Data (Use and Access) Bill

The bill was re-introduced by the new Labour Government with the aim to "harness the power of data for economic growth, support modern digital government, and improve people's lives". This bill is similar to the Data Protection and Digital Information Bill (DPDIB) introduced under successive Conservative Governments.


Key messages

Councils hold a unique position within the public sector technological eco-system where they hold information on every resident, exchange data with nearly every branch of government, and enable the digital economy in the places they serve.

This bill to improve data use and access and the support for the modernisation of digital government needs to give due consideration to the role Local Government can play and the support it needs to be able to improve people's lives.

The Local Government Centre for Digital Technology (LGCDT) will support the empowerment of local authorities to harness the potential of digital technology, driving innovation efficiency and improved services for communities across the UK.

Automated Decision Making

  • Regulatory certainty: In order to innovate responsibly and to maintain trust with communities, local government needs clarity on what is required to be compliant with statutory duties, such as data protection and the public sector equality duty. The legislation needs to provide certainty regarding ‘human involvement’ whilst allowing for councils to adopt a risk-based approach.
  • Compliance burden: Currently councils will be seeking assurance from the same big technology providers on their adherence to data protection - particularly throughout the development process. To save capacity and resources of both councils and vendors, a centralised assurance function, which would undertake assurance on data protection, equality considerations and other responsible innovation measures directly from vendors, should be introduced for the wider public sector.

Healthcare information

  • The LGA welcomes proposals to change how health and social care will share and access information across the system. This will ensure IT providers of council social care systems provide products based on technology and data standards that enable information to be accessed and shared more easily. However, the fragmented and vast size of the care market is not to be underestimated.
  • It is important that the proposed improvements to data flows in the health and care system put the person receiving health or social care at the centre. Technical standards should reflect this.

Legitimate interest reforms

  • We are concerned about powers that allow the secretary of state to add new categories as and when required. Councils will need to be resourced (including adequate briefing) to deal with any changes in their systems and processes as required.

Customer and business data

  • Councils will need to be adequately supported with sufficient resources to maintain levels of data maturity to establish strong foundations upon which to build ‘smart data’ models.
  • Some councils store their data in cloud services hosted within the EU. It is important that the Bill does not negatively impact the EU’s adequacy decision for the UK in 2025 in order to allow councils (and other organisations) continuous access to their data hosted there.

Online safety and child protection

  • The LGA strongly supports moves to require service providers to co-operate and assist with investigations into the deaths or other harms to children or young people, including where there may be links to material or interactions online. The retention of data in such cases could be of high importance, including to bodies with safeguarding responsibilities.

National Underground Asset Register (NUAR)

  • We recognise the importance of NUAR in bringing together information from many organisations, including local authorities. The resulting register will become a key piece of national infrastructure, but it will be essential to support councils in meeting this new duty through providing new burdens funding.

Digital verification services

  • The Bill misses the opportunity to take a positive, inclusive step and codify a right for members of the public to use non-digital ID where it would be reasonably practicable to use. Such a right is vital to protect privacy and equality in the digital age.
  • The framework currently lacks important safeguards and human rights principles that prevent the broad sharing of the public’s identity data beyond its original purpose. Consistency of approach between organisations is important to maintain standards.
  • Local government will need additional support to ensure they are able to support digital verification roll outs. As more services move online, digital inclusion must continue to be considered a strategic policy priority.
  • We look forward to working with the government on plans to update and modernise the current Digital Inclusion Strategy.

Births and deaths register

  • S62 requires local authorities to provide and maintain equipment and facilities that the registrar general considers necessary for registrars to carry out their functions on records retention. If implemented, councils will need to be adequately resourced to carry out this duty.

Cyber security

  • Cyber security demands continuous investment to address legacy IT and manage and mitigate new vulnerabilities. If the investment is not continuously prioritised, there are concerns that councils will fall under the ‘cyber poverty line’ and no longer invest in what should be regarded as essential security measures. It is crucial that funding continues to be made available for sector-led improvement.

Overview

The bill was re-introduced by the new Labour Government with the aim to "harness the power of data for economic growth, support modern digital government, and improve people's lives". This bill is similar to the Data Protection and Digital Information Bill (DPDIB) introduced under successive Conservative Governments.

