Data (Use and Access) Bill: innovation or more of the same?

Published on 27 November 2024

The Data (Use and Access) Bill (“DUA Bill”) marks the UK government’s latest attempt to unlock the value of data in a rapidly digitising world. With its focus on accessibility, practicality and public benefit, the DUA Bill presents itself as a forward-looking framework for data governance.

But does it deliver transformative change, or is it merely a pragmatic iteration of its predecessor, the lapsed Data Protection and Digital Information Bill (“DPDI Bill”)?

Rather than scrutinising the DUA Bill’s sweeping ambitions and deviations from the DPDI Bill in their entirety, this article homes in on four key areas: legitimate interests, special category data, scientific research and automated decision-making.

Legitimate interests

The DUA Bill takes a notable step in simplifying the application of legitimate interests, offering organisations clearer guidance and reducing some of the administrative hurdles they face under UK GDPR. This is done via an amendment to Article 6 of the UK GDPR, which allows controllers to rely on “recognised legitimate interests” that are listed in Annex 1 of the DUA Bill.

If a recognised legitimate interest applies, the organisation processing the data can then skip the often-onerous legitimate interest assessment (LIA) entirely. While this is a win for practicality, the scope of application is limited to specific circumstances.

The recognised legitimate interests are designed for relatively discrete situations, such as disclosures to controllers for tasks carried out in the public interest or in the exercise of official authority (when the controller requests the data), safeguarding national security, protecting public safety and safeguarding vulnerable individuals.

The inclusion of these narrowly defined interests offers a clear, usable framework for organisations in critical areas of public interest. But it’s not all gain. One key omission stands out: “democratic engagement”, which featured in the DPDI Bill, has been dropped from the recognised legitimate interests list, which hints at a more cautious legislative approach in the DUA Bill.

The DUA Bill also includes a forward-looking aspect in the form of empowering the Secretary of State to amend the list of recognised legitimate interests. While this flexibility allows the framework to adapt to evolving priorities, it does come with safeguards. Any additions must align with specific public objectives under Article 23 of the UK GDPR and go through a structured approval process.

The result of all these changes? A more user-friendly approach to legitimate interests, particularly in critical areas of public interest and widely accepted business practices.

Practicality is certainly at the forefront, but it comes at the cost of some of the broader ambitions we saw in the DPDI Bill. Still, for organisations looking for clarity in navigating legitimate interests, the DUA Bill offers a more predictable, streamlined path forward.

Special category data

The DUA Bill approaches special category data with an emphasis on flexibility and future adaptability, introducing provisions that empower the Secretary of State to designate additional categories of sensitive personal data.

This extends the scope of the prohibition on processing under Article 9(1) of the UK GDPR, while also allowing for the definition of specific activities that could fall under this heightened protection.

Importantly, the DUA Bill also grants the Secretary of State the authority to determine how organisations might rely on the exemptions outlined in Article 9(2) for these new special categories. This could include stipulating specific conditions under which processing might be permissible, which creates a tailored framework for handling emerging types of sensitive data or activities that require stricter oversight.

For example, as technology evolves and new types of personal data (such as biometric identifiers or advanced health metrics) become more prevalent, this mechanism ensures the UK’s data protection framework can adapt. By allowing for the creation of additional special categories, the DUA Bill provides a route to future-proof the legal framework without the need for further primary legislation.

This approach signals a shift from the DPDI Bill, which focused more on clarifying existing rules than on expanding their scope. While this flexibility offers a proactive means of addressing future challenges, it also places significant power in the hands of the Secretary of State. Ensuring that this authority is exercised transparently and proportionately will be key to maintaining trust and balance between innovation and privacy.

Scientific research

While the DUA Bill doesn’t turn the world of research upside down, it does give the sector a few tweaks to smooth out some of the bumps in the road. By clarifying and broadening the rules for using personal data in research, the DUA Bill promises greater flexibility while holding onto the protections that researchers have grown used to under the UK GDPR.

First up is the reworking of what constitutes scientific research. The DUA Bill provides a catch-all definition, covering anything that “can reasonably be described as scientific,” whether it’s public or private, commercial or non-commercial.

It’s deliberately broad (perhaps a little too broad?) but the idea is to make it clear that all kinds of legitimate research are included. It also adds precision by bringing some previously scattered ideas into one place. For example, technological development, applied research and genealogical studies are now explicitly acknowledged as part of the scientific research family.

When it comes to consent, the DUA Bill introduces a practical solution to a common headache. Researchers can now seek consent for broad research purposes, even if the finer details aren’t nailed down yet. This flexibility reflects the reality of most research projects: they evolve. As long as ethical standards are respected and participants can opt out of parts they’re not comfortable with, it’s game on for organisations wanting to keep things moving without constant re-approvals.

For sensitive data, the DUA Bill simplifies things without losing sight of the need for safeguards. Sensitive data processing is fine as long as it’s necessary, anonymisation is the end goal or there’s no other way to fulfil the research’s purpose. However, causing harm or distress (or making decisions about individuals based on this data) remains a firm no unless it’s approved medical research.

Finally, the DUA Bill addresses the thorny issue of further processing. If your new use of personal data ties back to the original purpose or aligns with research or statistical goals, you’re likely in the clear. For researchers, this added clarity will be a welcome relief as it cuts down on the guesswork about whether a project can move forward.

Automated decision-making

The DUA Bill revamps the rules on automated decision-making (“ADM”), replacing the EU GDPR’s Article 22 with a more adaptable framework. The new rules aim to broaden the use of ADM involving personal data while tightening restrictions only when special category data is involved.

It also introduces the concepts of “meaningful human involvement” and “significant decisions.” ADM decisions are considered “solely automated” if there is no meaningful human input, with the definition requiring consideration of factors like profiling. Significant decisions, which echo the EU GDPR’s definition, refer to those with legal or similarly significant effects on individuals.

For ADM involving special category data, stricter safeguards apply. Such decisions are only permitted if:

  • the individual provides explicit consent;

  • the processing is necessary for a contract and serves substantial public interests under English law; or

  • the decision is authorised or required by law.

A key divergence from the EU GDPR is the looser approach to ADM involving non-special category personal data, which may proceed based on legitimate interests, provided adequate safeguards are in place. The DUA Bill outlines safeguards for all significant ADM decisions and requires organisations to provide individuals with information, allow representations, ensure human intervention and enable individuals to contest decisions.

As with the above aspects, the DUA Bill also empowers the Secretary of State to issue regulations defining meaningful human involvement, significant decisions and safeguard requirements.

Concluding thoughts

The DUA Bill sets its sights on data as a tool for societal progress, leaving behind the DPDI Bill’s preoccupation with legal reform. By focusing on accessibility and infrastructure, it offers a roadmap for making data work better - not just for businesses and researchers, but for public services and individuals.

While it doesn’t overhaul the rules for areas set out in this article, the DUA Bill does make strides in enabling their application. It’s pragmatic, purpose-driven and built for impact. The question is whether this foundation will be enough to meet the challenges of an increasingly complex data landscape - or whether more radical interventions will be required down the line.