
The Data (Use and Access) Act receives Royal Assent: What does this mean for your organisation?

The Data (Use and Access) Bill ("the Bill") received Royal Assent on 19 June 2025 and is now the Data (Use and Access) Act ("the Act").

We have outlined some key changes for you below.

Data subjects’ rights

The Act aligns the data subject access request ("DSAR") provisions of the UK GDPR with existing Information Commissioner's Office ("ICO") guidance.

It confirms that controllers need only carry out a "reasonable and proportionate" search for information and personal data in response to a DSAR. This reflects current case law but offers no further guidance on what a reasonable and proportionate search looks like in practice.

Another example of aligning the Act with ICO guidance is the idea of "stopping the clock": the statutory response period is paused where the controller cannot proceed with the response without further information from the data subject, such as proof of their identity.

The proposal in the Data Protection and Digital Information Bill ("DPDI Bill") (under the previous Government) that controllers would be able to refuse a DSAR on the ground that it is "vexatious" did not make it through. Controllers will still have to demonstrate that a request is "manifestly unfounded or excessive" in order to refuse to comply with it.

Both of these provisions come into force immediately upon Royal Assent.

Changes to lawful bases for processing: examples of legitimate interests

The Act introduces a non-exhaustive list of examples of processing activities that can constitute a legitimate interest of the controller (for the purposes of Article 6(1)(f) of the UK GDPR). These include the processing of employees' or other individuals' personal data where it is necessary for internal administrative purposes.

New Article 6(1)(ea) provides a separate lawful basis for processing that is necessary for a "recognised legitimate interest", meaning processing that meets a condition in the new Annex 1 to the UK GDPR (inserted by Schedule 4 of the Act). The recognised legitimate interests include processing that is necessary for detecting, investigating or preventing crime, or for apprehending or prosecuting offenders.

The Secretary of State may add to, omit from or vary the list of recognised legitimate interests by regulations, provided certain safeguards are met.

Clarification of the purpose limitation principle

The Act sets out when further processing of personal data is compatible with the purpose for which it was originally collected. New Article 8A(3) lists the circumstances in which further processing is treated as compatible, including:

  • where the data subject has given fresh consent to the new purpose;
  • where the further processing is for archiving purposes in the public interest;
  • where the further processing is for scientific or historical research purposes; and
  • where the further processing is necessary for any of the purposes listed in the new Annex 2 to the UK GDPR.

The purposes specified in Annex 2 include processing that is necessary for disclosure to a person carrying out a public interest task, for public security, for the detection, investigation and prevention of crime, for the protection of a data subject's vital interests, and for safeguarding vulnerable individuals.

Data transfers

The Act provides a more flexible approach to international data transfers. It replaces Chapter V of the UK GDPR and requires the Secretary of State, when assessing adequacy, to consider whether the standard of data protection in the country under consideration is "not materially lower" than the standard in the UK. This is referred to as the "data protection test", and the same test must be applied by controllers and processors relying on other transfer mechanisms such as standard contractual clauses.

Looking forward…

The Act retains many of the changes proposed by its predecessor, the DPDI Bill, but some of the more controversial proposals have not been carried through. The proposed replacement of data protection officers (DPOs), the changes to the definition of personal data, the amendments to data protection impact assessments (DPIAs), the extended requirement to maintain a record of processing activities (ROPA) and the abolition of the requirement to appoint a UK representative have all been dropped.

Businesses will need to revisit their internal policies: even though some of the changes are not ground-breaking, they still need to be taken into account. The ICO will also be able to impose higher fines for breaches of the Privacy and Electronic Communications Regulations 2003 ("PECR"), aligning them with the maximum fines available under the UK GDPR.

We will continue to update you so please watch this space. For further information, please contact Hetal Ruparelia or Georgia Maskell.


Tags

housing management & property litigation, gdpr, subject access requests, social housing, data protection, housing associations, landlords, property managers, registered providers, housing sector