Handley Gill Limited

Peer Review - Part I

Parts 1 - 4 of the Data (Use and Access) Bill survived their first detailed scrutiny unscathed, albeit not without significant efforts - particularly by Viscount Camrose - to seek to ensure that appropriate security standards were baked into every proposition.
— Handley Gill Limited

At the conclusion of the Second Reading of the Data (Use and Access) Bill in the House of Lords on 19 November 2024, the Bill was committed to a Grand Committee, where it was determined that the provisions of the Bill would be considered in the following order:

  • Clauses 1 to 56, i.e. the provisions dealing with ‘Smart Data’, Digital Verification Services and part of the National Underground Asset Register (NUAR);

  • Schedule 1, i.e. the National Underground Asset Register (NUAR) monetary penalties (England and Wales);

  • Clauses 57 and 58, i.e. part of the National Underground Asset Register (NUAR);

  • Schedule 2, i.e. the National Underground Asset Register (NUAR) monetary penalties (Northern Ireland);

  • Clauses 59 to 65, i.e. part of the National Underground Asset Register (NUAR) and the Register of Births and Deaths;

  • Schedule 3, i.e. Register of Births and Deaths minor and consequential amendments;

  • Clauses 66 to 70, i.e. Chapter 1 Data Protection - Terms used in this Chapter, Definitions in the UK GDPR and the 2018 Act and, Data protection principles - Lawfulness of processing;

  • Schedule 4, i.e. Lawfulness of processing: recognised legitimate interests;

  • Clause 71, i.e. Data protection principles - The purpose limitation;

  • Schedule 5, i.e. Purpose limitation: processing to be treated as compatible with original purpose;

  • Clauses 72 to 80, i.e. Data protection principles - Processing in reliance on relevant international law, Processing of special categories of personal data, Data subject’s rights and, Automated decision-making;

  • Schedule 6, i.e. Automated decision-making: minor and consequential amendments;

  • Clauses 81 to 84, i.e. Logging of law enforcement processing, Codes of conduct and, International transfers of personal data;

  • Schedules 7 to 9, i.e. Transfers of personal data to third countries etc: general processing, Transfers of personal data to third countries etc: law enforcement processing and, Transfers of personal data to third countries etc: minor and consequential amendments and transitional provision;

  • Clauses 85 to 102, i.e. Safeguards for processing for research etc purposes, National security, Intelligence services, Information Commissioner’s role, Enforcement - Power of the Commissioner to require documents, Enforcement - Power of the Commissioner to require a report, Enforcement - Assessment notices: removal of OFSTED restriction, Enforcement - Interview notices, Enforcement - Penalty notices, Enforcement - Annual report on regulatory action and, Enforcement - Complaints by data subjects;

  • Schedule 10, i.e. Complaints: minor and consequential amendments;

  • Clauses 103 to 107, i.e. Enforcement - Court procedure in connection with subject access requests; Enforcement - Consequential amendments to the EITSET Regulations; Protection of prohibitions, restrictions and data subject’s rights; and, Miscellaneous;

  • Schedule 11, i.e. Further minor provision about data protection;

  • Clauses 108 to 111, i.e. Privacy and Electronic Communications - The PEC Regulations; Privacy and Electronic Communications - Interpretation of the PEC Regulations; Privacy and Electronic Communications - Duty to notify the Commissioner of personal data breach: time periods; and, Privacy and Electronic Communications - Storing information in the terminal equipment of a subscriber or user;

  • Schedule 12, i.e. Storing information in the terminal equipment of a subscriber or user;

  • Clauses 112 and 113, i.e. Privacy and Electronic Communications - Emergency alerts: interpretation of time periods; and, Privacy and Electronic Communications - Commissioner’s enforcement powers;

  • Schedule 13, i.e. Privacy and electronic communications: Commissioner’s enforcement powers;

  • Clauses 114 and 115, i.e. Privacy and Electronic Communications - Codes of conduct; and, The Information Commission - The Information Commission;

  • Schedule 14, i.e. The Information Commission;

  • Clauses 116 to 119, i.e. The Information Commission - Abolition of the office of Information Commissioner; The Information Commission - Transfer of functions to the Information Commission; The Information Commission - Transfer of property etc to the Information Commission; and, Information standards for health and adult social care in England;

  • Schedule 15, i.e. Information standards for health and adult social care in England;

  • Clause 120, i.e. Grant of smart meter communication licences;

  • Schedule 16, i.e. Grant of smart meter communication licences;

  • Clauses 121 to 138, i.e. Disclosure of information to improve public service delivery to undertakings; Retention of information by providers of internet services in connection with death of child; Information for research about online safety matters; Retention of biometric data and recordable offences; Retention of pseudonymised biometric data; Retention of biometric data from INTERPOL; The eIDAS Regulation; Recognition of EU conformity assessment bodies; Removal of recognition of EU standards etc; Recognition of overseas trust products; Co-operation between supervisory authority and overseas authorities; Time periods: the eIDAS Regulation and the EITSET Regulations; Power to make consequential amendments; Regulations; Extent; Commencement; Transitional, transitory and saving provision; and, Short title; and,

  • Title.

