The UK’s Data Protection and Digital Information Bill (No. 2): For universities

19 April 2023

The UK Government relaunched its efforts to reform the UK’s data protection regime on 8 March by reintroducing the Data Protection and Digital Information (‘DPDI’) Bill, along with a new set of explanatory notes. Although the Bill builds on the UK’s existing data protection framework, the proposed legislative changes should help reduce the administrative burden on universities and make the processing of personal data more straightforward.

Defining personal data

The Bill seeks to clarify the circumstances in which an individual may be considered ‘identifiable’. The new definition will provide universities with greater certainty by categorising personal data as:

Where the person is identifiable by the controller or processor by reasonable means at the time of the processing; or
Where the controller or processor ought reasonably to know that another person will likely obtain the information because of processing, and such individual will likely be identifiable by reasonable means at the time of processing.

Legitimate interests

One of the most significant changes is the clarification regarding legitimate interests. The Bill proposes to replace the balancing test by creating a new lawful ground which recognises particular legitimate interests. These include, among other things, processing for the purposes of national security, preventing crime, safeguarding vulnerable persons and democratic engagement. The Bill also enables the Secretary of State to add new categories.

Universities need to be aware that they will still be required to carry out a legitimate interest assessment when processing other types of personal data. The Bill does, however, include some examples of the types of processing that may be considered necessary for the purposes of a legitimate interest (such as internal administration purposes), which provides a helpful guide for universities when trying to identify a legal basis for the processing.

Scientific research

Of particular relevance to universities is the new definition of “scientific research”, which will cover “any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity”.

Data subject access requests

The Bill proposes to amend the threshold for charging a reasonable fee or refusing subject access request from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. Universities need to determine for themselves whether a request will meet this threshold, and consider the nature of the request and the relationship between the university and the individual in question. The Bill provides guidance on requests that could reasonably be considered ‘vexatious’.

Records of processing

Under the Bill, universities will now only need to keep records of processing where the processing is likely to result in a high risk to the rights and freedoms of individuals. This should help to ease the administrative burden on universities created by the existing requirement to maintain records of all processing activities.

Removal of Data Protection Officers

Universities will no longer need to appoint a Data Protection Officer but must instead designate a "senior responsible individual" who will be accountable for data protection compliance. In contrast to the existing regime, the person must be part of the organisation’s senior management.

Automated decision-making

In response to the consultation, the Government said it was considering how to amend Article 22 of the UK GDPR to clarify the circumstances in which it would apply, reframing it as a right to specific safeguards rather than as a general prohibition on solely automated decision-making.

The Bill proposes to introduce the new concept of ‘no meaningful human involvement’. The inclusion of an additional safeguard ensures that a decision is only deemed ‘significant’ if a decision produces a legal effect on the data subject or it has a similarly significant adverse effect for the data subject. A significant decision involving special category personal data cannot be taken based solely on automated processing unless the following exceptions apply:

The data subject provides explicit consent; or
It is required or authorised by law.

Cookies and tracking technology

The Bill seeks to widen situations in which tracking technology can be used without the data subject’s consent. Consent for the use of cookies is currently required unless such use is strictly necessary. The amended law would theoretically extend the circumstances under which cookies could be used to store or access information on people’s devices without their express consent.

By broadening the list of exemptions to when consent is required for placing cookies on a user’s terminal equipment, universities will be able to improve their services. Its important to note that universities will still be required to provide users with clear information on the storage of information, along with a clear option to opt-out of such service.

Summary

Although the Bill proposes some significant changes, it does not represent a radical departure from the current law. As universities are already compliant with the UK GDPR, few changes will be necessary (except for designating a senior responsible individual). The Bill does however provide universities with the opportunity to review their current policies and procedures, as well as allowing for greater flexibility over the use of personal data going forwards.