Regulatory Policy Committee
class="gem-c-govspeak govuk-govspeak gem-c-govspeak--direction-ltr govuk-!-margin-bottom-0">
The Data (Use and Access) Bill was introduced on 23 October 2024 and seeks to update and simplify the UKs data protection framework, It includes measures relating to areas such as digital identity and smart data covering areas of policy responsibility from a number of government departments.
The RPC previously issued a fit for purpose opinion on the impact assessment (IA) relating to the DPDI Bill introduced in the previous parliament (in March 2023) - here.
The current IA sets out the differences between the present Data (Use and Access) Bill and the Data Protection and Digital Information (DPDI) Bill. The IA provides sufficient evidence and analysis for the RPC to be able to validate a revised EANDCB figure. The assessment of impacts on small and microbusinesses is sufficient.
There are some areas for improvement in the wider analysis. The IA notes that indicative analysis of those measures in the current Bill that formed part of the DPDI Bill has been updated to reflect consultation responses, discussions with cross-government experts and external consultants, and assessment of the latest available literature. The new IA notes that the current Bill includes new measures not in the DPDI bill and makes substantial changes to previous measures. The present IA also assesses the impact of these changes and new measures. These changes include:
- Previously separate proposed legislation in the last parliament to establish a National Underground Asset Register (NUAR) has been included in this Bill. An IA related to the previous measure was rated fit for purpose by the RPC in October 2023; the present IA updates the analysis for this.
- The removal of measures reforming the accountability framework, subject access requests, data minimisation and anonymisation policies and high-risk processing.
- Revisions to proposed Home Office measures, including the addition of processing in reliance on relevant international law, power to add categories of sensitive processing, supporting police to retain biometrics received as part of international cooperation and clarifying conditions on the use of international processors by UK competent authorities.