Data (Use and Access) Bill: Laying the groundwork for smart data schemes

On 23 October 2024, the UK Government introduced the Data (Use and Access) Bill (the "Bill") into Parliament.

In this article, the latest in our series of deep-dives into the Bill's provisions, we will be looking in detail at the provisions in the Bill which create a framework for the creation of new "smart data" schemes.

The Bill, announced originally in the King's Speech of July 2024 under the name of the "Digital Information and Smart Data Bill", is something of a grab-bag of assorted data-related provisions, including amendments to the UK's data protection regime, provisions covering smart data schemes and improving access to public sector data for the private sector, digital identity verification services, changes to the structure and functioning of the Information Commissioner's Office, and more besides.

Overall, the Government intends the Bill's provisions to contribute towards three key objectives:

  1. To harness the power of data to grow the economy;
  2. To improve public services and enable and support modern digital government; and
  3. To make people's lives easier.

The full text of the Bill as introduced into Parliament is available here, and its explanatory notes may be read here.

Background to the smart data agenda

A "smart data" scheme is a scheme or infrastructure that allows customer data, held by a company or other organisation which provides goods, services or content to that customer, to be shared (with the customer's prior authorisation) with a third party. The third party recipients in question are neither the provider nor the customer themselves and generally offer some service to the customer that relies on the provision of this data. Typically, this is done to enable the third party provider to offer innovative data-enabled services to the customer.

To date, the chief example in the UK, and for all practical purposes the only "smart data"-type scheme that has yet gained widespread uptake in the UK, has been Open Banking. This is a scheme originally established by an order made by the UK Competition and Markets Authority ("CMA") in 2017 following a market investigation into nine of the largest UK banking providers. This CMA order required those banks to "open up" access to data relating to personal and business current accounts, to be managed by a new "Open Banking Implementation Entity" (the "OBIE").

This scheme has been notably successful, and has led to the creation of a wide array of new account management and other data-enabled services being offered to consumers and businesses, relying on open data access within the Open Banking framework. As of July 2024, according to the Bill's explanatory notes, over ten million consumers and small businesses were using Open Banking-enabled services. Other open data schemes, such as the Pensions Dashboards Programme, are already in progress.

The Bill's explanatory notes state that to enable schemes like Open Banking to "grow and expand", it needs to be put "on a legislative footing". The Government's ambitions, however – in pursuit of its economic growth agenda – are not limited to the financial sector. Instead, it would like to see further smart data schemes set up in other sectors, with a view to providing the same kinds of benefits to consumers and businesses on a broader basis. The Bill's explanatory notes are explicit in saying that the Government is now taking the lessons learned since 2017 in the rollout of Open Banking and seeking to apply these more broadly.

The new powers that will be created under the Bill aim to enable this. Those powers will, as set out in the explanatory notes, replace the powers that already exist under the Enterprise and Regulatory Reform Act 2013 ("ERRA 2013"). The Government's view is that the existing ERRA 2013 powers are insufficient in general and lacking in key respects – for example, those powers do not encompass wider business data as well as customer-specific data; they do not permit schemes to be designed around technical standards that will routinely receive frequent updates and revisions; and they do not contain powers to require providers of goods, services and content to collect and retain certain data sets that would be important for the operation of a smart data scheme.

The powers under the Bill also go further than the data portability provisions in the UK GDPR, as these only apply where the "customer" is an individual, they do not cover "wider contextual data", and in the Government's view they do not sufficiently provide for the real time provision of customer data from data holders to third parties that is necessary for functioning smart data schemes.

Regulation-making powers

The general scheme of the provisions in the Bill that relate to smart data schemes is that they create the framework for future, detailed regulations, rather than creating any schemes or detailed requirements directly. Government Ministers will be given broad regulation-making powers with a wide variety of possible structures and provisions that those regulations could create, in order to enable new smart data schemes. It is clear that different smart data schemes created under these regulation-making powers, for different sectors and different types of goods and services, could in theory vary widely from each other in terms of their characteristics, standards and infrastructure.

Customer and business data

The Bill would give Ministers the power to create regulations requiring "data holders" to share both "business data" and "customer data", in real time, either directly with the customer, or with a third party authorised by the customer (where that third party meets certain conditions, which Ministers are also empowered to set out in the relevant regulations).

A "data holder" can be either a trader – a person who provides goods, services or digital content in the course of business – or otherwise a person who processes business data, customer data, or both, in the course of business.

