ICO25: A New Strategic Plan From The ICO

On 14^th July 2022, The Information Commissioner’s Office (ICO) published its new strategic plan, outlining targets to be achieved by 2025. The plan sets out a broad range of actions, with what may be seen as an optimistic deadline of 3 years. Here at DPP, the direction of the commissioner is important to us; it helps us understand the areas of data protection where greater emphasis is placed, helping us to guide organisations in the direction of where they will need to be. This blog will unpack and discuss the implications of some of the targets outlined in this plan. If you would like to see a brief overview of the aims covered in this 57-page document, we have provided a summary at the end of this blog.

Data subject rights

In addition to providing greater information about data subjects’ rights in FAW documents, the ICO has also detailed a plan to develop a SAR (Subject Access Request) tool. This tool will be used to help data subjects discover where their personal information may likely be held and will help them to request their personal data in ways which will assist organisations to respond effectively. The tool will also generate an ICO template form that the requester can send to the organisation. The organisation will receive guidance from the ICO to help them respond quickly and simply.

What are the implications of this? This tool will make the SARs easier for both the requestor and the recipient organisation. Requestors will have better knowledge of where to place their SARs and will have a template document to request this information, making the submission of a SAR much easier for data subjects. Organisations will also have greater information available to them, provided by the ICO, to guide them in responding to SARs. However, this SAR tool will likely be of greater benefit to data subjects than to organisations. This is because the tool will make the submission of a SAR much easier, likely empowering individuals to make more. Despite the ICO’s guidance to organisations on how to respond to a SAR, the foreseeable increase in receiving them will cause additional strains on organisations. If you struggle with SARs and would like some guidance, Eleanor Green, Data Protection Consultant here at DPP has released a blog on complying with a Subject Access Request, check it out here. Additionally, DPP’s outsourced SAR bureau can undertake the SAR on your behalf, please send any inquiries to [email protected].

Implications for public sector enforcement

As the ICO raise in their plan, the topic of public sector enforcement may not allow for a straightforward approach. As the ICO rightly state, fining the public sector is not an ideal approach as it takes money away from the important services that it is intended to support. As a result, the ICO plan to take a more supportive approach to the public sector, balancing the need for enforcement with the desire to not take money away from public services. From here it seems that the most suitable approach would be to avoid fining public sector organisations in the first instance and to instead provide greater resources and support for compliance efforts of organisations in the public sector.

However, avoiding fining the public sector altogether may not be the best approach. Should an organisation continually cut corners with data protection and refuse to implement the recommendations of the ICO (potentially because they don’t believe there will be any financial repercussions if they do) then further measures may be necessary. Non-pecuniary impacts such as reputational damage may not be appropriate here as the long-term effects of lack of trust in the public sector due to reputational damage may be very costly for the public, e.g. not seeing your GP if they continually experience data breaches. As such, fines could still be a suitable last point of call for the ICO, to ensure that they retain a method of ensuring compliance through this type of threat. Therefore, removing the possibility of fining the public sector altogether may not be an appropriate approach for ensuring data protection compliance. Instead, the issuing of data protection fines for public sector organisations may need to be retained and only used as a last resort of ensuring compliance.

It is also unclear whether this will have any impact on the sum of money that organisations are fined, should a fine be necessary. It may be that, in line with the ICO’s desire to not take away unnecessary money from organisations in the public sector, organisations are fined a smaller amount than organisations in the private sector would be fined. Currently, it is unclear whether this will play a role in the ICO’s decision to undertake enforcement action against organisations in the public sector.

Is this plan overly simplified?

