There are bold claims in the government’s communication about the - newly renamed - Data Use and Access Bill, laid in the House of Lords last night. Among the promised outcomes from the measures contained in the Bill are:
- Cutting down on police bureaucracy - saving 1.5 million hours of officers’ time and saving £42.8 million each year.
- Making patients’ data easily transferable across the NHS, freeing up 140,000 hours of NHS staff time annually.
- Boosting the UK economy to the tune of £10bn a year.
Overall, the Bill represents a shift in approach to data policy, aiming to "harness the power of data for economic growth, support modern digital government, and improve people's lives" although opinions vary as to how different it is - in real terms - to the previous Data Protection and Digital Information Bill (DPDIB).
Importantly for the ODI - as members of the Smart Data Council - the Bill lays out the conditions to support the future of open banking and the growth of new smart data schemes. These are models that allow consumers and businesses to safely share information about them with regulated and authorised third parties. The Bill gives the Science and Technology Secretary and HM Treasury (HMT) the power to introduce new schemes through regulations that will specify a scheme's scope. These include:
- Who is required to provide data.
- What data they are required to provide.
- How and when they must provide that data.
- How that data is secured and protected, including who authorises access to the data.
The UK General Data Protection Regulation (GDPR) allows individuals to obtain and reuse their personal data. Smart data takes this further by allowing consumers to request data about them be directly shared to authorised and regulated third parties, while establishing a supporting framework to ensure data security.
It’s hoped that this will create the conditions to expand smart data schemes in sectors including energy, housing, and transport, with consequent growth in the UK economy. This builds on the success of open banking, where 82 firms alone raised over £2 billion of private funding and created over 4,800 skilled jobs in the financial year 2022-2023.
Other measures
NHS data
There’s an acknowledgement of a need to strengthen the digital and data infrastructure of the NHS: “To unlock the full potential of the NHS, we need to strengthen the underlying infrastructure, improve data quality, and radically enhance the user experience. Only then can we leverage innovative technologies and ensure the long-term sustainability of the NHS.” This builds on the announcement - on Monday - of a consultation on a 10-year reform plan for the health service, although some question whether the provisions contained within the Bill differ significantly from what was previously contained in the DPDIB.
Speaking on Monday, the ODI’s co-founder and executive chair, Sir Nigel Shadbolt responded to the announcement of the NHS consultation, saying that:
- The NHS has a complex history with large IT solutions; it requires consensus and multiple voices for effective implementation.
- Strong data governance is essential to ensure proportionate and appropriate access to sensitive health data.
- There is a need to address the ‘unfashionable’ topic of the necessary data infrastructure for interoperability and usability.
- Investment is needed in open standards for data access - to overcome the problem of standards being locked down by the owners of proprietary systems.
- An emphasis on high standards of governance and modern security measures is essential.
- Multiple providers are needed to build and maintain the data infrastructure, not just one company.
- We must agree on data discovery, access, and interoperability principles.
- Potential benefits include providing insights across the entire population's health data.
To be welcomed in the Data Use and Access Bill are the acknowledgement that data is infrastructure and the introduction of the concept of “information standards”. In relation to the health and adult social care sector, these are set out - in the Bill - to be focused on the processing of patients’ information.
Allowing information to be shared easily and in real time between organisations that use different systems would be a huge step forward for the NHS and the wider public sector. However, as we have said, multiple providers, not just one company or organisation, are needed to build and maintain this data infrastructure. An example of successful data access initiatives in health is the OpenSAFELY project at Oxford, led by Ben Goldacre. In this initiative, research queries are processed through linked patient records with transparency and accountability in design and operation.
Above all, data use and access must be designed and delivered in the national interest and according to our values, not in ways that disproportionately benefit the owners of proprietary systems. So, specifically, how the provisions in the Bill are enacted will be crucial.
