UK Data Protection and Digital Information Bill update


As reported by Wiggin previously (here, here and here), the Data Protection and Digital Information Bill, which seeks to create a new UK data rights regime post-Brexit, is making its way through the legislative process. On 19 December 2023, it had its second reading in the House of Lords where it was debated. It will now move on to Committee stage in the House of Lords (date to be confirmed) when amendments can be proposed.

On 18 December 2023, the Information Commissioner published comments on aspects of the Bill and the amendments proposed by the House of Commons. The Commissioner notes that the Government has taken on board some of the comments he made at the House of Commons Committee Stage in November 2023, but that most of his comments remain unaddressed. In particular, the Commissioner would like the Government to further consider his comments on defining high risk processing.

The Commissioner notes that the Government introduced a significant number of amendments at Report Stage (29 November 2023) on which the Commissioner was consulted. The Commissioner points out that some of these amount to substantive new policy that has not been subject to public consultation or line-by-line scrutiny at Committee Stage, meaning that scrutiny in the House of Lords will be particularly important. The Commissioner is content with the majority of the substantive amendments, including: further changes to safeguard the independence of the ICO (namely removing the Secretary of State's approval over statutory ICO codes of practice); changes to allow the ICO to serve information, enforcement and penalty notices electronically; the amendment to clarify that, when responding to subject access requests, organisations need only conduct reasonable and proportionate searches, which reflects the ICO’s current position and Guidance; and the extension of the reporting period for personal data breaches under the Privacy and Electronic Communications Regulations 2023 from 24 to 72 hours, to align with UK GDPR.

Areas where the Commissioner wants to see further changes, and for which he provides detailed comments, include powers to require information for social security purposes, processing in reliance on relevant international law, court procedure in connection with subject access requests, retention of biometric data in relation to law enforcement and national security, archiving, information to be provided to data subjects in relation to processing for research purposes, and the role of the ICO in approving Codes of Conduct from expert public bodies.
