Data Use and Access Bill: An attack on rights?
Published: Tuesday 17 June 2025
The Data (Use and Access) Bill has many positive aspects, but might it be eroding rights? ...

The UK’s Data (Use and Access) Bill recently passed and is now awaiting Royal Assent to become the Data (Use and Access) Act 2025. While many see this as a step forward, and indeed there are some positive changes, there are some more concerning aspects of the bill that have the potential to undermine individuals’ rights:
- Subject Access Requests
- Automated processing
- Legitimate “interest”
- Broad research consent
- Digital ID
- ICO’s role and complaints
Subject Access Requests
The Act clarifies that organisations are only required to carry out “reasonable and proportionate” searches when responding to a Subject Access Request. On the surface, this might seem sensible to curb overly burdensome requests, but given my experience it seems likely this will be abused and organisations will find excuses to ignore the rights of individuals. Furthermore, there is now the ability for organisations to “stop the clock” on a request if they deem more information or clarification is needed.
When exercising my rights, I have had many issues, not least with the NHS and medical record access. I can only imagine what contrived excuses and bureaucratic hoops and hurdles are going to be used to obstruct individuals’ rights. It will be particularly interesting to see what the NHS makes of this as it relates to medical record access, something I have had significant headaches with previously.
Automated Processing
Prior data protection legislation protected against decisions based solely on automated processing that affect an individual. The new Act appears to leave the door open to a significant relaxation of these rules, making it easier for organisations to deploy automated systems (such as “AI”) without the same level of human oversight. Indeed, the definition of “meaningful human intervention” itself is open to interpretation.
The danger here is subtle but significant, as more aspects of our lives, from credit scores to job applications to waiting lists and treatment priorities, become subject to algorithmic determination. It’s already increasingly difficult to speak to a human when something goes wrong or needs correcting. Now imagine this encroaches into every aspect of your life.
Relaxing these safeguards risks key decisions being made by opaque systems, with the potential for less transparency. When applied to more sensitive areas of your life, such as healthcare, the potential for distress and harm is likely raised.
Broad Research Consent
Under the previous Data Protection law, consent for processing personal data, especially sensitive health information, generally needed to be specific and informed. This is now watered down and allows for more generic consent to “scientific research”, even when the precise purposes are not yet possible to identify. While some might argue this flexibility is vital for scientific discovery, it fundamentally undermines the principle of informed consent.
Even under the current legislation, the NHS has fallen foul of data protection laws; for example, the Royal Free shared data with Google DeepMind. Under the new Act, individuals could consent to data being used for “research” and, years down the line, find it being processed by a variety of previously unknown organisations for purposes they never envisaged or would have agreed to.
Watch this space for the next Cambridge Analytica or Care.Data scandal.
Digital ID
The Act lays the groundwork for digital verification services and digital identities. While the government maintains that the use of digital IDs will be voluntary, a critical omission in the legislation is the protected right for individuals to opt out and use an alternative. Now imagine digital ID is tied to every facet of your life: work, banking, utilities, healthcare, etc. It’s not mandatory though, right?
Increasingly, there are fewer and fewer alternatives to go about your life without the need to opt in to this digital world. While arguably it comes with some convenience, we should ask at what cost and, without protections, what road are we heading down? In its current form it will almost certainly come with consequences, and with a lack of legal protections it is often the more vulnerable and disadvantaged in society who suffer the most.
ICO’s role and complaints
To top it all, the ICO (Information Commissioner’s Office) has traditionally been the independent arbiter and enforcer of data protection law in the UK. The Data (Use and Access) Act will restructure the ICO, renaming it the “Information Commission,” and fundamentally alter its complaints handling process.
Under the new regime, individuals will generally be required to attempt to resolve their data protection complaints directly with the organisation concerned before they can escalate the matter to the Information Commission. It’s a shift towards “self-regulation”, which history has already shown is not working properly under the current regime. So things are only going to get worse, with individuals left out on a limb.
Conclusion
While it will be interesting to see where this bill leads in terms of innovation and smart data, it certainly leaves the door open to a tough time for individuals, who may find their rights further trampled by organisations already prone to disregarding the protections set out under the Data Protection Act of 2018.
From personal experience, I’ve found many organisations, particularly larger corporations and public sector bodies, have consistently failed to take their data protection duties seriously. Instead, they’ve often sought to deny or discredit individuals who’ve simply tried to exercise their rights or hold them to account.
Coupled with no protections around alternatives to digital, a world of AI, and a step towards “self-regulation”, we appear to be at a crossroads:
- one road leads to utopia, where our lives are simplified, automated and organisations treat us fairly;
- the other, a dystopian nightmare where we’re trapped in a digital matrix, powerless to change or control it.
Dan's Blog