The Labour Government picks up where its predecessor left off, aiming to harness the power of data for public benefit and modernise the UK’s data protection regime
The bill targets large economic benefits through a reformed approach to data sharing, digital public services, and the regulation of personal data
On 23 October 2024, the Department for Science, Innovation and Technology (DSIT) published the Data (Use and Access), or DUA, Bill for its first reading in the House of Lords. The bill, previewed by Labour in the King’s Speech on 17 July 2024, follows broadly in the footsteps of the previous Conservative Government’s Data Protection and Digital Information (DPDI) Bill – which failed to pass during the wash-up period before July’s general election. The bill has been positioned as one part of a broader effort to harness the power of data for economic growth, underpinned by a revamped Information Commissioner’s Office (ICO) with specific focuses on supporting modern digital government and improving people’s lives. The Government claims that the bill could generate approximately £10bn for the UK economy over 10 years by legislating on data sharing to benefit businesses and consumers. In summary, the bill will aim to:
Accelerate UK-wide innovation, investment and productivity through establishing Digital Verification Services and Smart Data Schemes;
Improve people’s lives by enabling more and better digital public services; and
Ensure people’s data is well protected by bolstering the regulatory powers of the ICO.
Despite expectations that the new Government would radically re-write the DPDI Bill, many of the proposed changes to the UK GDPR remain
Many of the proposed reforms, particularly relating to the UK GDPR (the UK’s data protection regime post-Brexit) and the ICO’s governance structure, represent carryovers from the incomplete DPDI Bill, which many expected to be dropped. Still on the cards for the new DUA Bill are changes to Privacy and Electronic Communications Regulations, as well as the new ability for the Secretary of State to approve third countries as secure enough for UK data to be exported. As with the DPDI Bill, the proposed legislation covers issues similar to those addressed by the EU’s Data Act and Data Governance Act, promising to deliver on Labour’s manifesto commitments to propel open banking development and the growth of new smart data schemes. These provisions aim to allow consumers and businesses to safely share personal information with carefully-regulated third parties to facilitate personalised advice and market comparisons, which is expected to boost competition in finance and energy sectors. Several notable amendments have also been made, however, with removed DPDI proposals including planned changes to the definition of personal data, the watering down of accountability provisions on data protection and the requirement for the ICO to take into account the Government’s strategic priorities. One stand-out addition to the bill’s data protection reforms is Section 74, which would give powers to the Secretary of State to amend the types of data classed as special category data.
Further legislative movement on digital verification and online safety is expected, beyond the wider focus on economic growth
While many proposals contained within the DUA Bill are given in broad terms, for example promising the general use of data to cut down bureaucracy, support public services and foster innovation, it also offers some specific directions. In particular, the bill promises legislation on digital verification services, building on the DPDI Bill’s plan to support digital ID rollout through the establishment of a robust Digital ID Trust Framework. As part of this framework, the bill would create a ‘trust mark’ certification system for companies offering verification tools based on the Government’s own standards framework. If successfully certified, services will be awarded a new logo to visibly demonstrate approval by DSIT’s new Office for Digital Identities and Attributes. One year on from the adoption of the UK’s Online Safety Act (OSA), the new bill also includes measures targeting online harms, including through the establishment of a researcher data access regime. This provision would let researchers access the data held by online platforms, in order to allow them to conduct in-depth independent research into online safety trends, supporting the work of DSIT and Ofcom in implementing the OSA effectively. The bill remains under early consideration in the House of Lords but is likely to progress quickly through Parliament given its similarity to the previously-advanced DPDI Bill, which fell primarily because of the lack of time available to debate amendments (now removed from the DUA Bill) made by the Government in the wash-up period, rather than because of any significant opposition to its content.