The Information Commissioner, Mr John Edwards, recently launched the ICO’s plan for the next three years, the “ICO25”.
It sets out why the ICO’s work is important, what it wants to be known for and how it intends to achieve this by 2025. Practical Law’s detailed legal update on the ICO25 is available here.
Such reports are often reviewed with interest so that organisations can understand the ICO’s key enforcement areas and sectors for the coming year. The ICO25 is currently in the consultation phase and is open for feedback until 22 September.
The draft ICO25 report emphasises the “personal” element of “personal data”. After a six month listening exercise to hear directly from businesses, organisations and people, the ICO sees its purpose as empowering individuals through information. The plan sets out four strategic enduring “objectives” to support this purpose:
- Safeguard and empower people, particularly the most vulnerable.
- Empower responsible innovation and sustainable economic growth, by providing certainty and flexibility and bringing down the burden or cost of compliance.
- Promote openness, transparency and accountability, by providing assured regulatory advice and guidance and encouraging public sector standards.
- Continuously develop the ICO’s culture, capability and capacity to deliver impactful regulatory outcomes.
It is a strategy that focuses on people, and especially the most vulnerable in society who are most at risk of exploitation, such as children, the elderly and those most likely to be affected by the cost of living crisis. In addition, the ICO wants to be seen as a pragmatic and consistent regulator towards both business and government. It wants to reduce the compliance burden by producing innovative and accessible material for organisations and be seen to be working with government to improve data handling practices, and to educate rather than just issuing fines to cash-strapped departments.
What are we likely to see in the next 12 months?
The ICO has detailed its annual action plan setting out the immediate steps it intends to take. Some notable items:
- Children’s privacy: continue to enforce its Children’s Code and influence industry to ensure children benefit from an age-appropriate online experience.
- AI and algorithms: investigate concerns over the use of AI and algorithms in recruitment applications which could be negatively impacting those from diverse backgrounds.
- CCTV, biometric and emerging technologies: set out guidance and investigating how these technologies are being deployed and any adverse impacts on vulnerable groups.
- Online tracking: influence industry to influence changes such as the phasing out of third-party cookies to create a more privacy-oriented internet. The ICO will work with government, industry and other regulators to give web users meaningful control over how they are tracked online and move away from cookie pop-ups.
- Use of data in the context of the cost-of-living crisis: in particular working with the finance industry on how they use and collect intelligence databases, algorithms in the benefits system, targeted advertising (adtech) in gambling and social media, predatory marketing calls, data enabled scams and frauds online and on social media.
- International data flows: speed up the BCR approval process by removing duplication and providing adequacy assessments to parliament. However, there is no concrete guidance on this stage as to how the UK will differ on its approach to international data transfers at this stage.
- Investment in services, tools and initiatives: the ICO wants to act as a hub for good information rights practice. The Commissioner has challenged his team to save businesses at least £100 million across the next three years. It will do this by publishing data protection and FOI training materials for reuse, create a database with pieces of advice for use, publish recommendations, investigations and audits and case studies, produce a range of off-the-shelf products and templates.
- Support innovators: introduction of iAdvice, a fast, frank feedback service to provide early support for innovators.
- Deliver a programme of codes and certifications.
- Guidance updates: including updated direct marketing and journalism statutory codes, an employment practices hub, guidance on research and subject access requests in law enforcement, guidance on emerging technology such as AI and biometrics, and a programme of guidance reviews in response to forthcoming legislative reform.
- Encourage public sector standards and efficiency: including a cross-Whitehall Senior Leadership Group to drive compliance and high standards on information across government departments and a new approach for public sectors fines (more education, less fines).
- Deliver timely regulatory interventions: a commitment to clear backlogs by 31 March 2023, to deliver outcomes of investigations quicker and transparency around timelines. Introduction of “Pace” teams for discretionary regulatory work and respond to emerging technologies and trends.
ICO25 – radical empowerment or more of the same?
Many of the regulatory enforcement priorities will not come as a surprise to organisations or practitioners within the areas of children’s privacy, AI, adtech, online tracking and nuisance calls already firmly on the regulator’s radar. What is new is that the Commissioner has stated, albeit separately to the ICO25 report itself, that the ICO will look into providing advance binding rulings to allow ICO to declare its position on a business practice or question of law sooner, rather than after the fact.
Notwithstanding this, the ICO has set itself a busy “to-do” list in terms of tools, guidance updates, codes and certifications and launch of the iAdvice product. It has also set itself some ambitious performance targets: such as to respond to 80% of data protection complaints within 90 days and to have 80% of businesses reporting that they consider the ICO works effectively to reduce burdens on business.
What do you think? Submit your views until 22 September
Will it be information overload and overworked staff, or an efficient and responsive regulator that produces helpful and practical resources that will hugely change data protection compliance in the UK?
It also remains to be seen what real comfort the ICO can provide to organisations in relation to international data transfers. The Commissioner wants to be “ambitious about refining existing tools as well as working with DCMS …”. Will such measures be at the expense of adequacy with the EU? Or in practice will any changes only benefit those who operate exclusively within the UK?
You can submit your views to the ICO here. The consultation is open until 22 September. Feedback will be analysed by the ICO and used to inform the final version of the ICO25 plan, to be published in the autumn.