Peer Review - Part IV
“Peers appeared to have rather run out of steam by the final Grand Committee scrutiny session in relation to the Data (Use and Access) Bill, with interventions largely related to introducing new provisions relevant to their own personal pet projects rather than engaging with the substance of the Bill itself, which will now proceed to full consideration by the House of Lords at Report stage in early 2025. These included addressing AI generated sexually explicit content, AI and copyright, the reliability of computer evidence and the establishment of sovereign data assets. Attempts to amend the Computer Misuse Act 1990 show no sign of abating, despite being ill-advised. ”
The fourth and final session of the House of Lords’ Grand Committee’s scrutiny of the Data (Use and Access) Bill took place on 18 December 2024, when peers continued and concluded their consideration of the provisions of Part 5 of the Bill relating to Data protection and privacy, as well as Parts 6-8, examining clauses 90 - 138 Data (Use and Access) Bill:
Clause 90 Duties of the Commissioner in carrying out functions
Clause 91 Codes of practice for the processing of personal data
Clause 92 Codes of practice: panels and impact assessments
Clause 93 Manifestly unfounded or excessive requests to the Commissioner
Clause 94 Analysis of performance
Clause 95 Notices from the Commissioner
Clause 96 Power of the Commissioner to require documents
Clause 97 Power of the Commissioner to require a report
Clause 98 Assessment notices: removal of OFSTED restriction
Clause 99 Interview notices
Clause 100 Penalty notices
Clause 101 Annual report on regulatory action
Clause 102 Complaints by data subjects
Clause 103 Court procedure in connection with subject access requests
Clause 104 Consequential amendments to the EITSET Regulations
Clause 105 Protection of prohibitions, restrictions and data subject’s rights
Clause 106 Regulations under the UK GDPR
Clause 107 Further minor provision about data protection
Clause 108 The PEC Regulations
Clause 109 Interpretation of the PEC Regulations
Clause 110 Duty to notify the Commissioner of personal data breach: time periods
Clause 111 Storing information in the terminal equipment of a subscriber or user
Clause 112 Emergency alerts: interpretation of time periods
Clause 113 Commissioner’s enforcement powers
Clause 114 Codes of conduct
Clause 115 The Information Commission
Clause 116 Abolition of the office of Information Commissioner
Clause 117 Transfer of functions to the Information Commission
Clause 118 Transfer of property etc to the Information Commission
Clause 119 Information standards for health and adult social care in England
Clause 120 Grant of smart meter communication licences
Clause 121 Disclosure of information to improve public service delivery to undertakings
Clause 122 Retention of information by providers of internet services in connection with death of child
Clause 123 Information for research about online safety matters
Clause 124 Retention of biometric data and recordable offences
Clause 125 Retention of pseudonymised biometric data
Clause 126 Retention of biometric data from INTERPOL
Clause 127 The eIDAS Regulation
Clause 128 Recognition of EU conformity assessment bodies
Clause 129 Removal of recognition of EU standards etc
Clause 130 Recognition of overseas trust products
Clause 131 Co-operation between supervisory authority and overseas authorities
Clause 132 Time periods: the eIDAS Regulation and the EITSET Regulations
Clause 133 Power to make consequential amendments
Clause 134 Regulations
Clause 135 Extent
Clause 136 Commencement
Clause 137 Transitional, transitory and saving provision
Clause 138 Short title
Lord Clement-Jones had proposed an amendment to introduce a new provision to restrict the ICO from issuing repeated reprimands within a three year period to the same controller or processor (Amendment 144), and a further amendment to require the ICO to publish an annual report on its regulatory enforcement activities in each part of the UK (Amendment 144A), albeit these were ultimately not moved. Lord Clement-Jones also proposed to introduce a right of appeal for data subjects against the regulator’s decisions in respect of their complaints (Amendment 151) and to require Tribunal Procedure Rules specific to data protection disputes to be introduced (Amendment 152), accompanying his proposal to transfer jurisdiction for data protection disputes from the courts to the First-Tier Tribunal (Information Rights). He further proposed an amendment to impose a framework for decision-making in relation to Schedule 2 Data Protection Act 2018 exemptions, including the exemption for processing for the purposes of journalism, art or literature which would contradict the regulator’s current guidance on its application (Amendment 154) and similarly in respect of exemptions under Schedule 3 (Amendment 155) and Schedule 4 (Amendment 156).
