| Title | Replaced/Amended Provision(s) | DUAA Provision(s) | Scope | Value Addition |
|---|---|---|---|---|
| Meaning of Research and Statistical Purposes | Amends UK GDPR Article 4 | Section 67 | Clarifies that "scientific research" covers any research that can reasonably be described as scientific, whether publicly or privately funded and whether commercial or non-commercial. Adds that historical research includes genealogical research. Specifies that research for statistical purposes includes processing for surveys whose output is aggregate (non-personal) data that is not used in support of measures or decisions about particular data subjects. | Section 67 of the DUAA clarifies the scope of the different research categories. Previously the UK GDPR did not define them; they were mentioned only briefly in its recitals. Recital 159 states that "the processing of personal data for scientific research purposes should be interpreted in a broad manner." |
| Consent to Processing for Scientific Research Purposes | Amends UK GDPR Article 4(11) | Section 68 | Expressly permits "broad consent" in scientific research, giving legal certainty to researchers who rely on consent, provided that: (a) consent is given to processing for the purposes of an area of scientific research; (b) the precise processing purposes cannot be fully identified at the time consent is sought; (c) seeking consent in this way is consistent with generally recognised ethical standards for that area of research; and (d) so far as the intended purposes allow, the data subject is given the opportunity to consent to only part of the research. | DUAA Section 68 moves the concept of "broad consent" for research from the UK GDPR recitals into the main text of the legislation, raising awareness of the concept and giving researchers greater clarity. |
| Introduction of "Recognized Legitimate Interest" | Amends UK GDPR Article 6 | Section 70; Schedule 4 (inserts new Annex 1 into the UK GDPR) | Introduces a new lawful basis for non-public bodies to process personal data for "recognized legitimate interests" (e.g., crime prevention and detection, safeguarding vulnerable people) listed in Schedule 4 of the DUAA, removing the need for a legitimate interests assessment in those specific cases. | Because processing for a recognized legitimate interest no longer requires the balancing test that weighs the controller's interest against the individual's, controllers can act without the delay that assessment would otherwise introduce. The processing must still be necessary for the listed interest; only the balancing step is removed. |
| Clarification on Purpose Limitation: Further Processing | Amends UK GDPR Articles 5(1)(b) and 6; inserts new UK GDPR Article 8A | Section 71 | Clarifies when "further processing" (re-use of personal data) is compatible with the purpose for which the data was collected, in particular for public interest purposes (e.g., scientific or historical research, research for statistical purposes, and archiving in the public interest). Sets out five factors for assessing whether processing for a new purpose is compatible: the link between the two purposes, the context in which the data was collected, the nature of the personal data (in particular whether it is special category or criminal offence data), the possible consequences for data subjects, and the existence of appropriate safeguards (which may include encryption or pseudonymisation). | The previous wording did not make clear whether personal data could be further processed for a purpose very different from the one for which it was originally collected. |
| Public Interest Processing in Reliance on International Law | Amends UK GDPR Articles 6(3), 8A(3), 9(2)(g), 9(5), 10(1) and 10(2); inserts DPA Section 9A and new Schedule A1 | Section 72 | Clarifies that controllers may process personal data on public interest grounds under Article 6(1)(e) and Article 9(2)(g) UK GDPR where the basis for the processing is set out in relevant international law. At present the only instrument listed as relevant international law in Schedule A1 is the UK-US Data Access Agreement. | Extends the basis for "public interest" processing under the UK GDPR from domestic law alone to include relevant international law. |
| Clarification on Rules Surrounding Data Subject Access Requests | Amends UK GDPR Articles 12, 13, 14 and 15; inserts new UK GDPR Article 12A; amends DPA Sections 45, 53, 54 and 94; inserts new DPA Section 180A | Sections 75-78; 104 | Clarifies the rules for subject access requests, defining the time limits for a response and codifying existing case law on the extent of the search a controller must carry out. | The DUAA reforms subject access requests (SARs). It adds a "stop the clock" rule that lets an organisation pause the one-month response deadline while it waits for information it reasonably needs from the requester (for example, to confirm identity or clarify the request). It also codifies that a controller need only carry out a "reasonable and proportionate" search for the requested data, a standard previously found only in case law. |
| Introduction of "Legal Professional Privilege" Exemption | Amends DPA Sections 43, 44 and 51; inserts DPA Section 45A; inserts new UK GDPR Article 12A(5) | Section 79 | Introduces an explicit "legal professional privilege" exemption from data subjects' information rights under the law enforcement regime. Controllers are not required to disclose confidential communications between a lawyer and their client, bringing the law enforcement regime into line with the UK GDPR and the intelligence services regime. | Previously there was no legal professional privilege exemption in the law enforcement regime. Controllers had to rely on other exemptions, which required them to balance the necessity and proportionality of applying the exemption against the rights and freedoms of the data subject. |
