Government Announces plans to ‘unleash AI’ across UK 

In a major policy speech on Monday, the Prime Minister set out the Government’s plans to use AI across the UK with the aim of boosting growth and delivering services more efficiently. The speech was part of a response to a report by Matt Clifford, a tech entrepreneur, who was commissioned to devise the AI Opportunities Action Plan.
The key Government proposals are:

  • Adopting all 50 recommendations made by the Clifford report. 
  • A new approach to building the infrastructure required to develop AI, including building more data centres. 
  • The creation of a series of AI “growth zones”, where planning approvals for data centres will be accelerated and there will be improved access to the energy grid. 
  • An increase in the UK’s compute capacity 20-fold by 2030, including by building a new supercomputer. 
  • Promoting more AI use in the public sector to enable its workers to spend less time doing admin and more time delivering services. Some examples were given of how AI could be used; for example to inspect roads and spot potholes around the country, and in hospitals for tasks such as diagnosing cancer more quickly.  

The full list of proposals and timescales can be read here

Alongside Monday’s announcement, the government revealed tech companies had committed a total of £14 billion of investment in AI infrastructure in the UK, which they expect to create 13,250 jobs. But there are serious challenges ahead in terms of the cost of the proposals, amid concerns over borrowing and the falling value of the pound, as well as the data security and privacy implications.  

There is also the challenge of regulatory uncertainty. The UK does not have any AI legislation. On this subject the Government response is not very specific; promising to ensure “we have the right regulatory regime that addresses risks and actively supports innovation will drive AI trust and adoption across the economy. The government will set out its approach on AI regulation and will act to ensure that we have a competitive copyright regime that supports both our AI sector and the creative industries.” 

When an AI Bill does finally appear, it is likely to focus on the production of large language models (LLMs), the general-purpose technology that underpins AI products such as OpenAI’s ChatGPT and Microsoft’s Copilot. This is the area where there is most controversy with copyright owners, such as authors, complaining that their work has been unfairly used to train AI models. In December, the Government launched a consultation on Copyright and Artificial Intelligence.  

AI Literacy 

In his speech Keir Starmer pledged to use the power of AI to “turbocharge” the economy and improve public services. This requires a workforce that has the skills and understanding needed to develop and use AI, including its opportunities and risks, i.e. AI literacy. The EU AI Act includes specific AI literacy requirements, under Article 4, which come into force on 2nd February 2025:

“Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used.” 

It will be interesting to see if any proposed UK AI legislation contains the same requirement for AI literacy.  

With the Government’s AI plans going full steam ahead it is essential that Data Protection Officers and compliance professionals develop their understanding of AI so that they can shape the future conversation and ensure that new AI tech strikes the right balance between innovation and risk management.  


Join our Artificial Intelligence and Machine Learning, How to Implement Good Information Governance workshop.  

The Data (Use and Access) Bill: All change or much of the same? 

On 23rd October 2024, the Labour Government introduced into Parliament the Data Use and Access Bill. The Bill was highlighted in the King’s Speech in July (under its old name of the “Digital Information and Smart Data Bill”) where His Majesty announced that there would be “targeted reforms to some data laws that will maintain high standards of protection but where there is currently a lack of clarity impeding the safe development and deployment of some new technologies.” However, this statement of intent does not match the reality; many of the Bill’s core provisions are a “cut and paste” of the Data Protection and Digital Information Bill (DP Bill), which failed to pass before last year’s snap General Election.

Key Provisions 

Let’s examine the key provisions of the new Bill against those in the DP Bill. 

Smart Data: The new Bill retains the provisions from the DP Bill that will enable the creation of a legal framework for Smart Data. This involves companies securely sharing customer data, upon the customer’s (business or consumer) request, with authorised third-party providers (ATPs) who can enhance the customer data with broader, contextual ‘business’ data. These ATPs will provide the customer with innovative services to improve decision making and engagement in a market. Open Banking is the only current example of a regime that is comparable to a ‘Smart Data scheme’. The new Bill will give such schemes a statutory footing, from which they can grow and expand.

Digital Identity Products: Just like its predecessor, the new Bill contains provisions aimed at establishing digital verification services, including digital identity products to help people quickly and securely identify themselves when they use online services, e.g. to help with moving house, pre-employment checks and buying age-restricted goods and services. It is important to note that this is not the same as compulsory digital ID cards, as some media outlets have reported.