Lord Holmes proposed Amendment 156A which was framed as incorporating a new definition of unauthorised access to computer programs or data under the Computer Misuse Act 1990, but which would have the effect of introducing a carve out to the offences under that Act if the person reasonably believed that the owner would have consented. This was coupled with Amendment 156B which would introduce new defences to offences under the Computer Misuse Act 1990 if the conduct was “necessary for the detection or prevention of crime” or otherwise in the public interest. The introduction of a carve out or defence to offences under the Computer Misuse Act 1990 has been the subject of intense lobbying over several years by parts of the industry who want to be able to conduct vulnerability scanning, other penetration testing activities and even wider conduct without the consent of network, system and device owners, any obligation to maintain records, to notify the owner of any vulnerabilities identified, standards of conduct or minimum qualification requirements, obligations in relation to any data accessed and/or downloaded etc. When the government consulted on potential changes, we submitted a response to the consultation arguing that while we were in favour of efforts to boost the UK’s cyber resilience and grow the cyber security sector, we strongly objected to the proposals. Having participated in the roundtables hosted by the Home Office on the matter, we understand that the proposals are not supported by the law enforcement community. Lord Holmes argued that these amendments were “desperately and urgently” needed and was supported by Lord Clement-Jones, Lord Arbuthnot, Lord Bethell and Viscount Camrose. The government responded indicating that “engagement to date has not produced a consensus on the issue, even within the industry, and that is holding us back at this moment—but we are absolutely determined to move forward with this and to reach a consensus on the way forward”.
Consequently, Amendment 156A was withdrawn and Amendments 156B and 157 were not moved.
Viscount Camrose proposed a new provision requiring the Secretary of State and data protection regulator to carry out a risk assessment of genomics and DNA companies headquartered in countries deemed to be systemic competitors or hostile actors (Amendment 199). In light of the Government’s position that a risk assessment had been conducted under the auspices of the UK Biological Security Strategy of 2023 and that it intended to brief the Joint Committee on the National Security Strategy, the Government requested that the amendment be withdrawn and Viscount Camrose obliged.
Baroness Kidron proposed a new provision to create an offence of using personal data or digital information to facilitate the creation of AI or computer generated CSAM (Amendment 203). This was supported by Baroness Owen who also put forward the Private Member’s Bill, the Non-Consensual Sexually Explicit Images and Videos (Offences) Bill. Baroness Owen also proposed an amendment drawn from her Bill to create offences for the non-consensual digital creation of sexually explicit photographs and video (Amendment 211G) and a further amendment in relation to digital creation of sexually explicit audio (Amendment 211H). The Government indicated that it intended to bring forward its own legislation to address these amendments in the current Parliamentary session.
Baroness Kidron proposed an amendment requiring the Secretary of State to make regulations on compliance with the Copyright, Designs and Patents Act 1988 by operators of web crawlers and generative AI models (Amendment 204). Further amendments addressed transparency of crawling for web scraping. Lord Vallance, on behalf of the Government, asserted that “we have a system where it is unclear what the rights are and how they are being protected” on the issue of copyright and web scraping and rejected the proposition that such conduct is “theft”.
Baroness Kidron further proposed an amendment to revise the presumption as to the reliability of computer evidence in light of the Post Office Horizon scandal (Amendment 207). The Government stated that it was “actively considering this matter and will announce next steps in the new year”.
Finally, Baroness Kidron proposed to establish the concept of sovereign data assets in respect of data held by public bodies and arms-length bodies and a special licensing system in connection with such assets (Amendment 211), concerned that “The speed at which the Government are giving access to our data is swifter than the plans to protect its financial or societal value”. The Government asserted that this was an “active area of policy development for the Government”.
Lord Holmes proposed an amendment requiring a consultation on the energy and resource use and efficiency of data centres (Amendment 211B), among others, and the Government committed to writing to him in relation to them.
