The Data (Use and Access) Bill has now completed its passage through the House of Lords, reflecting the government’s renewed focus on harnessing the economic power of data. Under the previous government, the Data Protection and Digital Information Bill did not complete the legislative process before parliament was dissolved ahead of the July 2024 general election. The new Data (Use and Access) Bill retains a number of its predecessor’s reforms, while discarding or refining others.
This article highlights which elements of the Data Protection and Digital Information Bill will remain and which will be discarded in the Data (Use and Access) Bill, as well as looking at recent comments on the bill from the information commissioner.
Several reforms originally proposed under the Data Protection and Digital Information Bill have been omitted, including planned amendments to the definition of personal data and changes to records of processing and data protection impact assessment requirements. Additionally, the Data (Use and Access) Bill no longer replaces the data protection officer role with the role of a senior responsible individual.
For any organisations operating across the EU and UK that need to comply with the EU General Data Protection Regulation (GDPR) as well as reformed UK data protection laws, these developments will be a welcome change in position as they reduce the number of divergences between the two.
In contrast, key elements of the Data Protection and Digital Information Bill that remain include recognition of certain 'legitimate interests', removing the need for legitimate interest assessments for these pre-determined legitimate interests, and reducing restrictions on automated decision-making. These reduced restrictions will make it easier for organisations to utilise AI technologies, albeit the current restrictions will be maintained for automated decision-making involving special category data.
The Data (Use and Access) Bill also introduces a new definition of scientific research, which expressly includes both publicly and privately funded research, as well as commercial and non-commercial research. It then enables organisations to rely on consent to process personal data for scientific research purposes even where it is not possible to fully identify the purposes for which personal data will be processed at the time that consent is sought.
These reforms are just a flavour of the proposed updates to UK data protection laws, but they demonstrate a focus on changes which will help to improve innovation within the UK and boost the UK economy.
The Data (Use and Access) Bill also aims to boost innovation and competition by permitting sector-specific 'smart data' schemes. Additionally it provides for new national registers of underground utility assets and creates a regulatory framework for digital identity verification services. In the healthcare sphere, the Data (Use and Access) Bill paves the way for unified electronic health records in England - an initiative the government hopes will streamline services and enhance patient outcomes. These data-sharing reforms would all help to drive efficiency and reduce costs.
While less radical than the original Data Protection and Digital Information Bill, the Data (Use and Access) Bill's targeted reforms to UK data protection law will still require close monitoring. This is so that businesses can take advantage of relaxed restrictions and ensure compliance with new requirements.
The information commissioner has published an updated response to the Data (Use and Access) Bill labelling it a ‘positive package of reforms’, and recognising the role it will play in strengthening data protection while fostering regulatory clarity and economic growth. Whilst noting that the changes provide greater certainty for organisations, the commissioner seeks further clarity on certain aspects.
While the commissioner acknowledges the bill’s balanced approach to automation and new regulatory responsibilities, concerns remain over enforcement challenges and the potential impact on the UK’s adequacy status granted by the EU. The commissioner will continue advising parliament as the bill progresses.
Given the Data (Use and Access) Bill’s origins in well-advanced predecessor legislation, its passage through parliament could be swift, with Royal Assent anticipated in the spring or summer of 2025. We'll provide further content once the bill is published in final form.
For further information, please contact our privacy and data team.
We produce a range of insights and publications to help keep our clients up-to-date with legal and sector developments.
Sign up
