The Information Commissioner's Office (ICO) has issued a comprehensive response to the Data (Use and Access) Bill (the Bill) currently advancing through the legislative process in the House of Lords. This response not only highlights the ICO's support for various provisions aimed at modernising its data governance and enhancing individual rights but also underscores areas where the Bill could be further refined to ensure robust data protection and public trust. By examining the ICO's perspectives, we can better understand the Bill's potential impact on the UK's data protection landscape.
This analysis outlines the ICO’s areas of endorsement and examines its recommendations for clarification and improvement before reflecting on the wider implications for the UK's data framework.
The ICO’s Areas of Endorsement
The ICO has expressed support for several key aspects of the Bill, highlighting initiatives that align with its objectives of modernising the UK’s data protection law.
Independence, Modernisation and Regulatory Effectiveness
Whilst the Bill retains familiar elements of the previous Data Protection and Digital Information Bill (DPDI Bill), the ICO endorses the proposal to modernise the ICO with a new governance structure by introducing a Board and chief executive model, to mirror the corporate structure of other key regulators.
The ICO also appreciates the Bill's provision enabling the new Board to select the chief executive, which is different from the current appointment of the Commissioner by the Secretary of State, thereby strengthening its independence from governmental appointments.
The ICO appreciates the Bill's provisions aimed at strengthening its enforcement powers, including increased fines for breaches of the Privacy and Electronic Communications Regulations (PECR), to mirror those issued under the UK GDPR. It is also supportive of the introduction of new powers to require organisations to produce reports on specified matters, particularly when the Commissioner may require organisations to comply with an assessment notice under S.146 Data Protection Act 2018.
Strengthening Data Subjects' Rights
The Bill also seeks to strengthen the rights and freedoms of Data Subjects by requiring organisations to establish processes for responding to information rights requests and handling data-related complaints. Perhaps unsurprisingly, the ICO supports the fact that organisations will be the first port of call for dealing with complaints before these are escalated to the regulatory body. The ICO welcomes this approach, as it encourages organisations to take greater responsibility in addressing data subjects' concerns.
Generally, the ICO views these changes as strengthening consumer protections and bolstering its regulatory capabilities.
Support for Smart Data Initiatives and Digital Verification Services
The ICO welcomes Part One of the Bill, which focuses on customer and business data, commonly referred to as Smart Data. These initiatives aim to empower individuals by providing greater control and access to the personal information an organisation may hold about them. The ICO underscores the importance of a privacy-by-design approach, urging data controllers to identify and mitigate data protection risks from the outset. It is difficult to assess at this point in time how far this will strengthen the government’s open data approach. However, the ICO does consider that enabling people to access their data may act as a lever for innovation and economic growth.
The development of a digital verification trust framework is another aspect of the Bill that the ICO feels is a positive development. Designed as an alternative to physical identity verification, this scheme is anticipated to enhance privacy protections while delivering economic benefits. The ICO emphasises the necessity of building public trust and confidence in these systems, advocating for appropriate safeguards for individuals' information rights.
ICO's Recommendations for Improvement
While the ICO expresses overall support for the DUA Bill, it also identifies areas requiring further clarification and improvement to ensure the legislation's effectiveness and the protection of individuals' rights.
Concerns Over Automated Decision-Making (ADM)
The Bill introduces significant revisions to provisions on ADM, permitting such processes irrespective of an organisation’s lawful basis, provided appropriate safeguards are in place. While the ICO acknowledges the potential benefits of automation, particularly in enhancing efficiency and innovation, it underscores the necessity of maintaining robust protections, especially when processing special category data. The ICO cautions that the shift away from a default prohibition on ADM resulting in legal or similarly significant effects, except in cases involving special category data, represents one of the more impactful reforms of the UK GDPR. Please see our previous article for initial insights.
There is significant concern about the implications of this change in conjunction with the uptake of AI tools relying on ADM. There is awareness of the negative effects caused by past incidents involving the use of ADM tools with algorithmic systems left “unchecked”, including lack of transparency, loss of public trust in artificial intelligence (AI), and infiltration of bias and racism in unregulated decision-making systems.
This shift has drawn significant concern, particularly when considered alongside the growing adoption of AI tools that depend on ADM. Past incidents in the UK involving unchecked ADM systems, such as the 2020 A-level and GCSE grading fiasco, have highlighted substantial risks, including a lack of transparency, erosion of public trust in artificial intelligence (AI), and the proliferation of biases and discriminatory outcomes within unregulated decision-making frameworks. These examples underscore the need for a cautious and measured approach, ensuring that safeguards are not only theoretical but effectively operationalised to protect individuals' rights and freedoms.
The ICO's position signals the importance of balancing the opportunities presented by ADM with the ethical and legal obligations to safeguard data subjects, particularly as ADM becomes increasingly integrated into AI-driven systems.
The Standardisation of England’s Health and Social Care Data
The ICO also comments on the Bill’s aim to amend the Health and Social Care Act 2012 to standardise the functionality, portability, security and access of the IT systems in the health and social care sector. Given the recent spate of high-profile cyber attacks on hospitals and other healthcare-based organisations, and the need to ensure interoperability of systems across the healthcare sector, it is unsurprising to see the ICO welcome this initiative within the healthcare sector.
However, given the sensitivity of the data being targeted, the ICO was keen to emphasise the need to ensure that providers take a “privacy-by-design” approach and for organisations to prioritise data protection at the outset when considering new technologies, whether developed “in-house” or provided by third-party vendors. It calls for transparency in how medical information is used and insists that data protection principles be integrated into all new initiatives from the beginning.
Conclusion
The ICO's response to the Data (Use and Access) Bill reflects a balanced perspective, acknowledging the Bill's potential to modernise data protection, generating social and economic benefits and enabling innovation at the same time, while highlighting areas that require careful consideration. The Annex published alongside its response lists some minor technical changes but no substantive amendments to the draft Bill. The ICO’s supportive response to the legislative proposals will be welcomed by the Government and should ease the Bill’s passage through the Parliamentary process.
By addressing the ICO's recommendations, the government can ensure that the Bill not only drives innovation and economic growth but also strengthens protections for individuals' rights and maintains public confidence in the UK's data protection framework.