| Relaxation of Rules on Automated Decision-Making | Replaces UK GDPR Article 22 with new Articles 22A-22D; repeals DPA Section 14 (consequential amendments in Schedule 6) | Section 80; Schedule 6 | Creates a more permissive framework for decisions based solely on automated processing that have legal or similarly significant effects on individuals, subject to mandatory safeguards: informing data subjects of significant decisions taken about them, enabling them to make representations about and contest those decisions, and enabling them to obtain human intervention in the decision. | Previously the UK GDPR broadly prohibited solely automated decision-making with legal or similarly significant effects, with limited exceptions (consent, necessity for a contract, or authorisation by domestic law). The DUAA now permits such decisions where they are not based on special category data, so organisations have greater flexibility to automate significant decisions provided the required safeguards are in place. Decisions based entirely or partly on special category data remain subject to the stricter regime. |
| Relaxation of Rules on Automated Decision-Making [Law Enforcement] | Amends DPA Sections 49 and 50 (replaced by new Sections 50A-50D) | Section 80; Schedule 6 | Simplifies the rules on solely automated decision-making in law enforcement, allowing wider use subject to robust safeguards and a new "active human review" exemption. The safeguards are: informing data subjects of significant decisions taken about them, enabling them to make representations about and contest those decisions, and enabling them to obtain human intervention in the decision. | The previous rules on solely automated decision-making in the law enforcement context were framed as a general prohibition with limited exceptions. They were complex and restrictive, and hindered beneficial use. The reforms explicitly allow wider automated decision-making with mandatory safeguards, clarifying the rules and improving efficiency. |
| Emphasis on the Protection of Children Using Information Society Services | Amends UK GDPR Article 25 | Section 81 | Adds a duty on providers of information society services likely to be accessed by children to take "children's higher protection matters" into account when designing those services: children merit specific protection because they may be less aware of the risks and consequences of processing, and they have different needs at different ages and stages of development. | The original Article 25 required data protection by design and by default but made no explicit reference to children. This measure requires online services likely to be accessed by children to account for their particular needs in service design. |
| Removal of Recording of Justification Obligation for Law Enforcement Processing | Amends DPA Section 62 | Section 82 | Removes the requirement for law enforcement agencies to record a justification for every consultation or disclosure of personal data, reducing administrative burden. | Previously a justification had to be recorded for every consultation or disclosure by a law enforcement agency, a significant administrative burden. This is no longer required. The logs themselves (date, time and, as far as possible, the identity of the person consulting or disclosing the data) are still required; only the justification element is removed. |
| Relaxation of Data Protection Standard for International Data Transfers | Amends UK GDPR Chapter V; amends DPA Part 3, Chapter 5 | Section 85; Schedules 7-9 | Introduces a "data protection test" for adequacy regulations and alternative transfer mechanisms: the standard of protection in the destination must be "not materially lower" than the standard in the UK. Removes the 4-year review requirement for adequacy regulations. | Before these reforms the data protection test was not set out clearly in the legislation; adequacy regulations had to be reviewed every 4 years; and the Secretary of State had no power to update the list of appropriate safeguards that controllers may rely on to transfer personal data. |
| Consolidation of Safeguards for Processing for Research Purposes | Inserts new Articles 84A-84D (new Chapter 8A) into the UK GDPR | Sections 86-87 | Consolidates the conditions for processing for research purposes, requiring safeguards such as data minimisation and prohibiting processing that is likely to cause substantial damage or distress to a data subject or that is used to support measures or decisions about a particular data subject. The Secretary of State may add safeguards by regulations but cannot alter or remove existing ones. | Safeguards for research processing are currently scattered across the UK GDPR, its recitals and the DPA 2018. Unifying them simplifies the law and improves clarity and consistency for researchers and data subjects. |
| Relaxation of Breach Notification Timeline under PECR | Amends PECR Regulation 5A | Section 111 | Changes the period within which communications providers must notify the ICO of a personal data breach from "without undue delay" to "without undue delay and, where feasible, not later than 72 hours after having become aware of it". | Aligns the notification timeline for PECR security breaches with the 72-hour standard in the UK GDPR. |
| Expansion of the List of Exemptions to the Prohibition on Storing or Accessing Information on Users' Terminal Equipment | Amends PECR Regulation 6 | Section 112; Schedule 12 | Amends the rules on storing or accessing information on a user's device or terminal equipment by adding new exemptions (set out in DUAA Schedule 12) to the consent requirement. User consent is no longer required where cookies or similar tracking technologies are used solely: to collect statistical information about how a service is used in order to improve it (subject to conditions, including giving the user clear information and a simple means of objecting); to improve the appearance or performance of a website, or to adapt it to the user's preferences; or to determine the user's geographical location where the user has requested emergency assistance. | Previously the law allowed only two exemptions from the prohibition: storage or access for the sole purpose of transmitting a communication over an electronic communications network, or storage or access strictly necessary to provide an information society service requested by the user. |