Hello, thank you for having me here today at the Data Protection Intensive. I spoke to you last year, three months into my role, and I told you all what I was planning to do in my first year.
Now, I’m over a year in. Rather than list all the things I and the ICO have done over the past year, I thought it’d be easier to show, not tell. I want to show you what I’ve done so far. Roll the tape…
As you saw in the video, we’ve done a lot over the past year to make a difference to those we regulate.
Our work with victims of sexual assault. Tailored, specific help for small businesses. Tools, events and guidance for games designers to help them comply with the Children’s code.
I’ve also become chair of the Digital Regulation Cooperation Forum, or DRCF, to bring together four of the UK’s regulators to ensure cross-regulatory cooperation and a coherent approach to digital regulation.
We’ve also had to stop doing some things, to ensure we can focus our attentions and effort on the issues that matter most to people. We needed to be more conscious of the choices we were making and the consequences of these.
Part of this means being more deliberate about what we investigate, and by doing our investigations in a more timely way. We’re constantly evaluating our value proposition, and considering how we can provide the most benefit and certainty to the public and organisations.
For example, back in July I said we’d be looking into the use of AI and algorithms within the benefits system. We had concerns, brought to us by civil society, over fairness and the way decisions were being made, and wanted to make sure that people weren’t being unfairly discriminated against.
Our investigation into that practice has finished, and I’m pleased to say that we didn’t find any evidence to suggest that people in the benefits and welfare system are subjected to any undue harm or financial detriment as a result of the algorithms used by local councils. We found that there was sufficient and meaningful human involvement in the process of benefit entitlement, and that the algorithm they deployed was to reduce administrative burdens, rather than to make decisions of consequence.
Another example of this change in approach was our involvement with the Driver and Vehicle Licence Agency (DVLA) last year, and which legal basis they could rely on to share details of drivers with private car parking firms to recover parking fines.
Following a number of complaints to us, we investigated and found that the DVLA were relying on a different legal basis for processing than what we would recommend.
This began a long-running investigation, prior to my time here, culminating in a Commissioner’s Opinion. In the end, we concluded that the DVLA had infringed the law on a technicality, that the previous Opinion was sufficient and enforcement action was not necessary.
Similarly, in 2020 we became involved with Ofqual and exam boards over their use of algorithms when awarding grades based on teacher assessments, due to the disruption caused by the pandemic. Our view, as the regulator, differed from that of the exam boards and Ofqual, and we had to engage extensively with them to achieve a beneficial outcome.
We’re also keen to understand more about where the person or organisation who’s brought a complaint to us is coming from.
We’ve engaged with organisations across all sectors on aspects of data protection to ensure that people’s personal information is protected.
For example, the NHS wanted to update the NHS app to give GPs the option to upload patient notes and records. The British Medical Association wrote to us expressing concerns about patient privacy and confidentiality. We wanted to ensure that sensitive patient information would be protected.
Institutionally, our instinct was that we couldn’t provide advice or pass judgement without launching a full investigation. However, through working closely with NHS England and the Department for Health and Social Care, we addressed the BMA’s concerns and provided them with reassurance.
Through moving quickly and agilely, we provided regulatory certainty and assurance to both sides, ensuring the safety of patient information, whilst making sure that the data controllership and responsibilities remained with GPs.
Through providing an answer early on, we avoided a situation where we may have had to open an investigation, committing time and resource, and went straight to the source.
We’re engaging more with marginalised groups that we haven’t been in contact with in the past – we call these communities of unmet need. It’s important for us to meet with and help new groups that we haven’t spoken to before, so that they understand how the ICO can help and the role of information rights in their struggles.
For example, when we released our report into the excessive collection of data from victims of rape and serious sexual assault, I received messages from women who had gone through this process. It was moving to hear their experiences first hand, and it made me determined to make sure that we improved this practice so that others wouldn’t have to go through the same distress.
We’ve also had productive meetings with academics at the Islam-UK Centre at Cardiff University to understand how information rights issues affect Muslim communities.
Part of our work under ICO25 is to ensure that we aren’t a faceless regulator. We want to be approachable and open – both to organisations and to the public, as well as to our DPO network across the UK.
Whilst we’re on the topic of the DPO, I want to reiterate my message from last year: you are the eyes and ears of an organisation; a specialist role whose importance cannot be overstated. We continue to value the work that you do, and have been very keen to support you in whatever way we can.
One way we can do this is through our very own free conference – the Data Protection Practitioners’ Conference – which is taking place on 3 October this year.
We’ll be announcing more details about this soon, and registration for tickets opens on 6 April, so keep an eye on our website and social media channels.
Another way in which we’re adapting our approach is by moving at pace. We are acting quickly, ensuring that we’re being effective where there is a public perception of data being either misused or not treated properly.