Clause 90 Duties of the Commissioner in carrying out functions
Clause 90 Data (Use and Access) Bill would introduce new obligations on the data protection regulator when carrying out its duties, establishing a principal objective not only to secure an appropriate level of protection for personal data but also to promote public trust and confidence in the processing of personal data, supplemented by other factors such as the “desirability of promoting innovation”, expanding on the existing obligation under section 108 Deregulation Act 2015 to “have regard to the desirability of promoting economic growth” in the exercise of its functions. Clause 90 would also require the regulator to prepare and publish a strategy and consult with other regulators.
Lord Clement-Jones’ Amendment 134, which would have required the regulator to ensure that UK data protection legislation was “fully enforced with all due diligence”, was considered during the debate on 16 December. Baroness Kidron proposed Amendment 135 to replace the proposed requirement for the regulator to have regard to “the fact that children may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing” with an obligation to have regard to “the fact that children are entitled to a higher standard of protection than adults with regard to their personal data”.
Lord Lucas proposed to replicate the regime introduced in respect of Ofcom’s online safety duties under the Online Safety Act 2023 by establishing a mechanism for the Secretary of State to designate a statement of strategic priorities for the regulator (Amendment 135A), but ultimately this amendment was not moved.
Clause 90 was agreed as introduced without further debate.
Clause 91 Codes of practice for the processing of personal data
Clause 91 Data (Use and Access) Bill would replace section 128 Data Protection Act 2018 with a power for the Secretary of State to require the regulator to prepare additional codes of conduct, over and above the data-sharing code, direct marketing code, age-appropriate design code and data protection and journalism code currently required by sections 121 - 124 Data Protection Act 2018, and to consult with the Secretary of State before preparing such a code.
Clause 91 was agreed as introduced without further debate.
Clause 92 Codes of practice: panels and impact assessments
Clause 92 Data (Use and Access) Bill would require the regulator to establish a panel comprised of experts, those likely to be affected by the code and their representatives, to consider and report upon drafts of all new or amended codes of practice. The regulator would also be required to publish impact assessments in respect of any code or amended code.
As we highlighted in our comprehensive briefing on the Data (Use and Access) Bill, while the regulator is already subject to public law duties to consult, the panel process and the requirement that the regulator publicly justify any failure to implement a proposed amendment, in relation to the data protection and journalism code of conduct in particular, is likely to result in more detailed analysis and calls for more stringent measures to be implemented by vocal proponents of a more accountable press, with the process used to leverage concessions.
The government proposed an amendment to its own Bill (Amendment 136) to provide that the Secretary of State could disapply the panel process by making regulations in respect of codes or amendments to codes made under the proposed new section 124A Data Protection Act 2018.
Baroness Kidron proposed Amendment 137 to introduce an additional provision requiring a code on children and AI to be prepared, but this was not moved. Lord Clement-Jones proposed an amendment requiring a code to be prepared on the processing of the personal data of children or pupils in education (Amendment 138) and Baroness Kidron proposed an alternate amendment with the same aim (Amendment 141). Both proposals were driven by particular concern regarding the need for clarity, the impact of edtech and AI on children and young people, as well as use of the national pupil database. In principle, the proposal secured support from peers from all major parties and none. Nevertheless, the Government rejected the proposals with the justification that “The Government are open-minded about exploring the merits of this further with the ICO, but it would be premature to include these requirements in the Bill”. Ultimately, Amendment 138 was withdrawn and Amendments 139 - 141 were not moved.
Clause 92 was agreed as amended by Amendment 136.
Clause 93 Manifestly unfounded or excessive requests to the Commissioner
Clause 93 was agreed as introduced without debate.
Clause 94 Analysis of performance
Clause 94 Data (Use and Access) Bill would introduce a requirement on the regulator to report at least annually on its own performance based on key performance indicators.
Clause 94 was agreed as introduced without debate.
Clause 95 Notices from the Commissioner
Clause 95 Data (Use and Access) Bill would replace section 141 Data Protection Act 2018 with a new clause 141A and would for the first time permit official notices to be served by the regulator by email. Viscount Camrose had proposed Amendments 142 and 143 to prevent this, but these were ultimately not moved.
Clause 95 was agreed as introduced without debate.
