After a slightly surprising amount of back and forth between the Commons and Lords, the Data (Use and Access) Bill (DUAB) is finally set to receive Royal Assent.
This legislation has been some years in the making, having first been introduced by the Conservative Government as the Data Protection and Digital Information Bill back in 2022. However, following two (failed) attempts to introduce a data bill in the previous Parliament, the DUAB was introduced by the new Labour Government as part of the first King’s Speech in July 2024.
Whilst the Bill contains some incremental amendments to the UK’s data protection framework, the Bill’s principal aims go wider than simply another addition to the data protection landscape. The Government is seeking to facilitate increased open access to customer and business data through introducing a regulatory framework enabling ‘smart’ data to be made available via third parties in order to foster growth and innovation (by extending this approach to new sectors of the economy beyond financial services).
The Bill also introduces new provisions to regulate the provision of digital verification services and creates new national registers for underground assets and a new electronic register for births and deaths, as well as a proposal to reshape the Information Commissioner’s Office to become the ‘Information Commission’ (thereby changing its corporate constitution from a ‘body sole’ to a ‘body corporate’ in line with other national regulators).
The Act’s provisions reflect the UK Government’s desire for a more flexible data protection regime that does not put at risk the UK’s adequacy status with the EU. The European Commission has recently extended the UK’s existing adequacy status for a further six months to December 2025 to give it more time to assess the effect of the changes brought about by the Act.
Key changes to the UK’s data protection regime, which organisations should be aware of, are set out below:
Automated Decision Making (ADM)
Under the previous UK GDPR framework, the ability of organisations to take solely automated decisions having legal or significant effects was heavily restricted. The Bill expands the scope of ADM to enable controllers to deploy ADM based on any legal basis (not just consent, contract or national laws), with the existing restrictions to apply only when special category data (e.g., health, ethnicity) is involved.
Decisions will only be considered to be made on a solely automated basis when there is no meaningful human involvement in the decision. Therefore, organisations seeking to benefit from the new approach will need to demonstrate that there has been meaningful human involvement in the ADM process to avoid the restrictions (as well as comply with new statutory requirements around transparency and the right to obtain human intervention in relation to such decisions). This change potentially allows greater flexibility in using AI and automation for tasks such as eligibility assessments, fraud detection, and service triage.
Subject Access Requests
The Bill brings (some) clarity for controllers processing Data Subject Access Requests (DSARs). Now organisations are only required to carry out reasonable and proportionate searches and are able to pause the timeline for response if additional information is required from the requester. These amendments have been introduced to bring the ICO’s existing guidance onto a statutory footing.
Legitimate Interests
A new 'Legitimate Interest List' has been introduced, which pre-approves certain processing activities such as internal administration and IT security. These activities no longer require a full Legitimate Interests Assessment (LIA), simplifying compliance for routine data uses, especially in the public sector.
PECR
The UK’s existing regime for the regulation of electronic communications (the Privacy and Electronic Communications Regulations 2003) has been brought into alignment with the ICO’s enforcement powers under the Data Protection Act 2018. This enables the ICO to levy fines in line with those available to it under the GDPR (i.e. up to £17.5 million or 4% of turnover). The amendments have also enabled charities to benefit from the “soft opt-in” consent option when sending communications from fundraising or marketing teams (see our linked article here).
International data transfers
The Bill introduces a new modality by which transfers to third countries may be safeguarded, in that the Secretary of State will be able to approve such transfers where a new ‘data protection test’ is met in relation to the destination country. That test differs in emphasis slightly from the EU approach, in that the standards of data protection in the destination country should not be ‘materially lower’ than the data protection standards in the UK, in contrast to the ‘essentially equivalent’ standard set out under European law.
Other key changes
ICO Complaints Process
The Bill also mandates that individuals must first raise complaints directly with the organisation before escalating to the ICO. Given the levels of complaints raised with the ICO, particularly in relation to how organisations have handled access to information queries (such as DSARs), it is perhaps unsurprising that the ICO have included this requirement, which reflects the current regime in relation to Freedom of Information requests.
Public Sector Data Use
The Bill also promotes the adoption of federated data platforms, such as the NHS Federated Data Platform, to enhance data sharing and integration. It also mandates compliance with information standards for IT systems in health and social care, aiming to improve interoperability and service delivery. The Secretary of State will be given the power to publish such information standards.
What happens next?
Following the Bill’s passing into law, many of the provisions of the new Act will be applied incrementally through secondary legislation, thereby potentially taking some months to come into force.
Organisations will need to take stock of their current data protection policies and procedures to ensure they align with the new legislation. In particular, policies relating to automated decision making and subject access requests should be updated to reflect the more flexible approach of the new Act. Once these policies and procedures have been updated, organisations should ensure that staff are aware of the new changes in legislation through training.
For further help and assistance regarding the changes to data protection legislation and the impacts on your organisation, please contact Ben Pumphrey, head of data governance at Anthony Collins.