Alongside the bill, on 10 October, the government published a policy paper Next Steps to Make Work Pay. This outlined its wider approach to employment rights, including some reforms outside of this bill, and set out the government’s intentions for future consultations and implementation of some of the measures in this bill.

This bill is less compromising to EU data protection frameworks than previous iterations of the bill. There has been removal of changes to the independence of ICO and requirements for DPOs, whilst DPIAs have been retained in this new iteration.

State of data in councils

  • Councils hold a unique position within the public sector technological eco-system where they hold information on every resident, exchange data with nearly every branch of government, and enable the digital economy in the places they serve.
  • Councils face challenges in effectively utilising their data due to quality issues, availability limitations, and difficulties in sharing data with other organisations. These challenges stem from data silos, varying data formats, conflicting data sharing agreements or interpretations, and differing risk appetites across councils and services. There’s also limited adoption of data standards in systems by suppliers which acts as a further barrier. This fragmented data landscapes as well as a lack of regulatory coherence is hindering digital adoption by impeding the development and deployment of digital solutions, potentially leading to duplicated efforts and increased costs.
  • Councils are facing increasing cyber risks. The digitalisation of data across the public sector outlined in this bill highlights the enhanced cyber security support need for local government. If the investment is not continuously prioritised, there are concerns that councils will fall under the ‘cyber poverty line’ and no longer invest in what should be regarded as essential security measures. It is crucial that funding continues to be made available for sector-led improvement with local accountability and collective responsibility at its heart.
  • This bill to improve data use and access and the support for the modernisation of digital government needs to give due consideration to the role Local Government can play and the support it needs to be able to improve people's lives. There also needs to be investment to ensure that the sector is digitally ready by offering support to strengthen data foundations.
  • The Local Government Centre for Digital Technology (LGCDT) will support the empowerment of local authorities to harness the potential of digital technology, driving innovation efficiency and improved services for communities across the UK. The LGCDT will provide a collaborative focus for local authorities, central government, industry experts and community stakeholders, to address unique challenges and opportunities facing Local Government in the digital age. By sharing knowledge, co-creating solutions, and driving innovation, the LGCDT will enable local authorities to overcome shared challenges, and unlock new opportunities through collective action. Specifically, a data-sharing and standards function within the Centre would revolutionise Local Government operations. This would establish protocols for data handling, build a secure exchange platform, and champion a data-sharing culture that enables a better use of digital technology, wider service reform, and greater value for money.

Automated decision making (ADM) (S80 and Schedule 6)

The bill introduces regulatory changes that should make it easier to use ADM. The bill seeks to reduce the scope of application of Article 22 under GDPR, to allow wider use of ADM in all but cases where special category data is used. Within the bill, associated safeguards have been put in place to reduce the risks to individuals.

Under new article 22A, a decision would qualify as being “based solely on automated processing” if there was “no meaningful human involvement in the taking of the decision”. A decision would qualify as being a “significant decision” if it produced “a legal effect for the data subject” or had a “similarly significant effect for the data subject”. New article 22D would give the secretary of state the power to make regulations to describe cases that are or are not to be taken to have meaningful human involvement, or what is or is not to be taken as a significant decision.

LGA view: Automated decision making (ADM) (S80 and Schedule 6)

It is expected Article 80 of the bill would facilitate the greater use of ADM in councils alleviating some of the data restrictions that prevent wider AI use and presents opportunities for transformative AI and digital solutions to be embedded in public services. To do so safely, councils need clarity in what constitutes compliance with data protection law and the public sector equality duty. Councils are independent political bodies and play a part in setting the local level of scrutiny and accountability needed for their local context. Many councils are establishing governance mechanisms and frameworks to embed ethics and define the level of human involvement expected. A clearer direction should include allowances for individual council discretion to ensure councils can adapt the level of human involvement to match risk appetite depending on use case application and the council’s assessment of local need.

