News / news

Data Use and Access Bill: our view and call to action

news / November 17, 2024

“The Data Protection and Digital Information Bill is dead! Long live the Data Use and Access Bill!”

On Tuesday November 19th, the Data Use and Access Bill will be debated in Second Reading in the House of Lords. The new government Bill is less bad than its predecessor and we are glad many of the worst elements have been dropped. However, fundamentally, the framing of the Bill title sets out what it is about. Not more data protection for people, but more (re)use and access of data from all our everyday lives.

Stephen Cragg KC highlighted some of these key areas of concern, including on the legitimate interests condition in his Opinion in the last Bill.

In so far as there are key areas we see carried over from the last version, we will seek to have these six incorporate better safeguards:

  1. The new condition of Legitimate Interests for safeguarding the wellbeing of vulnerable persons, (Schedule 4—Lawfulness of processing: recognised legitimate interests, Safeguarding vulnerable individuals); dropping the Right to Object and the obligation on controllers for a balancing test creates foreseeable risks, this is unnecessary especially where use cases given in the Explanatory Notes may need the basis of Vital Interests instead;
  2. Secretary of State powers of additional processing affecting the purpose limitation principle; (Clause 71) this is dangerous territory altering a fundamental DP principle, and needs tight limitations;
  3. Secretary of State powers affecting the definitions of special category data; (Clause 74). Examples of when this would be used should be provided;
  4. Expanding on powers to not inform data subjects of additional processing or at scale; (Clause 77) A mistake. Informed processing is one of the few principles that underscores public trust;
  5. Explicitly permitting solely automated decision-making without human intervention; (Clause 80). This is the wrong direction of travel proportionate to the emerging harms;
  6. And we recommend caution on any change seeking to reframe definitions of research, or weaken oversight of who and how access to personal data is distributed. (Part V, Clauses 67 and 68). Use cases should be provided in debate. Everyone seems to want to claim ‘product development’ is research. Not only is this not what public engagement finds people want, but done badly, it will harm public trust in genuine public interest research.

If this legislative reform is about simplifying and clarifying UK practice, then why retain two UK data acts at all? The Retained UK GDPR and the UK Data Protection Act could be merged, to resolve much of the complexity it has created.

Furthermore, since the UK Data Protection Act was introduced in 2018, based on the 2016 GDPR, the education sector has seen enormous expansions of both State and commercial data collection, partly normalised in the pandemic, of increased volume, sensitivity, intrusiveness, and high risk processing.

If we have only the Act as it is, in a world in which see ever more automated decision-making and AI incorporated into edTech products, then we must at least make the existing law work in practice. It does not today, for families and learners, nor for the millions of former learners whose data are retained at national level on a named basis in the National Pupil Database. We can start with guidance to turn the law, into practice.

A Call to Action

Our briefing sets out the case for a Code of Practice in the education sector for all data going into, across and out of educational settings. Beyond this and more meaningful, dissuasive enforcement practices, then the sector needs a more radical reform than this Bill offers.

Current law fails children in practice where teachers might be assumed to be the rights bearers in loco-parentis, but in fact cannot replace parents in this regard, or staff wrongly assume ‘consent’ decisions on behalf of data subjects, the children.

We believe the education sector needs at least three things to start for all learners through change of policy, with legislative underpinning in an Education and Digital Rights Act— we set these out in manifesto proposals this year

  1. A family opt-in/out of today’s commercial reuses of national pupil records;
  2. Student equality monitoring must be kept only as statistics not named data at the Department for Education; and
  3. A National Digital Office responsible for quality, standards, and support for schools and families.

Take action today. Write to your MP and ask them to take action to call for a Code of Practice on education data in this Bill, and work towards the changes we need in the education sector to keep learners safe and flourish, not be held back by their digital shadow, now and into their futures.

#MyRecordsMyRights.

The Data Use and Access Bill 2024-

(1) Defend Digital Me Briefing for Second Reading (For 19 November 2024) policy page and briefing to download .pdf 319kB v2.0

(2) Event at the House of Lords: Children’s Data Use and Access in Educational Settings and a world of AI, November 18 2024. Registration via Eventbrite

(3) The Bill page on the Parliament Website and the House of Lords Briefing page

(4) Also relevant: November 2019 EdTech briefing (download .pdf). v1.8

(5) Watch our short animation on your digital shadow and ask your MP to take action #MyRecordsMyRights.

For Bill updates as it progresses, see our policy page.