1. At its meeting on 14 January 2025, the Delegated Powers and Law Reform Committee ("the Committee") considered the delegated powers that are exercisable within devolved competence in the Data (Use and Access) Bill ("the Bill”).

2. The Committee considered the Legislative Consent Memorandum (“LCM”) for the Bill in terms of Rule 9B.3 of the Parliament’s Standing Orders. Paragraph 6 of Rule 9B.3 provides that where the Bill that is the subject of an LCM contains provisions conferring on the Scottish Ministers powers to make subordinate legislation, the Delegated Powers and Law Reform Committee shall consider and may report to the lead committee on those provisions.

3. The LCM is also being considered in terms of the Committee’s wider remit contained in Rule 6.11.1(b) of the Standing Orders, which provides that the remit of the Committee includes considering and reporting on proposed powers to make subordinate legislation in particular bills “or other proposed legislation”.

4. The Scottish Government lodged the LCM on 22 November 2024. The provisions in the Bill relate principally to reserved matters, however, a few aspects of the Bill relate to matters that are devolved in Scotland.

5. The UK Government has published a Delegated Powers Memorandum to accompany the Bill (the “UK DPM”). As is normal for UK bills, the Scottish Government has not published a delegated powers memorandum. The Scottish Government’s view on the relevant clauses is set out in the LCM.

6. The lead committee is the Economy and Fair Work Committee.

7. This is a substantial Bill comprised of seven parts and 16 schedules. The majority of the provisions in the Bill which are subject to the LCM were previously in the UK Data Protection and Digital Information (No.2) Bill (“DPDI Bill”) which fell at the time of the General Election.  Many of the provisions in the Bill are either the same, or broadly similar to those contained in the DPDI Bill which the Committee considered and reported on at its meetings on 6, 27 June, 3 October 2023, and 30 April 2024.  The Committee was generally content with the provisions in the Bill and recommended consent be given to them, with the exception of powers relating to account information notices and the implementation of law enforcement information-sharing agreements, which do not appear in this Bill.

8. The stated purpose of the Bill is to make provision for a variety of measures relating to the use of and access to data.  Many of the Bill’s provisions do not extend to Scotland or are reserved.  However, some of the provisions are within devolved competence, or confer powers which could be exercised within devolved competence and so are subject to the LCM.

9. Part 1 of the Bill deals with Access to Customer Data and Business Data.  These provisions are referred to as “smart-data” provisions and they contain regulation-making powers that could be used to compel the secure sharing of customer data and to facilitate third party services for the consumer or business. Part 2 deals with Digital Verification Services intended to increase trust and acceptance of digital identities across the UK to help grow the digital economy. Part 3 supports the operation of the National Underground Asset Register and Part 4 makes changes to the registration of births and deaths, neither of which extend to Scotland.  Part 5 is reforming elements of the UK data protection regime.  Part 6 is replacing the office of the Information Commissioner with the Information Commission and Part 7 makes provision in respect of data use in a variety of subject areas.

10. The Scottish Government is recommending that the Parliament consents to the provisions of the Bill which are within devolved competence.

Part 1: Access to Customer Data and Business Data

Provision

Part 1 of the Bill (clauses 1-11, 13 and 18-26) contains several delegated powers to provide for the secure sharing of customer data at the customer’s request with authorised third-party providers. These provisions, whilst they extend to Scotland, are made mainly in a reserved area (consumer protection), however, a few aspects are devolved where it is a business-to-business transfer and so consent is sought by the UK Government in relation to these provisions. These powers are grouped together for the purposes of comment and recommendation as outlined below.  Other provisions in this part of the Bill are considered to be reserved under fiscal, economic and monetary policy and financial services.

Clause 2(1), (3) and (4): require traders to provide their customers with improved access to their transactional data (customer data)

Power conferred on: Secretary of State and the Treasury

Power exercisable by: Regulations

Parliamentary procedure: Affirmative procedure for first regulations and certain subsequent regulations

11. Clause 2 of the Bill contains several delegated powers. Clause 2(1) confers power on the Secretary of State or the Treasury by regulations to require suppliers of goods, services and digital content specified in the regulations and other persons holding the relevant data (“data holder”) to provide customers or their authorised representatives with access to customer data. This applies to consumers and business customers.

