Data (Use and Access) Bill: New Powers and a Makeover for the ICO

On 23 October 2024, the UK Government introduced the new Data (Use and Access) Bill (the "DUA Bill") into Parliament.

The DUA Bill, originally announced in the King's Speech of July 2024 under the name "Digital Information and Smart Data Bill", is something of a grab-bag of assorted data-related provisions, including amendments to the UK's data protection regime, provisions covering smart data schemes and improving private sector access to public sector data, digital identity verification services, changes to the structure and functioning of the Information Commissioner's Office, and more besides.

Overall, the Government intends the DUA Bill's provisions to contribute towards three key objectives:

  1. To harness the power of data to grow the economy;
  2. To improve public services and enable and support modern digital government; and
  3. To make people's lives easier.

The full text of the DUA Bill as introduced into Parliament is available here, and its explanatory notes may be read here.

In this article, the latest in our series of deep-dives into the DUA Bill's provisions, we will be looking in detail at the proposed changes to the structure and composition (and indeed, the name!) of the Information Commissioner's Office ("ICO"), as well as the new investigatory and enforcement powers that the DUA Bill would give to the regulator and the impact that these might have.

You can read the previous article in the series, in which we examined the DUA Bill's proposed changes to the UK's data protection regime, here.

You can also read the Information Commissioner's response to the Data (Use and Access) Bill here.

New structure and leadership, and a new name

As proposed under the previous government's Data Protection and Digital Information Bill ("DPDI Bill"), the DUA Bill retains plans to overhaul the UK's data protection regulator, giving it a new name and a new structure. The ICO, and the current role of the Information Commissioner, will be abolished – in place of which, a corporation will be created under the name of the Information Commission ("IC").

Up to now, the structure of the ICO, a corporation sole in the person of the Information Commissioner, has been out of step with how most other UK regulators – such as Ofcom or the Financial Conduct Authority – are organised. Generally, these are structured as full corporations with a board comprised of executive and non-executive members, a chairperson, and a distinct chief executive.

The new IC will be structured along these lines and will therefore look much more like a "typical" UK regulator. It will be a full corporation with between 3 and 14 board members – the Secretary of State being required to decide on the exact number. There will be a mix of executive and non-executive directors, with the Secretary of State mandated, insofar as practicable, to ensure that the non-executive directors outnumber the executive directors.

The current Information Commissioner, John Edwards, will become the first chair of the IC when it comes into being, and he will continue in office for the duration of his original five-year appointment as the Commissioner, which ends in January 2027.

Subsequent chairs will be appointed by the Secretary of State "on merit" and following an "open competition", presumed to mean an interview process. Neither the chair nor any of the other non-executive members can be appointed more than once, and the maximum duration of any appointment is set at seven years. The Secretary of State will appoint the other non-executive members in consultation with the chair.

The IC will also have a chief executive, a distinct role from the chair. The first chief executive of the Commission, to be referred to as the "interim chief executive", will be appointed by the chair in consultation with the Secretary of State, and cannot be in post for more than two years. Subsequent chief executives will then be appointed by the non-executive members collectively, in consultation with the Secretary of State. The non-executive members are also responsible for deciding, in consultation with the chief executive, how many executive members to appoint and who to appoint to these posts.

When compared to the previous DPDI Bill, it is noteworthy that the new DUA Bill will not permit the government of the day to set strategic priorities for the IC, to which it must have regard when exercising its functions. The proposal of the DPDI Bill in this regard had been criticised as potentially jeopardising the regulator's independence and freedom of action, and imperilling the renewal of the UK's adequacy arrangements with the EU. With the new Labour Government clearly signalling that it considers maintaining the adequacy decision to be a key priority, it is perhaps unsurprising that this measure was not carried over into the DUA Bill.

Interview notices

The IC will gain a significant new investigatory power, under the DUA Bill, to issue "interview notices", by which it may require an individual to attend an interview in person and to answer questions. This power will be available where the IC suspects a failure to comply with the UK GDPR or the Data Protection Act 2018 ("DPA"), or that a relevant criminal offence under the DPA has been committed.