There are concerns related to the role of the Secretary of State (SoS) for the Department for Science, Innovation and Technology (DSIT) being able to legally change what constitutes ‘human involvement’. If any changes are to be made, the LGA would need to reflect on these individually and assess the potential impact on local authorities. Where necessary, the LGA will work with DSIT to raise concerns. Councils are accountable for compliance with data protection law which is vital in ensuring safe and responsible deployment of ADM. There needs to be clarity and support for councils to ensure that it doesn’t undermine public trust, and political discretion may not provide that clarity.

This proposal risks contravening the Convention on AI that the UK government signed up to earlier this year, creating further regulatory uncertainty and incoherence for councils. Concerns have been raised by a number of significant data rights and advocacy groups as to the implications of article 80. There is a risk that if there is a loss of trust in AI and ADM technologies, through concerns related to human rights, equity and justice, this will significantly impact trust in councils, trust in decision making and councils ability to deliver public services that respond to local needs.

The DUA's widening of the permitted use of personal data in automated decision-making technologies could, if passed in its current form, open the door for organisations to more easily leverage AI systems and therefore could result in AI products coming to market quicker in the UK in comparison to the EU. However, councils are already struggling with the assessment of safe and trustworthy private sector tools and need significant support to be able to responsibly procure and deploy AI tools that are coming into the market. We would welcome clear direction and for the regulator or Government to undertake coordinated assurance of key suppliers to ensure that developers are adhering to legal duties in the development and training of models and are integrating meaningful human oversight at all stages of deployment. There is a significant compliance burden on councils to assure meaningful oversight which is made more challenging by the significant power imbalance, and information and capabilities asymmetry that often exists between councils and technology companies. Undertaking this centrally in a coordinated way across the public sector would address the compliance burden and provide greater assurance for councils.

Healthcare information (S119 and Schedule 15)

The bill proposes changes to how health and social care will be better ready to share and access information across the health and social care system.

LGA view: Healthcare information (S119 and Schedule 15)

This is welcome news as this will ensure the IT providers of council social care systems provide products based on technology and data standards that enable information to be accessed and shared with relevant health systems more easily (and, potentially, to be used more effectively within the council). Although considerable work has already been done across the sector to establish Minimum Operational Data Sets (MODS), this proposal will be a step change in improving data flows further.

However, we have some concerns that the bill reads as a power to regulate rather than defined actions. The fragmented and vast size of the care market is not to be underestimated and therefore we recommend the following:

  • Proposed changes should build upon existing infrastructures and information standards and involve sector and stakeholder co-production, engagement and consent to standards.
  • Assuming there is an expectation that the health and social care sector (including local government) refines its existing data to fit the new standards, then central funding and resource must be made available for implementation, the cost of which has been validated by the sector.
  • Significantly, a strategic programme for interoperability and systems infrastructure overall, with the technical and data standards as core to this, should be developed: this will provide a clear picture and roadmap for health and care providers, local government and IT suppliers. This work should be adequately resourced.

Finally, it should not be forgotten that the proposed improvements to data flows in the health and care system should put the person receiving health or social care at the centre, since it is their data. Technical standards should reflect this.

Legitimate interest reforms (S70 and Schedules 4 and 5)

The bill proposes to revise what is meant by legitimate interests. There will be a new annex into GDPR that would set out what would qualify as a recognised legitimate interest.

LGA view: Legitimate interest reforms (S70 and Schedules 4 and 5)

We would welcome research into the proposed increases, and therefore new burdens, this reform would have on councils with an increase of requests for data.

There also needs to be cross-reference to definitions within the Care Act for those receiving care and support. The Care Act made an effort to remove the term 'vulnerable individuals'. We would suggest the proposed wording should take account of the CDDO’s workstream on defining vulnerability.

We are concerned about powers that allows the secretary of state to add new categories as and when required. Councils will need to be resourced (including adequate briefing) to deal with any changes in their systems and processes as required.

Customer and business data (Part 1)

The bill proposes to roll out the ‘smart data’ model that is currently used in open banking within the finance sector. This requires industries to follow data standards and organisations face financial penalties for failing to comply with regulations.

The bill will create the conditions to support the future of open banking and the growth of new smart data schemes. These models allow consumers and businesses who want to safely share information about them with regulated and authorized 3rd parities to generate personalised market comparisons and financial advice to cut costs. 

