ICO strategy 2025


Following the appointment of John Edwards as the head of the Information Commissioner’s Office (ICO), the office recently launched the ICO 25 Strategy Plan (plan), setting out the ICO’s priorities for the next three years. The plan covers the strategy and how it will be achieved by 2025. It is worth noting that the government intends to update UK data protection law during the plan, and intends to introduce a new constitutional governance model for the ICO. A copy of the strategy can be found here and its four objectives here.

As part of the next 12 months of the plan, the ICO intends to address/implement the following key areas of focus:

  • Children’s privacy

Particularly on social media platforms and similar sites. For example, ensuring they have privacy notices appropriate for children. This dovetails with the government’s Online Safety Bill and highlights the importance of protecting the privacy and safety of children using the internet.

  • International data flows

The ICO seeks to improve the Binding Corporate Rules approval process by removing duplication and providing advice to government on adequacy decisions.

  • Compliance tools

To help reduce the costs of compliance and aid the understanding of organisations, case studies showing previous recommendations and one-off pieces of advice from the ICO will be shared. If there is ambiguity or misunderstanding, it is likely the feeling is shared by other organisations. Publishing this information in an accessible way will allow organisations to feel confident and reduce the burden of trying to “find the answer”.

  • Subject access request tool

The ICO intends to create a generator for subject access requests for individuals, which will request all relevant information from an individual (which may otherwise not be included), therefore enabling businesses to respond quickly and efficiently. This appears to be a win-win for individuals and organisations, as it helps individuals to feel in control and reduces the time organisations need to deal with requests, thereby lowering costs.

  • Training for SMEs and certification schemes so organisations can demonstrate seeking compliance.


For those who are not familiar with the objectives, the plan revolves around four “strategic enduring objectives” and includes measures for the ICO to review the effectiveness of its efforts. We have briefly explained the objectives below.

  1. Safeguard and empower people

The key branding for the plan, “empowering you through information”, gives a flavour of its contents. The idea is to uphold information rights, especially for the most vulnerable people, by helping people to understand their rights in combination with tackling predatory marketing and supervising cyber security, which will in turn enable people to feel empowered.

  2. Empower responsible innovation and sustainable economic growth

The plan envisages innovation and economic growth as a result of regulatory certainty, reduced costs of compliance and clear consequences if and when there is non-compliance. There are various steps the ICO proposes to take, including cooperating and collaborating with regulatory counterparts domestically and internationally, as well as placing more of a focus on sectoral regulators.

  3. Promote openness, transparency, and accountability

This objective is focussed on the Freedom of Information (FOIA) and Environmental Information (EIR) frameworks within the UK, assisting public authorities with advice, tools, practice directions etc.

  4. Continuously develop the ICO’s culture, capability, and capacity

This essentially aims to improve perception of the ICO as a knowledgeable and influential regulator by providing quality and timely responses and communicating in ways which are understandable, accessible and engaging.