The ICO’s action plan also seeks to address complicated data protection issues and empower organisations to work within the remits of the law when tackling complex topics. The ICO plan to do this through numerous means, including through the provision of assured guidance. However, as we all know, some areas of data protection are complicated purely because there is no necessarily perfect response, as such assured and definitive guidance may not be a realistic outcome. It seems against the nature of data protection law to provide black and white responses to complicated questions. Many data protection issues involve an element of risk assessment, obviously introducing variable outcomes depending on the risk appetite of organisations. As such, the ability of the ICO to bring certainty in their guidance over areas which require a level of discretion for the organisation may be said to overly simplify complex issues. Greater guidance and rationale may be provided on intricate areas of data protection, however, if the ICO is planning to create a more absolute approach to data protection, this may in turn create issues in restricting the flexibility that the current risk-based approach allows for.

What will the resourcing implications be?

The schedule for ICO25 suggests that the ICO plan to make a lot of headway over the next three years. It seems the ICO is making a focus on supporting organisations in their compliance with data protection requirements by providing additional resources to them. The suggested amendments to the ICO’s approach should help create a cohesive body that helps empower organisations to comply with data protection requirements. There’s just one slight issue, is this all too good to be true?

All of these improvements will require time and resources. The workload of the ICO as of 25^th April 2022 can be found here: https://www.cfoi.org.uk/2022/05/ico-foi-backlog-remains-high/. To summarise their findings, the ICO’s backlog of FOIs was:

• 45% (1,019/2,272) are over 6 months old
• 20% (458/2,272) are over 9 months old
• 7% (158/2,272) are over 12 months old

And the backlog of cases was:

• 150 received but not worked on by a case officer
• 96 allocated to a case officer but the investigation has not yet started
• 1,815 are either being investigated or awaiting investigation
• 66 where the investigation is underway and the public authority has been asked for further information
• 143 have been reopened having previously been closed

As such, steps will need to be taken, as outlined in the ICO’s plan, to address this backlog in caseload and ensure that procedures are in place to allow for the ICO to be able to respond to incoming cases within a suitable timeframe. This will of course require funding and resources. As outlined in a previous blog by my colleague Oliver Rear, changes to the funding of the ICO are to be introduced, allowing the ICO to retain a certain amount of funds when fining organisations. This potential to increase the ICO’s funding may allow for further resources and measures to be put in place to achieve this plan to address the ICO’s caseload.

Conclusion

In summary, the ICO are highly ambitious in respect of its drive to improve its performance as a regulator over the next couple of years. As this blog has outlined, achieving these goals will not be an easy task and will require numerous changes from the ICO, with several question marks remaining over the most appropriate approaches for them to take in this context. For now, we’ll have to wait and see how these plans unfold and whether the goal of achieving all this by 2025 is attainable.

ICO 25 at a glance

As mentioned earlier, we have produced a very quick summary of the actions outlined by the Commissioner in their update, these are:

