How can we help?


The Data Protection and Digital Information Bill  

In September 2021, the government launched a consultation – ‘Data: a new direction’ – as part of its proposals to reform the UK’s data protection laws following Brexit, the responses to which were published in June this year (see our previous article here).   

These responses fed into the new Data Protection and Digital Information Bill which was introduced into Parliament on 18 July 2022.    

The Bill is intended to update and simplify the UK’s data protection framework with a view to reducing burdens on organisations while maintaining high data protection standards. 

As the Bill is still working its way through Parliament it may be amended before it is given Royal Assent and becomes an Act but we have highlighted some of the key provisions for employers, as they currently stand, below. 

Amended Definition of ‘Personal Data’ 

The Bill limits the definition of personal data by focussing on the knowledge of the controller or processor and not, arguably, the whole world.   

Currently, an identifiable living individual is defined as ‘a living individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual’. 

This is very wide.  However, the Bill seeks to limit this down by adding that the individual will only be identifiable if they are identifiable by the controller or processor through reasonable means at the time of the processing or where the controller or processor knows, or ought to know, that another person will (or is likely to) obtain the information as a result of the processing (for example if it is shared with them) and will be able to identify the individual using reasonable means at the time of the processing.   

In theory this may make it easier for businesses to anonymise data. In reality, it is unlikely to have much of an impact on employers with regard to the personal data they process on their employees which usually clearly identifies the employees by name, job title or employee number (all of which are known to the employer at the time of processing).   

Data Access Requests  

Vexatious and excessive requests 

The Bill changes the threshold for charging a reasonable fee (or refusing to comply with a request) from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’.  

The revised threshold is intended to capture a wider set of unreasonable and/or disproportionate requests.  The onus will be on the controller to show that the request is vexatious or excessive if challenged.  

The Bill provides some factors for organisations to consider when looking at whether a request is vexatious or excessive, although these are similar to factors already highlighted in ICO guidance.  They include: 

  • The nature of the request 
  • The relationship between the data subject and controller 
  • The resources available to the data controller  
  • The extent to which the request repeats an earlier request and how long ago any such request was made 
  • Whether the request overlaps with other requests made by the data subject 

The Bill highlights that requests intended to cause distress, not made in good faith and/or that are an abuse of process will be vexatious.  Some of these are already referred to, albeit to a limited extent, in ICO guidance (for example a request may be viewed as manifestly unfounded if the individual making it expressly states that they intend to cause disruption). 

The list is clearly helpful for organisations and may help employers who are faced with data access requests from ex-employees as part of Employment Tribunal proceedings (or the build up to these).  However, more guidance will be needed from the ICO on these factors to understand clearly what circumstances they cover.  

Requests for further information  

The Bill also adds wording to suggest that where an organisation needs more information to identify the personal data or processing activities it can request this.  This has the effect of pausing the time limit for compliance until the information is provided.  An example of when such information may be required is where the controller processes a large amount of information about the data subject.   

More guidance will be needed from the ICO on this point and when it can be used but it does suggest that employers who process a large amount of information on their employees could request further information and need not comply until such information is provided.  

The Bill is intended to update and simplify the UK’s data protection framework with a view to reducing burdens on organisations while maintaining high data protection standards. 

New Legal Basis – Recognised Legitimate Interests 

The Bill introduces a new legal basis for processing where processing is ‘necessary for the purpose of a recognised legitimate interest’.  

A list of recognised legitimate interests is provided within the Bill.  These are relatively limited and focus on matters of public interest but include, for example, where processing is necessary for the purposes of detecting, investigating or preventing crime which may be helpful to employers who need to complete checks such as those for anti-money laundering. 

Data Protection Officer (‘DPO’) 

The Bill removes the need for certain organisations to appoint a DPO and instead requires them to designate a ‘senior responsible individual’ who must be part of the organisations’ senior management.    As such this seems to be a departure from the original requirement under the UK GDPR for the DPO to be independent and many organisations who have already appointed external consultants may be concerned about this change.  Again, it would be useful to have further clarification on this point from the ICO.   

Accountability – Record Keeping 

The Bill states that controllers must retain ‘appropriate records’ of processing.  Much of the information that should be included in these records remains unchanged but the emphasis seems to be on controllers now to assess the nature, scope and processing of their activities, the risks to individuals rights and freedoms and their resources in deciding what is appropriate here. 

The Bill confirms that the exemption for organisations with less than 250 employees remains in place but says that those with less than 250 employees will need to comply if processing is likely to result in a high risk to individuals’ rights and freedoms.  This is slightly narrower than the current position which says those with less than 250 employees also need to comply if the processing is not occasional or involves the processing of special category of criminal convictions data. 

For those smaller organisations that have already retained records based on the broader current wording, it’s likely to be helpful to maintain this in any event to enable them to identify data flows which assists with compliance with wider data protection obligations.   


About this article

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

  • 19 April 2024
  • Employment

Amanda Glover comments on ‘Employment law isn’t working for anyone’ for HR Magazine

In HR magazine, Amanda Glover, Associate at Clarkslegal responds to the recent article titled ‘Employment law isn’t working for anyone’ by Libby Purves in The Times last week.

  • 17 April 2024
  • Employment

‘Injured feelings’- Vento Bands price increase 2024

Injuring someone’s feelings through acts of discrimination, harassment or victimisation can be a costly business.

  • 17 April 2024
  • Employment

FAQs on the long awaited amendments to Statutory Paternity Leave

This April has seen a wave of new family friendly rights come into force. Amongst these, is the long awaited amendments to Statutory Paternity Leave.

  • 10 April 2024
  • Employment

New Guidance: Confidence to Recruit

The new Government guide in collaboration with the CIPD aims to give employers the confidence to recruit its workforce from a wider range of people including those who may have been overlooked in the past as a problem rather than an asset.

  • 03 April 2024
  • Employment

FAQ’s on the new Carer’s Leave Act

Beginning on 6 April 2024, the Carer’s Leave Act comes into force, meaning carers are now entitled to request 1 week’s unpaid leave to care for their dependants.

  • 26 March 2024
  • Employment

Navigating Neuroinclusion: A Guide for Employers

Over the past few years, we have seen a marked rise in awareness of neurodiversity, as well as campaigns for awareness and inclusion in the workplace for neurodiverse employees.