We’re not neglecting the basics, either – last year, we took action and publicised seven reprimands against organisations who either refused or were non-compliant with their subject access request responsibilities. This was the first example of enforcement action by the ICO related to SARs – a key aspect of people’s rights under data protection law, and an essential part of building trust with your customers.
We’ve also implemented a philosophy of regulating for outcomes. And when we say outcomes, we mean outcomes that will help people.
One of the ways we are doing this is by explicitly using the full spectrum of regulatory tools available to achieve results. As enshrined in Article 58(2) of the UK GDPR, I have a number of regulatory powers at my disposal. They range from warnings and reprimands at the one end all the way through to erasure of data and fines at the other.
Regulation exists on a spectrum – a gradated response to non-compliance. We’re promoting the other ways we can improve compliance, for example through our audit work or our new approach to fining the public sector, as well as the upstream work to make compliance easier, like our upcoming Innovation Advice service to offer fast, frank advice on data protection issues. You can find out more about this service tomorrow afternoon, with the Innovation team who are hosting a panel session.
Lastly on my regulatory philosophy – it’s important for us as the regulator to show that non-compliance with data protection is not profitable. Misusing your customers’ information in order to gain a commercial advantage over others will always be viewed negatively by my office, and we will seek to impose fines commensurate with the ill-gotten gains achieved through non-compliance.
Last year I was honest about things that we needed to improve on. One example of this was our FOI casework levels, which weren’t where we wanted them to be a year ago.
In March 2022, the caseload stood at over 2,200. Our original plan to tackle the backlog was to recruit eight additional staff and make efficiency savings through our casework.
In October 2022, we supercharged our approach to casework.
Today, our caseload stands at 840. In our original plan, we had forecast for our caseload to be at 1,532 by the end of March – so we’ve had a significant uplift in performance, and a 45% improvement on our original plans.
I’m really proud of the work that our FOI team have put in to make this happen.
We’re also adjusting our ways of working. The idea is to clearly articulate the ICO’s values and create a shift in approach – if you interact with the ICO now, you should notice a difference. Some ways in which we’re doing this are by prioritising simply and with agility, as I’ve shown through my examples today, and by being a more empathetic and open regulator, being transparent about our processes and understanding what our priorities are and why.
During my listening tour last year, I heard – probably from some of you in the room right now! – that some of our approaches weren’t working. You were worried about the change that a new law and new Commissioner would bring, and whether what you could expect from the regulator would change at the same time.
I wanted to provide you with certainty.
One of the ways we’re providing that certainty is through our three-year strategy, which we’re calling ICO25. Through creating the strategy, we’ve adopted a new mission statement, which is that ‘the ICO exists to empower you through information’.
That means a lot of things in a lot of different situations. For example, through trying to be a more open and empathetic regulator, we’ve begun publicising our reprimands and sharing our internal training materials.
It’s also about investing once at the centre, so that the organisations we regulate and the people we protect can benefit. One example of this is that we’re changing and improving our classification for personal data breach reports that come into us, to give us more of an overview of whether the breach affects vulnerable people.
This then allows us to offer more tailored, specific advice to data controllers about how they can ensure these vulnerable people are protected from the impact of the breach. We’re also asking controllers to assess the risk they believe is posed to vulnerable people when reporting the breach.
I’m keen to build on the high reputation of the organisation that I inherited from my predecessor. This means putting down better markers of what the law means, so that the people and organisations of the UK which the law affects know their rights and can comply with the law.
And I’d add, as an aside, that we look for that clarity in the law ourselves. A few of you will be aware of the work we did around Experian, and their handling of huge amounts of personal data. The lower tier tribunal did not find in our favour in that case, in certain respects. But having carefully considered the judgement, I believe the tribunal erred in law, and we will be applying to the upper tribunal for permission to appeal.
Of course, that law is under review right now. As I’m sure you’ve all heard, it’s being re-introduced to Parliament today. I’ll leave it to the Secretary of State to set out her view at her keynote tomorrow, but I want to stress that the changes we have committed to in ICO25 are not predicated or dependent on law reform. We can still achieve everything we set out to achieve, regardless of what direction the law goes in.
There are positives to law reform and advantages to our independent practices – we can be, to borrow a key phrase from my first year, more fleet of foot than many of our European counterparts. We can identify harms and focus on where we can be most effective, to bring the most benefit to the people and organisations of the UK.
It’s been a year of listening, of setting things in motion, of preparing for the year to come and the years after that. Now we are taking action and creating the ICO we want to be – one that empowers you through information, one that is empathetic and transparent, and one that supports the whole of the economy to thrive. Regulation can be a force for good – and we want to ensure all the people we serve understand that the ICO is here to empower them.
Ultimately, I want to be able to stand here at next year’s IAPP – if invited..! – and show you all of the changes and impacts we’ve had this year, as we continue our year of delivery.
Thank you.