The consequences of ignoring time in the UK Data Use and Access Bill #DUABill
Blog / January 21, 2025
The law must be fair, and foreseeable. Even the most informed data ‘subject’ (parent or child) cannot be expected to be clairvoyant, and to have foreseen that decisions they made around data permissions given, say, five years ago, would be revoked by the forthcoming Data Use and Access Bill.
Policy shifts, such as in this Bill, can change how data is categorised and handled over time by recategorising it as of the law’s commencement date. Such changes affect its characteristics and governance.
If the new law applies to any public administrative datasets, collected or processed, before the commencement date, how will it affect what people were told and their reasonable expectations?
Changing the definition of “research” is not only about what the data is used for. It entirely rewrites the foundations of the relationship between the person the data is from and re-users, and seeks to trump the fundamental human right of personal privacy with data use and access by companies.
As-is, these changes will adversely affect the rights of data subjects, destabilise public trust and create legal ambiguity about what went before. Simply put, the new law should not be applicable to any public administrative datasets that were collected or processed before the commencement date, especially for sensitive data.
Bill recommendations summary
To address these challenges, the Data Use and Access Bill must uphold core data protection principles that prioritise protection of the data subject above use and access:
- Transparency and Accountability: Ensure ongoing communication duties with data subjects to maintain trust and respect rights. Scrap the changes around fair processing (Clause 77) and extending consent (Clause 70-71), and keep the balancing test in Recognised Legitimate Interests, with no Henry VIII powers to further expand the list in the future.
- Data Minimisation and Quality Control: Focus on creating purpose-built datasets rather than relying on large, unverified ones that decay over time and are subject to contextual collapse.
- Children’s Data and Vulnerabilities
Special protections being discussed for what is labelled “children’s data” raise new questions. “Do these protections apply only at the time of collection because the person the data is about is aged under 18, or do they persist as a characteristic of the data even after the person it is from ages into adulthood? Data from a sector as defined by other laws work around this problem e.g. covering the collection of data pertaining to the definition of a pupil in other laws, rather than a child. The concept of a “clean slate,” as proposed by the High-Level Expert Group on AI (HLEG), goes some way to solving this issue. However, current practices fail to provide such safeguards as the law states are necessary, of which the National Pupil Database is the prime case study of cumulative failure to tell the public what was done with data about them over time.”
- Strengthen safeguards on the face of the bill: Strengthen safeguards for sensitive data, ensuring people live free from lifelong profiling or misuse. Ensure that no additional privacy-intrusive data is made necessary to process by accident, for data controllers to determine who is ‘vulnerable’ or who is ‘a child’ (DUA Bill schedule 4) solely to comply with the new law (respect for the GDPR Recital 57 applies here).
“If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.”
- Reject the Commodity Model: Resist the U.S. framing of data as a tradable asset and changing public interest research definitions to encourage wider commodification of our lives in data (Clause 67). Instead, recognise the contextual and temporal nature of data, and the importance of the European human rights based regime that we have upheld for 75 years for good reason.
- Set time constraints for the new regime to uphold public trust: the new law should not be applicable to any public administrative datasets that were collected or processed before the commencement date, especially for sensitive data.
If its changes go ahead as planned, the underpinnings in key areas of two out of seven fundamental principles of data protection law, namely fair processing and purpose limitation, fall away. Some changes in this bill go even further, particularly applied in combination.
Re-defining as “research” any personal data re-use that was not research in the past grants data users additional research exemptions from obligations under further data protection principles, namely (Article 89) all those that routinely apply to research: right to object, storage limitation, obligations to respect Subject Access Requests, and accountability obligations. Those exemptions would not apply today to the same personal data. These exemptions “shall be subject to appropriate safeguards for protecting the rights and freedoms of the data subjects involved”, but this bill doesn’t detail meaningful safeguards, for example to protect people from commercial exploitation against their will without permission. Where is an obligatory opt-in or out process? Where are research protections like time limited use and metadata requirements?
The new Bill should also require, for example, ethics committee oversight, or consideration of a duty of confidentiality, as public interest research would, and underpin reasonable expectations that should carry across in time, from one regime to the next.
- Defend Digital Me Briefing for Second Reading (For 19 November 2024) download .pdf 319kB v2.0
- Hansard Committee Stage Day 2 (December 10, 2024) https://hansard.parliament.uk/lords/2024-12-10/debates/0FC43302-4C6D-4676-A6B5-E369366CA99F/Data(UseAndAccess)Bill(HL) and our write up
- Hansard Second Reading (November 19, 2024) https://hansard.parliament.uk/lords/2024-11-19/debates/6B196F71-312C-4957-AF14-98B66C5DBEE4/Data(UseAndAccess)Bill(HL)
- DPDI Bill (relevant on research and Legitimate Interests) Legal Opinion from Stephen Cragg KC. [download as pdf]
- The Bill page on the Parliament Website and the House of Lords Briefing page and Explanatory Notes