New legislation on data sharing and cyber Security
By Amy Peacey
Amy Peacey, a Partner at Clarke Willmott, analyses the new flagship data and cyber security legislation that was unveiled in the recent King’s Speech
Having failed to make the previous Conservative government’s legislative “wash up” prior to the election, the new Labour government has introduced two replacement Bills which take a slightly different approach.
Digital Information and Smart Data Bill (DISDB)
It is difficult at this stage to determine the full scope of this Bill but it appears that it will take a different approach to what was proposed by the previous government’s Data Protection and Digital Information Bill (DPDIB) - with the focus on the sharing of data to facilitate growth in a secure way.
The new government’s stated aim is to harness the power of data for economic growth, to support a modern digital government and to improve people’s lives.
Some of the proposals in the new Bill are similar to those in the DPDIB including:
- the establishment of a Digital Verification Services to assist individuals with moving house, pre-employment checks and buying age-related products by supporting the creation of secure and trusted digital identity products and services
- Smart Data schemes to provide for the secure sharing of customer data with authorised third-party providers
- moving to an electronic system for the registration of births and deaths.
- plans to strengthen the Information Commissioner’s Office
The new Bill also includes proposals such as:
- developing a National Underground Asset register using a digital map that will revolutionise the installation, maintenance, operation and repair of cables and pipes which will give planners and excavators secure, instant access to the data they need to carry out their work effectively
- establishing a Data Preservation Process that will provide access to data which is necessary for the investigation into the death of a child
- the ability for scientists to ask for broader consent for the use of data for scientific research
There has been no mention of individual rights, so there is unlikely to be any change to the data subject rights set out in the UK GDPR. All of the above proposals are for the benefit of businesses.
The Cyber Security and Resilience Bill (CSRB)
This Bill is part of the government’s pledge to enhance and strengthen the UK’s cybersecurity measures and protect the digital economy.
The existing UK regulations reflect law inherited from the EU, which is implementing reforms to the Network and Information Systems Directive 2018 to create a more robust framework, known as NIS2, which will be in effect in the EU from 17th October 2024. The previous government had indicated that NIS2 would not be replicated in the UK and had proposed more limited changes to the existing regulations.
The new government says the cyber security regulations need an “urgent update”, and it is likely that the CSRB will be similar to the proposed EU legislation.
The Bill will:
- expand the remit of the current UK NIS regulations to protect more digital services and supply chains
- provide regulators with greater powers to ensure essential cyber safety measures are being implemented. This would include potential cost recovery mechanisms to provide resources to regulators and provide powers to proactively investigate potential vulnerabilities
- implement increased incident reporting to provide data on cyber attacks, including where a company has been held to ransom. The purpose is to improve the understanding of cyber threats and provide essential data to enable identification of patterns of attacks and an effective response
The only reference to Artificial Intelligence (AI) is that the government will “seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models. Although not specifically mentioned as a Bill, it is likely that the government will be consulting further on AI legislation during its term.
It is important to remember that at this stage there is no timescale for the implementation of these Bills into legislation. The limited information that has been provided in respect of both the DISDB and the CSRB is positive for UK businesses but we will have to wait and see what the detailed provisions and the long-term impact are.
Amy Peacey is a partner in the corporate and commercial team at Clarke Willmott in Southampton.