This article explores the ongoing journey of the data protection landscape in the UK. From its initial introduction in the House of Commons to its recent evolution in the House of Lords, we explore the key developments and amendments of the UK Data Protection and Digital Information Bill, unravelling their implications for data protection and digital governance. Investigating changes proposed by the Department for Science, Innovation and Technology and scrutinised in both parliamentary houses, we shed light on crucial aspects such as benefit fraud prevention, social media data retention, and biometric data use for national security. As many eagerly await the conclusion of this latest data protection legislation, we keep you updated on this dynamic journey and its potential impact.
The Data Protection and Digital Information Bill (Bill) was initially introduced in the House of Commons on 18 July 2022. The Bill was scheduled to have its second reading on 5 September 2022. However, following changes to the UK’s political landscape, the Bill was withdrawn on 8 March 2023. The Data Protection and Digital Information Bill (No. 2) Bill was introduced on the same date and much of the new Bill is the same as the withdrawn one.
On 7 November 2023, King Charles III announced in the King's Speech a carry-over motion for the Data Protection and Digital Information Bill (No 2) – which is now renamed as just the Data Protection and Digital Information Bill (DPDI Bill). A carry-over motion allows the DPDI Bill to continue its progress from one parliamentary year into the next. Bills that have not been passed by the end of the session in which they were introduced would otherwise fail.
The DPDI Bill received its first and second readings in the House of Commons on 08 November, and on 23 November 2023 the Department for Science, Innovation and Technology (DSIT) announced a raft of “common-sense changes” to the DPDI Bill.
Such changes include:
- Giving powers to the Department for Work and Pensions (DWP) to request data from third parties, particularly banks and financial institutions, with the aim of reducing benefit fraud by allowing regular checks on the bank accounts of benefit claimants. Currently, DWP can only undertake fraud checks on a claimant on an individual basis where there is already a suspicion of fraud.
- Introducing a “data preservation process” which compels social media companies to retain relevant personal data that may be required for investigations or inquests. This is to ensure that information vital to coroner investigations is not deleted during routine maintenance.
- Expanding the use of biometric data such as fingerprints to enhance national security, for example by allowing Counter Terrorism Police to retain biometrics of individuals posing a potential threat. The amendments align with INTERPOL's retention rules, enabling the retention of biometric data for individuals with foreign convictions, similar to those with UK convictions.
- Changing the requirement for the Secretary of State to approve any Code of Practice released by the UK’s Data Protection Regulator, the Information Commissioner’s Office (ICO) – as in the initial Bill – to instead requiring the ICO to consider recommendations by the Secretary of State on such Codes of Practice. Where it does not accept a recommendation, the ICO must provide reasons.
- A new legal basis for UK-based telecommunications companies processing personal data, special category data and criminal record data for the purposes of complying with orders issued under the UK-US Data Access Agreement.
- Clarifying that data controllers only need to conduct reasonable and proportionate searches in response to a data subject access request. This builds on the Bill's original proposals to replace the "manifestly unfounded or excessive" threshold for refusing data subject rights requests with a "vexatious or excessive" threshold.
The amendments were tabled and considered by the House of Commons at report stage on 29 November 2023 along with the 3rd reading.
The 1st reading at the House of Lords took place on 06 December 2023 with the 2nd reading on 19 December 2023. The date for the Committee Stage at the House of Lords is yet to be announced.
On 18 December, the ICO published its updated response to the DPDI Bill and stated that at the House of Commons Committee Stage, government made some positive changes in response to ICO's comments. Notable changes that the ICO has expressed support for include:
- the definition of vexatious requests;
- the drafting of safeguards for processing for research purposes; and
- the extension of the reporting period for personal data breaches under PECR from 24 to 72 hours to align with UK GDPR.
The ICO acknowledges these changes but underscores that the majority of their initial comments remain unaddressed. These include:
- the proposed power to require information for social security purposes: the ICO states that the measure lacks sufficient safeguards as currently drafted in the DPDI Bill and calls for clearer limitations on the scope of the power, specification of covered organisations, and improved use restrictions.
- the potential for use of automated decision-making and processing of special category data under the basis of social security – particularly in the context of giving powers to DWP to obtain financial details of claimants from banks in cases of benefit fraud, urging government transparency and appropriate safeguards.
- the lack of a requirement for data controllers to protect data subjects' rights where the disproportionate effort exemption applies.
On 20 December 2023, an overview of the expected impact of changes arising from the DPDI Bill following Committee Stage and Report Stage was published.
One of the changes reviewed for impact is the framework for Digital Verification Services (DVS) in the UK, which aims to ensure digital identities and attributes match the reliability of paper documents. This is to assist HMRC’s information sharing, prohibiting unauthorised disclosure and stipulating criminal penalties for wrongful disclosure. Amendments extend these safeguards to cover data shared by Revenue Scotland (RS) and the Welsh Revenue Authority (WRA), introducing criminal offences for unauthorised disclosure. The aim is to bolster confidence in Welsh and Scottish tax systems, aligning protections with those in place for HMRC.
We wait eagerly to see whether this continued momentum behind the DPDI Bill means that Royal Assent will be received before the next general election expected in 2025 and before the expiration of the UK’s adequacy status in June 2025.