The UK Data (Use and Access) Bill – what businesses should be aware of

Published on 28th Oct 2024

The wide-ranging bill covers much more than changes to data protection rules

The UK government has now published its much-anticipated draft data legislation, the Data (Use and Access) Bill. According to the government, its core objectives are to help grow the economy, improve UK public services, and make people’s lives easier.  

The bill is about a lot more than data protection, standardising information sharing across the NHS or (potentially) removing (some) barriers to the implementation of AI systems. It is, fundamentally, about making better use of data across many sectors of the UK economy; be that energy, telecoms, infrastructure, health and social care or financial services. It does that, for example, by creating a framework for smart data schemes (similar to the open banking regime), which will then be introduced via secondary legislation across relevant sectors (such as energy or telecoms); by introducing a certification framework for digital identity verification systems; and by specific targeted reforms to UK data protection laws. 

Much of the bill is not new: smart data schemes, certification for digital identity service providers and data protection reforms all featured in the Conservative government’s Data Protection and Digital Information Bill (DPDI). However, there are some new aspects.

In the context of data protection specifically, some of the changes to the UK data protection regime that were proposed in the DPDI have been scrapped. In particular, unlike the DPDI, the bill does not change the requirements on businesses to maintain records of processing, to undertake data protection impact assessments or to appoint a data protection officer.

What are some of the bill's key provisions? 

Automated decision making

There is a softening of the current restrictions on automated decision making (ADM), for example by making explicit that the (partial) prohibition on ADM applies only to special category data, and only where there is "no meaningful human involvement".

In theory this gives organisations broader scope to use ADM, which may facilitate deploying AI systems for additional use cases. However, the changes are subtle and several conditions and restrictions still apply, so that organisations will need to consider very carefully whether and how they may be able to increase their use of ADM systems. 

Research use of data 

Definitions of certain types of research are added to the UK General Data Protection Regulation (GDPR) to refine the scope of those concepts.

In particular, the definition of "scientific research" arguably makes the concept wider, in that it is deemed to include any research that "can reasonably be described as scientific" irrespective of the source of research funding, and whether or not it is commercial.

The definition of "statistical purposes" potentially slightly narrows the concept, in that it applies only where the data is used for statistical surveys or to produce statistical results.

There is a broader concept of what people can consent to their data being used for. The bill clarifies that, in appropriate cases, a person will be able to give consent to their data potentially being used for more than one type of scientific research, even if not all those research purposes are identifiable at the time they give that consent.  

Overall, the changes are intended to benefit organisations that conduct research or use research results. While the broadening of the scope of "scientific research" will be welcome, this is still tempered by safeguards and limitations. 

Common standards for health records

The bill provides for the government to bring in standards to enable interoperability and sharing of health-related data. IT suppliers for the health and care sectors will need to ensure that their systems meet common standards to enable data sharing across platforms. Such standards have yet to be set. 

In due course, suppliers to the NHS and social care sector will need to ensure that their contracts with both their customers and their own suppliers and contractors reflect the new requirements. 

Digital identity

Under the bill, the Office for Digital Identities and Attributes (OfDIA), which was originally set up in 2022, will oversee a standards framework for online digital verification services.

Compliance with the standards framework will not be mandatory, but organisations that successfully apply for certification will be certified, included on a publicly accessible register and entitled to display a "trust mark" to show they meet the standards.

The standards will include:

  • not “profiling” users for third-party marketing purposes;
  • not creating large datasets that could risk revealing sensitive data about users; and
  • explicitly confirming that users understand how their data is being shared, whenever this happens. 

Organisations hoping to obtain certification will of course need to ensure that their data processing practices meet the requirements, which in some circumstances will go beyond their current UK GDPR compliance obligations.  

Smart data

The government will set up a "smart data" regime, which will allow the setting up of separate smart data schemes to address specific sector needs, such as in finance, energy and telecoms. 

Smart data schemes will allow individuals to request that their data be shared directly with them, or with authorised and regulated third parties, and establish a supporting framework to ensure secure storage and transfers of this data.  