Interview notices may be issued to:

  • the controller or processor themselves, if they are an individual;
  • any individual who is currently, or who was at any time previously, employed by the controller or processor; and
  • any individual who is currently, or who was at any time previously, "concerned in the management or control" of the controller or processor.

This is notably broad in scope: interview notices may be issued not just to DPOs but to anyone in the organisation, and to former as well as current employees, with no time limit on how long ago a person may have been employed by the relevant organisation. Should these interview powers be enacted as presently drafted, without a maximum period after termination of employment during which a person remains eligible to be interviewed, we advise organisations to consider reviewing the post-termination provisions in their employment contracts to account for the possibility of an interview notice being issued to an employee after they leave the organisation.

There are carve-outs in the DUA Bill forbidding interview notices to be issued where Parliamentary or legal privilege applies. The DUA Bill also provides that an interview notice cannot require an individual to answer questions which might cause them to incriminate themselves. Notably, however, offences under the DPA are explicitly left out of this restriction, such that individuals can still be compelled to give answers to questions which might self-incriminate in respect of these offences.

It will be an offence for an individual to knowingly or recklessly make a materially false statement when being interviewed under an interview notice, and the IC will be given a power to issue a penalty notice to an individual who fails to comply with an interview notice – for example, by failing to attend at the specified time and place. Individuals will be able to appeal against an interview notice and ordinarily, such a notice will not be able to require an individual to attend and be interviewed at a time before the expiry of the appeal period – although there is an exception if the regulator considers that there is an "urgent" requirement for the individual to answer questions.

Power to require production of documents

The Bill further enhances the IC's investigatory powers by clarifying that it can require the production of specific documents, as well as specific information, under its power to issue an information notice.

The explanatory notes to the DUA Bill refer to this as a clarification of the ICO's existing powers. Nevertheless, the clarification is likely to lead the regulator to change its approach in practice – we expect that following passage of the DUA Bill, it will be more empowered to regularly require documents to be produced in the course of its investigations, which it has not typically done up to now.

Ostensibly, this clarification is intended to ensure that IC investigators are not hamstrung by needing to ask for specific information "in the dark", lacking documentary evidence to drive assessments of what potentially relevant information they should ask for – in short, having no way of knowing which are the right questions to ask.

The power to require production of documents does pose a potential risk to organisations under investigation, in that the regulator is less likely to have the full context for a particular document than if the organisation had instead provided its own explanation. Organisations should ensure that any document they provide is accompanied by an appropriate narrative explaining the context and rationale for its creation. There is also the prospect of a greater compliance burden, as organisations will need to locate and provide the specific documents requested, confirm that each is the correct and current version, and carefully review it for material that must be redacted, such as legally privileged information.

Power to require preparation of a report

In an expansion of the regulator's existing assessment notice power, the IC will now be able to mandate the production of a report, in connection with that notice, by an "approved person". This can be seen as similar to the "skilled person" regime in a financial services regulatory context. The IC will be able to specify the subject matter of the report, the form and manner in which it must be prepared, and the date by which it must be provided. The controller in receipt of the assessment notice will also be required to bear the cost of producing any such report.

When a controller receives an instruction to prepare a report, it must in the first instance nominate a person to produce it. The IC can approve that person if it believes they are suitable and appropriate, but may equally refuse to give its approval. If the IC does not approve a nominated person, or if the controller fails to nominate a person within the time limit (which will be specified in the assessment notice), the IC can then appoint and approve a person of its own choosing to prepare the report.

One scenario in which it is likely that the IC will make use of this power is in the context of personal data breaches. It may use this power, for example, to require the production of a report into the suitability (or otherwise) of the security measures that the controller who suffered the breach had in place at the time. Any such report prepared at the request of the IC would not have the protection of privilege in relation to disclosure to the IC, unlike many breach reports prepared with the assistance of legal counsel for internal purposes.

This could become a concern in litigation following a data breach, where claimants may seek disclosure of any such report prepared by the controller on the IC's instruction. Claimants who obtain a copy are likely to rely on its contents to advance their case in a way they could not otherwise have done. There is also the risk that, where the report finds failings or inadequacy on the part of the controller, claimants will use it to argue that the controller's breach of data protection legislation is already established and that liability has therefore already been proven, much as we have seen claimants argue that a controller's breach is already established where there is an existing ICO enforcement notice against it.

