Practical Law

The Information Commissioner’s Office (ICO) recently held its annual Data Protection Practitioners’ Conference (DPPC) 2022 online. Here are some key takeaways:

In his opening speech, Mr John Edwards, the Information Commissioner, spoke about his plans for the ICO as an empowering regulator and emphasised why data protection practitioners “have never been more important”.

Data protection officers

In response to concerns raised by proposals in the Data Protection and Digital Information Bill (DP&DI Bill) to change the legal requirement for a data protection officer (DPO), Mr Edwards said:

“Understanding data protection remains a fundamental part of any modern organisation. Understanding not only what the law says, but also what that means in practice, and how it relates to your customers, staff and stakeholders, remains a specialist job. The privacy professional is the eyes and ears of an organisation in that respect.”

Data Protection and Digital Information Bill

Mr Edwards provided support for the DP&DI Bill:

“The GDPR is not beyond improvement. And the proposed DP reforms laid before Parliament yesterday strike a good balance in making improvements. The Bill reflects an understanding that there are areas of red tape for business that can be reduced, while acknowledging the value of protections that give people confidence to use the products and services that power the economy and society.”

The ICO will continue to monitor the proposed reforms and work constructively with government.

For more on the proposals, see DCMS data protection reforms: summary of consultation proposals and outcome and UK data protection reforms: towards a risk-based approach.

ICO25 strategic plan

Further to a listening tour, Mr Edwards recapped on the recently launched draft ICO25 Strategic Plan, which aims to empower organisations and individuals and sets out a vison of what the ICO will look like in 2025 and how this will be achieved. For further detail, see ICO25: a plan for empowerment and Information Commissioner launches draft ICO25 strategic plan for consultation.

The ICO intends to save businesses at least £100 million over the next three years by providing more certainty and by cutting the cost of compliance with data protection legislation, part of which has been to publish the ICO’s in-house training materials for re-use by organisations.

The deadline for comments on the draft Plan is 22 September 2022 and responses will feed into a final version, which will be published in the autumn.

Transfer risk assessments for international personal data transfers

Feedback received on the ICO’s consultation on a draft international transfer risk assessment (TRA) and tool was broadly positive, but many respondents raised concerns about the cost of carrying out a TRA and whether it is actually possible to assess the laws and practices of a third country, in particular public authority surveillance. See ICO consults on updated guidance and draft ICO international data transfer agreement for personal data transfers outside UK.

Due to the high level of interest in this area, this session includes a short preview of the ICO’s two proposed options and seven steps for carrying out a TRA (see ICO seminar: Transfer risk assessments).

It was highlighted that a number of changes have been made to the draft TRA, clarifying that:

• The controller or the processor which instigates the restricted transfer is responsible for complying with the requirements of Chapter V of the UK GDPR.
• The restricted transfers will follow the contractual protections and not the flow of personal data.
• There is no restricted transfer (and, therefore, no TRA is required) when a processor returns its personal data to its non-UK controller.

The ICO will also produce a non-compulsory TRA Record – a user-friendly document to make it easier for an SME or a DPO to carry out an assessment, and which will assist with accountability obligations.

In terms of next steps, the ICO is aiming to publish:

• Soon – a summary of consultation responses and an update to its International Transfers Guidance.
• During the summer (or shortly after) – TRA Guidance, Tool and Record.
• During the autumn – guidance on how to use the International Data Transfer Agreement and Addendum, and clause by clause guidance.

It will also be looking at what other tools will be useful such as, an online contract generator and examples of TRA Records. Feedback was invited on any tools that would be useful.

For further information see Transferring personal data outside the UK: FAQs .

New approval process for Binding Corporate Rules

In what will be very welcome news to anyone who is considering applying for Binding Corporate Rules (BCRs), the ICO has simplified the approval process and published updated guidance for controllers and processors.

To avoid any duplication, the ICO has identified five documents which comprise UK BCRs. For further detail, see the ICO’s Controller and Processor guidance and ICO simplifies UK Binding Corporate Rules approval process.

There will be no repapering for any applicants as the ICO will assess an already submitted application against the revised criteria.

The ICO will be publishing Q&As from its BCR workshops and will set up quarterly BCR engagements for feedback.

Sharing data to safeguard children

Safeguarding children has been described as “the cutting edge of data sharing”, but a main concern for practitioners is that they fear doing something wrong. In line with the ICO’s new approach to enforcement in the public sector (see Information Commissioner announces fresh approach to engaging with public authorities), Mr Edwards delivered a take home message:

“Wherever you work, whether it is in health, law enforcement, education or the care sector and you have information about a child that you think might be at risk, you won’t get into trouble if you share that information with someone who is in a position to do something about that”.

See also Overview of data sharing arrangements (UK GDPR and DPA 2018).

In terms of next steps, the ICO is working closely with the Children’s Commissioner’s Office (CCO) and the Department for Education, and it is also working on a resource on sharing data to safeguard children. The CCO is working with government departments to develop long-term solutions.

The ICO is seeking suggestions for further case studies to expand on resources in its data sharing information hub, which can be sent to datasharincode@ico.org.uk.

Keynote speech: Equality in the digital age

Mr Marcial Boo, Chief Executive of the Equalities and Human Rights Commission (EHRC) highlighted that while digital technology provides lots of opportunities, it also poses threats to the protection of personal data.

An overview of the EHRC’s planned work to address the impact of digital services and AI on equality and human rights (one of the priorities in the ICO25 Strategic Plan), includes to:

• Tackle online harms, including bullying discrimination and abuse, particularly of people with protected characteristics in law (such as race, sexual orientation, age or disability). It is advising Parliament on the Online Safety Bill (see Online Safety Bill and Online Safety Bill: do no harm?).
• Improve understanding of how the Human Rights Act 1998 (HRA) applies to the use of new technology particularly in relation to privacy, surveillance and the use of personal data. It is advising Parliament on reforms to the HRA set out in the Bill of Rights Bill 2022-23 (see Human rights reform: a controversial Bill of Rights and New UK Bill of Rights: a cakeist philosophy? ).
• Strengthen understanding of how the Equality Act 2010 applies to the design and use of automated decision-making and how discrimination, including through algorithmic biases, can be identified and challenged.
• Reduce exclusion from digital services, particularly for people with protected characteristics.
• Identify gaps in the law to ensure that the law is up-to date and reflects new technologies so that individuals are protected from discrimination and breaches of their rights.

The ECHR is offering support in two areas of high risk, which pose particular opportunities and threats:

• Embedded bias in AI, which can perpetuate bias because it relies on existing data where there may already be inequality.
• The growth in digital by default policies, which can lead to digital exclusion.

The EHRC will also be watching the progress of the DP&DI Bill to ensure that it provides adequate protection for individuals and meets human rights standards.

Finally, Mr Boo encouraged practitioners to consider equality issues in everything they do so that policies and practices are fair, inclusive and protect individuals’ privacy rights.

Unable to attend DPPC 2022?

If you missed the conference, all of the speeches, panel sessions and seminars are now available on the DPPC website, together with the ICO’s Five things we learned from DPPC 2022.