12. Clause 2(3)(a) confers power to enable or require suppliers to produce, collect or retain customer data.  Clause 2(3)(b) confers power to enable or require a data holder to make changes and provide for rectification of inaccurate data and clause 2(4) confers power to allow third party authorised representatives to take, on the customer’s behalf, any action that a customer could take in relation to the goods, services or digital content supplied or provided by the trader. Clause 3 of the Bill provides a non-exhaustive list of the provision which may be made in regulations under clause 2. Clause 6 also contains further provisions relating to the appointment and functions of decision-makers to accredit those eligible to be authorised to receive customer data.

13. Clause 23 is a bolt-on provision which applies to all the powers in Part 1.  It concerns other subordinate legislation, not made under powers in the bill (referred to as ‘related subordinate legislation’), which makes provision about access to customer data or business data. It provides that any of the powers in Part 1 of the bill may be exercised so as to make, in connection with such related subordinate legislation, provision which could be made as part of or in connection with clauses 2 or 4 of the Bill regarding access to customer or business data. This is intended to allow smart data provision to be made by amending existing subordinate legislation, rather than making new stand-alone regulations under the bill.  Clause 23 is not addressed individually as it is not a stand-alone power.

14. Regulations made under clause 2 are subject to the affirmative procedure where they are the first set of regulations under the power and where they make the requirements of existing regulations more onerous for data holders, contain enforcement or investigatory provisions, contain revenue-raising provisions or amend primary legislation. Otherwise, they are subject to the negative procedure. In addition, the regulations are subject to mandatory periodic review and reporting to Parliament.

Clause 4(1), (3) and (4): Power to require traders to publish, or provide their customers with access to, contextual information about their goods and services (“business data”)

Power conferred on: Secretary of State and the Treasury

Power exercisable by: Regulations

Parliamentary procedure: Affirmative (apart from some amendment regulations)

15. Clause 4 of the Bill also contains several delegated powers. Clause 4(1) confers power on the Secretary of State or the Treasury by regulations to make provision requiring a data holder to publish business data or to provide business data on request to a customer of the trader, or to a “third party recipient”.

16. Clause 4(3) confers power to enable or require a data holder to produce, collect or retain, or arrange for the production, collection or retention of, business data.

17. Clause 4(4) of the Bill confers power to require a public authority as a third-party recipient to publish or provide business data.  Clause 4(5) outlines what the Secretary of State must have regard to when making regulations under clause 4.  Clause 5 provides a non-exhaustive list of the provision which regulations under clause 4 may contain. Clause 6 (described in paragraph [14] above) also applies to regulations under clause 4.

18. Like clause 2, regulations made under clause 4 are subject to the affirmative procedure where they are the first set of regulations under the power and where they make the requirements of existing regulations more onerous for data holders, contain enforcement or investigatory provisions, contain revenue-raising provisions or amend primary legislation. Otherwise, they are subject to the negative procedure. In addition, the regulations are subject to mandatory periodic review and reporting to Parliament.

Clause 8(1) - Enforcement of data regulations

Power conferred on: Secretary of State and the Treasury

Power exercisable by: Regulations

Parliamentary procedure: Affirmative

19. Clause 8 of the Bill confers power on the Secretary of State or the Treasury to make provision for the monitoring and enforcement of the smart data regulations. Regulations under clause 8 may confer investigatory powers on an enforcer (i.e. one or more public bodies identified in the regulations). Regulations may also create offences, punishable only with a fine, for the provision of false or misleading information or preventing an enforcer from accessing information or other materialⁱAccording to the UK DPM, this provision is designed to reflect broadly sections 144 and 148(2) of the Data Protection Act 2018..

20. Clause 9 places restrictions on the investigatory powers that can be conferred. The possibility of regulations providing enforcers with powers to impose financial penalties is subject to the constraints in clause 10.

21. Regulations made under clause 8 are subject to the affirmative procedure and are also subject to mandatory periodic review and reporting to Parliament.

Clause 11 – Fees

Power conferred on: Secretary of State and the Treasury

Power exercisable by: Regulations

Parliamentary procedure: Affirmative

22. Clause 11 of the Bill confers power on the Secretary of State and the Treasury by regulations to make provision requiring the payment of fees for expenses incurred, or to be incurred, in performing duties, or exercising powers, imposed or conferred by regulations under smart data schemes. Regulations made under this clause may also make provision about how fees paid must or may be used.

23. Regulations made under clause 11 are subject to the affirmative procedure and are also subject to public consultation and mandatory periodic review and reporting to Parliament. 