Clause 96 Power of the Commissioner to require documents
The effect of clause 96 Data (Use and Access) Bill is to permit the regulator to require the provision of documents as well as information.
Clause 96 was agreed as introduced without further debate.
Clause 97 Power of the Commissioner to require a report
Clause 97 Data (Use and Access) Bill effectively permits the regulator to outsource its investigations at the controller or processor’s cost by directing a controller or processor subject to an assessment notice to nominate a person to prepare a report about the controller or processor’s processing activities, and if that person is deemed to be suitable by the regulator, for that person to prepare the report and provide it to the regulator in accordance with the regulator’s instructions as to the preparation of the report, its content and presentation and time for delivery.
Clause 97 was agreed as introduced without further debate.
Clause 98 Assessment notices: removal of OFSTED restriction
The effect of clause 98 Data (Use and Access) Bill would be to remove the exemption at section 147(6)(b) Data Protection Act 2018, which prevents the regulator from issuing an assessment notice to the Office for Standards in Education, Children’s Services and Skills (Ofsted) in so far as it is a controller or processor in respect of information processed for the purposes of functions exercisable by Her Majesty’s Chief Inspector of Education, Children’s Services and Skills by virtue of section 5(1)(a) of the Care Standards Act 2000.
Clause 98 was agreed as introduced without further debate.
Clause 99 Interview notices
Clause 99 Data (Use and Access) Bill would grant the regulator a new enforcement power to require an individual (being themselves the controller or processor, or an employee or staff member of a controller or processor, or otherwise concerned in their management or control) to attend an interview, usually on at least 24 hours’ notice but with less in cases deemed by the regulator to be urgent, to answer questions in circumstances where the regulator is investigating whether an offence has been committed under the Data Protection Act 2018 or a failure by the controller or processor under section 149(2) Data Protection Act 2018, i.e. a breach of the data protection principles, data subject rights, the obligations of controllers or processors, the obligations to communicate a data breach or restrictions on international data transfers.
It would be an offence in and of itself for an individual to make a statement knowingly or recklessly which is false in a material respect in response to an interview notice. The Bill would propose to prevent the regulator from relying on a statement made during an interview subsequent to an interview notice in ensuing criminal proceedings unless the individual gave evidence inconsistent with the earlier statement and the earlier statement is the subject of evidence adduced by, or a question relating to it is asked by or on behalf of, the individual. Given that the individual may not themselves be the controller or processor, and would therefore not necessarily be adducing any evidence or have questions posed by legal representatives on their behalf, it isn’t clear whether this provision is intended to or, if it is, whether it would be sufficient to, enable inconsistent statements relied upon by the controller or processor and made by their staff to be relied upon.
The Bill is silent as to whether individuals subject to an interview notice would be entitled to be accompanied by a legal or other representative, or whether such notices are required to be treated as confidential. The Bill does not propose to make such interviews subject to the safeguards imposed by the Police and Criminal Evidence Act 1984 or its related codes of practice, such as the right to remain silent, to give suspects a caution or requirements relating to the recording of interviews.
Individuals would not be required, however, to answer questions where the answer: would infringe a privilege of the Houses of Parliament; would relate to communications protected by legal advice privilege and concerning data protection; would relate to communications protected by litigation privilege and concerning proceedings related to data protection; or, would incriminate the individual except where the offence would be under the Data Protection Act 2018 or would involve the offences of perjury other than on oath and its equivalent in Scotland and Northern Ireland.
The Bill would prohibit the regulator from issuing interview notices in respect of processing for the special purposes of journalism, art or literature or where the controller or processor under investigation is a body dealing with security matters.
Clause 99 was agreed as introduced without further debate.
Clause 100 Penalty notices
Clause 100 Data (Use and Access) Bill would remove the time limit under Schedule 16 paragraph 2 Data Protection Act 2018 on the regulator to issue a penalty notice within 6 months of the notice of intent and, instead, the regulator would be entitled to impose a penalty notice or provide written notice that no penalty notice will be issued within 6 months or as soon as reasonably practicable thereafter.
Clause 100 was agreed as introduced without further debate.
