Clifford Chance

On 14 July 2022, the Information Commissioner's Office (ICO) published a draft of its new strategic plan, 'ICO25 – Empowering you through information' (ICO25),which describes the ICO's four core strategic objectives for the next 12-36 months and how it plans to achieve them. The strategic objectives set out in ICO25 are: (i) safeguarding and empowering people, particularly vulnerable groups; (ii) empowering responsible innovation and sustainable economic growth; (iii) promoting openness, transparency and accountability; and (iv) continuously developing the ICO's culture, capability and capacity.

The publication of ICO25 follows the ICO's recent six month listening exercise.  The plan remains in draft form at present as the ICO is currently consulting on the purpose, objectives and performance measures set out therein.  Nevertheless, ICO25 provides valuable insight into where the ICO is likely to focus its efforts in the next twelve months and beyond.

What do these objectives mean in practice and how does the ICO plan to achieve them?

What are the core strategic objectives of ICO25 and how will they be achieved?

Safeguarding and empowering people, particularly vulnerable groups. The ICO plans to focus on intervening to safeguard groups and individuals who are exposed to the greatest risk of harm, including by doing more to supervise the cyber security of certain digital service providers, tackling what it perceives as "predatory" marketing (in particular where this is aimed at vulnerable groups) and making sure that individuals understand their information rights.

The steps that ICO25 outlines in order to achieve this aim include: 

• Developing a Subject Access Request Generator tool, which will allow individuals to generate and send template subject access requests to organisations, thereby enabling individuals to identify where their personal data is held and request information relating to it in a ways the ICO believes will assist organisations to respond effectively;
• Continuing to enforce the Children's Code, focussing particularly on issues around age assessments, the profiling of children, the sharing of children's data and alignment with the Online Safety Bill;
• Tackling issues around online tracking through work with government, industry and other regulators on the phasing out of third-party cookies and a move away from cookie pop-ups; and
• Providing refreshed guidance on AI-driven discrimination, use of biometric technologies, such as gait analysis, facial recognition and iris scanning, and use of CCTV in certain setting such as care homes.

Empowering responsible innovation and sustainable economic growth. In ICO25 the ICO states that it will provide regulatory certainty and provide "simple ways to comply easily and proportionately with the law", which will reduce the cost of compliance.  Under the banner of this broad objective, the ICO25 action plan includes the aims of delivering timely regulatory interventions, enabling international data flows through regulatory certainty, and involvement in legislative reform.  This is clearly aligned to the positions taken by DCMS in the conclusions to its consultation process on reform of the UK data protection regime, culminating in the publication of the draft Data Protection and Digital Information Bill.

The steps that ICO25 outlines in order to achieve this aim include:

• Acting as a 'hub' for good practice examples in relation to information rights, producing training for SMEs and creating a database in which the ICO publishes (in anonymised form) advice it has provided to organisations and recommendations it has made following complaints;
• Producing self-service tools, products and templates to help businesses in developing their accountability and privacy management policies and programmes, including publishing views and tools to simplify use of privacy enhancing technologies and delivering a programme of codes of conduct and certification schemes;
• Creating an online forum for organisations to debate compliance questions, as well as running a data protection practitioner conference and stakeholder events;
• Introducing iAdvice - a bespoke advice portal for quick advice to those bringing new products to market;
• Streamlining the process for those raising a data protection complaint by collaborating with sector-specific ombudsmen services;
• Publishing a 'guidance pipeline' to provide transparency in relation to the ICO's programme of guidance reviews and production and more generally adopting agile, programmatical approach to regulatory work, operating within defined time, cost and scope parameters;
• Delivering the outcomes of investigations more quickly and transparently, and clearing operational backlogs to bring caseloads to within published service standards by 31 March 2023; and
• Advising the UK Government in relation to draft legislation as well as third country adequacy assessments for international data transfer, and improving the BCR approval process.

Promoting openness, transparency and accountability. The ICO plans to respond to freedom of information (FOI) requests in a more efficient and prioritised manner and act more quickly in respect of FOI appeals.

 Develop the ICO's culture, capability and capacity through regulatory certainty. ICO25 states that the ICO aims to work in more agile and efficient ways, with a view to providing value for money for data protection fee payers (being predominantly SMEs).

The steps that ICO25 outlines in order to achieve this aim include:

• Reviewing the ICO's governance structures, how it develops and supports its staff, how it uses and shares data, and how it invests in IT; and
• Seeking to recover the costs of litigation from companies which have been fined; and

Ensuring all organisations meet their registration requirements with the ICO and publishing information on how the associated data protection fee has been used

 Enforcement

John Edwards, the UK's Information Commissioner stated in his speech at the ICO25 launch that the ICO will seek to provide "certainty in what the law requires, coupled with a predictable approach to enforcement action that allows businesses to invest and innovate with confidence". The speech also pointed to ICO25 as an indicator of the ICO's priorities for enforcement, with a warning that "those who seek to target and exploit vulnerable communities, who seek an advantage over law abiding competitors by misusing personal information" would find themselves "on the receiving end of our most punitive regulatory tools".

Next Steps

The ICO is now consulting on the ICO25 with a call for feedback during the consultation period, which closes on 22 September 2022. Views and input will be analysed and used to inform the final version of the ICO25 that is due to be published in autumn.