Data (Use and Access) Bill: What Is It and How Does It Impact UK Businesses?

On Oct. 23, the Data (Use and Access) Bill was officially published and received its first reading in the U.K. House of Lords. By allowing broader access to consumer data for the improvement of public services, the bill will boost the economy by £10 billion, according to the government.

The legislation includes new rules around sharing data in sectors like healthcare, law enforcement, and utilities, which will improve efficiency, ultimately leading to cost savings. For example, utility companies now have to disclose the locations of their underground infrastructure for a national map of pipes and cables that will reduce the risk of accidents when digging.

Furthermore, data sharing will allow for the development of digital verification services, digitised birth and death records, and “smart data” schemes that allow businesses and consumers to securely share their information with third parties for, say, personalised financial advice. Researchers within online safety and child protection will also be given easier access to data from internet service providers.

This bill was expected to be named the “Digital Information and Smart Data Bill,” as this is how it was listed in the background notes of the King’s Speech from July. It came after a previous iteration put forward by the former Conservative government, the “Data Protection and Digital Information Bill,” was withdrawn.

Because the DUA bill impacts more than just a handful of sectors, U.K. businesses should be aware of whether they need to make any process changes relating to data. Indeed, the bill empowers authorities to impose penalties for non-compliance.

TechRepublic breaks down what regulatory changes have been made and how your business can comply.

What changes has the DUA bill made?

The 262-page bill establishes many new rules, but here are the key ones to know.

Access to customer and business data

The bill gives the Secretary of State and Treasury power to set regulations on accessing customer and business data. This includes:

• Providing data directly to customers or authorised third parties.
• Enforcing data processing standards and compliance through designated “interface bodies.”
• Imposing financial penalties on organisations that fail to comply with data access regulations.

Digital verification services

The DUA bill establishes a regulatory framework for services that verify digital identities, including:

• Creating a trust framework for digital verification and codes of conduct.
• Registration of approved services and issuance of a “trust mark” for verified providers.
• Allowing the Secretary of State to mandate standards for these services to ensure accuracy and privacy.

National underground asset register

The bill creates a national register of underground assets — such as power, water, and utility pipes — in England, Wales, and Northern Ireland to facilitate public safety and infrastructure maintenance.

Digitised registers of births and deaths

The bill updates methods for maintaining and accessing records of births and deaths, enabling digital formats rather than paper.

Data protection and privacy

New rules were established for lawful data processing, including special categories of data subject’s rights and automated decision-making, in compliance with the Data Protection Act 2018 and GDPR.

Businesses must be transparent about when relevant decisions are made by an AI system or algorithm, and must give individuals the option to request human oversight. Data subjects, anyone whose data is held by an organisation, also have the right to request access, corrections, deletion, or restrictions. Organisations must provide mechanisms for complaints about data processing.

Electronic communications

Regulations have been set around electronic communications to protect individual privacy, including rules on personal data breaches and device data storage. It revises the existing Privacy and Electronic Communications Regulations, for example, mandating specified periods within which organisations must report personal data breaches to the Information Commissioner.

Information Commission and coordination with other regulatory bodies

The Information Commission now oversees data regulation, replacing the Information Commissioner, and coordinates with other regulatory bodies such as the Financial Conduct Authority for the financial sector. This prevents any conflicts or overlaps in regulation.

Data use for public services and research

The bill allows for personal data to be used to improve public service delivery and for research purposes, including online safety and child protection, in a similar way to the E.U.’s Digital Services Act. As part of this, internet service providers must retain information in specific cases, such as the investigation of minors’ deaths.

SEE: Google, Meta Criticise U.K. and E.U. AI Regulations

Must-read security coverage

• UK Police Convicts Pair in £5.5 Billion Bitcoin Launder Case
• Blackpoint Cyber vs. Arctic Wolf: Which MDR Solution is Right for You?
• How GitHub Is Securing the Software Supply Chain
• 8 Best Enterprise Password Managers

What do businesses need to do to comply with the bill?

