS trusts, GP surgeries and ambulance services, no matter what IT system they are using”, as the government said in a statement accompanying publication of the DUAB. This, the government added, “will require IT suppliers for the health and care sector to ensure their systems meet common standards to enable data sharing across platforms” and “will free up 140,000 hours in NHS staff time every year, providing quicker care for patients and potentially saving lives".  

The DUAB has been introduced into the House of Lords but will need to be approved by both the Lords and MPs in the House of Commons if it is to become UK law. A second reading of the Bill has not yet been scheduled.