NUAR
Also included in the Bill are plans to put the National Underground Asset Register (NUAR) on a statutory footing. This would mandate the owners of underground infrastructure, such as water companies or telecom operators, to register their assets on the NUAR - a complete map of underground pipes and cables. The government anticipates that this could reduce the risk of accidents on underground water and energy pipes and broadband cables, which currently amount to 60,000 annually and cause prolonged disruption of roadworks and access to essential amenities like energy and broadband to homes.
Digital Verification
The Bill also includes legislation for digital verification services - meaning that companies providing tools for verifying identities will need to get certified against the government’s trust framework of standards and receive a ‘trust mark’, via the UK digital identity and attributes “trust framework”. The government expects this to lead to efficiency gains and a boost to the UK economy of £4.3 billion over 10 years. The new Office for Digital Identities and Attributes (OfDIA) will manage this process, which involves agreeing:
- Not to ‘profile’ users for third-party marketing purposes
- Not creating large datasets that could risk revealing sensitive data about users
- Explicitly confirming that users understand how their data is being shared, whenever this happens.
What the Bill does not do is to mandate national digital ID cards. Using digital ID will be voluntary and people will still be able to prove their identity using physical documents. At the ODI we see potential in rolling out digital verification services that enable individuals to maintain control over data about them, while authorising it to be shared with digital identity services. A new category of Privacy Enhancing Technologies (PETs) could make this possible. For example, Solid, which the ODI now stewards, provides a user-centric data model where individuals control data about them through personal online data stores - Pods. The approach gives data holders greater transparency over who accesses their data and builds trust in its use. This user-empowered model could be key to designing public data infrastructure that citizens trust.
Online harms
The Bill also aims to boost the UK’s approach to tackling online harms through a power that creates a researcher data access regime. This aims to support researchers in accessing data held by online platforms so they can conduct robust and independent research into trends. The intention is to increase transparency and evidence on the scale of online harms and to analyse the efficacy of measures for tackling them.
Our early view
The Bill document is 262 pages long - so we might need a bit more time to read through it in detail! - but on first reading, we broadly welcome this fresh start. The focus on smart data schemes shows promise, building as it does on the success of open banking—which we helped catalyse. These schemes could (and, done well, should) enable secure, consumer-controlled data sharing across sectors, driving innovation while maintaining trust.
We are pleased that the Information Commissioner’s Office (ICO) will retain its independence. This is in contrast to the previously proposed DPDIB - which fell just before parliament dissolved ahead of the General Election - where there was a proposal to bring the ICO under ministerial control.
As expected, early commentary has pointed out that, done badly, the changes in data laws could compromise the security and protection of public sector data, vesting it in the hands of big tech firms, who might leverage too much control in their roles as proprietors of the systems that might be used. This opens up the risk that the infrastructure is not run in the national interest but in the interests of private companies. There are also concerns that automating data protection tasks could lead to unintended consequences, including the sharing - or mis-sharing - of personal data. Campaigners have warned that there must be ongoing human oversight of this work. This is something that the ODI repeatedly advocates for, and will continue to do so.
Overall, the success of this legislation will depend on its implementation. Key areas we'll be watching - and contributing to - beyond our recent Policy Roadmap - as the Bill progresses include:
- Specific provisions around ICO independence and powers
- Details of data protection reforms
- Frameworks for algorithmic transparency
- Support for data intermediaries
- Implementation plans for smart data schemes
- Technical standards for digital verification services
- Integration opportunities with existing open standards
- Requirements for interoperability and data portability
- The balance between open and smart data approaches
- The interplay between the UK’s Internal Market legislation and areas of devolved competencies in the UK’s nations and regions.
This Bill represents an opportunity to shape a data ecosystem that works for everyone. Building on proven successes like open banking, leveraging existing technical standards like Solid, and maintaining a balanced approach to open and smart data could help deliver innovation and trust—as well as potentially aid the Government in delivering some of its five Missions.
The principles underlying smart data schemes and user-centric technologies show how we can empower individuals while enabling innovation. Combining clear legislative frameworks and robust technical standards could create a data ecosystem serving everyone's interests.