Published: 8th January 2025
Area: In House Counsel

The UK government unveiled plans for the Data (Use and Access) Bill to Parliament on Wednesday 23 October, a landmark piece of legislation aimed at modernising how data is used and accessed across public and private sectors.

As the bill progresses through Parliament, organisations should begin thinking about how it might affect their operations, particularly in terms of data protection compliance and ethical data usage.

What is the Data (Use and Access) Bill?

The proposed legislation aims to create a framework that balances innovation with privacy. Its objectives include:

  • Streamlining access to data for innovation: Encouraging responsible data sharing between organisations to drive advancements in areas such as healthcare, technology, and scientific research.
  • Protecting personal data: Ensuring robust safeguards are in place to prevent the misuse of personal information.
  • Facilitating public trust: Promoting transparency and accountability in how organisations use and share data.

The bill builds on existing UK data protection laws, including the Data Protection Act 2018 and the UK GDPR, while introducing new mechanisms intended to enhance accessibility without compromising security.

What is the timeline for implementation

  • Bill introduction: The bill was introduced to Parliament in October 2024.
  • Consultation period: A public consultation period is expected to conclude by the end of January 2025.
  • Royal assent: If approved, the bill is anticipated to receive Royal Assent by mid-2025.
  • Enforcement begins: The main provisions of the bill are likely to come into force by early 2026, with transitional arrangements to help organisations achieve compliance.

What are the key features of the bill?

Data intermediaries

The bill proposes introducing ‘data intermediaries’ to act as trusted third parties that facilitate data sharing under ‘smart data’ schemes which enable the secure sharing of customer data held by service providers (e.g., communications or financial services providers) with authorised intermediaries upon the customer’s request. These entities will ensure that shared data is used ethically and in line with regulatory requirements.

Trust framework

The bill mandates the creation of a ‘trust framework’, which sets baseline standards for digital verification services. This framework is to ensure that digital identity products and services are reliable and secure.

Data sharing for public interest

Specific provisions will facilitate data sharing in an NHS context and for projects deemed to be in the public interest, such as health research or environmental initiatives. However, organisations will still need to demonstrate that their data use aligns with the principles of proportionality and necessity.

Key reforms to the UK’s data protection regime

The bill introduces a number of important changes to data protection and privacy legislation.  These include:

  • Legitimate interests: The bill provides a list of ‘recognised legitimate interests’ under Article 6 of the UK GDPR, allowing for use of personal data in certain circumstances without having to carry out a legitimate interests assessment. The bill also confirms that direct marketing, intra-group sharing of data for internal administrative purposes, and processing to ensure network and information security may be considered processing necessary for the purposes of legitimate interest.
  • Special categories of data: New powers are granted to the Secretary of State to add new special categories of personal data to enable “the Government to rapidly respond to future technological and societal developments”.
  • Data subject access requests (DSARs): The bill clarifies that data subjects are entitled only to findings of reasonable and proportionate searches and allows time for further information about the DSAR’s scope to be sought before the timelines for responding to DSARs begins.
  • Automated decision-making: The bill relaxes the rules on automated decision-making, potentially allowing for more flexibility in using automated systems (including AI) to process personal data.
  • International data transfers: Amendments to Articles 44 to 47 of the UK GDPR will streamline the ability of the UK Government to grant an adequacy decision to a recipient country.
  • Cookies and tracking technologies: The bill widens the scope for implementing cookies and similar tracking technologies without the need for user consent, under certain conditions.
  • Fines and penalties: The cap on fines under the PECRs (which regulate the use of cookies and electronic direct marketing) is amended to align with the UK GDPR, substantially increasing the potential penalties for non-compliance.
Enhanced enforcement powers

The Information Commissioner’s Office (ICO) may receive expanded powers to oversee and enforce compliance with the new regulations, including the ability to impose sanctions for non-compliance.

Data ethics framework

A new data ethics framework will provide organisations with guidance on ensuring their data practices are fair, transparent, and aligned with societal values.

What are the potential impacts on organisations?

Increased compliance burdens

Organisations will need to review their existing data-sharing agreements, policies, and procedures to ensure compliance with the new rules. This could involve additional administrative work and legal oversight.

Opportunities for innovation

The bill’s focus on streamlining data access could create opportunities for businesses to collaborate on innovative projects, particularly in the technology and healthcare sectors.

Heightened scrutiny

With enhanced enforcement powers for the ICO, organisations may face greater scrutiny over their data usage. This highlights the importance of implementing robust data protection measures.

Building public trust

By adopting the bill’s ethical guidelines, organisations can strengthen public confidence in their data practices, which could be a competitive advantage in today’s privacy-conscious market.

What can organisations do now to prepare for the new bill?

  1. Review and update policies and procedures: Ensure your internal practices align with the proposed requirements, particularly if you use automated decision making (such as AI), and update policies and procedures around DSARs, data protection impact assessments and the use of legitimate interest as a lawful basis for processing.
  2. Engage with stakeholders: Communicate with partners and third parties about potential changes to data-sharing agreements and new opportunities for collaborations and data sharing.
  3. Invest in training: Educate employees about the importance of data ethics and compliance with the new rules.
  4. Seek legal advice: Consult legal experts to ensure your organisation is ready for the regulatory changes.

How we can help

As specialists in data protection law, we’re here to help your organisation navigate the complexities of the Data (Use and Access) Bill. From conducting compliance audits to drafting updated data-sharing agreements, our team provides tailored advice to ensure your business stays ahead of the curve.

Get in touch with us today to discuss how we can support your organisation in preparing for the future of data regulation.

Get in touch

Kim is an expert on data protection law and has considerable experience of helping businesses with their compliance with the GDPR. He is the firm’s representative on PrivacyRules, which is an international alliance of data privacy and cyber security lawyers and technology companies.

Trevor is triple-qualified as a solicitor in Scotland, England & Wales, and British Columbia (non-practising status). He is also a Law Society of Scotland Certified Specialist in Cyber Security, and has the data protection certifications CIPP/E and CIPM. With over 17 years’ experience both in-house and in private practice, Trevor advises clients on data protection and privacy (especially GDPR and PECR), commercial contracts, small business acquisitions, and freedom of information.

How we can help

Data Protection

Our data protection experts have a meticulous eye for detail and will identify your risks, cut through the noise and give you practical and actionable steps to implement.

Commercial Law

Identifying business goals and putting a strategy in place to reach them is paramount; you’ll need experts with the skills and resilience to help you get the best results.

Our latest Organisations updates

Our legal experts are here to answer any question you might have

If you’d like to speak to a member of our team, please fill out the form and we’ll be in touch within two hours.
If you know who you need to contact, you will find a full list of our people with email and telephone numbers here.
Call Us: 0330 024 0333