Clause 101 Annual report on regulatory action
Clause 101 Data (Use and Access) Bill would require the regulator to produce an annual report on its regulatory action during the relevant reporting period, detailing: the number of investigations it has opened, continued or completed; the acts and omissions that were the subject of the investigation, including the investigations which related to processing under Parts 3 and 4 Data Protection Act 2018 respectively; the enforcement powers exercised in the investigations; the length of investigations; the outcomes of investigations; the number of penalty notices issued more than 6 months after the notice of intent was issued and the reason(s) for it; and, how the regulator had regard to its regulatory action guidance.
Baroness Kidron proposed an amendment to require the regulatory action report to also separately address actions related to children, its enforcement of the Age Appropriate Design Code and compliance with its child-related duties (Amendment 145), but this amendment was not moved.
Clause 101 was agreed as introduced without further debate.
Clause 102 Complaints by data subjects
Clause 102 Data (Use and Access) Bill would implement a new formal right of complaint for data subjects to the relevant data controller where they believe that there has been an infringement of the UK GDPR or Part 3 Data Protection Act 2018, and controllers would be required to facilitate such complaints as well as acknowledge the complaint within 30 days of receipt, albeit that there would be no statutory timeline for providing a substantive response to the complaint. Controllers would be obliged to take appropriate steps in relation to the complaint and inform the data subject of the outcome. The Secretary of State would be entitled to make regulations requiring controllers to report the number of complaints received to the regulator. The right to make a complaint to the Commissioner is required to be included in the information to be provided to data subjects.
Clause 102 was agreed as introduced without debate.
Schedule 10 Complaints: minor and consequential amendments
Schedule 10 was agreed as introduced without debate.
Clause 103 Court procedure in connection with subject access requests
Clause 103 Data (Use and Access) Bill would make provision for courts determining subject access requests to require the controller to provide the disputed information for the court’s review but preventing the court from ordering disclosure to the claimant unless and until it rules in the claimant’s favour.
Lord Clement-Jones proposed several amendments that would result in jurisdiction to determine data protection disputes being transferred from the courts to the First-Tier Tribunal (Information Rights) (Amendments 146-150), but these were not moved.
Clause 103 was agreed as introduced without debate.
Clause 104 Consequential amendments to the EITSET Regulations
Clause 104 Data (Use and Access) Bill would amend the regulator’s enforcement powers under the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696).
Clause 104 was agreed as introduced without debate.
Clause 105 Protection of prohibitions, restrictions and data subject’s rights
Clause 105 was agreed as introduced without debate.
Clause 106 Regulations under the UK GDPR
Clause 106 was agreed as introduced without debate.
Clause 107 Further minor provision about data protection
Clause 107 was agreed as introduced without debate.
Schedule 11 Further minor provision about data protection
Schedule 11 Data (Use and Access) Bill was agreed as introduced without debate.
Clause 108 The PEC Regulations
Clause 108 Data (Use and Access) Bill was agreed as introduced without debate.
Clause 109 Interpretation of the PEC Regulations
Clause 109 Data (Use and Access) Bill would extend the application of the Privacy and Electronic Communications (EC Directive) Regulations 2003 to attempts, e.g. attempted phone calls and sent emails regardless of whether they were received, and would introduce a definition of direct marketing as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”.
Lord Lucas proposed an amendment seeking to clarify that communications necessary for, for example, compliance with the Financial Conduct Authority’s (FCA’s) Consumer Duty, to the extent that such messages would not fall within the definition of service messages, would not fall within the definition of direct marketing (Amendment 158).
Amendment 158 was not moved and clause 109 was agreed as introduced without debate.
Clause 110 Duty to notify the Commissioner of personal data breach: time periods
Clause 110 Data (Use and Access) Bill would align the reporting period for data breaches under PECR with the UK GDPR, i.e. reports of notifiable breaches should be made within 72 hours and, if later, accompanied with an explanation for the delay.
Clause 110 was agreed as introduced without debate.
