First we had the Data Protection and Digital Information Bill, introduced by the last government and lost when the general election was called. Then came the Digital Information and Smart Data Bill, announced in the King’s speech in July but never enacted. And now we have the latest version, which has reached the House of Lords – now known as the Data Use and Access Bill.
Though much of the meat is recognisable throughout, each bill has differed, without necessarily developing, up to the present point. We are just starting committee stage of the latest Data Bill and I thought it was time to set out some of what the bill intends and some of how myself and others are hoping to amend it.
The government has set out variously that the Data Bill will pave the way for the “smart data” model to be used in more sectors; establish a trust framework for digital verification services; place the national underground asset register (NUAR) on a statutory footing; enable births and deaths to be registered electronically; apply information standards to IT services within health and social care to make patients’ data more easily transferrable across the NHS; and remove the requirement for police to log a justification each time they access someone’s personal data.
The government has also been keen to express the bill’s potential to “harness the power of data for economic growth, support a modern digital government, and improve people’s lives”. Putting a number on this, they believe the bill will bring an estimated £10bn boost to the UK economy across 10 years.
In particular, the government says the innovative use of the new smart data powers and the NUAR will drive economic growth across the UK by improving the way consumers, businesses and asset owners can safely share data to help workers, and the public make more informed decisions.
New smart data schemes
At present, open banking is the only example of a smart data scheme in the UK. Open banking was created here, and the measure of its success is that it has been replicated in well over 60 jurisdictions around the world – many of which have seized the initiative and gone much further and faster than the UK in developing open banking.
The UK must not lose our early advantage and move faster not just with open banking but, at pace, progress open finance, not least in obvious adjacent sectors such as energy.
As the government put it, this legislation will pave the way for the smart data model to be used in more sectors, as well as finance. Customers could be able to compare prices between energy providers, for example, allowing them to find better deals and reduce their energy use, boosting competition and ultimately the UK’s economy.
As an example, authorised third parties could act as an intermediary service for our data, allowing us to cancel one service and sign up for another with form filling becoming just a click of a button.
Generative AI, data protection, privacy and trust
If the government is to succeed with its stated ambitions, public trust will be essential to foster, at least more than partly through this legislation. Public confidence, business confidence, investor and innovator confidence fortunately flow from the self-same sources – clarity, consistency, coherence, and the safeguarding of fundamental rights, not least privacy.
Aligned to all of this, there are more than a mile of column inches devoted, daily, to the subject of AI. But what is AI without data, what is data without protection, privacy and citizens empowered to assert their data rights? As mentioned, much of the bill has survived its title changes – however, what has changed since the first bill was drafted is the advent of high-profile, general-purpose generative AI foundation models – you know the names.
It seems clear that recent developments in general-purpose AI have not been reflected, or considered, in relation to all that remains in the bill. One obvious example is the proliferation of automated decision-making across our economy and society in areas where no sectoral regulation and thus no redress exists – recruitment being but one example.
Thinking also of large language models (LLMs) and the voracious need for training data – so often scraped from the internet. The current approach is stretching existing data protection concepts – and law – well beyond their natural elasticity. Recurring research continually demonstrates that the public expects appropriate regulation of their data and appropriate information on how it will be used. The public expects – this bill must deliver.
In contrast to this public expectation, the bill currently contains provisions which would weaken safeguards for personal data, rendering enforcement more difficult as a consequence. If enforcement is more difficult, public trust will not be enhanced and public trust is essential – for data use, for smart data use, and for an effective data-driven economy that fulfils the ambition of improving people’s lives.
Does it go far enough?
That is the Bill as it is now. I will be setting out some of the suggested changes and the reasons for their inclusion. It is highly likely it will be this Data Use and Access Bill that will eventually pass. It is in all our interests that, on signing into law, it is in the best shape to protect citizens, promote innovation, drive forward the digital identity debate and enable and empower. It’s fair to say, at this stage, there is some distance to travel.
Lord Chris Holmes of Richmond is a member of the House of Lords. He is an advocate for the potential of technology and the benefits of diversity and inclusion and is co-chair of parliamentary groups on fintech, artificial intelligence, blockchain, assistive technology and the Fourth Industrial Revolution. An ex-Paralympic swimmer, he won nine gold, five silver and one bronze medal across four Games, including a record haul of six golds at Barcelona 1992.