The Data (Use and Access) Act

The Data (Use and Access) Act has had a chequered past. Its origins lie in the previous government’s attempts to revise data protection legislation following Brexit which never quite made it over the line and now, two dropped bills later, we finally have the Data (Use and Access) Act.

While much of the original interest in the legislative changes was focussed on data protection, the emphasis latterly has been on the use of material protected by copyright to train AI and the batting of the Bill between the Houses of Commons and the Lords to try to formulate an acceptable solution.

In terms of data protection, the regime changes introduced by the Act are far less revolutionary than those originally intended by the Act’s failed predecessors, the Data Protection and Digital Information Bills.

Many of the changes introduced by the Act revise existing best practice and give statutory effect to existing guidance from the Information Commissioner’s Office. For those who already follow ICO guidance, many of the changes should not require extensive recasting of existing policies and procedures. However, the Act does introduce a requirement for data controllers to have in place a complaints policy relating specifically to data subject requests.

At present data subjects can (and are generally required by the ICO) to complain to the data controller before making any complaint to the ICO. At present, what that complaints process involves is entirely at the discretion of the controller. However, the new requirement will involve the creation of a procedure specifically for the “facilitation” of data protection complaints and for many controllers, particularly smaller organisations, this will involve the creation of a new process once the Act takes effect.

While the impact of the cost of living crisis and public funding constraints continues, there is some good news for charities who will now be able to take advantage of the “soft opt-in” which allows business to avoid the need to obtain consent for marketing when contacting an existing customer or contact about provision of goods or services. This should allow charities to carry out digital marketing to a much wider audience without having to obtain consent.

The Act has, however, raised alarm bells for some with provisions to facilitate the use of artificial intelligence. Perhaps not surprisingly, some changes have been made to relax the restrictions on automated decision making using personal data without human oversight. Whereas individuals could previously insist that a human was involved in the process at some stage, that right now only applies where special category (sensitive) personal data is being processed.

The Act also facilitates the use of data scraping and the collection of data available online which can be used to train generative AI. This proved to be a controversial issue with the House of Lords pushing for amendments to the Bill to ensure tech companies are transparent about how data is being used. The amendments were proposed amid concerns that material which was protected by copyright could be used to train AI unless rights owner opted out. The proposed amendments were ultimately rejected however, and instead, the government undertook to publish a report on the wider copyright and AI issues raised. While the Act is now law, the copyright v AI question looks set to continue for some time yet.

STAY INFORMED