Ashurst Data Bytes 1: The UK's new Data (Use and Access) Act – The data privacy changes

10 July 2025

The UK’s Data (Use and Access) Act is now law, and it brings targeted but important shifts in data protection, enforcement and digital regulation that every organisation needs to track.

In this brand new Legal Outlook series, DataBytes, Partner Rhiannon Webster is joined by Senior Associates Shehana Cameron-Perera and Tom Brookes to break down what’s in (and out) of the legislation, and why it matters. With Royal Assent now granted, this new law marks a shift in how UK organisations manage data compliance, privacy rights, and digital operations.

In this launch episode, they cover: (1) The provisions that survived, and those that didn’t; (2) Changes to complaints, and individual rights; (3) Impacts on scientific research, data transfers, and legitimate interests; and (4) Why this Act goes beyond privacy to touch AI, IP, and smart data schemes.

The team also outlines implementation timelines, regulatory guidance to watch for, and what steps organisations should start taking now.

To listen to this and subscribe to future episodes, search for “Ashurst Legal Outlook” on Apple Podcasts, Spotify, or your favourite podcast player. To explore more from Ashurst’s podcast library, visit ashurst.com/podcasts.

The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Listeners should take legal advice before applying it to specific issues or transactions.


Transcript

RHIANNON:
Hello, I am Rhiannon Webster, a partner in Ashurst's Digital Economy team, and head of our UK data protection and cyber practice. Welcome to the first in our new Ashurst Data Bytes podcast. This is the latest spin-off from our monthly bulletin, where we consolidate the latest data and cyber breach developments for you into bite-sized pieces. We are going to use this podcast series to cover the UK's new data law, the new Data (Use and Access) Act, in bite-sized chunks. In the first in this series, we are going to concentrate on the more traditional data protection changes that this new law brings in. But, spoiler alert, this new law is more than just data privacy changes and in future podcasts in this series, we will be deep diving into the other, arguably more ambitious parts of the law: open data frameworks, digital verification, IP and AI, just to name a few.

But first let's set the scene – why are we looking at a new data law in the UK and where did it come from? Well, its chequered history dates back to Brexit and a desire for the previous government to cast free of the shackles of EU data protection legislation with a law that would foster data innovation in the UK. The Conservative Government produced the Data Protection and Digital Information Bill, which went under various iterations under different prime ministers and ultimately died with a change of government. But like a phoenix from the ashes it came to life under the current government, and ignoring the political rhetoric around it, it mirrors plenty of the provisions in the original DPDI bill.

It doesn’t replace existing UK legislation; instead it amends the UK GDPR, the Data Protection Act and the Privacy and Electronic Communications Regulations. Unfortunately that means that we have in the UK an ever-growing patchwork of data protection legislation.

Implementation of the new Act is going to be staggered: some provisions are already in force, and much of it is going to require secondary legislation to bring in the operative provisions. Most provisions are expected to come into force in 2-6 months, but some might take up to a year. The Information Commissioner has made it clear that he will update his existing guidance over time and introduce new guidance as the changes come into effect.

So enough from me at the moment! I am delighted to be joined by Senior Associates in my London data protection team, Shehana Cameron-Perera and Tom Brookes.

Thank you very much both of you for joining me.

Shehana, for those of us who have been following the progression of this legislation what notably didn’t make the cut, and therefore we don’t need to worry about any more?

SHEHANA:
Thanks, Rhiannon. I'm really happy to be here today. So to answer that question, this requires casting our minds and our memories back to the different forms of the Act that you talked about and its ping-ponging throughout Parliament. Essentially there were a number of changes which didn't make it into the Act, many of which were introduced under the guise of "simplifying the UK GDPR and cutting that red tape post-Brexit", including the removal of the role of a DPO and the introduction of a new requirement to appoint a senior responsible individual. Instead, now the DPO role will remain as is. There was also a reform of the accountability framework to what was referred to as a new Privacy Management Programme. As part of this, there had been proposed amendments to the ROPA requirement to reduce the burden on smaller businesses, similar to the European Commission's recent proposal to simplify ROPA obligations under the EU GDPR, and DPIAs were going to be replaced with leaner and less prescriptive assessments of high-risk processing, but those changes haven't been carried across.