"Customer data" under the Bill is defined, very broadly, as being data that is specific to a particular customer of a trader. This can include personal data pertaining to that customer, but is not limited to just personal data. It can also include data about the goods, services or content provided by the trader to that customer, including information on pricing, usage, performance and quality, and can even include information about the provision of customer data itself, to the customer or third party under the regulations.

A "customer" is anyone who has purchased, been supplied with, or otherwise received goods, services or content from a trader, including free of charge. A customer can be a natural person, but does not have to be.

It is noteworthy that the scope of "goods" for the purposes of the Bill encompasses utilities such as water and gas.

"Business data" receives a similarly broad definition under the Bill. It is defined as information relating to goods, services and/or content provided by a trader – including information on pricing, use, performance, quality and location – where that data does not relate to a particular customer of that trader. Similarly to customer data, business data can also encompass information about the provision of business data to the customer or third party under the relevant regulations.

In the Bill's explanatory notes, the Government has expressed the view that whilst both options (direct sharing with the customer, versus sharing with a third party) should be included in the Bill for future flexibility, it is most likely that any future regulations will focus on requiring data sharing with authorised third parties, as that third party will (following the Open Banking model) be "best able to make use of the data on the customer's behalf" and to provide customers with "innovative services".

It is, of course, possible that different approaches to this point will be taken by different regulations made under the Bill, each of which might pertain to a distinct smart data scheme for a particular sector or type of trader.

Third party data sharing – authorisation, accreditation and approval

Where the regulations made under the Bill provide for customer data to be shared, on the customer's or the third party's request, with a third party who is authorised by the customer to receive the data, or for business data to be shared with a third party on a customer's or third party's request, the regulations can limit the third parties with whom data can be shared to those which meet "specified conditions".

The Bill's explanatory notes refer to this concept as "accreditation", in respect of customer data. Where a third party is accredited, they will fall within the class of parties with whom customer data may be shared if authorised. However, this concept is distinct from the customer's "authorisation" which is also required where customer data is to be shared. A third party which is accredited is one which a customer can then authorise to have customer data shared with them by a data holder, but before the sharing can take place, the customer must also have actually authorised sharing the data with that particular third party. Regulations made under the Bill can specify particular procedures by which this authorisation must take place.

As business data does not pertain to any particular customer, once a third party meets the specified conditions for business data to be shared with them – which the Bill refers to as being "approved" – they may request the data holder to share that data with them, with no further authorisation steps needed from any particular customer.

Alternatively, the Bill says that regulations can require business data to be outright published by data holders, and can require the use of particular data formats and/or platforms for publishing this data as well as specifying the frequency with which the data must be published.

The Bill further says that the regulations made under it can provide for a "specified person" to make the decision as to whether a particular third party has met the conditions for "accreditation" (in respect of customer data sharing) and/or "approval" (in respect of business data sharing). This specified person is referred to as the "decision-maker". The regulations can confer extensive powers on these decision-makers, which are further discussed below.

The FCA can, under regulations enabled by the Bill, be given special powers to monitor and make rules for the conduct of smart data schemes concerned with financial services.

How can third parties use data shared with them?

The Bill provides that where a third party is authorised to receive customer data from a data holder, the regulations made under the Bill can then permit that third party to take (on the customer's behalf) some or all of the same actions as the customer could themselves take. This might, for example, be operationalised by a third-party data recipient using customer data, which it is authorised to receive, to switch between utility providers (or recommend the same to the customer) in order to get better deals.

This is, in many ways, the heart of what the Government hopes to achieve by the Bill's smart data proposals and the regulations that Ministers will be empowered to make once the Bill passes – permitting the use of customer data by third parties in providing innovative services for the customer's own benefit, following the Open Banking example but across a far broader range of sectors and use cases.

Decision-makers

The Bill gives Ministers extensive latitude to endow those persons or organisations appointed as "decision-maker" for a particular smart data scheme with wide-ranging powers to determine who should be accredited and/or approved.

Regulations made under the Bill could, if Ministers elect, empower decision-makers to:

  • Suspend or revoke decisions to accredit or approve a third party in respect of customer or business data sharing;
  • Carry out monitoring of those third parties who have been accredited or approved to ensure their continuing compliance with the conditions of that accreditation or approval (including delegating those functions to others) – which can include powers to require the production of documents and other information; and
  • Handle and resolve complaints made about accredited or approved third parties (and the regulations can require a decision-maker to implement particular complaints procedures).

