Imagine a world without third-party trackers, marketing calls and scammers, targeted ads for children, and AI bias. Although this sounds too good to be true, The Information Commissioner’s Office (ICO) of the United Kingdom is envisioning a future where these nuisances could be curtailed with the launch of its preliminary three-year strategic plan for data privacy called ICO25.
The ICO is the U.K.’s independent regulator for its data protection and information rights laws and has specific responsibilities established by the Data Protection Act of 2018 as well as the Freedom of Information Act of 2000. Since the country will no longer be part of the E.U. thanks to Brexit, it can no longer rely on the framework of the GDPR for data privacy governance.
The agency’s new plan, ICO25, establishes its commitment to protecting data and information rights for what it calls vulnerable individuals with a particular focus on children’s privacy, AI-driven bias and discrimination, the use of algorithms in the U.K. benefits system, and the impact of predatory marketing calls.
In a video, Information Commissioner John Edwards said: “I want – we all want – a regulator who empowers: Empowering people to confidently share their information to use the products and services that drive our economy and our society, empowering organizations to use information responsibly and confidently to invest and innovate, and empowering people to hold government to account, driving transparency that helps us all better trust in the decisions taken by public bodies. These are the principles that will underpin our work for the next three years.”
As for actions laid out by the plan, the ICO will publish internal data protection and freedom of information training materials. The agency will also create a reference database of all previously provided ICO guidance, along with producing readymade privacy compliance templates for organizations. ICO will also set up a moderated platform for discussion, debate, and information sharing.
The agency has lofty goals for its performance of data privacy duties. In a section outlining performance objectives, the ICO promised to assess and respond to 80% of data protection complaints within 90 days and 90% within six months while making sure less than 1% are more than a year old. The agency also seeks to respond to 95% of all information access requests, conclude 95% of all formal investigations within a year, and establish a consumer panel to publish and respond to 100% of its recommendations.
In order to help people understand their privacy rights, the ICO will publish a FAQ, but it recognizes that some cases need more guidance. The agency encourages contact through written inquiries, and it hopes to resolve 80% of these within a week with 99% being resolved within a month. Another goal is to refer or close 80% of personal data breach reports within a month and ensure that less than 1% of data breach reports are over a year old. In addition, the ICO plans to develop a subject access request tool that will allow people to identify where personal information is likely to be held and how to request it using a generated template.
For children’s privacy measures, the agency promises to push for changes and investigate non-conformity on social media, video, and gaming platforms with age verification, improved transparency, and privacy notices that are easily understood by children. For AI-driven discrimination, the ICO will investigate how the financial industry uses intelligence databases, as well as investigate algorithms that are used for benefits eligibility or hiring that could negatively affect opportunities for vulnerable groups. The agency will also scrutinize predatory marketing and scam calls that target vulnerable groups like the elderly and support the U.K. government’s intention to raise fines for violations to 4% of an organization’s annual revenue or £17.5 million, whichever is higher.
Regulating online tracking is also on the agenda: “We will influence changes such as the phasing out of third-party cookies to create a more privacy-oriented internet. We will work with government, industry, and other regulators to give web users meaningful control over how they are tracked online and move away from cookie pop-ups.” The report also mentions regulations for biometric technologies, CCTV footage, and privacy considerations for victims of violent assault.
At the launch of the plan, Edwards called ICO25 “a vision of the regulator we want to be, the world we want to shape, and a practical plan of how we get there,” and commented on ICO25’s significance: “There are few regulators who can say their work is of fundamental importance to the democracy on which society exists. But that is the value of the Freedom of Information Act. My role is to ensure the administration of that law is fit for the modern world.
“But to achieve that requires fundamental change. And that change has to start in my office. The proposals I set out today involve trying different approaches. Some may work well, some may not work, some may need tweaking. But it is absolutely clear to me that in a world of increasing demand, and shrinking resources, we simply cannot keep doing what we’ve been doing and expect the system to improve.”