The New Data (Use and Access) Bill: What You Need to Know
Author: Alexander Cater
Key contact: Declan Goodwin
What is the Data (Use and Access) Bill?
The government’s new Data (Use and Access) Bill (“DUA Bill”) was published on 24 October 2024. It builds upon the Data Protection and Digital Information Bill prepared by the previous Government in March 2023, but with some noticeable differences.
Here, we break down what the DUA Bill seeks to achieve and what businesses will need to watch out for in the coming months and years.
Do businesses need to know about the DUA Bill?
Yes. While it is still early days for the DUA Bill, businesses should keep themselves aware of its progress and undertake a full review of their organisation’s use of personal data once it enters into law.
What are the main topics covered by the Bill?
Fines
The DUA Bill will see increased maximum fines under the Privacy and Electronic Communications Regulations (“PECR”) from £500k (currently) to £17.5 million or 4% of annual global turnover. This brings fines under PECR in line with those under UK GDPR.
Legitimate interest
Organisations that process personal data must have a lawful ground for such processing. The DUA Bill aims to clarify and perhaps expand the most commonly used ground, known as “legitimate interest”, which will be welcome news to organisations. The Bill also looks to include additional “recognised legitimate interests”, such as national security, emergency response, and safeguarding, for which organisations are exempt from conducting a full Legitimate Interests Assessment when processing data.
Special category data
Under the DUA Bill, the Secretary of State will be able to expand special category data to include other types of data. This power is subject to Parliamentary approval, but would have ramifications for any organisations that use and process data falling within any newly expanded definition of special category data.
Automated decisions
Only automated decisions using sensitive data like health information will be automatically prohibited going forward. Automated decisions using other data will be permissible provided adequate protections are in place.
Digital verification
The DUA Bill is paving the way for the creation of a public register that organisations and businesses will be able to voluntarily sign up to and demonstrate that they have met the appropriate data processing requirements.
Smart data
The DUA Bill is looking towards the creation of “smart data” schemes where service providers can share data between themselves at a customer’s request. The banking sector has already seen developments in this area under “Open Banking” where consumers can view all their financial information on one central platform, even where they may have accounts and savings with various banks or schemes.
Cookies
User consent will no longer be required for certain non-intrusive cookies including those for performance and statistical use. However, suitable notice and information about the cookie and the data collected must still be provided.
Research
Keeping in mind the future and the UK’s position as a leading research centre, the DUA Bill has provided further guidance and allowance for the use of data for research and scientific purposes. This will be a hot topic for discussion going forward as the government attempts to balance the need for advancement against the needs of the individual.
Transfer of data
The DUA Bill looks to create more flexibility when transferring data internationally where the standard of protection in the recipient country is not “materially lower” than the UK.
If you have any queries about how the DUA Bill may affect your business, or if you have any other data queries, then please get in touch with our Commercial & Technology team.