Skip to main content
CLOSE

Charities

Close

Corporate and Commercial

Close

Employment and Immigration

Close

Environmental, Social, and Corporate Governance

Close

Fraud and Investigations

Close

Individuals

Close

Litigation

Close

Planning, Infrastructure and Regeneration

Close

Public Law

Close

Real Estate

Close

Restructuring and Insolvency

Close

Energy

Close

Entrepreneurs

Close

Private Wealth

Close

Real Estate

Close

Tech and Innovation

Close

Transport and Infrastructure

Close
Home / News and Insights / Insights / Data Protection and Digital Information (No.2) Bill – Key Changes

This will be the first in a series of short updates on the Government’s proposed Data Protection and Digital Information (No.2) Bill (the Bill). This series will consider: what key changes to the UK’s data protection laws are envisioned in the Bill; what those changes might mean for data controllers; and some practical steps to ensure data processes are compliant when the Bill is enacted.

The Data Protection and Digital Information (No.2) Bill is the Government’s second attempt at these reforms. It is a replacement for a bill of the same name that was introduced to Parliament last year and then withdrawn, hence this Bill being ‘No. 2’. The Bill is mostly the same as the previous bill, but there are a handful of important differences, which we will highlight in this series.

The Bill comes off the back of the Government’s consultation titled ‘Data: a New Direction’. The consultation proposed a wide range of changes, and this new Bill would bring some of those into law. The title of the consultation might have suggested a sharp turn away from the existing regime. In fact, the Bill focuses on renovating parts of the existing structure, rather than pulling it down and starting again.

The Data Protection and Digital Information No. 2 Bill as currently drafted covers a lot of ground. In this series, we will be focusing on the changes that are likely to have the most immediate impact on data controllers. The first of those is a change to the definition of ‘personal data’.

A new definition of personal data:

The UK GDPR currently defines ‘personal data’ as:

‘Data which relates to an identified or identifiable natural person (‘data subject’)’.

The recitals of the UK GDPR explain that ‘to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly’.

This means that when deciding whether data qualifies as personal data, a data controller currently has to consider not only the chance that the controller could identify someone from the data, but also the chance that ‘another person’ could. Who is ‘another person’ for those purposes? The UK GDPR does not currently explain, which means it is not always straightforward deciding how wide to cast the net. The ICO’s guidance, for example, suggests that:

‘You should assume that you are not looking just at the means reasonably likely to be used by an ordinary person, but also by a determined person with a particular reason to want to identify individuals. For example, investigative journalists, estranged partners, stalkers, or industrial spies.’

The Data Protection and Digital Information (No.2) Bill tries to clarify the position, by further defining when an individual is ‘identifiable’. A data controller would only need to treat an individual as ‘identifiable’ if one of the following conditions applied to the data:

  1. Where the living individual is identifiable… by the controller or processor by reasonable means at the time of processing; or
  2. Where the controller or processor knows, or ought reasonably to know, that:
    1. another person will, or is likely to, obtain the information as a result of the processing (including where the controller or processor fails to implement appropriate technical and organisational measures to mitigate the risk); and
    2. the living individual will be, or is likely to be, identifiable… by that person by reasonable means at the time of processing.

This change would limit the range of third parties that the controller has to consider when deciding whether an individual could be identified.

The scope of ‘personal data’ is further limited by the fact that the controller only has to consider whether the individual could be identified by ‘reasonable means at the time of processing’. The concept of ‘reasonable means’ is already found in the UK GDPR and the relevant ICO guidance, but the Bill codifies the concept. What is considered to be ‘reasonable means’ considers the time, effort, and cost involved in working out who the individual is. If it would be extremely costly and overly onerous for an organisation to identify an individual, then, under the Bill, that data would no longer be considered personal data.

The Data Protection and Digital Information (No.2) Bill would also make clear that controllers do not need to speculate about what means might become available in future to identify the individual. Controllers would only need to consider the methods available at the time they process the data.

In most cases it is already obvious whether data qualifies as ‘personal data’, and the Bill will not change that. However, the Bill would make it easier to answer this question in edge cases where the answer is less obvious. It should also make it easier to anonymise data, because the situations in which data is ‘identifiable’ will be narrower.

Key takeaways:

If the Bill becomes law, then it will be an opportunity for controllers to consider whether any of the data they are processing would no longer qualify as ‘personal data’. If data no-longer qualifies as personal data then it would be exempt from the data protection laws altogether.

In the next article we will focus on changes to the rules on using data for a new purpose, including use for research purposes. To learn how our data protection team could assist you, please visit the Information Law and Data Protection homepage.

Related Articles

Our Offices

London
One Bartholomew Close
London
EC1A 7BL

Cambridge
50/60 Station Road
Cambridge
CB1 2JH

Reading
The Anchorage, 34 Bridge Street
Reading RG1 2LU

Southampton
4 Grosvenor Square
Southampton SO15 2BE

 

Reading
The Anchorage, 34 Bridge Street
Reading RG1 2LU

Southampton
4 Grosvenor Square
Southampton SO15 2BE

  • Lexcel
  • CYBER ESSENTIALS PLUS

© BDB Pitmans 2024. One Bartholomew Close, London EC1A 7BL - T +44 (0)345 222 9222

Our Services

Charities chevron
Corporate and Commercial chevron
Employment and Immigration chevron
Environmental, Social, and Corporate Governance chevron
Fraud and Investigations chevron
Individuals chevron
Litigation chevron
Planning, Infrastructure and Regeneration chevron
Public Law chevron
Real Estate chevron
Restructuring and Insolvency chevron

Sectors and Groups

Private Wealth chevron
Real Estate chevron
Transport and Infrastructure chevron