Clause 18 - Liability in damages

Power conferred on: Secretary of State and Treasury

Power exercised by: Regulations

Parliamentary Procedure: Affirmative procedure

24. Clause 18 of the Bill confers power on the Secretary of State and the Treasury by regulations to provide that a public authority given functions under Part 1 in relation to smart data schemes is not liable in damages for anything done or omitted to be done in the exercise of those functions.

25. Regulations made under clause 18 are subject to the affirmative procedure and are also subject to public consultation and mandatory periodic review and reporting to Parliament. 

Clause 19 – Duty to review regulations

Power conferred on: Secretary of State and Treasury

Power exercised by: Regulations

Parliamentary Procedure: Negative procedure

26. Clause 19 of the Bill requires the Secretary of State and the Treasury by regulations to provide for the review of provision made in the exercise of powers to make regulations under part 1 of the Bill in relation to smart data schemes at least every five years. The findings of the review must be published in a report, a copy of which must be laid before Parliament. Clause 19(8) ensures that regulations which merely amend substantive regulations which already contain a review clause do not themselves need to be reviewed.

27. Regulations made under clause 19 are subject to the negative procedure. 

Committee consideration

28. The UK DPM states that the essential purpose of Part 1 (smart data schemes) is to:

    improve data portability, beyond the limited right to data portability in the UK GDPR between traders and their customers, in order to overcome information asymmetry between them and thereby facilitate better outcomes for customers for instance in helping them to compare deals and switch suppliers.

29. Many aspects of the provisions of Part 1 of the Bill are reserved through the consumer protection reservation and as such are not subject to this LCM, however, some areas are devolved where the customer is a business and not an individual.

30. The Scottish Government’s LCM outlines that as elements of the clauses in this part concern business-to-business data transfers they are not caught by the consumer protection reservation. The Scottish Government states at paragraph 7 of the LCM that it is not possible to neatly separate out the clauses into reserved and devolved.  The Scottish Government is therefore recommending consent be given to the smart data provisions for the following reasons which are outlined in paragraph 14 of the LCM:

    • that these are complex matters;

    • it is important that the same regulatory scheme applies across the UK;

    • it will ensure Scottish consumers and businesses will benefit from the scheme;

    • the Scottish Parliament could not legislate in a cohesive way;

    • there is no administrative efficiency or benefit in a vehicle in Scotland making similar/identical provision for part of a regime.

31. The Committee considered many of these powers previously, which are substantially the same or identical to the provisions in the DPDI Bill, and for the reasons noted below were content with them.  This is with the exception of clauses 18 and 19.  Clause 18 was in the previous iteration of the Bill, however, that did not form part of the LCM at that time and was not considered by this Committee.  This time it is included, however, the power is not addressed at all within the UK DPM for the Bill. It is the Committee's view that this was missed out in error, but given this was addressed in the UK DPM for the DPDI Bill, the Committee considered the explanation of the power and justification provided for the equivalent clause in that Bill given they are in the same terms. The UK DPM for the DPDI Bill describes this power as necessary in order to ensure that the relevant public authority can carry out its functions effectively. The immunity is not total: a public authority would still be liable where an action or omission was in bad faith, or where incompatible with a right under the Human Rights Act 1998.

32. Clause 19 again is a clause that was in the previous iteration of the Bill, but was not a power to make subordinate legislation, it was simply a duty to review and to lay a copy of the report of that review before the UK Parliament, and as such did not form part of the Committee’s consideration.

33. Although some of the powers have been amended, the comments apply equally to the new, amended and not previously considered powers in the Bill, as well as the powers previously considered and reported on. 

34. The powers in this part of the Bill in relation to smart data schemes are interconnected.  The Bill specifies a significant amount of detail on what subsequent regulations made by the Secretary of State or the Treasury may contain, and the powers themselves are sufficiently narrowly drawn in that they can only be used for the implementation of such schemes, where they are considered necessary. Many of the Bill’s provisions relate to areas that are reserved and as such many aspects cannot be legislated on by the Scottish Parliament.  The only aspect of the smart data schemes that is within devolved competence is business-to-business data transfers. The Scottish Government is clear in the LCM that it would be difficult to separate out the reserved and devolved matters to work alongside each other effectively.

35. The Committee also considers it is clear what provision these powers will be used to make as the powers themselves give significant detail on what the various regulations may and must contain which is supported by a very detailed UK DPM. The powers cannot be used to make substantive provision in areas of devolved competence of the sort it might be appropriate for the Parliament to have some further scrutiny of.

