The Data Use and Access Bill (the Bill) contains the Government's proposals to update the UK’s data protection legislation. The Bill contains many similar or identical provisions to the Conservatives’ Data Protection and Digital Information Bill that failed to complete all its stages before the general election. Whilst the detail is being scrutinised in the House of Lords, some of the proposed changes are as follows:
Subject access requests
Data controllers only need to carry out a ‘reasonable and proportionate search’ when responding to a subject access request.
This codifies the existing principle set out in ICO guidance: data controllers ‘should make reasonable efforts to find and retrieve the requested information. However, [they] are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.’
Recognised legitimate interests
Data controllers must identify a lawful basis for processing data (Art 6 UK GDPR), plus a lawful basis for processing special category data (Art 9 UK GDPR). 'Legitimate interests' is the most flexible lawful basis for processing, provided that data controllers can satisfy the three-part test:
- identify the legitimate interest;
- confirm whether the processing is strictly necessary; and
- consider the impact on the individual and balance the proposed activity against the individual's rights, recording the outcome in a legitimate interest assessment.
The Government wants to simplify this exercise and reduce the need for legitimate interest assessments by creating a pre-approved list of ‘recognised legitimate interests’. This would include, for example, safeguarding a child or adult considered to be at risk, investigating crime or prosecuting offenders.
The House of Lords has stated that the amendment is unnecessary: the public interest objectives listed in Article 23(1)(c) to (j) UK GDPR still leave a margin of discretion, and the proposed ‘recognised legitimate interests’ are already permitted under the UK GDPR. However, many data controllers don't carry out legitimate interest assessments when required and would be relieved to rely on a pre-approved list of ‘recognised legitimate interests’, especially when using or sharing particularly sensitive information.
Automated decision making
The Government plans to expand solely automated decision-making, unlocking the power of data and helping frontline staff make better-informed decisions quickly.
Automated decision-making is currently broadly prohibited with specific exceptions. The Bill will permit it in all but a limited set of circumstances. Removing the general prohibition presents an opportunity to save time and money.
If implemented poorly, wrong decisions can be made, undermining people’s trust and confidence, potentially leading to complaints and challenges and wiping out the cost savings.
The change shifts the burden: individuals must enforce their rights, rather than companies having to demonstrate why automation is permissible. There are still significant and valid concerns about the increase in biased and discriminatory outcomes, and data controllers will still need to take care when working to a highly pressurised digital transformation agenda. Whilst the Bill might allow for more solely automated decision-making, none of these risks will fall away.
Removing the general prohibition could make it harder to understand how automation works in practice; suppliers are already protective over their intellectual property and this change reduces external pressure to justify the proposed processing activity. This could make it harder for data controllers to demonstrate accountability. Where automated decision-making is the right solution, they need to adopt appropriate policies and practices that implement data protection by design and default.
Information standards for health and adult social care in England
The Department of Health and Social Care is proposing to lay new regulations before Parliament in spring 2025, which will set out the procedure to be followed for preparing and publicising information standards.
The proposed regulations will make information standards (technical, data and information governance standards) binding. At the same time, changes in the Bill will extend their application to private health and adult social care providers and to suppliers of IT services to the health and care system.
Through a more standardised approach, information standards should:
- allow information to be shared easily and in real time between organisations that use different systems;
- ensure information flows through the system in a standardised way, in a consistent, accessible format, in a way that ensures it is always meaningful to and easily understood by any recipient or user; and
- ensure health and care providers can effectively access information relevant to the individual's care.
As well as technical requirements relating to design, quality and capabilities, the information standards may also dictate the contracts or other arrangements under which such technology or services are marketed, supplied, provided or otherwise made available. The Secretary of State will oversee compliance with the standards and can publicly censure organisations failing to comply.
As a result of the consultation, the regulations will confirm that when preparing and publishing the information standards, the Secretary of State or NHS England must:
- prioritise those information standards which will contribute most to interoperability objectives;
- provide sufficient lead-in time wherever possible, to allow stakeholders to prepare for changes;
- require the consequences of non-compliance to be included with an information standard;
- use accessible and straightforward language, to reduce the risk of misinterpretation by those who apply them; and
- review the information standards periodically or at appropriate intervals.
Whilst stakeholders also asked the Secretary of State or NHS England to consider the cost of implementation when preparing an information standard, it doesn't appear that this will feature in the proposed regulations.
Watch this space…
The Bill's three core objectives are to grow the economy; to improve public services and make people’s lives easier; and to cut down on bureaucracy and make more effective use of data when delivering public services.
Whilst the details will follow, organisations will want to keep an eye on proposals as they come to review their information governance and digital transformation plans. Those operating in the health and social care sector will want to seek out opportunities to engage with future consultation on the information standards regulations.