The Bill also permits the regulations to include provisions for a public authority (to be specified in the regulations) to enforce – including, subject to some constraints, by way of financial penalties – the accreditation and approval requirements and the decisions made by the decision-maker under the regulations.

Interface bodies and assistance

The Bill also provides that, through its regulation-making powers, Ministers can establish "interface bodies" for smart data schemes.

Analogous to the role performed up to now, in the Open Banking context, by the OBIE, interface bodies can be empowered to establish and administer "interfaces" or platforms for the data sharing, access and/or publishing described above to be carried out on a practical level. Interface bodies will also be able to establish and maintain standards for the provision, sharing and access of such data via these interfaces.

The Bill allows regulations to require both data holders and third party recipients of shared data to provide "assistance" to the interface body, which can include financial assistance of varying descriptions – this is considered below in further detail.

Fees and financial assistance

Regulations made under the Bill will be able to provide for data holders, interface bodies, decision-makers, enforcers, and/or anyone else holding a duty under those regulations to require payment of a fee in connection with carrying out those duties. The explanatory notes to the Bill clarify that in general, the Government's expectation is that data holders will not be permitted under the regulations (as they are actually implemented) to require a fee for sharing data with customers or third-party recipients. Regulations might however allow data holders to require a fee from anyone making excessive data sharing requests.

Ministers, and the Treasury, are empowered to require data holders and/or third-party data recipients to pay a levy to decision-making, enforcement and interface bodies to meet expenses incurred by those bodies in the exercise of their duties under the relevant regulations.

Financial assistance can also be provided directly by Ministers and the Treasury to a person tasked with performing duties under any regulations made under the Bill's provisions, with the exception of data holders, customers and most third-party data recipients (excluding certain public authorities when they act in a third-party recipient capacity).

Ancillary powers to support operation of smart data schemes – standards and requirements

Regulations made under powers granted by the Bill can specify formats, standards and mechanisms for data that is to be shared under a smart data scheme – such as requiring the use of particular APIs. This is intended to ensure interoperability and standardisation within the relevant smart data scheme, rather than creating a "free for all" of sharing methodologies within the general data sharing duty created by the relevant regulations.

Regulations under the Bill can also require data holders to produce and retain certain customer and business data sets, in order to ensure that data holders will have that data "to hand" on a consistent basis to enable the functioning of a particular smart data scheme. These powers can extend to requiring the data holder to rectify customer data where, for example, it is inaccurate, at the customer's or an authorised third-party recipient's request. This rectification power is broader than the right of a data subject to request rectification under the UK GDPR, as the power under the Bill will extend to all customers, whether or not they are natural persons, as well as to all customer data, whether or not this is personal data.

Notably, however, the explanatory notes to the Bill make clear that the capacity of regulations made under the Bill to require a data holder to produce and retain certain customer data will not override the rights of data subjects under UK GDPR to request erasure of their personal data.

Sector-specific schemes or cross-sectoral standardisation?

In the debate so far on the Bill in Parliament, some criticism has been levelled against the notion of separate smart data schemes, with separate interface bodies and potentially separate standards, being implemented on a sector-specific basis.

In a House of Lords debate held in November 2024, Lords Knight and Vaux were among those who raised concerns – also echoed by think-tank the Open Data Institute in a published response to the Bill's proposals – that a failure to provide for a central authority with responsibility for data standards across all smart data schemes set up under the Bill might needlessly hinder data interoperability, both between different UK smart data schemes and internationally. Strong data interoperability might substantially lower barriers to, and speed up the rollout of, new schemes.

Now that the Bill has passed from the Lords to the Commons, it remains to be seen whether any amendments to the Bill will be considered that might move towards this sort of approach, and indeed what sort of approach Ministers will take when making regulations under the Bill once it passes into law: for example, whether in practice there will be substantial differences between data standards used in different schemes, or whether particular standards will be mandated across the piece by a consistent requirement to use those standards under multiple different smart data schemes.

Next up

In our next article in the series, we will consider the Bill's measures to establish a new statutory register for digital ID verification services and to require employers and landlords to use ID verification providers listed on the new register when carrying out right-to-work and right-to-rent checks.

You can follow this article series, and access each article in the series as it is published, at this page on our data protection hub.