The bill will codify the principle that data controllers have an obligation to carry out reasonable and proportionate searches for personal data in response to subject access requests. The bill also provides a new right of complaint to the controller by the data subject.

LGA view: Customer and business data (Part 1)

The bill reads more as a power to regulate rather defined actions and duties. It would be useful to know what sectors and industries are earmarked for this transformation.

Councils will need to be adequately supported with sufficient resources to ensure sufficient levels of data maturity to establish strong foundations upon which to build ‘smart data’ models. Such examples include addressing the legacy systems used within councils.

We recognise the need for a centralised authority to develop data standards across different sectors and the proposed Local Government Centre for Digital Technology (LGDCT) outlined in the LGA’s white paper would fit the needs of councils.

Rights of data subjects

The bill will amend chapter 5 of the UK GDPR, which covers transfers of personal data to other countries and to international organisations. Changes to rules on data exports including the ability of the Secretary of State to approve third countries, and the introduction of a data protection test to assess whether the third country or international organisation has a standard of data protection not materially lower than that in the UK.

LGA view: Rights of data subjects

Some councils store their data in cloud services hosted within the EU. It is important that the Bill does not negatively impact the EU’s adequacy decision for the UK in 2025 in order to allow councils (and other organisations) continuous access to their data hosted there.

S85 also makes changes to safeguards for processing for scientific or historical research purposes. We would welcome clarity as to whether this power allows councils to use data for these purposes including, but not limited to, public health and epidemiology.

Information Commissioner

The Information Commissioner’s Office (ICO) will become the Information Commission (IC) and have a new corporate structure. It will also have additional information gathering and investigatory powers.

The bill proposes to confer a new power on the Information Commissioner to compel a person to attend an interview (including where the Commissioner suspects that a criminal offence has been committed) – this has been carried over from previous draft bills. It is a power that is unlikely to be used often but adds to the tools available to the Commissioner.

LGA view: Information Commissioner

There is a crucial need for strengthened regulation that compels organisations to act in the interests of protecting vital public services and resident data in the event of a cyber incident. This includes ensuring that customers are aware of any incidents and the risk posed as a result.

 

Public service delivery and research

The bill allows for personal data to be used to improve public service delivery and for research purposes, including online safety and child protection, in a similar way to the E.U.’s Digital Services Act. As part of this, internet service providers must retain information in specific cases, such as the investigation of minors’ deaths. New special category data flexibility.

LGA view: Public service delivery and research

The LGA strongly supports moves to require service providers to co-operate and assist with investigations into the deaths or other harms to children or young people, including where there may be links to material or interactions online. The retention of data in such cases could be of high importance, including to bodies with safeguarding responsibilities.

National Underground Asset Register (NUAR)

In the bill, NUAR, a digital service mapping underground infrastructure, will become mandatory for over 600 asset owners, streamlining data sharing and reducing accidental strikes on buried assets.

An initial private beta (development) version of NUAR is already live across England, Wales, and Northern Ireland. It includes data from over 200 asset owners, including most of the major energy and water providers, several major telecoms companies, and some smaller providers, transport organisations and local authorities.

LGA view: National Underground Asset Register (NUAR)

We recognise the importance of NUAR in bringing together information from many organisations, including local authorities. The resulting register will become a key piece of national infrastructure, but it will be essential to support councils in meeting this new duty through providing new burdens funding.

Local government organisations often have an added step of liaising across departments/teams for data in order to respond to requests or data requestors having to contact different parts of the same organisation for complete data. NUAR will help address this by enabling public bodies to upload data how they see fit. Organisations with central teams could assign one user to share all updates with NUAR. Alternatively, where data is held separately, different departments could be responsible for sharing different datasets, eliminating the need for this to be coordinated centrally. Furthermore, these organisations will no longer require the use of in-house teams or procured services to respond to requests for data for the purposes of safe digging, they could refer all requests to the NUAR service.

Digital verification services

The bill introduces a regulatory framework for the provision of digital verification services in the UK. This allows companies to get certified against the framework for verification tools. Clause 45 would allow public authorities to disclose information about an individual to a registered DVS provider if the individual had requested DVS from the DVS provider. However, clause 45 would not authorise a disclosure of information that would breach data protection legislation.