Research Provisions: The new Bill keeps the DP Bill’s provisions that clarify that companies can use personal data for research and development projects, as long as they follow data protection safeguards.  

Legitimate Interests: The new Bill retains the concept of ‘recognised legitimate interests’ under Article 6 of the UK GDPR. These are specific purposes for personal data processing, such as national security, emergency response, and safeguarding, for which Data Controllers will be exempt from conducting a full Legitimate Interests Assessment when processing personal data.

Automated Decision Making: Like the DP Bill, the new Bill seeks to limit the right, under Article 22 of the UK GDPR, for a data subject not to be subject to automated decision making or profiling to only cases where Special Category Data is used. Under new Article 22A, a decision would qualify as being “based solely on automated processing” if there was “no meaningful human involvement in the taking of the decision”. This could give the green light to companies to use AI techniques on personal data scraped from the internet for the purposes of pre-employment background checks.

International Transfers: The new Bill maintains most of the DP Bill’s international transfer provisions. There will be a new approach to the test for adequacy applied by the UK Government to countries (and international organisations) and when Data Controllers are carrying out a Transfer Impact Assessment or TIA. The threshold for this new “data protection test” will be whether a jurisdiction offers protection that is “not materially lower” than under the UK GDPR.

Health and Social Care Information: The new Bill maintains, without any changes, the provisions that establish consistent information standards for health and adult social care IT systems in England, enabling the creation of unified medical records accessible across all related services. 

PECR Changes: One of the most significant changes, copied from the DP Bill, is the increase in fines for breaches of PECR, from £500,000 to UK GDPR levels, meaning organisations could face fines of up to £17.5m or 4% of global annual turnover (whichever is higher) for the most serious infringements. Other changes include allowing cookies to be used without consent for the purposes of web analytics and to install automatic software updates.

What is not in the new Bill? 

Most of the controversial parts of the DP Bill have not made it into the new Bill. These include:

  • Replacing the terms “manifestly unfounded” or “excessive” requests, in Article 12 of the UK GDPR, with “vexatious” or “excessive” requests. Explanation and examples of such requests would also have been included.  
  • Exempting all controllers and processors from the duty to maintain a ROPA, under Article 30, unless they are carrying out high risk processing activities.  
  • The “strategic priorities” mechanism, which would have allowed the Secretary of State to set binding priorities for the Information Commissioner. 
  • The requirements for the Information Commissioner to submit codes of practice to the Secretary of State for review and recommendations.  

The Data Use and Access Bill, in its current form, will not fundamentally change UK data protection laws. This is unlikely to change during its passage through Parliament as most of its provisions are copied from the DP Bill introduced by those who are now the official Opposition.  


Want more detail about the Bill and how it will affect your organisation? See our forthcoming  DUA Bill workshop. 

Are you a privacy professional wishing to advance your career in 2025? The Advanced Certificate in GDPR Practice is designed for experienced DPOs seeking to refine and expand their DPO skills and expertise. The course comprises a rigorous set of engaging masterclasses that teach you to dissect complex data protection scenarios and give practical compliance advice. This immersive experience will empower you with the skills and confidence needed to tackle the most challenging data protection projects within your organisation.

Records Management and AI 

In 2025 Artificial Intelligence (AI) will continue to redefine the way we live, work, and interact. From improving healthcare outcomes to optimising supply chains, AI projects hold the promise of unprecedented advancements. Accuracy, explainability and transparency are often cited, amongst others, as key concepts in discussions about the successful implementation of AI projects. However, one critical component is sometimes overlooked: good records management.

Data Integrity and Quality 

The foundation of any AI system, especially Generative AI, is data. AI algorithms rely on vast amounts of data to learn, make predictions, and generate insights. Therefore, the accuracy, completeness, and reliability of this data are paramount. Good records management ensures that data is systematically collected, organised, and maintained throughout its lifecycle. By implementing rigorous records management practices, organisations can avoid the pitfalls of incomplete or inaccurate data, which can lead to flawed AI models and unreliable outcomes. 

In the healthcare sector, AI models are increasingly used to diagnose diseases and recommend treatment plans. The accuracy of these models depends on the quality of medical records and patient data. Poor records management can result in missing or erroneous data, potentially jeopardising patient safety and leading to incorrect diagnoses. Conversely, well-managed records provide a robust dataset for training AI algorithms, enhancing their accuracy and reliability. 

