Data (Use and Access) Act comes into force

Organizations will be required to have an effective data protection complaints procedure and fulfil new requirements for online services that children are likely to use

The Data (Use and Access) Act has received royal assent and has now become law, with its various provisions coming into force over the next 12 months.

Updating the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), and the Privacy and Electronic Communications Regulations (PECR), it sets out how personal information can be used for research.

It loosens restrictions on some automated decision making, makes provisions for using some cookies without consent, and allows charities to send people electronic mail marketing without consent in certain circumstances. It also requires organisations to have a data protection complaints procedure and introduces a new lawful basis of recognised legitimate interests.

"For too long, previous governments have been sitting on a goldmine of data, wasting a powerful resource which can be used to help families juggle food costs, slash tedious life admin, and make our NHS and police work smarter," said technology secretary Peter Kyle.

"These new laws will finally unleash that power for hardworking people – putting cash back in pockets and boosting vital public services, all part of our Plan for Change."

The government is pushing the benefits to the NHS, saying it will ensure that healthcare information, such as a patient's pre-existing conditions, appointments, and tests, can easily be accessed in real time across all NHS trusts, GP surgeries, and ambulance services, no matter what IT system they're using.

Enabling data sharing across platforms, it said, will save NHS staff 140,000 hours a year in admin tasks.

"No longer will patients be left waiting needlessly for treatment as NHS staff battle 'computer says no' bureaucracy," said secretary of state for health and social care Wes Streeting.

"We're making it easier for GPs, nurses, and paramedics to access the information they need, when they need it, safely, securely, and at speed."

The Act gives the Information Commissioner's Office (ICO) new powers, including the ability to compel witnesses to attend interviews, request technical reports, and issue fines of up to £17.5 million or 4% of global turnover under the PECR.

The ICO has published a catalogue of resources to help explain what this new legislation means for businesses.

"Over the coming months we will launch new guidance, open consultations, and provide practical tools to help embed the Act's principles into everyday operations," said information commissioner John Edwards.

"Our goal is to ensure that data can be used confidently and responsibly to deliver better services, drive economic growth, and uphold public trust."

Organizations, said the ICO, should prepare by familiarizing themselves with the changes, making sure they're doing enough to satisfy the new explicit requirements for online services that children are likely to use and, if necessary, overhauling their complaints procedures.

There's more information from the government here.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.