Search

How can we help?

Icon

The Data Protection and Digital Information Bill  

In September 2021, the government launched a consultation – ‘Data: a new direction’ – as part of its proposals to reform the UK’s data protection laws following Brexit, the responses to which were published in June this year (see our previous article here).   

These responses fed into the new Data Protection and Digital Information Bill which was introduced into Parliament on 18 July 2022.    

The Bill is intended to update and simplify the UK’s data protection framework with a view to reducing burdens on organisations while maintaining high data protection standards. 

As the Bill is still working its way through Parliament it may be amended before it is given Royal Assent and becomes an Act but we have highlighted some of the key provisions for employers, as they currently stand, below. 

Amended Definition of ‘Personal Data’ 

The Bill limits the definition of personal data by focussing on the knowledge of the controller or processor and not, arguably, the whole world.   

Currently, an identifiable living individual is defined as ‘a living individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual’. 

This is very wide.  However, the Bill seeks to limit this down by adding that the individual will only be identifiable if they are identifiable by the controller or processor through reasonable means at the time of the processing or where the controller or processor knows, or ought to know, that another person will (or is likely to) obtain the information as a result of the processing (for example if it is shared with them) and will be able to identify the individual using reasonable means at the time of the processing.   

In theory this may make it easier for businesses to anonymise data. In reality, it is unlikely to have much of an impact on employers with regard to the personal data they process on their employees which usually clearly identifies the employees by name, job title or employee number (all of which are known to the employer at the time of processing).   

Data Access Requests  

Vexatious and excessive requests 

The Bill changes the threshold for charging a reasonable fee (or refusing to comply with a request) from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’.  

The revised threshold is intended to capture a wider set of unreasonable and/or disproportionate requests.  The onus will be on the controller to show that the request is vexatious or excessive if challenged.  

The Bill provides some factors for organisations to consider when looking at whether a request is vexatious or excessive, although these are similar to factors already highlighted in ICO guidance.  They include: 

  • The nature of the request 
  • The relationship between the data subject and controller 
  • The resources available to the data controller  
  • The extent to which the request repeats an earlier request and how long ago any such request was made 
  • Whether the request overlaps with other requests made by the data subject 

The Bill highlights that requests intended to cause distress, not made in good faith and/or that are an abuse of process will be vexatious.  Some of these are already referred to, albeit to a limited extent, in ICO guidance (for example a request may be viewed as manifestly unfounded if the individual making it expressly states that they intend to cause disruption). 

The list is clearly helpful for organisations and may help employers who are faced with data access requests from ex-employees as part of Employment Tribunal proceedings (or the build up to these).  However, more guidance will be needed from the ICO on these factors to understand clearly what circumstances they cover.  

Requests for further information  

The Bill also adds wording to suggest that where an organisation needs more information to identify the personal data or processing activities it can request this.  This has the effect of pausing the time limit for compliance until the information is provided.  An example of when such information may be required is where the controller processes a large amount of information about the data subject.   

More guidance will be needed from the ICO on this point and when it can be used but it does suggest that employers who process a large amount of information on their employees could request further information and need not comply until such information is provided.  

The Bill is intended to update and simplify the UK’s data protection framework with a view to reducing burdens on organisations while maintaining high data protection standards. 

New Legal Basis – Recognised Legitimate Interests 

The Bill introduces a new legal basis for processing where processing is ‘necessary for the purpose of a recognised legitimate interest’.  

A list of recognised legitimate interests is provided within the Bill.  These are relatively limited and focus on matters of public interest but include, for example, where processing is necessary for the purposes of detecting, investigating or preventing crime which may be helpful to employers who need to complete checks such as those for anti-money laundering. 

Data Protection Officer (‘DPO’) 

The Bill removes the need for certain organisations to appoint a DPO and instead requires them to designate a ‘senior responsible individual’ who must be part of the organisations’ senior management.    As such this seems to be a departure from the original requirement under the UK GDPR for the DPO to be independent and many organisations who have already appointed external consultants may be concerned about this change.  Again, it would be useful to have further clarification on this point from the ICO.   

Accountability – Record Keeping 

The Bill states that controllers must retain ‘appropriate records’ of processing.  Much of the information that should be included in these records remains unchanged but the emphasis seems to be on controllers now to assess the nature, scope and processing of their activities, the risks to individuals rights and freedoms and their resources in deciding what is appropriate here. 

The Bill confirms that the exemption for organisations with less than 250 employees remains in place but says that those with less than 250 employees will need to comply if processing is likely to result in a high risk to individuals’ rights and freedoms.  This is slightly narrower than the current position which says those with less than 250 employees also need to comply if the processing is not occasional or involves the processing of special category of criminal convictions data. 

For those smaller organisations that have already retained records based on the broader current wording, it’s likely to be helpful to maintain this in any event to enable them to identify data flows which assists with compliance with wider data protection obligations.   

  

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

art
  • 16 April 2025
  • Employment

End of the Line for Fire and Rehire? What Employers Need to Know

The Employment Rights Bill, introduced in October 2024, aims to restrict the practices of ‘fire and rehire’ and ‘fire and replace’.

art
  • 14 April 2025
  • Employment

Consistency is Key: Strategies for Harmonising Disciplinary Processes

It is an unfortunate reality that occasionally employers will find themselves in a position where it is necessary to proceed with a disciplinary process.

Pub
  • 28 March 2025
  • Employment

Talking Employment Law: Redundancy and settlement agreements – What you need to know

In this podcast, Lucy White and Shauna Jones, members of the employment team at Clarkslegal, will guide you through the complex topics of redundancy and settlement agreements.

art
  • 28 March 2025
  • Employment

Injury to feelings awards: Updates to Vento Bands 2025

Injury to feelings awards: Updates to Vento Bands 2025 For discrimination and detriment cases, compensation can also cover non-financial losses, which, in most cases, will include an injury to feelings award.

Pub
  • 24 March 2025
  • Employment

Talking Employment Law: The Employment Rights Bill – Part 1

In part 1 of the Employment Rights Bill podcast in the ‘Talking Employment Law’ series, Louise Keenan and Lucy White, members of the employment team, will discuss some of the main provisions of the Bill, including unfair dismissal and family rights.

art
  • 21 March 2025
  • Employment

Increase to Tribunal Award Limits Effective from 6 April 2025

As of 6 April 2025, the Employment Rights (Increase of Limits) Order 2025 will increase the compensation limits which apply to various Employment Tribunal awards as well as other statutory payments.