Clause 111 Storing information in the terminal equipment of a subscriber or user
Clause 111 Data (Use and Access) Bill would extend the application of PECR to device fingerprinting (which is particularly pertinent in light of Google’s decision that with effect from 16 February 2025, it will no longer prohibit organisations using its advertising products from employing fingerprinting techniques, something that has been criticised by the ICO), as well as introducing new exemptions from the restrictions on cookies and other storage/access where the sole purpose is to collect information for statistical purposes, for functionality or user preference, and for emergency assistance, and would also grant the Secretary of State power to introduce further exemptions.
Lord Clement-Jones had proposed an amendment that would have the effect of prohibiting paywalls (Amendment 159) but withdrew this prior to the debate. By contrast Viscount Camrose proposed an amendment making clear that so-called ‘Pay or OK’ cookie paywalls are permitted (Amendment 159A), but this was not moved. Lord Clement-Jones proposed a further amendment which would have rendered cookies for the purpose of measuring the performance of advertising services as being strictly necessary (Amendment 160), but this was also not moved.
Clause 111 was agreed as introduced without debate.
Lord Lucas had proposed a new provision to extend the so-called 'soft opt-in' to communications pertaining to workplace pensions (Amendment 161), and Lord Clement-Jones proposed to extend it to charities (Amendment 162), but neither was moved.
Schedule 12 Storing information in the terminal equipment of a subscriber or user
Schedule 12 was agreed as introduced without debate.
Clause 112 Emergency alerts: interpretation of time periods
Clause 112 Data (Use and Access) Bill would amend the period during which a public electronic communications service provider should disregard their obligations under PECR for the purpose of being permitted to send emergency alerts from 7 days to 7 days from being directed to convey the information by a public authority.
Clause 112 was agreed as introduced without debate.
Clause 113 Commissioner’s enforcement powers
Clause 113 Data (Use and Access) Bill would update the PECR enforcement provisions from the current modified reading of the Data Protection Act 1998, to rely on modified provisions of the Data Protection Act 2018, with the expansion of the enforcement powers to interview notices being extended to PECR. The scope of information notices issued in connection with PECR would be expanded, however, to enable the regulator to require third parties to provide information in relation to the subject of an investigation, in particular by requiring not only communications providers to provide information regarding a third party’s use of a public communications network or electronic communications service in order to determine whether that person had complied with PECR, but also any person to provide the regulator with information about suspected infringements of PECR. The Bill would introduce a basis for such notices to be designated confidential, preventing disclosure subject to exemptions for the obtaining of legal advice, with the permission of the regulator or to another person within the organisation on which the notice is served.
Clause 113 was agreed as introduced without debate.
Schedule 13 Privacy and electronic communications: Commissioner’s enforcement powers
Schedule 13 was agreed as introduced without debate.
Clause 114 Codes of conduct
Clause 114 Data (Use and Access) Bill would import the UK GDPR obligation on the regulator to encourage representative bodies to produce codes of conduct which would contribute to compliance with PECR, which it is suggested could address out of court dispute resolution, and codes pertaining to PECR compliance could be part of codes of conduct for the purposes of Article 40 UK GDPR. Adherence to such a code would demonstrate compliance with PECR. The regulator would not be permitted to approve a code of conduct unless it made provision for monitoring (provided by an accredited monitoring body in relation to non-public bodies) as to whether those who undertake to apply the code comply with its provisions. Ofcom would be required to co-operate with the regulator in connection with its role in relation to codes of conduct under PECR, in addition to its enforcement. Criteria are established for the regulator to accredit monitoring bodies according to their independence and ability to demonstrate no conflict of interest, expertise, procedures for assessing eligibility for and monitoring of compliance with the code, as well as reviewing the code itself periodically, having procedures to handle complaints about infringements and arrangements for publishing details of the procedures. Accredited bodies would be obliged to take appropriate action in respect of infringements of the code by entities it is monitoring. The regulator would be required to publish guidance about its accreditation process, and would be obliged to revoke accreditation if the body no longer met the requirements for accreditation or if it failed to take appropriate action in respect of an infringement.
Clause 114 was agreed as introduced without debate.
Clause 115 The Information Commission
Clause 115 Data (Use and Access) Bill would establish a new corporate body, the Information Commission.
Clause 115 was agreed as introduced without debate.
