United Kingdom
[GB] The Data (Use and Access) Bill is introduced in the House of Lords
IRIS 2025-1:1/13
Julian Wilkins
Wordley Partnership
The Data (Use and Access) Bill (DUAB) was introduced in the House of Lords in October 2024. The report stage started on 21 January 2025. It is essentially a revised version of the Data Protection and Digital Information Bill (DPDI) which fell when the 2024 General Election was called. The Secretary of State for Science, Innovation and Technology (SoS) is responsible for the DUAB. Parts of the DPDI such as the removal of records of processing activities, data protection impact assessments, exemptions for vexatious data subject access requests (DSARs), and the shift from Data Protection Officers to “Senior Responsible Individuals” have been removed.
The main changes under the DPDI included rules relevant to the use of AI systems in decision-making processes and to the use of data for the purposes of scientific research, as well as new rules aimed at liberalising the use of data held by public sector organisations and businesses.
The DUAB retains the DPDI's approach to AI Automated Decision Making (ADM), allowing its use in low-risk scenarios but maintaining protections for sensitive data and ensuring that people can challenge decisions and request human review. The DUAB would effectively permit automated decision making in most circumstances provided the organisation has safeguards when using AI or other technology. Restrictions would apply where an automated decision is “significant”, where it affects an individual and is based entirely or partly on “special category” personal data such as health, political opinions, religious or philosophical beliefs, sex life, sexual orientation, genetic data or biometric data such as facial recognition. In such cases, decisions made by ADM would be permitted only with the individual’s explicit consent, or where the decision is necessary for entering into, or performing, a contract with that individual, or where the decision is required or authorised by law, and there is a “substantial public interest” in the decision being made.
The DUAB follows the DPDI's provisions allowing companies to use personal data for research and development projects subject to safeguards. The DUAB restricts the power of the SoS to change core research safeguards to ensure continuity.
The DUAB retains the concept of "recognised legitimate interests" to use data processing for national security, emergency response, and safeguarding for which organisations are exempt from conducting a full Legitimate Interests Assessment of data. The SoS can only change the recognised interests list if needed for specific objectives like public security, crime prevention, public health, judicial proceedings, regulatory functions, or protecting individual rights.
Another provision following from the DPDI relates to international data transfer provisions but adds one limitation whereby the SoS can create new data transfer safeguards or modify existing ones. The SoS can only remove safeguards that were previously added through regulations, not those originally established in law. Unlike the EU’s approach, the DUAB’s materiality test requires third countries to maintain protections “not materially lower” than the UK’s, rather than requiring exact equivalence.
A new DUAB provision is Clause 123 which, subject to certain criteria, including privacy protection measures, allows researchers to access data from online services for safety research. Clause 123 requires government consultation with relevant organisations like OFCOM before making new rules.
Another new provision under the DUAB includes an additional duty for the Information Commissioner of the Information Commissioner’s Office (ICO) to consider children's vulnerability regarding data processing albeit balanced against other provisions of the DUAB to encourage innovation, competition, crime prevention and security.
The DUAB retains the DPDI's framework for the secure sharing of so-called "smart data" between service providers at consumers' request for key sectors such as finance, transport, energy, and home buying. The DUAB adds a new Clause 17 whereby the government can compel the FCA (Financial Conduct Authority) to coordinate with other regulators to improve payment systems. A new Clause 22 strengthens parliamentary oversight and consultation requirements before regulations are made.
The DUAB allows for increases in potential fines for PECR (Privacy and Electronic Communications Regulations) regarding direct e-marketing and the use of cookies in Adtech technology used by advertisers.
Also, the DUAB adopts the DPDI Digital ID Trust Framework to support greater innovation and adoption of digital IDs including streamlined rules for digital verification services, parliamentary fees oversight, strengthening national security provisions, and expanding consultation requirements to include the devolved governments of Scotland and Wales. The DUAB enables consistent information standards to ensure unified accessibility to health and adult social care records.
The DUAB introduces data access standards similar to the EU’s Data Governance Act, facilitating controlled data sharing between businesses and public authorities.
A provision for digital registers to manage UK assets like land is included under the DUAB.
Simplified data subject access requests are provided under Article 15 GDPR by allowing reasonable and proportionate responses. This allows data controllers to respond with proportionate searches and avoid addressing requests that may be burdensome or disproportionate.
The ICO will change from a "body sole", i.e. sole commissioner, to a "body corporate", introducing a formal board structure with an appointed CEO if the DUAB is enacted.
References
- The Data (Use and Access) Bill [HL]: HL Bill 40 of 2024-25, https://bills.parliament.uk/bills/3825
This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.