Now nearly six months into the Information Commissioner's Office's ("ICO") three-year strategic plan, "ICO25", 2023 will continue to see changes and improvements to some ICO practices. This follows a commitment from the Information Commissioner in ICO25 to focus more on certainty and flexibility, and an acknowledgment of how important these are to companies for planning and innovation.
We set out some of the key changes to note and how they could impact your business in this article.
The ICO's regulatory purpose is informed by a range of statutory duties across 11 separate legal frameworks, set by the UK Parliament. Whilst independent in setting and delivering its objectives, the ICO is accountable to Parliament and the public for the outcomes it achieves through a range of regulatory interventions. These include the provision of advice; offering guidance and tools; publishing formal opinions; undertaking audits and inspections; issuing recommendations arising from complaints and breach reports; mandating changes to practices or processes; and, where necessary, issuing monetary penalties.
Under its strategic plan, the ICO aims to demonstrate that its work reduces compliance burdens and costs for businesses through providing support, guidance and regulatory clarity. It has put, and continues to put, in place a package of actions which it says will help save businesses at least £100 million across the next three years by providing greater certainty and more targeted support around its regulatory interventions. Those actions include:
- Publishing internal data protection and freedom of information materials;
- Creating a database of ICO advice provided to organisations and the public;
- Producing a range of templates to help organisations develop their own approaches; and
- Creating an ICO-moderated platform for organisations to discuss and debate compliance and share information and advice.
Transparency - Publication of reprimands and data sets
The ICO announced a few weeks ago its decision to publish all reprimands it issues, unless there is good reason not to, including all reprimands issued since January 2022. (Good reason for not publishing would be, for example, national security concerns, or the risk that an ongoing investigation would be put in jeopardy.)
The ICO has explained that whilst fines tend to grab headlines and attention from businesses, reprimands represent other times when it has laid out steps to raise data protection standards. Publishing the detail of these penalties constitutes one of the steps towards the ICO's commitment to provide greater transparency for organisations, as well as the public. The detail makes clearer when entities have been made accountable to the ICO, and what is expected of organisations to improve processes and practices.
In addition to reprimands, the ICO also publishes the latest monetary penalties, enforcement notices, undertakings and prosecutions it has issued, along with audits and overview reports and decision notices and monitoring reports in relation to Freedom of Information requests.
Further, in keeping with its commitment to being open and transparent about its work, the ICO also now publishes data sets containing information about public concerns and organisations' self-reported incidents. It publishes information on matters across the full range of outcomes, including those where, after consideration, the ICO has taken no action. The aim is to give the public visibility of all investigatory work undertaken by the ICO, including where the ultimate result is to take no further action.
The promise of more flexibility from the ICO comes in tandem with a number of recent fine reductions resulting from appeals. For example, in the successful appeal of the DSG Retail Limited (Carphone Warehouse) penalty decision, published in July 2022, the First-tier Tribunal halved the ICO's imposed fine of £500,000 and rejected most of its findings.
With increased recent attention on those ICO approaches and decisions, and a fresh commitment to flexibility on the part of the ICO, a more pragmatic ICO approach to penalties and investigations may be on the cards for businesses. This may, and hopefully will, play out as more negotiation leading to the settlement of investigations.
ICO25 also sets out specific recognition of the challenges the public sector faces. It sets out support for the public sector, including a revised approach to public sector fines and the creation of a cross-Whitehall Leadership Group to drive compliance and high standards of information handling across government departments. Added to this, the plan sets out the ICO's commitments to supporting the development of modern freedom of information, including prioritising freedom of information (FOI) complaints and placing greater emphasis on dispute resolution around complaints.
The Tech Horizons Report
On 20 January 2023, the ICO published its first annual Tech Horizons Report which considers technologies emerging over the next two to five years and encourages developers to think about privacy at an early stage when implementing new technologies to maintain public trust and confidence. The production of the report responds to the commitment made by the ICO in ICO25 to set out its position on emerging technologies to reduce burdens on companies, support innovation and prevent harms.
The report focuses in particular on four categories: (1) consumer HealthTech, such as wearable devices and health and wellbeing apps; (2) next-generation Internet of Things (IoT); (3) immersive technology, e.g. augmented and virtual reality; and (4) decentralised finance, such as software that employs blockchain technology to support peer-to-peer financial transactions.
The report highlights that, in these contexts, organisations should focus in particular on transparency, especially when information is captured about third parties; what control people have over their data (including exercising individual rights); how much data is gathered, and ensuring this is not excessive; and additional safeguards for sensitive personal data. There are also challenges around the accuracy of inferences made by some devices and the security of information processed by others.
The ICO's Sandbox service continues to run. This scheme supports organisations creating products which use personal data in innovative and safe ways, such as projects involving the above-listed technologies. The ICO also continues to offer insight to the government on issues surrounding the future of connected technology, safeguards for children, automated decision making and data security.
Impact of proposed changes to UK data protection law
The government introduced the Data Protection and Digital Information Bill in July 2022, the purpose of which was to legislate to update UK data protection law. The Bill's passage through the UK's legislative process was, however, paused at second reading in September 2022 following a change of government. The Bill included an intention to introduce a new constitutional governance model for the ICO. Any change to UK data protection law will occur midway through the life of the ICO's ICO25 strategic plan. We are therefore watching and waiting in 2023 to see not only what the current government will decide on data protection law reform, but also what effect any new law may have on the remit and constitution of the ICO.
If you would like further information or have any questions about the contents of this article, the ICO's publication of data sets and reprimands or Tech Horizons Report, please contact Helen Davenport.