On 14 July 2022, the UK Information Commissioner’s Office (“ICO”) has launched a public consultation on its draft strategic three year plan, titled “ICO25”. The plan sets out a commitment to safeguard the information rights of the most vulnerable individuals with the aim of empowering people to confidently share their information to use today’s market products and services, with work particularly targeting:

  • children’s privacy;
  • AI-driven discrimination;
  • the use of algorithms within the benefits system; and
  • the impact of predatory marketing calls.

The ICO25 plan sets out how the ICO will regulate and prioritise work over the next three years. Whilst the ICO’s focus covers a wide variety of areas, we have summarised some of the key proposals for businesses below:

  • Children’s privacy: ICO promises to continue to enforce its Children’s Code. It also wants to press for further changes by online media platforms (social, video, music and gaming) to correctly assess children’s ages and confirm with the Children’s Code’s guidelines and profiling children and sharing their data. The Children’s Code will also be aligned with any changes proposed by the Online Safety Bill (which is currently on hold until a new Prime Minister is appointed).
  • AI-driven discrimination: AI is being used within key areas that affect people’s lives, for instance, job applications or the benefits system. AI software is often used to cut down the amount of manual work needed for human review within these processes and there is the possibility that some people’s applications may never be seen by a human before they are rejected, leading to unintentional discrimination. ICO considers this has become an issue that can have damaging consequences for people’s lives. For example, being rejected for a job or not getting the financial support someone is entitled to is a risk particularly acute for the vulnerable groups. ICO will be investigating concerns over the use of algorithms to sift recruitment applications and aims to set out its expectations through refreshed guidance for AI developers on ensuring that algorithms treat people and their information fairly.
  • Direct marketing: ICO25 emphasised ICO’s commitment to continue to combat predatory marketing, particularly when it targets vulnerable individuals. Given the ICO’s ongoing focus on direct marketing area and the high enforcement rate in the area, the impact of this could be significant particularly as the UK government intends to raise the maximum level of Privacy and Electronic Communications Regulations (PECR) fines to those outlined under the GDPR (4% of an organisation’s annual turnover or £17.5 million, whichever is higher).
  • Data subject access requests: The ICO plans on creating a new subject access request tool to help individuals identify where their personal information may or is likely to be held and how to request it in ways which will assist organisations to respond effectively. The tool will generate a template from the ICO that the requestor can then send to the organisation and the organisation will receive the information from the ICO to help them respond efficiently.

More broadly, the ICO25 plan also aims to save businesses at least £100 million over the next three years by facilitating easier data compliance through the publication of resources and access to supporting platforms. ICO25 will meet this objective by:

  • Publishing internal data protection and freedom of information training materials on its website for reuse by organisations;
  • Creating a database where ICO will publish all of its one-off pieces of advice to organisations and the public in anonymous and reusable form as well as a database where recommendations made following complaints, investigations or audits are published as a series of anonymous case studies that too will be reusable;
  • Producing templates to help organisations develop their own accountability or privacy management programmes;
  • Creating ICO moderated platform for organisations to discuss and debate compliance and share information and advice;
  • Developing a range of essential training, specifically aimed at SMEs; and
  • Introducing iAdvice to provide bespoke support to those innovating with personal information.

ICO25 also sets out the ICO’s commitment to supporting the development of modern freedom of information, including prioritising FOI complaints and a greater emphasis on dispute resolution around complaints. You can read the ICO25 here and the press release here. ICO25 is open for consultation until 22 September 2022 and you can submit your comments here.