Compliance with Legal and Regulatory Requirements 

Good records management practices are essential for ensuring compliance with legal and regulatory requirements. AI projects often involve the collection and processing of personal data. The GDPR imposes stringent requirements on how organisations handle this data. By maintaining accurate and up-to-date records of data collection, usage, storage, and disposal, organisations can demonstrate their commitment to data protection and privacy. Additionally, effective records management enables organisations to respond promptly to data access requests, audits, and inquiries, further enhancing compliance and transparency.

Data Security and Risk Management 

Data breaches and cyber-attacks are significant threats to AI projects, as they can compromise the integrity and confidentiality of sensitive information. Good records management practices play a crucial role in mitigating these risks. By implementing robust data governance frameworks, organisations can establish clear protocols for data access, storage, and protection.

Effective records management involves the use of encryption, access controls, and regular audits to safeguard data against unauthorised access and breaches. In the event of a security incident, well-managed records provide a clear trail of data activity, enabling organisations to quickly identify and address vulnerabilities. This proactive approach to data security not only protects the organisation’s assets but also fosters trust among stakeholders.

Facilitating Data Integration and Interoperability 

AI projects often require the integration of data from multiple sources, including internal databases, external partners, and public datasets. Good records management practices facilitate seamless data integration and interoperability, ensuring that data from diverse sources can be combined and analysed effectively. 

By standardising data formats, metadata, and classification schemes, records management enables organisations to harmonise disparate data sets and create a unified data repository. This interoperability is essential for the development of comprehensive AI models that leverage diverse data inputs to generate more accurate and holistic insights. Moreover, well-managed records provide a clear audit trail, allowing organisations to trace the provenance and lineage of data used in AI projects.

Enhancing Accountability and Transparency 

Transparency and accountability are critical factors in the ethical deployment of AI systems. Stakeholders, including customers, regulators, and the public, demand visibility into how AI models are developed, trained, and used. Good records management practices provide the documentation and audit trails necessary to demonstrate accountability and transparency. 

For example, the development of an AI model for credit scoring requires documentation of the data sources, algorithms, and decision-making processes used. Effective records management ensures that this information is systematically recorded and readily accessible for review. In cases where AI decisions are challenged or questioned, well-maintained records provide the evidence needed to explain and justify the outcomes, thereby enhancing accountability and trust. 

Good records management is the linchpin of successful AI implementation. It ensures data integrity and quality, facilitates compliance with legal and regulatory requirements, enhances data security, enables data integration and interoperability, and promotes accountability and transparency. As AI continues to evolve and reshape industries, organisations must prioritise robust records management practices to unlock the full potential of their AI initiatives. By doing so, they can build a solid foundation for sustainable and ethical AI deployment, ultimately driving innovation and creating value for all stakeholders. 

Get ahead of the game with our Information and Records Management Practitioner Certificate.  Whether you are a records manager, Freedom of Information Officer or Data Protection Officer this practitioner level certificate will teach you the theory of records management alongside practical hands-on application. The next course starts in two weeks with a special introductory price. Places are limited, so please book now to avoid disappointment.  

What Has the Freedom of Information Act Ever Done for Us? 

1st January 2025 marked the 20th anniversary of the Freedom of Information (FOI) Act 2000 coming into force. FOI advocates argue that the Act has transformed the landscape of public information access, empowering citizens, journalists, and organisations to hold public bodies more accountable while fostering a culture of openness. However, some critics consider it a “snooper’s charter” that has impeded government efficiency. Tony Blair, whose government enacted FOI, expressed regret in his memoirs: 

“Freedom of Information. Three harmless words. I look at those words as I write them, and feel like shaking my head till it drops off my shoulders. You idiot. You naive, foolish, irresponsible nincompoop. There is really no description of stupidity, no matter how vivid, that is adequate. I quake at the imbecility of it.” 

With these differing views in mind, let’s take a closer look at some of the FOI Act’s achievements.  

Greater Transparency 

One of the most significant achievements of the FOI Act is its enhancement of transparency in government operations. By granting individuals the right to request information from public authorities, the Act has helped lift the veil on many aspects of governmental and institutional processes. This increased transparency has led to greater scrutiny of decision-making, financial management, and policy implementation. 