Recommendation

Part 2 – Digital Verification Services

Clause 49 - Code of practice about the disclosure of information

Power conferred on: The Secretary of State

Power exercised by: Code of Practice

Parliamentary Procedure: Affirmative procedure for the first publication of the Code, and negative procedure when revised thereafter

Provision

37. The Bill introduces a Digital Verification Services register (“DVS”) that the Secretary of State must establish and maintain.  Clause 45 of the Bill provides for a public authority to share information relating to an individual with a person registered in the DVS register, where the individual makes a request to that person to provide DVS.  Clause 48 sets out that where Revenue Scotland discloses personal information to a person under clause 45, that person must not further disclose that information otherwise than for the purpose of providing DVS, except with the express consent of Revenue Scotland. The same provision is made in respect of information disclosed by the Welsh Revenue Authority and Revenue and Customs.

38. Clause 49 requires the Secretary of State to prepare and publish a Code of Practice about the disclosure of information by public authorities to registered DVS providers under clause 45.   Any public authority must have regard to this code of practice when disclosing information.  The code is subject to a consultation requirement with the Information Commissioner, the Welsh Ministers, the Scottish Ministers, the Department of Finance in Northern Ireland, and such other persons as the Secretary of State considers appropriate.  The first publication of the Code of Practice is subject to the affirmative procedure as it is required to be laid in Parliament and approved before it is published.  Clause 49(4) provides for the Code of Practice to be revised from time to time. When it is revised it is subject to the negative procedure, but still subject to the requirements to consult and still laid in draft before the UK Parliament.

Committee consideration

39. The Code of Practice is not subordinate legislation as such, however, it is a quasi-legislative document and the power to make the code is addressed within the UK Government’s DPM.  Given that public authorities (including Revenue Scotland) are to have regard to it when sharing information relating to an individual with a person registered in the DVS register, the Committee considered it even though it was not addressed within the LCM.

40. The Code of Practice will be applicable to all public authorities who are disclosing information under clause 45, one of which is Revenue Scotland.  The digital verification scheme is a UK wide one and the Code of Practice is intended to provide practical guidance to authorities on the use of the powers to ensure consistency.  The DPM states that the Digital Economy Act 2017 has similar provision relating to publishing codes of practice and is subject to various safeguards.

41. It is not uncommon for guidance and codes of practice to be published to supplement the implementation of legislation.  In this case there is a requirement to consult prior to any Code of Practice being published and given its quasi-legislative effect it is also subject to a high level of parliamentary procedure for the first publication and a continuing level of parliamentary scrutiny thereafter. 

Part 7 – other provision about the use of, or access to, data

Clause 121 - Power to disclose information to improve public service delivery to undertakings

Power conferred on: The appropriate national authority which for Scottish Bodies is the Scottish Ministers

Power exercised by: Regulations

Parliamentary Procedure: Affirmative procedure

Provision

43. Clause 121 of the Bill makes modifications to section 35 of the Digital Economy Act 2017 (“the 2017 Act”) relating to disclosure of information to improve public service delivery. Section 35 of the 2017 Act provides that a specified person may disclose information held by the person in connection with any of the person's functions to another specified person for the purposes of a specified objective.  Schedule 4 lists specified persons, who must be either a public authority or a body who provides services to a public authority.  Section 35 confers power on the “appropriate national authority”, which for Scotland and Scottish bodies is the Scottish Ministers, to specify public authorities that can share data for a specified objective, by amending Schedule 4 of that Act.

44. The amendments made by the Bill widen the conditions with which an objective must comply in order to meet the definition of an information-sharing “specified objective”. Currently, information may only be shared between specified public bodies for specific purposes related to public service delivery aimed at improving the well-being of individuals or households. Clause 121 extends this provision, to allow information sharing to improve public service delivery to undertakings, being any person carrying on a trade or business, including for charitable purposes.

45. Regulations made under section 35 of the 2017 Act are subject to the affirmative procedure and are subject to a duty to consult various bodies including the Information Commissioner, the Commissioners for Her Majesty’s Revenue and Customs, the appropriate national authorities, the Minister for the Cabinet Office, and such other persons the national authority considers appropriate.

Committee consideration

46. This power did appear in the DPDI Bill and was considered by the Committee. Previously it was content with the power as the Scottish Ministers are the “appropriate national authority” for Scotland in relation to Scottish bodies. The amendments made to the 2017 Act by clause 121 will alter the executive competence of the Devolved Administrations by extending the scope of their regulation-making power to specify public bodies who may share information, to include information-sharing for the purposes of improving public service delivery to undertakings.