• Data Subjects Rights Requests:
  • Introducing a SAR tool to help assist data subjects in knowing where their data is likely to be held and to also aid controllers in responding to requests.
  • Provide further guidance in understanding data subject rights by producing an FAQ document on this.
• Diverse populations:
  • Undertaking community outreach, insight and research to gain a better understanding of communities they have not previously engaged with. This is to provide greater consideration for different societal groups, ensuring that they are all accounted for in their work.
• Safeguarding children and vulnerable individuals:
  • Children:
    • Continue enforcing the Children’s Code through examples of good practice and direct engagement with organisations, undertaking enforcement action where necessary.
    • Pressing for further changes by social media, streaming and gaming platforms to correctly assess children’s ages and comply with the Children’s Code.
    • Promoting closer policy alignment with the Online Safety Bill.
  • Vulnerable individuals:
    • Being responsive to the impact of technology on vulnerable groups.
    • Renewed guidance for AI developers to ensure that algorithms are treating people fairly and not driving discrimination.
    • Working with stakeholders to set expectations on how biometric technologies are to be used and to investigate how these technologies may have adverse impacts on vulnerable groups.
    • Phasing out the use of third-party cookies and giving web users more meaningful control over how they are tracked online.
    • Greater guidance on the use of CCTV, particularly in care homes.
    • Working on issues that may aggravate or be aggravated by the cost-of-living crisis (e.g. looking at the use of algorithms within the benefits system)
    • Investigating implications on personal safety, particularly the approach of the Police in safeguarding, preventing and investigating crime.
• Sector-based resolution of data protection complaints:
  • Coordinating with sector-specific ombudsmen or representative groups to explore the opportunity for such groups to become the first point of call for data protection complaints, with the ICO providing support where necessary.
• Reducing the burden/cost of compliance:
  • Providing further materials to help organisations comply with data protection requirements. This will include:
    • Publishing training materials on the ICO’s website for organisations to use.
    • Creating a database where ‘one-off’ pieces of advice and recommendations following complaints, investigations or audits are published (in anonymous form).
    • Producing products and templates to help organisations develop their proportionate accountability or privacy management programmes.
    • Creating and hosting a forum for organisations to discuss and debate compliance questions and standards online.
    • Improve access to the Data Protection Practitioners’ Conference and other stakeholder engagement events.
• Assured regulatory advice:
  • Supporting innovators by introducing iAdvice (a ‘fast, frank feedback service for innovators’) and continuing in-depth innovation support to reduce time and costs for organisations bringing products to market.
  • Supporting SMEs with a range of ‘data protection essentials’ training, development modules and products.
  • Delivering a programme of codes and certifications tailored to the needs of sectors.
• Proportionate and transparent guidance:
  • Producing and publishing a ‘guidance pipeline’ with clarity and certainty to stakeholders and a programme of guidance reviews in response to upcoming legislative reform.
  • Producing sector-specific guidance by working with representative groups to co-design guidance that provides more tailored and targeted compliance advice.
  • Consulting with stakeholders and establishing a reference panel for consumers, sitting alongside the legal and technology reference panels, publishing their input on the development of their guidance.
  • Producing impact assessments for the ICO’s work where appropriate.
• Encourage public sector standards and efficiency:
  • Working with Government and UK devolved administrations to promote good information practices, meeting the framework set out by the National Data Strategy on how Government wants to work.
  • Revising the enforcement approach to balance the need for enforcement with the desire to avoid public money being diverted from the services that require it.
  • Enabling and encouraging responsible data sharing with the promotion of the ICO’s code of practice and practical tools for data sharing.
  • Supporting the public sector with in-depth feedback and advice provided.
• Timely regulatory interventions:
  • Clearing all of the operational caseloads and backlogs and then introducing a resource model to enable the ICO to respond flexibly to unforeseen peaks in demand.
  • Delivering outcomes of investigations quicker and having more transparency over response times.
  • More transparency about the regulatory action being undertaken and the rationale behind it.
  • Introducing Pace teams for discretionary regulatory work, with transparency over what these teams will be doing and publishing timescales in which they are expected to complete and report on their work.
  • Understanding and responding to emerging technologies and trends, working with other regulators to set out the ICO’s views on emerging technologies to reduce burdens on business, support innovation and prevent harm.
• International data flows through regulatory certainty:
  • Providing adequate assessments and opinions to Parliament.
  • Improving the Binding Corporate Rules approval process by removing duplication in application forms and speeding up the approval process.
• Involvement in legislative reform:
  • Continuing to provide timely and impactful advice to Government as legislative reforms are proposed and developed.
  • Openness, transparency and accountability:
  • Improving responses to Freedom of Information requests, improving the response process to provide a more timely outcome
• Efficiency, productivity and collaboration:
  • Refreshing the People Strategy.
  • Refreshing the Digital and IT Strategy.
  • Implementing an Enterprise Resource Planning system.
  • Developing a data strategy.
  • Reviewing governance structures.
• Value for money for DP fee payers:
  • Recovering the costs of litigation, as far as possible, from companies that have been fined.
  • Ensuring all organisations that are required to register to do so.
  • Publishing an annual value for money summary.
  • Agreeing on a policy for using the ICO’s DP fee income reserves.

If you would like to discuss the new strategy proposed by the ICO reach out to our support desk.