1. Ensure customers can request access to their data and that authorised third parties can access the data upon customer approval.
2. Provide transparency on data relating to goods, services, and digital content provided by the business, including feedback, pricing, and terms of use.
3. Depending on industry requirements, companies may need to join or set up “interface bodies” that manage data access systems and enforce standards. For businesses in financial services, compliance with the Financial Conduct Authority interface rules may be required.
4. If the business provides digital verification services, it must adhere to a digital verification “trust framework” and codes of conduct outlined by the bill.
5. Ensure that the handling of customer and business data, especially that relating to health, biometrics, or finance, aligns with GDPR and respect data subjects’ rights.
6. If using automated decision-making, especially with personal data, verify that the process meets lawful requirements and include transparency and safeguards to allow data subjects to challenge decisions.
7. Maintain detailed records of all data collection, processing, and sharing practices and conduct internal audits to verify compliance to avoid violations.
8. Update privacy policies to clearly explain data usage, third-party sharing, and the rights customers have under the bill.
9. Prepare data sharing agreements for third-party providers that outline the responsibilities and compliance obligations of each party in accordance with the bill.
10. Establish structured processes for handling complaints related to data access and handling, which may include involving external adjudicators or legal appeals.
11. Some businesses may be subject to a levy to fund regulatory bodies or interface services. They must budget for and pay the applicable fees.
12. If your business determines fees for access to data or services related to data, ensure compliance with the bill’s fee-setting guidelines.

Note: Businesses in financial services or health and social care may have additional sector-specific rules and exemptions to follow.

Technologies to consider

Businesses may want to consider investing in new technologies to aid compliance with the DUA bill, such as:

• Data access and management platforms: These help manage data access requests and track compliance. For example, Informatica.
• Customer data platforms: These centralise customer data, aiding with transparency. For example, Salesforce Data Cloud.
• Digital identity verification systems: The government has provided a list of certified services. For example, Onfido.
• Data privacy and consent management solutions: These tools manage customer consent and ensure compliant data handling. For example, OneTrust.
• Data protection and encryption solutions: These protect data to ensure security compliance. For example, Microsoft Purview Information Protection.
• Data subject access request automation tools: These help manage requests for personal data. For example, OneTrust.
• Data compliance monitoring systems: Such tools continuously assess whether an organisation is adhering to regulatory requirements. For example, SAP Master Data Governance.
• Complaint resolution management tools: These do what they say on the tin! For example, Zendesk.

What is a digital identity?

A digital identity, or digital ID, is a digital representation of an individual’s information, such as their name, age, address, and biometrics, which can be used to confirm who is behind the screen. Digital IDs can be used to verify a person’s identity online without the need for presenting a copy of their passport or other physical ID.

Naturally, there is a risk of fraud that accompanies any form of ID, be it physical or digital. To help alleviate that, the DUA aims to establish a Digital Verification Service — a regulatory framework for services that verify digital IDs. The Service will assess companies that provide identity verification tools, ensuring they are secure and respect privacy rights, and provide them with a “trust mark.”

“Digital IDs have the potential to transform how we complete everyday tasks, such as purchasing age-restricted goods and services, collecting parcels, opening bank accounts, and even moving house.” Julie Dawson, the chief policy and regulatory officer for digital identity company Yoti, told TechRepublic in an email. “This Bill opens up further opportunities to make life simpler for U.K. citizens by expanding the practical applications of digital IDs.”

However, the government must move quickly to avoid falling behind other countries in this arena, Dawson said. She told TechRepublic: “To fully realise the growth benefits and convenience for citizens, it’s crucial that the Government sets a short timeframe to publish the DVS Register and ensures that more departments begin leveraging it for a variety of services.”

What do digital identity providers need to do to meet the government’s standards?

Companies that provide and verify digital identities must do the following to receive a trust mark by the Digital Verification Service:

• Register with the DVS: The DVS maintains records of compliant digital verification providers.
• Adhere to standards: They must hold a certificate from an accredited conformity assessment body that certifies their services comply with the rules set in the DVS trust framework.
• Meet application and compliance requirements: They must adhere to supplementary codes, pay applicable fees and comply with standards on an ongoing basis.

What’s next?

The DUA bill has been published but still has to go through several stages before full enactment. The date for the second reading in the House of Lords. The next step has yet to be announced.

However, the Data Protection and Digital Information Bill, upon which a lot of the DUA bill was based, had progressed a lot further before the Conservative party left power in July, suggesting there shouldn’t be any significant roadblocks.