What does the Bill do?

While the Bill seems to focus more on matters such as the introduction of smart data schemes, unlocking the power of data to improve public services and legislating on digital verification services, it does propose making various changes to the UK’s framework for regulating the processing of personal data as set out in the UK GDPR and Data Protection Act 2018. Among other things, this will include changes relating to:

• processing for research purposes;
• the lawful grounds for processing personal data;
• automated decision-making;
• international data transfers; and
• a new corporate structure and stronger enforcement powers for the Information Commissioner’s Office, replacing it with an ‘Information Commission’.

A new lawful ground for processing personal data will be created, where processing is necessary for the purposes of a ‘recognised legitimate interest’. This will include important public interest grounds such as safeguarding vulnerable adults and children, safeguarding national security, public security and defence, or where a public authority requests information that may include personal data. This stems from the government’s desire to encourage personal data processing and sharing for important public interest scenarios, amid concerns that the current rules may result in delay or failure to process and share.

Unlike its predecessor, this new Bill doesn’t propose changes to the requirements for organisations to appoint a data protection officer and keep processing records.

The Bill also proposes changes to the Privacy and Electronic Communications Regulations 2003, including increasing the fines for breaches to align with the UK GDPR.

In his response, the Information Commissioner welcomed the Bill as ‘a positive and balanced package of reforms’. In addition to commenting on the proposed changes to the data protection framework, which he described as ‘pragmatic and proportionate’, the Information Commissioner also welcomed ‘the renewed focus on broader measures distinct from the data protection framework that will support growth, trust and engagement with the digital economy and improved delivery of public services’.

The Information Commissioner says that a top priority is the certainty provided by a positive EU adequacy decision. His view is that the proposed reforms should not present a risk to the UK’s adequacy status.

Data reform: How we can support you

As we said at the outset, this new Bill is in its infancy and may be subject to change before it becomes law, so this is very much a first cut of the government’s ambitions and desires for change in the UK’s data protection framework and wider data reform. We’ll be monitoring and reporting on developments as the Bill progresses. In the meantime, if you have any queries about how the proposed legislation might affect your organisation, or you need help with any data protection compliance matter, please contact Andrew Northage, Nick Stubbs or Sally Mewies.