A notable example of this was the 2009 MPs’ expenses scandal. FOI requests exposed widespread misuse of public funds by Members of Parliament, leading to resignations, repayments, and reforms in the parliamentary expenses system. Such revelations underscore how the FOI Act has empowered citizens to hold public officials accountable. 

Empowering Citizens and Strengthening Democracy 

The FOI Act has also played a pivotal role in empowering citizens. By democratising access to information, it allows anyone to request details from public bodies without needing to justify their reasons. This access enables citizens to engage more effectively in public debates and advocacy efforts, armed with facts and data obtained through FOI requests. 

One example of this empowerment was seen in 2013 when FOI requests helped expose racial disparities in police stop and search practices. This revelation sparked widespread public concern and contributed to reforms in policing policies. Similarly, FOI requests uncovered the disproportionate closure of public libraries in deprived areas, prompting national discussions on equitable access to public services.

Accountability Through Public Scrutiny 

Accountability is a cornerstone of good governance, and the FOI Act has played an instrumental role in ensuring that public officials and institutions are answerable to the people they serve. Numerous FOI disclosures have led to public outcry and prompted subsequent reforms.  

For example, in 2006, widespread concern about knife crime, fuelled by several high-profile cases, led to a highly publicised knife amnesty by the police. Tens of thousands of knives were handed in. However, an FOI request later revealed that a statistical evaluation of the amnesty in London found that, just weeks after the operation, knife crime rates were back to pre-amnesty levels. This disclosure, which might otherwise have been suppressed, demonstrated how FOI can provide vital, often inconvenient, truths that drive public policy.

Promoting Ethical Conduct and Integrity 

The FOI Act has not only exposed wrongdoing but also served as a deterrent against unethical behaviour. Public officials are more likely to act with integrity, knowing that their actions could be subject to public scrutiny. 

In 2021, a BBC Panorama investigation revealed serious patient safety issues buried in confidential hospital reports. FOI requests led to the discovery of 111 reports, authored by medical royal colleges, which NHS trusts were legally obligated to share. Of those, only 26 were published, and 80 had not been shared with regulators at all. The resulting public outcry prompted greater attention to transparency within the NHS. 

Challenges and the Road Ahead 

Despite its successes, the FOI Act has faced several challenges, and notable gaps in the framework still need to be addressed. Currently, it does not extend to private entities performing public functions or receiving substantial public funding. Surprisingly, the Labour General Election manifesto made no reference to FOI despite the Party arguing for many years that private contractors delivering public services should be subject to FOI.  This leaves a significant transparency gap, where key information remains inaccessible. Expanding the scope of the FOI to include these entities would help ensure that transparency and accountability are maintained across all sectors receiving public money. 

Another challenge is the slow or inadequate response to FOI requests by some public authorities. While the Information Commissioner has taken action in recent years to hold public bodies accountable for FOI failures, from police forces to local councils and government departments, response times can still be unacceptably long. 

Although FOI contains exemptions to protect sensitive information, there are instances where these exemptions are applied excessively or inappropriately, leading to the withholding of information that could otherwise be disclosed. This undermines the spirit of the Act and hampers transparency. (See the recent article in the Guardian, “‘Dubious’ use of the Freedom of Information Act stopping access to files on Prince Andrew, researchers say”.) In 2021 current and former editors of Britain’s leading newspapers expressed concern over the government’s handling of FOI requests. In an open letter, they called for an investigation into a Cabinet Office unit – the Clearing House – which is alleged to have profiled journalists and blocked FOI requests.

As we celebrate the 20th anniversary of the Freedom of Information Act, it is clear that the Act has been a game-changer for transparency, accountability, and democratic engagement in the UK. While there have been notable achievements, the journey is far from complete. To maximise its potential, the FOI Act should be strengthened in key areas, including expanding its coverage and ensuring that public authorities are adequately resourced to handle requests in a timely and efficient manner. The next 20 years will be critical in determining whether the FOI can continue to serve its intended purpose: fostering an informed, engaged, and accountable public. 


Are you an experienced FOI officer wishing to advance your career in 2025? Our FOI Intermediate Certificate strengthens the foundations established by our FOI Practitioner Certificate. It will help you become an adept FOI practitioner by delving deeper into the intricacies of the FOIA, equipping you with the skills and confidence to navigate its complexities.