Of a more controversial nature, shall we say, was a proposal of an expanded definition of personal data and that would've provided further clarification as to when data is related to an identified or identifiable individual, thereby directly correlating to when data should be considered anonymous. That's been dropped, along with the proposal to remove a requirement on non-UK businesses to appoint a representative.

Finally, some of the reform to the ICO has not survived, including the requirement for the ICO to take into account the Government's strategic priorities and a mechanism which would've otherwise allowed the Secretary of State to set binding priorities for the Information Commissioner.

But what did survive was a name change for the ICO and they're now going to be known as the Information Commission. This is a change to reflect the new modern structure of the regulator, which is brought in by the Act and the Information Commission will also have new powers such as requiring expert reports to be produced and issuing interview notices.

RHIANNON:
Thanks, Shehana. So having done away with what didn't make the cut despite many of those years of negotiations and then ping-pongs in Parliament, let's turn to Tom to look at what are the wider changes that this piece of legislation brings in. So things which might be of wider remit than just traditional data protection compliance and ones which would have much more far-reaching consequences.

TOM:
Thanks, Rhiannon. So, in some respects, the new Act is a bit of a mongrel, and what I mean by this is that it criss-crosses over several areas, which broadly fall under the scope of data use, so not just your traditional data protection provisions. Now, you mentioned in your introduction that we're intending to deep dive into some of these issues with other members of the Ashurst Digital Economy team in further podcasts. So for the time being, I'll mention three areas of change to give you a flavour of what to expect.

The first one is digital verification. The Act establishes a framework for trusted providers of digital verification services, and we'll be looking at how this compares with the EU's own digital identity plans, which are rapidly coming around the corner.

Secondly, smart data schemes relating to the sharing of customer and business data. The point to note here is that this extends beyond personal data and will require in-scope data holders to provide access to their data. There are again some intriguing parallels with the EU Data Act to explore here.

And finally, the rather thorny topic of IP and artificial intelligence. This sparked the most controversy during the passage of the bill through Parliament. A particular point of contention was the rights awarded to copyright holders whose works are being used to train AI models. We'll be dedicating a whole podcast to drill into what was and what was not agreed on this topic.

RHIANNON:
Thanks, Tom. So moving back to Shehana, what are the key data protection law changes the new law does bring in, and what does this mean practically for data protection practitioners?

SHEHANA:
A key change impacts how organisations deal with data subjects, and this is in two particular circumstances, complaints and DSARs.

Turning first to complaints. A data subject now has a legislative right under the Data Protection Act to complain to controllers where they think that they've infringed the UK GDPR. These complaints need to be facilitated by controllers, acknowledged within 30 days, and then responded to without undue delay. What does this mean in practical terms? Well, frankly, now there's an obligation on controllers to facilitate data subjects making complaints such as providing a complaint form, and this is really akin to what we see with DSARs where organisations have created their own DSAR form.

So some tips to take away are: build this into your privacy notices; consider what a complaints form could look like for your organisation; run training for the teams who will be dealing with such requests to make sure that they're aware of those new timeframes and what the escalation process should be; and finally keep an eye out for the guidance which will be issued by the ICO on how to handle such complaints, which is tracking for the end of the year on that one.

Our data protection practitioner listeners will be happy to hear that under a DSAR, an individual is now only entitled to personal data that a controller is able to provide based on a reasonable and a proportionate search. Now this has been the approach which has been codified in case law, but it's now reflected in the statute and that's a very welcome change. So in practical terms, being able to refer to the limitations of a DSAR and being able to support it and cite legislative references should really bolster responses to vexatious data subjects.

