"Data reform is back on the agenda with publication of this new Data (Use and Access) Bill which proposes changes to the UK's data protection framework among other more wide-ranging measures. Businesses will be relieved that this isn't a major overhaul of the current regime. As usual, the devil will be in the detail. We'll be following and analysing this new piece of proposed legislation as it progresses through the various stages and reporting on what it means for businesses in practice."
- Andrew Northage, Partner, Regulatory & Compliance
What's happened?
The Data (Use and Access) Bill received its first reading in the House of Lords and is now awaiting its second reading, where its content will be debated. These are the very early stages, so there is still some way to go before the Bill reaches the final stages, receives Royal Assent and becomes law.
Three years have passed since the Johnson government consulted on post-Brexit data reform. Progress has since been patchy. One Bill was subsequently withdrawn with a change in leadership, and a later Data Protection and Digital Information Bill failed to proceed further due to the general election. The King's Speech in July alerted us that data reform was back on the agenda.
What does the Bill do?
While the Bill seems to focus more on matters such as the introduction of smart data schemes, unlocking the power of data to improve public services and legislating on digital verification services, it does propose making various changes to the UK's framework for regulating the processing of personal data as set out in the UK GDPR and Data Protection Act 2018. Among other things, this will include changes relating to:
A new lawful ground for processing personal data will be created, where processing is necessary for the purposes of a 'recognised legitimate interest'. This will include important public interest grounds such as safeguarding vulnerable adults and children, safeguarding national security, public security and defence, or where a public authority requests information that may include personal data. This stems from the government's desire to encourage personal data processing and sharing for important public interest scenarios, amid concerns that the current rules may result in delay or failure to process and share.
Unlike its predecessor, this new Bill doesn't propose changes to the requirements for organisations to appoint a data protection officer and keep processing records.
The Bill also proposes changes to the Privacy and Electronic Communications Regulations 2003, including increasing the fines for breaches to align with the UK GDPR.
In his response, the Information Commissioner welcomed the Bill as 'a positive and balanced package of reforms'. In addition to commenting on the proposed changes to the data protection framework, which he described as 'pragmatic and proportionate', the Information Commissioner also welcomed 'the renewed focus on broader measures distinct from the data protection framework that will support growth, trust and engagement with the digital economy and improved delivery of public services'.
The Information Commissioner says that a top priority is the certainty provided by a positive EU adequacy decision. His view is that the proposed reforms should not present a risk to the UK's adequacy status.