Data (Use and Access) Bill: What Is It and How Does It Impact UK Businesses?

On Oct. 23, the Data (Use and Access) Bill was officially published and received its first reading in the U.K. House of Lords. By allowing broader access to consumer data for the improvement of public services, the bill will boost the economy by £10 billion, according to the government.

The new legislation includes new rules around sharing data in sectors like healthcare, law enforcement, and utilities, which will improve efficiency, ultimately leading to cost savings. For example, utility companies now have to disclose the locations of their underground infrastructure for a national map of pipes and cables that will reduce the risk of accidents when digging.

Furthermore, data sharing will allow for the development of digital verification services, digitised birth and death records, and “smart data” schemes that allow businesses and consumers to securely share their information with third parties for, say, personalised financial advice. Researchers within online safety and child protection will also be given easier access to data from internet service providers.

This bill was expected to be named the “Digital Information and Smart Data Bill,” as this is how it was listed in the background notes of the King’s Speech from July. It came after a previous iteration put forward by the former Conservative government, the “Data Protection and Digital Information Bill,” was withdrawn.

Because the DUA bill impacts more than just a handful of sectors, U.K. businesses should be aware of whether they need to make any process changes relating to data. Indeed, the bill empowers authorities to impose penalties for non-compliance.

TechRepublic breaks down what regulatory changes have been made and how your business can comply.

What changes has the DUA bill made?

The 262-page bill establishes many new rules, but here are the key ones to know.

Access to customer and business data

The bill gives the Secretary of State and Treasury power to set regulations on accessing customer and business data. This includes:

• Providing data directly to customers or authorised third parties.
• Enforcing data processing standards and compliance through designated “interface bodies.”
• Imposing financial penalties on organisations that fail to comply with data access regulations.

Digital verification services

The DUA bill establishes a regulatory framework for services that verify digital identities, including:

• Creating a trust framework for digital verification and codes of conduct.
• Registration of approved services and issuance of a “trust mark” for verified providers.
• Allowing the Secretary of State to mandate standards for these services to ensure accuracy and privacy.

National underground asset register

The bill creates a national register of underground assets — such as power, water, and utility pipes — in England, Wales, and Northern Ireland to facilitate public safety and infrastructure maintenance.

Digitised registers of births and deaths

The bill updates methods for maintaining and accessing records of births and deaths, enabling digital formats rather than paper.

Data protection and privacy

New rules were established for lawful data processing, including special categories of data subject’s rights and automated decision-making, in compliance with the Data Protection Act 2018 and GDPR.

Businesses must be transparent about when relevant decisions are made by an AI system or algorithm, and must give individuals the option to request human oversight. Data subjects, anyone whose data is held by an organisation, also have the right to request access, corrections, deletion, or restrictions. Organisations must provide mechanisms for complaints about data processing.

Electronic communications

Regulations have been set around electronic communications to protect individual privacy, including rules on personal data breaches and device data storage. It revises the existing Privacy and Electronic Communications Regulations, for example, mandating specified periods within which organisations must report personal data breaches to the Information Commissioner.

Information Commission and coordination with other regulatory bodies

The Information Commission now oversees data regulation, replacing the Information Commissioner, and coordinates with other regulatory bodies such as the Financial Conduct Authority for the financial sector. This prevents any conflicts or overlaps in regulation.

Data use for public services and research

The bill allows for personal data to be used to improve public service delivery and for research purposes, including online safety and child protection, in a similar way to the E.U.’s Digital Services Act. As part of this, internet service providers must retain information in specific cases, such as the investigation of minors’ deaths.

SEE: Google, Meta Criticise U.K. and E.U. AI Regulations

What do businesses need to do to comply with the bill?

1. Ensure customers can request access to their data and that authorised third parties can access the data upon customer approval.
2. Provide transparency on data relating to goods, services, and digital content provided by the business, including feedback, pricing, and terms of use.
3. Depending on industry requirements, companies may need to join or set up “interface bodies” that manage data access systems and enforce standards. For businesses in financial services, compliance with the Financial Conduct Authority interface rules may be required.
4. If the business provides digital verification services, it must adhere to a digital verification “trust framework” and codes of conduct outlined by the bill.
5. Ensure that the handling of customer and business data, especially that relating to health, biometrics, or finance, aligns with GDPR and respect data subjects’ rights.
6. If using automated decision-making, especially with personal data, verify that the process meets lawful requirements and include transparency and safeguards to allow data subjects to challenge decisions.
7. Maintain detailed records of all data collection, processing, and sharing practices and conduct internal audits to verify compliance to avoid violations.
8. Update privacy policies to clearly explain data usage, third-party sharing, and the rights customers have under the bill.
9. Prepare data sharing agreements for third-party providers that outline the responsibilities and compliance obligations of each party in accordance with the bill.
10. Establish structured processes for handling complaints related to data access and handling, which may include involving external adjudicators or legal appeals.
11. Some businesses may be subject to a levy to fund regulatory bodies or interface services. They must budget for and pay the applicable fees.
12. If your business determines fees for access to data or services related to data, ensure compliance with the bill’s fee-setting guidelines.

Note: Businesses in financial services or health and social care may have additional sector-specific rules and exemptions to follow.

Technologies to consider

Businesses may want to consider investing in new technologies to aid compliance with the DUA bill, such as:

• Data access and management platforms: These help manage data access requests and track compliance. For example, Informatica.
• Customer data platforms: These centralise customer data, aiding with transparency. For example, Salesforce Data Cloud.
• Digital identity verification systems: The government has provided a list of certified services. For example, Onfido.
• Data privacy and consent management solutions: These tools manage customer consent and ensure compliant data handling. For example, OneTrust.
• Data protection and encryption solutions: These protect data to ensure security compliance. For example, Microsoft Purview Information Protection.
• Data subject access request automation tools: These help manage requests for personal data. For example, OneTrust.
• Data compliance monitoring systems: Such tools continuously assess whether an organisation is adhering to regulatory requirements. For example, SAP Master Data Governance.
• Complaint resolution management tools: These do what they say on the tin! For example, Zendesk.

What’s next?

The DUA bill has been published but still has to go through several stages before full enactment. The date for the second reading in the House of Lords. The next step has yet to be announced.

However, the Data Protection and Digital Information Bill, upon which a lot of the DUA bill was based, had progressed a lot further before the Conservative party left power in July, suggesting there shouldn’t be any significant roadblocks.