The first session of the Grand Committee’s scrutiny took place on 03 December 2024 and considered clauses 1 – 66 of the Data (Use and Access) Bill and the tabled amendments, i.e. the provisions of the Bill dealing with ‘Smart Data’, Digital Verification Services, the National Underground Asset Register and the first provision of Part 5 of the Bill ‘Data Protection and Privacy’ on ‘The terms used in this Chapter’ - The 2018 Act and the UK GDPR.

The provisions of the Bill relating to the Smart Data scheme at Part 1 of the Bill were passed unscathed. Amendment 7, moved by Lord Arbuthnot of Edrom, who had adopted proposals published by ISACA to require third-party recipients of customer data to publish information pertaining to their cyber resilience, was subsequently withdrawn in response to the government’s indication that the powers to make regulations imposing requirements on the processing of data would include measures relating to cyber security, and that this would be supplemented by the promised Cyber Security and Resilience Bill.

The provisions of the Bill relating to Digital Verification Services at Part 2 similarly passed unscathed, notwithstanding significant interventions from Viscount Colville, Viscount Camrose, Lord Clement-Jones and Baroness Kidron, to the effect that the regime proposed was somewhat half-baked and skeletal, lacked provisions for enforcement, failed to establish the grounds for public confidence in DVS, and could discourage non-digital options for identity verification. Viscount Camrose’s proposal to require the Secretary of State to prepare and publish a set of cyber-security rules for Digital Verification Service providers and to update them annually was withdrawn after the Minister indicated that the forthcoming Cyber Security and Resilience Bill would provide an underpinning. Lord Clement-Jones’ proposals to introduce new criminal sanctions in relation to using a trust mark without permission, providing false information in response to an information notice or using a false digital identity document (effectively extending the application of the Identity Documents Act 2010 to digital ID documents) were also withdrawn, including after Baroness Jones indicated that misuse of digital identity was already addressed by other legislation including the Fraud Act 2006, the Computer Misuse Act 1990 and the Data Protection Act 2018, and that the Office for Digital Identities and Attributes already imposed requirements on digital verification service providers to adhere to the principle of truthfulness and accuracy.

In relation to the provisions at Part 3 of the Bill on the National Underground Asset Register, while Viscount Camrose again sought to ensure that appropriate security arrangements were in place in connection with access to the register, and efforts were made to secure greater consultation with the operator of the incumbent LinesearchBeforeUDig (LSBUD) service, which holds records of known utility networks, these provisions passed without amendment.

Part 4 of the Bill on Registers of Births and Deaths was again subject to Viscount Camrose’s efforts to ensure the security of digitised records but his amendment was withdrawn upon the government’s indication that this was already achieved by virtue of Articles 25 (Data Protection by Design and Default) and 32 (Security of Processing) UK GDPR. Lord Clement-Jones’ amendment, tabled at the urging of Marie Curie, to expand the Tell Us Once death registration service was withdrawn with a promise to keep the government under pressure on progress after the Minister indicated that the technology underlying the service was in desperate need of upgrade before any expansion of the service could be considered.

The only clause of Part 5 of the Bill on Data Protection and Privacy considered at the first session of the Grand Committee, clause 66, which merely serves to define references in the Bill to the 2018 Act as being the Data Protection Act 2018 and the UK GDPR as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, was passed. Although the definition of the UK GDPR might appear at first glance to define it by reference to the EU GDPR, this is not in fact an aggressive move by the Labour government to reset the European relationship by taking us back to pre-Brexit legislation, but must be read in light of section 20(3) Interpretation Act 1978, which means that the reference to the GDPR is not to the EU version of the GDPR but to the version of the GDPR that forms part of domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018, i.e. the UK GDPR.

You can access our comprehensive briefing on the Data (Use and Access) Bill here, and our unofficial Keeling schedules showing a mark up of the changes that the Bill (as introduced) would make to the UK GDPR, Data Protection Act 2018 and Privacy and Electronic Communications Regulations 2003 (PECR) respectively here.

Keep up to date with developments as the Data (Use and Access) Bill progresses through Parliament on our Data Protection Reform page in our Resources section.