How can we help?


The Data Protection and Digital Information Bill  

In September 2021, the government launched a consultation – ‘Data: a new direction’ – as part of its proposals to reform the UK’s data protection laws following Brexit, the responses to which were published in June this year (see our previous article here).   

These responses fed into the new Data Protection and Digital Information Bill which was introduced into Parliament on 18 July 2022.    

The Bill is intended to update and simplify the UK’s data protection framework with a view to reducing burdens on organisations while maintaining high data protection standards. 

As the Bill is still working its way through Parliament it may be amended before it is given Royal Assent and becomes an Act but we have highlighted some of the key provisions for employers, as they currently stand, below. 

Amended Definition of ‘Personal Data’ 

The Bill limits the definition of personal data by focussing on the knowledge of the controller or processor and not, arguably, the whole world.   

Currently, an identifiable living individual is defined as ‘a living individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual’. 

This is very wide.  However, the Bill seeks to limit this down by adding that the individual will only be identifiable if they are identifiable by the controller or processor through reasonable means at the time of the processing or where the controller or processor knows, or ought to know, that another person will (or is likely to) obtain the information as a result of the processing (for example if it is shared with them) and will be able to identify the individual using reasonable means at the time of the processing.   

In theory this may make it easier for businesses to anonymise data. In reality, it is unlikely to have much of an impact on employers with regard to the personal data they process on their employees which usually clearly identifies the employees by name, job title or employee number (all of which are known to the employer at the time of processing).   

Data Access Requests  

Vexatious and excessive requests 

The Bill changes the threshold for charging a reasonable fee (or refusing to comply with a request) from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’.  

The revised threshold is intended to capture a wider set of unreasonable and/or disproportionate requests.  The onus will be on the controller to show that the request is vexatious or excessive if challenged.  

The Bill provides some factors for organisations to consider when looking at whether a request is vexatious or excessive, although these are similar to factors already highlighted in ICO guidance.  They include: 

  • The nature of the request 
  • The relationship between the data subject and controller 
  • The resources available to the data controller  
  • The extent to which the request repeats an earlier request and how long ago any such request was made 
  • Whether the request overlaps with other requests made by the data subject 

The Bill highlights that requests intended to cause distress, not made in good faith and/or that are an abuse of process will be vexatious.  Some of these are already referred to, albeit to a limited extent, in ICO guidance (for example a request may be viewed as manifestly unfounded if the individual making it expressly states that they intend to cause disruption). 

The list is clearly helpful for organisations and may help employers who are faced with data access requests from ex-employees as part of Employment Tribunal proceedings (or the build up to these).  However, more guidance will be needed from the ICO on these factors to understand clearly what circumstances they cover.  

Requests for further information  

The Bill also adds wording to suggest that where an organisation needs more information to identify the personal data or processing activities it can request this.  This has the effect of pausing the time limit for compliance until the information is provided.  An example of when such information may be required is where the controller processes a large amount of information about the data subject.   

More guidance will be needed from the ICO on this point and when it can be used but it does suggest that employers who process a large amount of information on their employees could request further information and need not comply until such information is provided.  

Louise Keenan


View profile

+44 118 960 4614

The Bill is intended to update and simplify the UK’s data protection framework with a view to reducing burdens on organisations while maintaining high data protection standards. 

New Legal Basis – Recognised Legitimate Interests 

The Bill introduces a new legal basis for processing where processing is ‘necessary for the purpose of a recognised legitimate interest’.  

A list of recognised legitimate interests is provided within the Bill.  These are relatively limited and focus on matters of public interest but include, for example, where processing is necessary for the purposes of detecting, investigating or preventing crime which may be helpful to employers who need to complete checks such as those for anti-money laundering. 

Data Protection Officer (‘DPO’) 

The Bill removes the need for certain organisations to appoint a DPO and instead requires them to designate a ‘senior responsible individual’ who must be part of the organisations’ senior management.    As such this seems to be a departure from the original requirement under the UK GDPR for the DPO to be independent and many organisations who have already appointed external consultants may be concerned about this change.  Again, it would be useful to have further clarification on this point from the ICO.   

Accountability – Record Keeping 

The Bill states that controllers must retain ‘appropriate records’ of processing.  Much of the information that should be included in these records remains unchanged but the emphasis seems to be on controllers now to assess the nature, scope and processing of their activities, the risks to individuals rights and freedoms and their resources in deciding what is appropriate here. 

The Bill confirms that the exemption for organisations with less than 250 employees remains in place but says that those with less than 250 employees will need to comply if processing is likely to result in a high risk to individuals’ rights and freedoms.  This is slightly narrower than the current position which says those with less than 250 employees also need to comply if the processing is not occasional or involves the processing of special category of criminal convictions data. 

For those smaller organisations that have already retained records based on the broader current wording, it’s likely to be helpful to maintain this in any event to enable them to identify data flows which assists with compliance with wider data protection obligations.   


About this article

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Louise Keenan


View profile

+44 118 960 4614

About this article

Read, listen and watch our latest insights

  • 01 June 2023
  • Employment

Facts employees should know about their personal data

We previously published an article on facts an employer should know about holding personal data, so it is only fair that we also write about the other side of the coin – facts employees should know as individuals whose personal data is held by their employer.

  • 26 May 2023
  • Employment

Avoiding discrimination in flexible working requests

The right to request flexible working is currently available to employees with at least 26 weeks’ service and is set to be extended further under new Government reforms.

  • 25 May 2023
  • Employment

Carer’s Leave Bill set to become law

On 19 May 2023, the Carer’s Leave Bill had its third reading in the House of Lords, and upon receiving Royal Assent, will become law. There is not yet a date for the implementation of this bill, however it is likely that this will happen relatively quickly upon receiving Royal Assent, so is definitely one to keep an eye on.

  • 16 May 2023
  • Employment

10 facts an employer should know about holding personal data

Personal data is any information that can be used to identify an employee.

  • 11 May 2023
  • Employment

Employment Law Changes – Spring 2023

The government has just announced that it plans to scrap the Sunset Clause, which would have revoked almost all retained EU law at sunset at the end of 2023.

  • 10 May 2023
  • Employment

Reasonable adjustments for mental health in the workplace- FAQs

Acas has recently released guidance for employers and employees on reasonable adjustments for mental health in the workplace.