47. The Scottish Government is recommending consent to this part of the Bill and paragraph 21 of the LCM states that the amendments made by this provision could potentially provide benefits to businesses and the third sector which include better targeted support, services, information and funding.

48. Regulations made under section 35 of the 2017 Act are subject to the affirmative procedure, along with the various consultation requirements described above. The modifications made by clause 121 of the Bill do not alter the procedure to be applied to such regulations. The power permits the amendment of primary legislation (Schedule 4 of the 2017 Act), and it would therefore be appropriate for the highest level of scrutiny to be applied to such regulations.

Clause 133 - Power to make consequential amendments

Power conferred on: Secretary of State

Power exercised by: Regulations

Parliamentary Procedure: Affirmative procedure where regulations amend primary legislation; otherwise negative procedure

Provision

50. Clause 133(1) of the Bill confers power on the Secretary of State by regulations to make provision that is consequential on the Bill. Regulations made under this clause may make different provision for different purposes, may include transitional, transitory or saving provision and may amend, repeal or revoke any provision made by primary legislation, which includes an Act of the Scottish Parliament.

51. Regulations under this clause that amend or repeal provision in primary legislation are subject to the affirmative resolution procedure and the negative procedure otherwise.

Committee consideration

52. The UK DPM states this power is necessary to ensure that the provisions in the Bill operate correctly with respect to the new regulator and there are many amendments made to other pieces of legislation by this Bill which may require updates to relevant cross-references to provide legal certainty.

53. This provision is not addressed in the Scottish Government’s LCM, as was the case with a similar power that was in the DPDI Bill.  Although it was not subject to the LCM at that time the Committee considered the power and was content.  The power in clause 133 is substantially the same as the power considered and reported on by the Committee in the DPDI Bill.

54. Ancillary powers are standard in modern primary legislation. Although this power could be exercised within devolved competence (albeit on a very limited basis), this is an ancillary power to enable implementation of provisions which principally relate to reserved matters and the power can only be exercised in consequence of provisions of the Bill. It would therefore not be appropriate for the Scottish Ministers to exercise this power separately.

Clause 137(1): Power to make transitional, transitory and saving provision

Power conferred on: Secretary of State

Power exercised by: Regulations

Parliamentary Procedure: Negative procedure for amendments to Schedule 21 DPA 2018 and Part 2 of Schedule 9 to this Bill, otherwise none

Provision

56. Clause 137 of the Bill confers power on the Secretary of State by regulations to make transitory or saving provisions that may be needed in connection with any of the Bill’s provisions coming into force, including changes to such provisions in Schedule 21 to the Data Protection Act 2018 (“the 2018 Act”). (Further transitional provision etc.) and Part 2 of Schedule 9 to this Bill (Transfers of personal data to third countries etc: consequential and transitional provision).

57. Regulations under this clause that amend or repeal provision in primary legislation are subject to the negative resolution procedure and are not subject to any parliamentary procedure otherwise.

Committee consideration

58. The UK DPM states that this is a standard power to ensure a smooth commencement of new legislation and transition between existing legislation, principally the 2018 Act and the Bill. The UK DPM highlights precedents for such a power, including in section 213 of the 2018 Act.

59. Like clause 133 outlined above, this provision is not addressed in the Scottish Government’s LCM.  It was also not subject to the LCM in the DPDI Bill, although the power is substantially the same, and was not considered by the Committee.

60. This power is drafted as a free-standing power to make provision. Where the power is exercised to amend primary legislation it is considered to be appropriate to subject it to parliamentary procedure, and not subject to any procedure otherwise.  Commencement regulations do not normally attract any parliamentary procedure and whilst powers to amend primary legislation would usually be subject to the affirmative procedure, this power is subject to the negative procedure.  It is stated that this is due to the nature of the power which is making provision in connection with the commencement of the provisions of the Bill only.  This is consistent with the approach taken in section 213 of the DPA.

61. Although this power could be exercised within devolved competence (albeit again on a very limited basis), this is a power to make transitional, transitory and savings in connection with the commencement of the Bill’s provisions only.  Further it will relate principally to reserved matters. The power can only be exercised in consequence of provisions of the Bill. It would therefore not be appropriate for the Scottish Ministers to exercise this power separately.