ICO selects first participants for data protection Sandbox

29 Jul 2019 12:53 PM

The use of biometrics to speed up airport passenger journeys, innovations in crime prevention and technological advances in the health sector are among the first projects selected to take part in the ICO Sandbox.

Other products and services which will be tested and scrutinised for compliance with data protection law will include innovations in housing, road traffic management, student welfare and tackling bias in artificial intelligence.

The sandbox is a new ICO service which will support organisations which are developing innovative products and services using personal data with a clear public benefit. Participants will be able to draw on the ICO’s expertise and advice on data protection by design, mitigating any risks as they test their innovations, while ensuring that appropriate protections and safeguards are in place.

Elizabeth Denham, Information Commissioner, said:

“The ICO supports innovation in technology and exciting new uses of data, while ensuring that people’s privacy and legal rights are protected. We have always said that privacy and innovation are not mutually exclusive and there doesn’t need to be an either-or choice between the two.

“The sandbox will help companies and public bodies deliver new products and services of real benefit to the public, with assurance that they have tackled built-in data protection at the outset.

“Engaging with businesses and innovators in the sandbox is also a valuable exercise in horizon scanning - the ICO can identify new developments in technology and innovation and the potential opportunities and challenges they may provide.”

In all, 10 projects have been selected from the 64 applications the ICO received for the initial beta phase of the sandbox:

The next stage of the process will be to agree and develop detailed plans for each sandbox participant before work starts on testing their products and services. It is envisaged all participants will have exited the sandbox by September 2020.

As part of the Sandbox participation agreement, the ICO and the 10 organisations taking part in the beta phase will not go into any further detail about their respective individual projects at this stage.

If you need more general information about the ICO Sandbox, please contact the ICO press office on 0303 123 9070, or visit the media section on our website.

Notes to Editors

  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
  3. The General Data Protection Regulation (GDPR) is a new data protection law which applied in the UK from 25 May 2018. Its provisions are included in the Data Protection Act 2018. The Act also includes measures related to wider data protection reforms in areas not covered by the GDPR, such as law enforcement and security. The UK’s decision to leave the EU did not affect the commencement of the GDPR.
  4. The data protection principles in the GDPR evolved from the original DPA, and set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:
    • Processed lawfully, fairly and in a transparent manner in relation to individuals;
    • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
    • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
    • Accurate and, where necessary, kept up to date
    • Kept in a form which permits identification of data subjects for no longer than is necessary; and
    • Processed using appropriate technical or organisational measures in a manner that ensures appropriate security of the personal data.”
    • Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
  5. To report a concern to the ICO go to ico.org.uk/concerns.