
The Data Use and Access Bill - what will it mean for the public sector?


By Darryn Hale, Margarita Jimenez-Ortiz & Calum Glover


Published 30 January 2025

Overview

The Data (Use and Access) Bill ("DUA Bill") sets out the new Government's vision for reform of data protection legislation in the UK, although it is still making its way through the legislative process and so is unlikely to come into force until early 2026. The DUA Bill proposes to amend both the UK General Data Protection Regulation ("UK GDPR") and the Privacy and Electronic Communications Regulations 2003 ("PECR") and, in this briefing, we focus on the implications of the Bill for those in the public sector.


Lawful bases

The concept of lawfulness under the UK GDPR will by now be familiar to controllers of personal data, including public bodies, but by way of brief reminder: all controllers must satisfy a lawful basis under Article 6 UK GDPR in order to use, share and/or receive personal data. In the case of special category data, such as data concerning health, they must also satisfy an additional lawful basis under Article 9 UK GDPR.

The DUA Bill does not propose wholesale changes to the lawfulness regime but instead a few tweaks and clarifications which may affect public bodies (whether directly or indirectly):

  1. Public bodies regularly and routinely rely on Article 6(1)(e) to process personal data in connection with the discharge of their duties and functions, as it allows processing of data necessary to perform a task in the public interest or in the exercise of official authority. The DUA Bill proposes to clarify that the 'task' must be "of the controller", meaning that public bodies cannot rely on the duties or functions of another public body in order to legitimise their use of personal data, and
  2. Article 6(1)(f) applies to processing of personal data which is necessary in order to pursue legitimate interests. This is the lawful basis routinely relied upon by non-public bodies, and currently the scope of what those legitimate interests could be is not set out in the UK GDPR itself. However, the DUA Bill proposes to recognise certain legitimate interests, pursuant to which data can be shared without having to undertake a legitimate interests assessment (which would otherwise be required). Those recognised legitimate interests include disclosing data to a public body which needs it in connection with its legal functions, as well as safeguarding children and vulnerable adults and national and public security.

While public authorities are explicitly excluded from relying on the Recognised Legitimate Interest ground (Article 6(1)(ea)) or the existing legitimate interest basis (Article 6(1)(f)) for their processing activities, the Bill may have indirect advantages for them through improved data sharing from non-public bodies.

Non-public entities now have clearer legal assurances when disclosing data to public bodies. This increased confidence can lead to greater cooperation and smoother data exchanges, addressing long-standing issues of hesitation or legal ambiguity. By simplifying the legal framework for data sharing, the Bill encourages better collaboration across sectors. For example, a local authority working with a private housing association to address safeguarding issues may now access relevant data more efficiently.


Automated decision-making ("ADM")

The UK GDPR already contains fairly stringent restrictions on ADM, and the DUA Bill builds upon those. 

ADM refers to decisions being taken solely on the basis of automated processes, without human involvement. One potentially key change under the DUA Bill relates to the need for human interaction with any ADM: the background recitals to the GDPR refer to the need for 'human intervention' in ADM, but the DUA Bill proposes to clarify that this should be 'meaningful human involvement'.

This is arguably a higher threshold and it is incumbent on the relevant public authority to demonstrate that there has been meaningful human involvement. It will therefore be particularly important for public bodies to scope out their proposed use cases for AI, and then design processes which incorporate them in such a way as to allow for meaningful human involvement.


Health information standards

The Bill amends the Health and Social Care Act 2012 and introduces new standards for health data to make patient data easily transferable and accessible in real time across those delivering healthcare and social services to the public. These are designed to ensure greater interoperability across a sector which has become increasingly fragmented due to local implementation of different systems and platforms.

It is hoped that these particular provisions will be helpful to public bodies operating in the health sector, as they will enable the Secretary of State to issue information standards which IT providers will need to comply with when offering their platforms to the market. The Secretary of State will also have a range of enforcement powers if there are concerns that a particular IT provider is not complying, which include public rebuke of the provider in question. 

It is fair to say, however, that it will likely be some time before we see meaningful benefits as a result of these standards, as they will need to be worked up, published and then time allowed for IT providers to ensure compliance.


Research

Finally, the DUA Bill proposes amendments which will be of specific interest to those involved in scientific research. In particular:

  • The most notable changes are to the form of consent which needs to be taken in order to use an individual's personal data for research purposes. As most will be aware, the UK GDPR standard of consent is prescriptive and includes a requirement for it to be highly specific to the particular purposes for which the data will be used. This has, to date, meant taking consent for granular research activities. However, the DUA Bill proposes to allow consent for research to be much broader than is currently the case and in particular to enable a participant to agree to forms or types of research which are not necessarily known at the outset (provided that research ethical standards are met), and
  • The definition of research will be widened to cover any reasonably describable scientific research, regardless of funding source or commercial status.


Our thoughts

As far as public bodies are concerned, the DUA Bill largely builds on the fundamentals already in place and so will not bring about a significant step change in how compliance with data protection obligations is ensured. The true extent of the impact may depend on the nature of the public body in question, for instance whether it is involved in research and/or uses AI to assist with or otherwise make decisions. However, all public bodies should prepare for implementation well ahead of the DUA Bill coming into force.

DACB has a specialist team of information lawyers who advise a broad range of public sector bodies and so would be able to assist with any current data protection compliance issues but also any anticipatory work in advance of the DUA Bill coming into force.
