The Data (Use and Access) Bill has passed through the Houses of Parliament, to replace the European Union-era data privacy law, the Data Protection Act 2018.
The watchdog the Information Commissioner’s Office (ICO) faces change, from a corporation sole to a corporate body known as the Information Commission, overseen by a Chair and non-executive board. The ICO, which is making an office move from Wilmslow to Manchester, will now be required to consider the public interest in promoting innovation and competition, alongside privacy and data protection.
The Data & Marketing Association notes that the Bill has been drafted to stay consistent with core EU data protection principles and European Court of Justice rulings, so as to preserve the UK’s ‘adequacy’ status, allowing free flow of personal data from the EU to the UK.
Comment
Jake Moore, Global Cybersecurity Advisor at the anti-virus software firm ESET, said: “The passing of this bill is another reminder that every time we go online we leave behind a trail of digital footprints such as our likes, searches, locations and browsing habits – all of which can be harvested, analysed and even sold. But when creativity can also be picked up and copied in plain sight, we run the risk of changing the future of the arts for good.
“It’s not just about targeted ads, it’s the subtly, slow erosion of originality where people’s creative instincts are fed into growing algorithms that learn from them and inevitably profit from. Protecting your privacy isn’t only about avoiding spam or hacks, it should also be about safeguarding creativity in a digital world that’s constantly trying to analyse and capitalise.”
Graeme Stewart, head of public sector at Check Point Software, raised what he termed some serious cybersecurity challenges. “By increasing interconnectivity, the attack surface expands significantly. There’s a heightened risk of exposing sensitive personal data, and technical frameworks like Trusted Research Environments and digital identity systems will require exceptionally high levels of authentication and data protection. From a public-facing perspective, there’s a real concern around personal data breaches. As information flows more freely between public bodies and private companies, the risk to individuals increases. Just look at recent incidents like the Ministry of Defence payroll provider breach. It’s a clear warning that supply chain security needs to be solidified, especially as third parties gain wider access to valuable data.
“The challenge is that most people simply don’t understand the implications of this. Public digital literacy needs to improve so that individuals can make informed decisions and recognise the risks. But right now, cybersecurity incidents barely make an impact in the media – there’s a dangerous sense of apathy. Unless there’s strong, mandatory contractual enforcement around cybersecurity, particularly in supply chains, we’re likely to see more attacks, not fewer. Another critical risk is large-scale data pooling. For example, the NHS electronic patient record system could become a prime target for ransomware attacks, and if compromised, that data could be exploited for malicious purposes.
“So, while the ambition behind the Act is positive – using data for public good – the reality is it creates a much larger threat landscape. A “security-first” mindset is no longer optional. We need a ‘Fortress Britain’ approach where technical controls are transparent, auditable, and embedded from the outset. That includes AI-driven processes – we must understand exactly how and where data is being used, especially when integrated with tools like ChatGPT or other AI platforms. In summary:
“The public are largely unaware of the risks, yet they’re the ones most affected if security fails.
We can expect a surge in supply chain and ransomware attacks due to the increased value of shared data.
Public sector investment in cyber resilience must scale up dramatically to handle the volume and sensitivity of this data.
Outsourcing contracts must include watertight clauses that make private/third-party organisations fully accountable for defending any data they handle.
“Cyber investment won’t slow the Act down – it will enable it. And that must be a top priority.”
Background
The Bill began passage through Parliament last autumn. For more, visit gov.uk.
Digital ID inquiry
The Home Affairs Committee of MPs meanwhile has announced an inquiry into potential benefits and risks of the use of government-issued digital ID. A deadline for written submissions to the inquiry is Thursday, August 21. Dame Karen Bradley, Conservative MP for Staffordshire Moorlands and chair of the committee, said: “Introducing digital ID could help the Home Office achieve its ambitions to reduce crime and improve control over the immigration system. But there are also fears that ID schemes could infringe on people’s privacy or be costly to implement effectively.
“The debate around digital ID is growing and we want to find the best evidence for how digital ID could be used by the Home Office to implement its priorities. We will be exploring the benefits and risks of digital ID systems as well as the practical challenges to their introduction.”
Among the committee’s questions are whether digital identification would need to be mandatory, whether to combat fraud, make labour market checks, or manage border entries and exits.
More on Labour’s first year in government since the July 4 election, in the July edition of Professional Security Magazine.
