UK data regulator ICO sets out plan to be recognized and used by public and business
The Information Commissioner’s Office (ICO), the UK’s data regulator, has launched a plan to become better known and better used by business and the public alike by 2025 as it sees the role of data expand in society, business and personal life. The three-year plan includes tools for people to be able to comply with the regulator’s laws and outlines priorities for tackling areas including biometrics.
This attempt at greater public recognition looks likely to be replayed by data protection authorities worldwide as they understand their own roles and raise awareness of their services.
After a six-month listening tour in 2022 following the appointment of new Information Commissioner John Edwards in January, the ICO has devised ‘ICO25’, a plan subtitled ‘Empowering you through information’. The three major aims of the consultation document are to set out why the ICO’s work is important, what the authority wants to be known for and by whom and how they intend to achieve this by 2025.
“One of our big priorities is to look across who the ICO reaches because our laws touch almost every aspect of human activity,” said Edwards on the BBC’s flagship radio news program Today, “and we need to be able to reach the most vulnerable in society who may not even be aware of their rights.”
The document is something of a self-exploration mission statement (“Our privacy and information rights are built into the historic DNA of UK democracy and society”), but also includes its role in relation to others:
“We empower you as a member of the public to confidently contribute to a thriving society and sustainable economy; we empower your organisation to plan, invest, responsibly innovate and grow; we empower you by promoting openness and transparency by public bodies; we empower you to hold us to account for the difference we make when enforcing the laws we oversee.”
The regulator promises to do more to understand the most vulnerable, and empower them to make decisions while reducing harms such as predatory marketing and cyber security threats.
It also intends to foster further transparency with the “development of a modern Freedom of Information (FOIA) and Environmental Information (EIR) practice framework in the UK, inspiring confidence in public services and democracy.” It hopes more people will escalate issues for its examination.
Down past the values (“We regularly ask ourselves why, and why not, and seek creative opportunities and solutions to both recurring and new situations”) it begins to outline objective such as the following for the public:
“Assess and respond to 80 percent of data protection complaints within 90 days; assess and respond to 90 percent of data protection complaints within six months; ensure that less than 1 percent of our data protection complaints caseload are over 12 months old; conclude 95 percent of all formal investigations within 12 months of them starting.”
New ways to tackle the issues under the ICO’s remit begin in October by when it hopes to have a clearer plan of its next steps towards the 2025 goal. A significant part of this is helping people understand their rights and a step towards that is the development of a subject access request tool. Speaking on Today, Edwards promotes subject access requests as a first step for individuals to handle disputes with organizations.
The tool will generate a template from the ICO for an individual to understand what information an organization holds on them. The process links the ICO to that organization so that it can seek information from the regulator to help its response.
The first period to October 2023 will see a focus on children’s privacy and the continued enforcement of the Children’s Code (or Age Appropriate Design), as well as further pushes for social media companies and gaming platforms to correctly assess children’s ages. This will include making changes to the code in light of the Online Safety Bill, whose progress has recently been paused as the ruling party, the Conservatives, undergoes a leadership election to replace outgoing leader Boris Johnson.
Biometrics are covered, again as part of protections for the vulnerable. The plan states that technologies such as facial recognition, gait analysis, iris and fingerprint recognition are becoming cheaper and have “immense promise” but also pose risk “especially around emotion recognition technologies which can discriminate against certain vulnerable groups. We will be working with industry to set out our expectations on how these technologies should be used and investigating how these technologies are being deployed for any adverse impacts on vulnerable groups.”
The ICO wants to provide regulatory certainty with what it calls a “guidance pipeline” so that industry has a clearer understanding of what it is coming. This includes guidance of emerging technologies such as AI and biometrics.
In its attempts to provide more timely regulatory intervention it will step up on a number of fronts including understanding emerging technologies: “We will identify key issues that will influence the way that personal data is used. We will focus our efforts on areas such as the regulation of biometrics, facial recognition technology and the use of AI and algorithms and health data.”