More time to issue penalty notices

Before issuing a final penalty notice, the regulator must first issue a notice of intent to the person on whom it proposes to levy the penalty. Currently, no more than six months may elapse between the date of the notice of intent and the issue of the final penalty notice. The DUA Bill will amend this so that the IC may take longer where it is "not reasonably practicable" to issue the final penalty notice within that timeframe.

The clear intent behind the change is to allow the regulator more time to investigate and resolve complex cases and to deal with oral and written representations that it might receive (from the organisation under investigation, as well as from third parties) following the initial notice of intent. In practice, it is likely to mean more complex and lengthier investigations, resulting in more time and resources spent – all of which may very well end up being more expensive for the party under investigation.

Increased PECR enforcement powers

Monetary penalties for breaches of PECR are currently capped at £500,000. Under the DUA Bill, penalties for certain breaches, including breaches of the direct marketing restrictions and prohibitions, will be brought in line with penalties under the UK GDPR and the DPA, up to a maximum of £17.5m or 4% of global annual turnover, whichever is higher. For all other PECR breaches, the maximum monetary penalty will be the higher of £8.7m or 2% of global annual turnover.

The powers related to the issuance of information, assessment, interview, enforcement and penalty notices in respect of PECR breaches (or suspected breaches) will also align with the UK GDPR and the DPA, and the relevant rights of appeal against these notices will also apply. Certain criminal offences will also apply in the context of investigating suspected breaches of PECR, including the offence of deliberately obstructing an investigation by destroying or falsifying information.

The key change to the PECR regime is the enhanced enforcement ability that the IC will have in relation to PECR violations. This reflects the regulator's continued focus on organisations' compliance with the cookie rules under PECR and its interest in the AdTech sector. Companies operating in digital advertising (or in any sector that tracks users heavily) should be aware of these reforms and prioritise compliance with PECR to avoid the heightened penalties and the regulator's attention.

Complaints

The DUA Bill creates a new right for data subjects to complain directly to controllers if they believe there has been a breach of their rights either under the UK GDPR or under some parts of the DPA.

Controllers will be required to facilitate such complaints. Specifically, controllers must "take appropriate steps" to do so – which might include "providing a complaint form to be completed electronically, or other appropriate means".

Controllers will be required to acknowledge receipt of any complaint within 30 days of it being made. They must then respond substantively to the complaint "without undue delay" (a phrase likely to invite much argument as to what does, and does not, constitute "undue delay") and take appropriate steps to respond to it. Such steps include making enquiries of the complainant about the nature of their complaint and keeping the complainant informed of its progress. Many organisations will therefore need to create a data subject complaints process (where one is not already in place) so that complaints can be handled efficiently within the required timeframes, and so that the organisation can record any justifications for delay (for example, the complexity of the issue(s) complained about, or an inability to identify the data subject as a customer).

The DUA Bill also permits the Secretary of State to make regulations which would require controllers to report the number of complaints of this sort that they receive in a given time period. It remains to be seen whether the UK Government will elect to bring in regulations to actually impose such a requirement, and if it does, when they might come into effect – for now, the DUA Bill merely creates the possibility.

Although this largely reflects how the ICO already handles data protection complaints in practice, the creation of this new right can be seen as an effort to shift the complaints burden from the regulator to controllers, as the DUA Bill also amends the UK GDPR and the DPA to remove much of the IC's own obligation to facilitate, handle and respond to complaints made directly to it. The IC will only need to handle and respond to complaints from data subjects alleging that the relevant controller has failed to satisfactorily handle and respond to an initial complaint.

Taken together, these new requirements will require controllers to take action, as they will need to implement the new complaints process and update their privacy notices to reflect the existence of the right to complain and how data subjects can pursue it, as well as investigating and responding to individual complaints (and, of course, bearing the cost of all of these).

Next up

In our next article in the series, we will consider the DUA Bill's measures to implement a statutory framework and a range of regulation-making powers for creating an array of new "smart data" schemes.

You can follow this article series, and access each article in the series as it is published, at this page on our data protection hub.