Data (Use and Access) Bill - DUA Bill

Towards the end of October, the UK government once again moved to reform data protection law in the UK. The latest proposal, the draft Data (Use and Access) Bill (DUA Bill), contains previously proposed reforms from the Data Protection and Digital Information Bill (DPDI Bill) but also contains some significant changes.

The DUA Bill has shifted in tone from its predecessor and now seeks to enable greater use of data to grow the economy, improve public services and make people’s lives easier. According to the UK government, the DUA Bill is largely focused on making better use of data across many sectors of the UK’s economy and improving public sector services.

DUA Bill: Key Proposals

Some of the new reform proposals include:

  • Special category of personal data: the Secretary of State will be given the power to expand the list of special categories of personal data and define additional processing activities that would be subject to the prohibition of its processing.
  • Children’s data: the ICO has an additional duty to consider the vulnerability of children in relation to data processing when carrying out its responsibilities under data protection law.
  • Complaints by data subjects: submitting complaints to the ICO will also be reformed. Data subjects will first need to address their complaints to the relevant controller. The complaint can only be escalated to the ICO when the complaint has not been dealt with satisfactorily. This proposal is to reduce the number of complaints received by the ICO.
  • Online Safety Research: proposals to amend the Online Safety Act to enable the Secretary of State to issue regulations requiring regulated providers to give researchers access to online safety-related information have also been included.

DUA Bill and DPDI Bill

The DUA Bill has also retained certain provisions from the DPDI Bill, which include, amongst others:

  • Research: the ‘scientific research’ exemption is expanded to include privately funded and commercial research.
  • Healthcare data: IT systems in the healthcare sector will have to meet common standards to enable data sharing across platforms. The Secretary of State will now have the power to publish an information standard on IT services in healthcare which may include technical provisions on functionality, connectivity, interoperability, portability, storage and data security.
  • PECR-Cookies: the DUA Bill includes a proposal for an exemption from obtaining consent for cookies where they pose a low risk to users. This includes where the cookies are used solely for analytics and where they are strictly necessary to ensure security and prevent or detect fraud.

Another important proposed amendment the DUA Bill intends to retain is the requirement of a UK Representative. Currently, this is a requirement for controllers based outside the UK. The DPDI Bill had previously indicated that this requirement would be removed but the DUA Bill has retained this requirement.

Conclusion

The strong commitment to the reforms and the removal of some of the more controversial elements mean it is likely that the DUA Bill will, at some point, become law. Once enacted, organizations will need to ensure compliance with any changes or additional measures. This is a development that we at DPO Consultancy will continue to monitor.