LGA view: Digital verification services

The framework currently lacks important safeguards and human rights principles that prevent the broad sharing of the public’s identity data beyond its original purpose. Further, the Bill misses the opportunity to take a positive, inclusive step and codify a right for members of the public to use non-digital ID where it would be reasonably practicable to use. Such a right is vital to protect privacy and equality in the digital age. The right to use a non-digital ID where practicable would protect accessibility, inclusion and people’s choice in how they choose to verify their identities when accessing public and private services, legally protecting the millions of people who cannot or do not want to hand over personal identity data online where an alternative is reasonably practicable.

The inclusion of local government and the reality of local service delivery must be considered by Government in the implementation of these proposed regulation. Local government will need additional support to ensure they are able to support digital verification roll outs. As more services move online, digital inclusion must continue to be considered a strategic policy priority. Councils play a key role in addressing digital inclusion in communities, particularly as they interact with the most vulnerable people in our society. We look forward to working with the government on plans to update and modernise the current Digital Inclusion Strategy. Specific design priorities should include the needs of those who are digitally excluded or who have concerns about their digital profile or are simply excluded for other reasons such as health, education, minority status, economic position, or language.

We welcome the proposal that public authorities could charge fees to the DVS provider for sharing the information, as this will help cover some of the costs councils may face.

It is equally important to note that Trading Standards teams have been significantly underfunded over recent years. Whilst standards for digital verification is welcome, it is essential that officers are trained and resourced effectively.

Births and deaths register

The bill removes the requirement for registers of births and deaths to be held in paper form which we welcome. S61 in particular gives power to the registrar general to determine the form in which registers are to be kept. This will also remove the 1953 requirement that require quarterly returns as these would not be needed with an electronic system.

LGA view: Births and deaths register

A point of concern is under S62, which requires local authorities to provide and maintain equipment and facilities that the registrar general considers necessary for registrars to carry out their functions on records retention. There will need to be adequate resource for councils to carry out this duty. We would welcome a report that assesses how ready the market is and the value for money councils can achieve through effective procurement.

 

Enhanced cyber risks

The bill includes overarching implications on data use that could have the potential to put increased strain on council's cyber security capabilities. The amount of digitalisation of public sector data such as through NUAR, and births and registers, could put increased strain on an already vulnerable local government sector facing increasing threats. Cyber security demands continuous investment to address vulnerabilities associated with legacy IT and manage and mitigate new vulnerabilities that may arise from increasing digitalisation. If the investment is not continuously prioritised, there are concerns that councils will fall under the ‘cyber poverty line’ and no longer invest in what should be regarded as essential security measures. It is crucial that funding continues to be made available for sector-led improvement with local accountability and collective responsibility at its heart.

LGCDT

In the run-up to the General Election, the LGA published its Local Government White Paper, which sets out councils' urgent priorities for a new Government. In it, we called for the establishment of a Local Government Centre for Digital Technology (LGCDT); one which would use technological innovation to deliver reform and promote inclusive economic growth across councils. The case for this is clear.

The financial strain on Local Government, exacerbated by years of reduced funding, has hindered investment in digital infrastructure and training. Legacy systems, often incompatible across central government departments, councils and public sector partners, impede data sharing and hinder service reform. Resistance to change and a shortage of digital skills among staff further complicate the adoption of new technologies. Meanwhile, cyber security threats and data privacy concerns loom large, demanding constant vigilance and compliance.

For it to be effective, the LGCDT must be a well-resourced, authoritative entity capable of spearheading change. This necessitates substantial investment, acknowledging the scale of the challenges and the potential rewards. Leveraging the LGA's existing capabilities, an expanded LGCDT could become a unified voice for Local Government, advocating for the resources and policies needed to create a truly digitally enabled sector.

By embracing digital transformation, Local Government can deliver more efficient and effective services, foster resident engagement, stimulate economic growth, and build a more inclusive society. If we seize this opportunity, we will not only empower Local Government, but we will also build a brighter digital future for the communities they serve.

 

Contact

Archie Ratcliffe, Public Affairs and Campaigns Advisor 

Email: [email protected]