Data Protection and Digital Information Bill
Official Summary
A Bill to make provision for the regulation of the processing of information relating to identified or identifiable living individuals; to make provision about services consisting of the use of information to ascertain and verify facts about individuals; to make provision about access to customer data and business data; to make provision about privacy and electronic communications; to make provision about services for the provision of electronic signatures, electronic seals and other trust services; to make provision about the disclosure of information to improve public service delivery; to make provision for the implementation of agreements on sharing information for law enforcement purposes; to make provision about the keeping and maintenance of registers of births and deaths; to make provision about information standards for health and social care; to establish the Information Commission; to make provision about oversight of biometric data; and for connected purposes.
Summary powered by AnyModel
Overview
The Data Protection and Digital Information Bill aims to reform the UK's data protection laws, making them simpler and more proportionate while maintaining a high level of data protection. It also introduces provisions to regulate digital verification services and improve access to customer and business data.
Description
The Bill significantly amends the UK GDPR and the Data Protection Act 2018. Key changes include:
- Data Protection Principles: Clarifies the "legitimate interest" grounds for processing data and introduces a new Annex 1 specifying recognised legitimate interests.
- Purpose Limitation: Strengthens the purpose limitation principle, requiring clearer justification for further processing of data for purposes other than those for which it was originally collected. A new Annex 2 specifies circumstances where further processing is deemed compatible with the original purpose.
- Data Subject Rights: Introduces provisions allowing controllers to refuse vexatious or excessive data subject requests, and extends time limits for responding to such requests.
- Automated Decision-Making: Replaces Article 22 of the UK GDPR with new provisions to regulate automated individual decision-making, providing safeguards for data subjects’ rights and freedoms.
- Obligations of Controllers and Processors: Simplifies compliance requirements by amending the definition of “appropriate measures”, removing the requirement for representatives for controllers and processors outside the UK and introducing a requirement for a senior responsible individual.
- International Transfers of Personal Data: Amends the UK GDPR’s rules on international data transfers, providing the Secretary of State with powers to approve specific transfers rather than relying solely on adequacy decisions or safeguards.
- Research Data: Introduces new safeguards for processing personal data for research purposes, emphasising data minimisation and restricting identification.
- National Security: Clarifies and strengthens the national security exemption to data protection requirements.
- Intelligence Services: Allows for joint processing of personal data between intelligence services and competent authorities under specific circumstances.
- Information Commissioner's Role: Changes the Information Commissioner's Office to the Information Commission, outlining new strategic priorities and a duty to consult with other regulators.
- Digital Verification Services: Establishes a framework for regulating digital verification services, including a trust framework, register, information gateway, and trust mark.
- Customer and Business Data: Grants powers to the Secretary of State and Treasury to regulate access to customer and business data.
- Privacy and Electronic Communications: Amends the Privacy and Electronic Communications Regulations (PECR), updating rules on storing information on subscriber devices and introducing provisions on direct marketing for democratic engagement.
- Trust Services: Amends the eIDAS Regulation, removing references to EU conformity assessment bodies and standards, and introducing powers to recognise overseas trust services.
- Oversight of Biometric Data: Transfers oversight of biometric data to the Investigatory Powers Commissioner, abolishing the separate Commissioner role.
Government Spending
The Bill does not provide specific figures for government spending, but it is likely to involve costs associated with implementing the new regulatory framework, supporting the Information Commission, and potentially providing financial assistance to certain organisations.
Groups Affected
- Businesses: Will face changes to data processing requirements, potentially affecting compliance costs and strategies.
- Data subjects: May experience changes to their rights concerning data access, correction, and erasure, and potentially increased fees for excessive requests.
- Researchers: Will be subject to new rules for processing data for research purposes.
- Law enforcement agencies: May see changes in how they transfer personal data internationally.
- Digital verification service providers: Will be subject to a new regulatory framework.
- Public authorities: Will face changes in data sharing responsibilities.
- Information Commissioner's Office (ICO): Will undergo a significant restructuring into the Information Commission.
DISCLAIMER: AI technology is not 100% accurate and summaries may contain errors; use at your own risk. Munro Research holds the copyright for all summaries found on this website. Reproduction for non-commercial purposes is permitted but must be displayed alongside a link to this website. Contact info@munro-research to license commercially.