Last week at the ICO’s Data Protection Practitioners Conference, there was much discussion of ICO25, the regulator’s recently published draft action plan for the coming three years. Consultation is ongoing, with the finalised plan to be in operation from October 2022.
A priority for the first year will be safeguarding and empowering the public, particularly the most vulnerable groups (such as children) through a better understanding of how their information is used and can be accessed.
At the same time, the ICO aims to bring down the burden and cost of compliance for organisations.
Proposed free resources for businesses
Among its proposals to achieve this, before October 2023, the ICO plans to launch a database which publishes recommendations it has made following audits, investigations, or complaints. Anonymous case studies will be available online, providing examples of improved practice and best or good practice.
The ICO will also host an online forum for organisations to discuss questions about data protection compliance and standards, in acknowledgment of the value of knowledge-sharing and networking. It is hoped this resource, moderated by the ICO, will bring together experts and support organisations.
Other free resources likely to be welcomed by businesses include making available a range of ICO templates and ‘off the shelf’ products to help organisations develop their own proportionate accountability or privacy management programmes.
In particular, the ICO aims to provide improved support for SMEs with a range of ‘data essentials’ training and development modules and products which “will enable them to publicly demonstrate their capability and commitment to the essential components of responsible data use.”
Some new proposals might not be welcomed. Increasingly, subject access requests (SARs) are a headache for organisations. With a view to safeguarding and empowering the public, the ICO is developing a ‘Subject access request generator’ to help people identify where their personal information may be held and how to request it in ways which will assist organisations to respond effectively. This tool will generate a template SAR that individuals can send to an organisation, and at the same time the organisation will receive information from the ICO which, it claims, will help the organisation respond quickly and simply to the SAR.
Artificial Intelligence (AI): discrimination and human rights implications?
Another concern identified as a priority for the regulator is AI (Artificial Intelligence) driven discrimination. The ICO indicates it will be investigating concerns over the use of algorithms to sift recruitment applications, which could be negatively impacting the employment opportunities of those from diverse backgrounds.
Chief Executive of the Equality and Human Rights Commission, Marcial Boo, who participated in ICO conference panel discussions, explained how both regulators want to improve awareness of how the Equality Act 2010 and the UK’s Human Rights Act apply to use of personal data in relation to automated decision making and new digital software for recruitment. In addition, he flagged that while digital platforms have the potential to improve equality of opportunity, there must be increased awareness of how making services digital by default risks exclusion and less favourable treatment of some of those with protected characteristics such as age and disability.
The ICO plans to set out its expectations in refreshed guidance for AI developers to ensure algorithms treat people and their information fairly, and in addition establish a platform (iAdvice) to offer early support for innovators in this sector.
New ICO guidance ‘in the pipeline’
As expected, in the coming year there will be new ICO guidance for organisations. The ICO proposes to publish a ‘guidance pipeline’ online, and we are to expect a programme of guidance reviews in response to forthcoming legislative reforms, which of course will include the new Data Protection and Digital Information Bill when it becomes law. (It has been placed before Parliament and its second reading is scheduled for 5th September.)
Three to watch:
- Given the new Bill involves adjustments to the Privacy and Electronic Communications Regulations (PECR), there is certain to be updated guidance on direct marketing.
- Attendees at the conference had a preview of the new ICO guidance on Transfer Impact Assessments, relevant to some international transfers of personal data by UK organisations, and it is expected this guidance will become available over the summer.
- Finally, of great interest to all those HR and employment law practitioners is the ICO proposal to launch an employment practices hub, following on from last year’s consultation on updating the ICO’s Employment Practices Code.