Schedule 14 The Information Commission
Schedule 14 Data (Use and Access) Bill provides for the Information Commission to have between 3 and 14 executive and non-executive members (albeit that non-executive members must outnumber executive members), including a chief executive who would usually be appointed by the non-executive members after consultation with the Secretary of State but in respect of the first chief executive would be appointed by the chair of the Commission, after consultation with the Secretary of State, for a maximum period of 2 years. One non-executive member would be appointed as Chair by the King, having been recommended by the Secretary of State after being selected on merit following fair and open competition and in circumstances where the Secretary of State is satisfied that no conflict of interest exists. Other executive members of the Information Commission would be appointed by the non-executive members after consulting with the chief executive. Another non-executive member could be appointed as deputy chair. The maximum term of all non-executive members would be 7 years.
Dozens of amendments were laid addressing issues including the independence of the Information Commission, appointment of the Information Commissioner and Board, and the functions of the Board (Amendments 163 - 192). None were moved.
Schedule 14 was agreed as introduced without debate.
Clause 116 Abolition of the office of Information Commissioner
In light of the establishment of the Information Commission, clause 116 Data (Use and Access) Bill would abolish the office of the Information Commissioner and transfer all of its functions to the Information Commission.
Clause 116 was agreed as introduced without debate.
Clause 117 Transfer of functions to the Information Commission
Clause 117 was agreed as introduced without debate.
Clause 118 Transfer of property etc to the Information Commission
Clause 118 was agreed as introduced without debate.
Clause 119 Information standards for health and adult social care in England
Clause 119 was agreed as introduced without debate.
Schedule 15 Information standards for health and adult social care in England
The scope of the Secretary of State’s or NHS England’s power to prepare and publish information standards in connection with the processing of information under section 250 Health and Social Care Act 2012 would be expanded to include the information technology or IT services used for such processing, including hardware, software, networks, devices and services, and relating to the design, quality, capabilities or other characteristics of such technology or services as well as contracts or other arrangements under which such technology or services are marketed, supplied, provided or otherwise made available. The Secretary of State would be empowered to issue a written notice to a relevant IT provider suspected of not complying with an applicable information standard, requiring the provider to comply and provide evidence of compliance within a specified period and permitting the Secretary of State or a public body at his direction to publicly censure IT providers. No provision appears to be made to render such statements automatically protected by qualified privilege, by amending Schedule 1 Defamation Act 1996 for example, and they would presumably be sought to be protected as publications on a matter of public interest under section 4 Defamation Act 2013. The Secretary of State would also be permitted to make regulations relating to schemes for the accreditation of IT and IT services.
Lord Clement-Jones had proposed amendments to make clear that the provisions should apply not only to future but also to existing IT providers (Amendment 193), to make clear that they apply to NHS patient records (Amendment 194) and to extend their application to primary care services including GPs (Amendment 195), but none were moved.
Schedule 15 was agreed as introduced without debate.
Clause 120 Grant of smart meter communication licences
Clause 120 was agreed as introduced without debate.
Schedule 16 Grant of smart meter communication licences
Schedule 16 was agreed as introduced without debate.
Clause 121 Disclosure of information to improve public service delivery to undertakings
Clause 121 was agreed as introduced without debate.
Clause 122 Retention of information by providers of internet services in connection with death of child
Where Ofcom receives a request from a senior coroner or equivalent investigating the death of a child, and a regulated service is of interest in connection with the child’s death, clause 122 Data (Use and Access) Bill would impose an obligation on Ofcom to provide a notice to the relevant regulated service provider under the Online Safety Act 2023, and to any other relevant person, to retain information relating to the child’s use of the service. This includes an obligation to take all reasonable steps to prevent the deletion of information. The requested information would be required to be retained for 12 months, extendable by a further 6 months. Ofcom would then be obliged to share any information it received in response to a request with the investigating authority. Various consequential amendments would be made to extend the enforcement provision of the Act to apply to this circumstance.
Clause 122 was agreed as introduced without debate.
Lord Clement-Jones had proposed a new provision requiring the Secretary of State to report to Parliament on the operation of the interaction between clause 122 and provisions of the Online Safety Act 2023 applicable to Category 1 services (Amendment 196), but this was not moved.