And finally, just to put you on notice that the ICO's Act Guidance Tracker is also indicating that they're drafting new DSAR detailed guidance and that's going to be published in the summer, so watch this space.

I'm now going to turn to Tom who's going to walk us through his two key changes.

TOM:
Thanks, Shehana. So two changes I wanted to touch on concern scientific research and purpose limitation. We now have a new definition of scientific research set out in the Act. This refers to processing for the purposes of any research that can reasonably be described as scientific, whether publicly or privately funded, and whether carried out as a commercial or non-commercial activity.

From a practical perspective, this will give greater certainty to organisations using personal data for commercial scientific research. This helps with a practical challenge where consent was obtained for a particular scientific purpose and then the research project evolves. Prior to the broadening of this consent condition, data controllers would technically need to go back and get refreshed consents explaining new purposes of processing.

One other related change concerning purpose limitation and the reuse of personal data is that we now have a list of assumed compatible purposes under Schedule 5 of the Act. If a processing activity fits into one of the nine purposes included in the Act, then you can reuse the data without having to undertake a formal compatibility assessment. This includes processing necessary for compliance with a legal obligation and the protection of vital interests.

Rhiannon, what are the changes you mentioned?

RHIANNON:
There are two main changes that I've picked up on and they are data transfers and legitimate interest, and I'll take each of them in turn.

So data transfers. The overall structure and the approach to data transfers is going to broadly remain the same as it always was, but the Act now creates what's called a "data protection test". Importantly, this isn't to be applied by organisations, it's to be applied by the Secretary of State assessing whether a third party or an international organisation has set a standard that's not materially lower than that in the UK. I think that's quite interesting because it could lead to a... Well, it's essentially a different standard than what you have in the EU for adequacy decisions. So it could mean that adequacy decisions are different from the UK and the EU, although I think in all reality they're likely to remain the same. So practically in that sense, there's not a lot which will change for organisations when doing data transfers, but it'll be interesting to watch how that plays out when the Secretary of State is making adequacy decisions.

And then the final point, which is one of the bigger changes in the Act, is that it introduces the concept of "recognised legitimate interests". Now that's a new lawful basis for processing personal data and builds on the existing lawful basis of legitimate interest. And so this new basis will allow for businesses to process data for specific purposes defined under the Act without conducting a traditional legitimate interest assessment. They're quite confined processing activities. It's national security and defence and responding to emergencies and safeguarding vulnerable people. So in those situations, a legitimate interest assessment doesn't need to be conducted.

Additionally, the Act also sets out a list of processing activities which may, crucially may, be processed under the existing legitimate interest lawful basis. So these activities are not recognised legitimate interests. They will still require a legitimate interest assessment, but it gives some guidance to business that these may be. So you still need to conduct a legitimate interest assessment for these. But I think it's a bit more of a guidance note to say that these are, if I went as far as "likely to" satisfy the legitimate interest assessment. These activities include direct marketing, sharing data intra-group for internal admin purposes, and also ensuring the security of network and information systems. So practically, to sum it up, data transfers, I don't think that's going to have a huge effect. Legitimate interest, I think it's going to mean that businesses will be able to act with more confidence when relying on that lawful basis.

So to bring this all to a conclusion, I think those who are familiar with data protection law in the UK will see that the changes are not significant. We're going to do, as Tom and I have mentioned, some more deep dives into the more significant changes that this Act will bring in. But as an overall concept, I think there's been very little appetite for changing data protection law in the UK.

And just to sum up in terms of timings for implementation, although we have bits of it which are in force straight away, most of it is going to require secondary legislation and is expected to come in over the next 12 months. So it's going to take some time to understand the real impact of the Act, namely as the provisions come into force, when the guidance is produced, and when secondary legislation is introduced.

Shehana and Tom, thank you so much for joining me and providing such practical insight. And thank you for listening to our podcast. Please do share the podcast with interested colleagues and look out for the upcoming podcasts on the Act, which we're aiming to release every week. Thank you.