The government hopes that these schemes can mirror the success of the open banking regime, enhancing consumer confidence in using trusted third-party services to provide, for example, personalised market comparisons and financial advice on costs savings, as well as "one-click" service switching to a new provider. 

National Underground Asset Register

The National Underground Asset Register (NUAR) is a government digital service which provides instant access to a map of the underground pipes and cables for authorised users. It will be put on a statutory footing, rather than the current voluntary arrangement, mandating that owners of underground infrastructure, such as water companies or telecoms operators, register their underground assets.

Failure to comply with the obligations may constitute a criminal offence and those in breach may be liable for damages to those suffering loss as a consequence of that failure. 

The idea of the NUAR is that companies will benefit from a more comprehensive and rich view of buried assets, enabling them to know exactly where any underground asset is placed. However, it places a burden on organisations to provide accurate, timely data. 

Organisations should consider whether they need to review their contracts to ensure that, for example, contractors are obliged to provide the information needed for owners of these assets to fulfil their obligations, and that asset owners will not breach confidentiality obligations if they provide the relevant data. 

Cookies and tracking 

The bill creates some useful exceptions to the current regime; for example, that user consent is not required for use of cookies/other tracking technologies in some online services where they are used solely to collect statistical data in order to make improvements to services or a website, or are used solely to improve the appearance or performance of a website, or adapt it to a user's preferences.  

The exceptions are subject to various conditions, including around transparency, the right to object, and not using the collected data for purposes beyond the scope of the exceptions. 

These are practical improvements which will be welcomed by providers of online services. However, organisations need to bear in mind the conditions, and consider whether compliance will entail technical operational changes (for example, to consents obtained using consent management platforms), or updates to transparency information (such as cookies policies). 

Subject access requests

The bill proposes to limit the right for an individual to obtain copies of their personal data under the GDPR so that they are entitled only to the data that would be found in a "reasonable and proportionate" search.  

While this clarification is welcome, in reality it does little more than codify the existing case law and guidance from the Information Commissioner's Office (ICO).

Legitimate interests processing

The bill provides that certain types of processing purposes will be more likely to count as "legitimate interests", including processing for the purposes of:

  • direct marketing;
  • intra-group transfers for internal administration (including transfers between affiliated institutions, not just between groups of parent and subsidiary businesses); and
  • network and IT system security.

In theory, this makes it easier for organisations to rely on the legitimate interests ground as the basis for their processing in these areas. In practice, its impact is limited for three reasons: the changes mean only that those types of processing are more likely to be considered legitimate interests (they are not deemed to be); the recitals of the EU GDPR already referred to processing for direct marketing purposes potentially being regarded as carried out for a legitimate interest; and many organisations will already have concluded that they were covered by the legitimate interests ground.

The bill also includes provisions allowing the government, in future, to introduce categories of processing which will be deemed to be legitimate interests purposes. 

Information Commission

The ICO will become the Information Commission and have a different structure and powers. 

Osborne Clarke comment 

This is a wide-ranging bill, with many intricate provisions, much of it amending existing legislation or setting up frameworks to be fleshed out later in secondary legislation, and businesses will need time to consider the detail. It is still at the earliest stage of the legislative process, so there is, in theory, scope for significant changes. However, because many of the provisions were based on its previous incarnation (the DPDI) and this had been virtually agreed by the time it fell before the election, it seems likely that those provisions will not be subject to extensive further debate or amendment. This may make for a reasonably speedy progression through the legislative process. 

Businesses should keep an eye on the bill as it moves forward, consider its potential impact on them, and ensure that projects and contracts which might be affected are flexible enough to take account of its development.

As the bill progresses through the legislative process, we will be publishing further Insights on specific aspects and on the bill's significance to certain sectors (such as online service providers, health system providers, financial services, scientific and statistical research teams, and network and utility providers). If you would like to discuss how it may affect your business, please get in touch with your usual Osborne Clarke contact, or one of our experts listed below.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