Clause 123 Information for research about online safety matters
Clause 123 Data (Use and Access) Bill would give the Secretary of State power to make regulations requiring providers of regulated services under the Online Safety Act 2023 to provide information for purposes related to the carrying out of independent research into online safety matters, which could include mechanisms for making requests, fees payable, enforcement and appeals against refusal. While the Secretary of State’s discretion in relation to such regulations is proposed to be extremely broad, the Bill proposes that it would be limited in that the regulations could not require either the provision of material protected by legal professional privilege or the processing of personal data which would contravene the data protection legislation. The Secretary of State would be obliged to consult on such proposed regulations, but would be permitted to rely on a consultation undertaken prior to the passing of the Data (Use and Access) Bill.
Baroness Kidron proposed an amendment removing the Secretary of State’s discretion and instead requiring regulations to be made within 12 months of passage of the Data (Use and Access) Bill (Amendment 197) and a further amendment to require the information to be provided to be suitable to enable research to be conducted in relation to online safety as relates to people at different ages and stages of development, and people with different characteristics including gender, race, ethnicity, disability, sexuality, gender (Amendment 198). Lord Bethell proposed amendments to leave out the requirement for information to be made available pertaining to the enforcement of the regulations (Amendment 198A), to permit research to be carried out outside the UK (Amendment 198C and Amendment 198E), to make the obligations enforceable under section 131 Online Safety Act 2023 (Amendment 198D), and to disapply any contractual term that would otherwise prevent compliance with the information access regulations (Amendment 198F). These proposals were debated and received cross-bench support, but the Government’s position was that the provisions were either unnecessary or merited further consideration by the Government. Amendment 197 was therefore withdrawn and the remainder not moved.
Clause 123 was agreed as introduced.
Clause 124 Retention of biometric data and recordable offences
Clause 124 was agreed as introduced without debate.
Clause 125 Retention of pseudonymised biometric data
Clause 125 Data (Use and Access) Bill would permit the indefinite retention of pseudonymised biometric material other than DNA samples obtained or acquired from an overseas law enforcement authority.
Clause 125 was agreed as introduced without debate.
Clause 126 Retention of biometric data from INTERPOL
Clause 126 Data (Use and Access) Bill would permit the retention of section 18 material other than DNA samples where it was obtained via INTERPOL in connection with a request for assistance or notification of a threat until it is informed by the National Central Bureau that the request is withdrawn or threat notification cancelled.
Clause 126 was agreed as introduced without debate.
Clause 127 The eIDAS Regulation
Clause 127 was agreed as introduced without debate.
Clause 128 Recognition of EU conformity assessment bodies
Clause 128 was agreed as introduced without debate.
Clause 129 Removal of recognition of EU standards etc
Clause 129 was agreed as introduced without debate.
Clause 130 Recognition of overseas trust products
Clause 130 was agreed as introduced without debate.
Clause 131 Co-operation between supervisory authority and overseas authorities
Clause 131 was agreed as introduced without debate.
Clause 132 Time periods: the eIDAS Regulation and the EITSET Regulations
Clause 132 was agreed as introduced without debate.
Clause 133 Power to make consequential amendments
Clause 133 was agreed as introduced without debate.
Clause 134 Regulations
Clause 134 was agreed as introduced without debate.
Clause 135 Extent
The Government secured amendments to extend the power conferred by section 63(3) of the Immigration, Asylum and Nationality Act 2006 and the power conferred by section 239(7) of the Online Safety Act 2023 to the Bailiwick of Guernsey or the Isle of Man.
Clause 135 as amended was agreed.
Clause 136 Commencement
Clause 136 was agreed as introduced without debate.
Clause 137 Transitional, transitory and saving provision
Clause 137 was agreed as introduced without debate.
Clause 138 Short title
Clause 138 was agreed as introduced without debate.
Read about the previous Grand Committee scrutiny sessions on 03 December, 10 December and 16 December 2024.
Access our comprehensive briefing on the Data (Use and Access) Bill, and our unofficial Data (Use and Access) Bill Keeling schedules showing a mark up of the changes that the Bill (as introduced) would make to the UK GDPR, Data Protection Act 2018 and Privacy and Electronic Communications Regulations 2003 (PECR) respectively.