Overview

The Data Protection and Digital Information Bill aims to reform the UK's data protection laws, making them simpler and more proportionate while still protecting individuals' rights. It also introduces a framework for digital verification services and provisions for access to customer and business data.

Description

Data Protection

The bill makes several changes to the UK GDPR and the Data Protection Act 2018. It clarifies the definition of "identifiable living individual," introduces a new concept of "recognised legitimate interests" for data processing, and alters the purpose limitation principle. It also addresses vexatious data subject requests, allowing controllers to refuse or charge fees for excessive requests. Time limits for responding to data subject requests are clarified and standardized. The requirement for UK representatives for controllers outside the UK is removed. A senior responsible individual must be designated for large organizations and public bodies. The definition of consent is clarified and new requirements and conditions for consent are specified. The bill also simplifies data protection impact assessments, and modifies the requirements for international data transfers.

Digital Verification Services

The bill creates a trust framework, register, and trust mark for digital verification services (DVS), aiming to ensure the reliability of such services which ascertain and verify facts about individuals using online information. Public authorities may disclose information to registered DVS providers to facilitate service delivery, subject to data protection laws.

Customer and Business Data

The bill empowers the government to make regulations regarding access to customer and business data held by traders. These regulations will determine how and when data must be provided to customers, authorized persons, or third-party recipients, and the processes for resolving complaints and disputes. Provisions include safeguards to protect smaller businesses and to consider the impact on innovation and competition.

Other Digital Information Provisions

The bill amends the Privacy and Electronic Communications Regulations (PECR), particularly concerning the storage of information on user devices and direct marketing. It allows for exceptions to PECR for direct marketing relating to democratic engagement. It also streamlines trust service regulations, simplifies and modernizes regulations, and introduces changes to the registration of births and deaths. It also establishes new information standards for health and adult social care in England.

Government Spending

The bill's financial implications are not explicitly detailed in the provided text. However, it is likely to involve some costs associated with implementing the new regulatory framework, administering the DVS register, and supporting the Information Commission.

Groups Affected

• Individuals: Increased clarity around data rights, but also potential for more restrictions on access to data in some situations.
• Businesses: Changes to data processing obligations, requiring adjustments to practices and potentially incurring costs for compliance. Smaller businesses may face additional challenges.
• Public Authorities: New responsibilities related to data processing, DVS, and information sharing. More stringent regulatory oversight.
• Researchers: Changes to the rules surrounding processing data for research purposes.
• Digital Verification Service Providers: New regulatory framework to comply with, and potentially additional fees.
• Information Commissioner's Office (ICO): Transfer of its functions to the new Information Commission, alteration of its role and responsibilities.

Powered by nyModel