Data (Use and Access) Bill

The Data (Use and Access) Bill, which was introduced into Parliament in October 2024, represents the UK Government's attempt to roll together a series of data-related reforms and measures into a single, keystone piece of legislation.

The new Bill – becoming known as simply the "DUA Bill" – contains proposals for reforms to the UK's data protection regime and changes to the powers and composition of the regulator; measures for increasing the breadth of possibilities for pursuing smart data initiatives; improvements in public sector data sharing; data-enabled infrastructure initiatives such as the National Underground Asset Register; a new statutory scheme for digital identity verification services; and more besides.

The Government is hoping that the detailed provisions contained in the DUA Bill will contribute towards three overarching strategic objectives:

  1. To harness the power of data to grow the economy;
  2. To improve public services and enable and support modern digital government; and
  3. To make peoples' lives easier.

Besides these objectives, the Government has also indicated that it is placing great emphasis on ensuring the renewal of the UK's data protection adequacy decision with the EU, which is up for review in 2025. This explains many of the differences between the DUA Bill and the previous Government's attempts at reforming the UK's data protection regime under the Data Protection and Digital Information Bill, which never passed into law owing to the calling of the July 2024 UK general election.

You can read our article series, each looking at a particular aspect of the Bill, at the links below:

  • Key reforms to the UK's data protection regime – including:
    • A new "recognised legitimate interests" processing basis and some statutory examples of "regular" legitimate interests;
    • A new regime for international transfers;
    • The potential for ministers to add further special categories of data;
    • Important clarifications to the "purpose limitation" principle; and
    • An expansion of the types of decisions that can be made on a "solely automated" basis.
  • Changes to the ICO's powers, structure and composition - including:
    • New investigatory powers, including being able to require individuals to attend an interview when a data breach is being investigated;
    • Greater fining powers for breaches of PECR;
    • A new requirement that controllers must establish a direct complaints procedure for data subjects; and
    • A new structure, a new board, and a new name for the regulator itself – the "Information Commission".
  • (More to follow)