🗓️ Vote due 19 June 2025
If you’ve been quietly ignoring the Data (Use and Access) Bill up to now, you’re not alone. It’s flown a bit under the radar for many in higher education, but with the final Commons vote due on 19 June, now’s a good time to understand what’s coming, and how it’ll affect our day-to-day work with data.
Spoiler: it’s not all bad. In fact, some changes might make things easier. But there’s nuance, and definitely some prep to do.
The Basics
This Bill is the UK government’s long-awaited shake-up of data protection laws post-Brexit. It touches on everything from Subject Access Requests to cookies and smart data, and it’s likely to become law later this year. The final vote is just the last formal step before Royal Assent.
What does that mean for those of us managing or working with data in universities and colleges? Let’s break it down.
1. Legitimate Interest Becomes… More Legitimate
The Bill introduces a new concept: recognised legitimate interests. These are predefined cases (like detecting fraud or ensuring public security) where you can skip the balancing test we normally do under GDPR.
There’s also a non-exhaustive list to guide other uses, things like internal admin, marketing, or improving services.
Why it matters:
If you’ve ever agonised over whether a legitimate interest assessment is “good enough,” this might be welcome news. It could simplify data sharing across teams or departments, or how we handle internal analytics. But remember: the Bill doesn’t remove the need for transparency or accountability. Keep the documentation.
2. Changes to Subject Access Requests (SARs)
Under the Bill, organisations only need to carry out a “reasonable and proportionate” search when responding to a SAR. You can also delay the clock starting until identity is confirmed or a fee is paid (where allowed).
Why it matters:
If you’re the person who has to trawl inboxes or shared drives when a SAR comes in, this could reduce the burden. But “reasonable” is subjective, so it’s a good time to review your SAR processes and train staff on where the new lines are drawn.
3. Automated Decisions & AI
The current rules around automated decision-making (Article 22) are softened. If there’s no special category data involved, it’s easier to use AI or automation, as long as there are safeguards and humans can step in where needed.
Why it matters:
There’s potential here for more intelligent workflows, automated flags in student systems, smarter triage in student services, etc. But institutions still need to design governance around how these systems work, what data they use, and how people can challenge outcomes.
4. Cookie Rules & Website Tracking
The Bill introduces exemptions for some non-essential cookies used to improve services (like website analytics), but at the same time, the fines for breaches under PECR are being aligned with GDPR, up to ÂŁ17.5 million or 4% of turnover.
Why it matters:
You might be able to simplify your cookie banners, but don’t assume it’s a free-for-all. Work with your web team to audit current trackers and document the purpose behind each one.
5. International Data Transfers Get a Loosen-Up
The UK will move away from needing “essential equivalence” with other countries to a “not materially lower” standard. That makes it slightly easier to justify transfers outside the UK/EU.
Why it matters:
For universities using overseas systems, collaborating with global partners, or storing data in third countries (hello, US-based cloud services), this gives a bit more breathing room. But review your transfer tools and make sure safeguards are still in place.
6. Smart Data & Digital IDs
The Bill introduces support for Smart Data Schemes (think Open Banking-style data sharing) and a framework for Digital Verification Services. That includes creating a government-backed “trust framework” for certified digital ID providers.
Why it matters:
We may see opportunities to streamline student onboarding or identity checks in the coming years, but also pressure to adopt tools we haven’t tested. Keep an eye on this, especially if your institution is part of any pilots or cross-sector initiatives.
7. AI and Copyright – Still to Come
The original Bill contained controversial clauses about allowing AI developers to scrape copyrighted material. Those were removed after a Lords rebellion, but the government is now required to report on AI use and data scraping within 9 months of the law coming into force.
Why it matters:
If you’re working with AI or supporting researchers who are, expect further guidance. In the meantime, it’s worth documenting what datasets you’re using and checking for copyright or licensing risks.
8. A New-Look ICO
The ICO will become a new body with a more structured leadership model and a clearer focus on early resolution of complaints at the organisational level.
Why it matters:
You might find yourself needing to respond to more formal internal processes before issues escalate externally. Make sure your data protection policies are accessible and staff know how to escalate issues early.
What You Should Do Now
Here’s a quick checklist to keep you ahead of the curve:
- Review your lawful bases – can you simplify with the new legitimate interest categories?
- Update your SAR policies – clarify what’s “reasonable and proportionate.”
- Assess any automated systems – make sure human review is built in.
- Audit cookie use – are your trackers justified under the new rules?
- Map your international data flows – does anything need updating under the new adequacy test?
- Monitor DVS/smart data pilots – are there risks or benefits to early adoption?
- Stay alert for further AI guidance – especially around copyright or transparency.
Final Thoughts
The Bill marks a definite shift in UK data regulation. For those of us in higher education, it’s a mixed bag, some welcome clarity and reduced admin in places, but a need to sharpen up governance and documentation elsewhere.
If you’re not already talking to your legal or compliance team about this, now’s the time to get it on their radar. Because whether we like it or not, data work is about to get reshaped again.