The Data (Use and Access) Bill is heading to Royal Assent!
The months-long ping-pong match between the two Houses of Parliament has come to an end, and the bill has now entered the final stage of its passage.
As the bill can be expected to become law very soon, here are 13 of its most significant changes that you'll want to know about.
1: Smart Data Schemes
The DUA Bill introduces 'Smart Data Schemes', which will let the government make rules for how businesses share customer data with customers and with third parties the customer authorises. Think of it like Open Banking, which already lets you share your financial data with other apps in the UK.
The government will hold consultations to work out exactly which sectors and businesses will be covered, who can access the data, and what safeguards need to be in place.
2: Recognised legitimate interests and legitimate interests
The DUA Bill changes how we can process personal data. It introduces 'recognised legitimate interests', which let businesses process data for specific purposes such as national security, preventing crime or safeguarding vulnerable people, without carrying out the usual legitimate interests (balancing) assessment.
On top of that, the Bill lists other activities that may count as legitimate interests, such as direct marketing or sharing data within a group of companies. These still need an assessment, but having them named in the law makes it clearer that legitimate interests can be relied on for them.
3: Wider permitted use of cookies
The DUA Bill makes important changes to the cookie rules under PECR, especially around when consent is needed. It creates exceptions so that consent isn't required for some non-essential cookies and similar tracking technologies used solely to gather statistics for improving a website's appearance or performance, to adapt the site to user preferences, or to enhance the service (users must still be told and given a simple way to object).
The Bill also lists specific 'strictly necessary' purposes for cookies, such as security and fraud detection, where neither consent nor an opt-out is needed. In addition, non-compliance with PECR will carry the same maximum fines as UK GDPR: up to 4% of global annual turnover or £17.5 million, whichever is higher.

4: Automated decision making
The Data (Use and Access) Bill eases the rules on Automated Decision Making (ADM). It will allow solely automated decisions to be made on any lawful basis, without needing to obtain consent, as long as the decision doesn't involve sensitive 'special category' data.
Even when special category data isn't used, the Bill still requires safeguards: being transparent about how ADM is used, and letting people contest decisions, make representations and request human review.
5: Mandatory healthcare data standards
IT systems used in health and social care will have to meet a set of agreed technical standards. The Secretary of State will gain the power to publish information standards for healthcare IT services, covering technical aspects such as how systems function, connect to each other, share data, store information and maintain security.
This should make it easier and faster to share patient information across different organisations, which could reduce mistakes, cut down on repeated tests and save staff time.
6: Digital identity trust mark
The DUA Bill sets up a system for 'trusted' digital verification services (DVS).
This involves creating a DVS register and a certification process under the DVS Trust Framework, which the Secretary of State will develop in consultation with the ICO. Services on the register will be able to display a trust mark.
7: Simplifying Data Subject Access Requests (DSARs)
The Data (Use and Access) Bill aims to clear up confusion around Data Subject Access Requests (DSARs) and make them less burdensome for businesses. It confirms that individuals are only entitled to the information found by a 'reasonable and proportionate' search, which should cut down on costs and admin.

8: Definition of scientific research
The DUA Bill widens what counts as 'scientific research' to include any research that can reasonably be described as scientific, whether publicly or privately funded, commercial or non-commercial. This broadens the situations in which sensitive 'special category' data can be processed for research, including privately funded and commercial projects.
The new definition also removes the need to carry out a public interest assessment when processing data for scientific research. In addition, individuals will be able to consent to their data being used for an area of scientific research even if the exact purposes can't yet be fully identified.
9: International data transfers
The DUA Bill changes how the UK approves data transfers to other countries. Instead of 'adequacy decisions' there will be 'transfers approved by regulations'. Under the new 'data protection test', the Secretary of State must be satisfied that the other country's standard of protection is not 'materially lower' than the UK's.
In making that assessment they will look at things like whether the country respects the rule of law and human rights and has an independent data protection authority. Although these changes look big on paper, they probably won't have a huge impact on international transfers from the UK, because the core framework remains broadly the same.
10: Purpose limitation
The DUA Bill brings clarity to the 'further processing' of data. It sets out criteria for deciding whether a new purpose is compatible with the original one, such as the link between the two purposes, the context in which the data was collected, and the possible consequences for individuals.
The Bill also lists situations in which further processing is treated as compatible, for example where the individual consents, or where the processing is needed to meet a legal obligation such as a court order, as set out in the new Annex 2.

11: Children’s data
To better protect children's data, the DUA Bill adds 'children's higher protection matters' to the principle of data protection by design and default, particularly for online services that children are likely to access.
This means businesses, and the ICO when carrying out its functions, will have an explicit duty to take account of children's particular vulnerability when handling their data, with the aim of putting stronger safeguards in place for young people.
12: The Information Commission
The DUA Bill brings big organisational changes to the ICO. It abolishes the Information Commissioner's Office as currently constituted and creates a new 'Information Commission', replacing the single Information Commissioner with a Chair and a board of other members.
It also changes how people complain: individuals will first have to raise their complaint with the business concerned, and only if it isn't dealt with satisfactorily can they escalate it to the Information Commission. This is expected to cut down the number of complaints the Commission receives.
13: Soft opt-in for charities
The DUA Bill will significantly help charities by extending the PECR 'soft opt-in' marketing rule to them. This means that if a charity obtains someone's contact details when that person expresses interest in or support for its charitable purposes, the charity can send them marketing by email or text without explicit consent, as long as an opt-out is offered at the time the details are collected and in every message.
This change should make it easier for charities to engage with supporters and raise funds, although they will still need to make sure their marketing is proportionate and satisfies the legitimate interests test under UK GDPR.

Want to be prepared for the new law?
As organisations prepare for the changes the DUA Bill brings, we're here to provide the guidance you need to understand them and ensure a smooth transition.
Introducing our new training course:
Understanding the Data (Use and Access) Bill – 1 day course.
- Gain a basic understanding of the key changes.
- Become familiar with your responsibilities following the changes, and how to adapt.
- Prepare a compliance plan to support the change in your organisation.
…and more!
Learn more about this course and book yourself a place here.