Information Commissioner’s Office publishes summary of responses to its Privacy Seals consultation on framework criteria

The report summarises the key themes that emerged from the responses to the ICO’s consultation on the draft framework criteria, which ran from 3 September to 3 October 2014. The draft framework criteria document comprises:

  • the principles that must underpin an ICO-endorsed scheme; and
  • the detailed criteria on scheme requirements.

The consultation provided an opportunity for organisations to provide their views on the draft framework criteria to ensure the ICO requirements for privacy seal schemes are robust, credible and achievable.  The ICO sought feedback on the following specific areas of the framework criteria document:

  • roles and responsibilities of ICO, UKAS and scheme operators;
  • the underpinning principles;
  • the scope and objectives of the scheme requirements;
  • sustainability of schemes;
  • the certification process; and
  • the quality criteria for organisations.

The ICO received 28 responses; 14 responses came from private sector organisations, mainly from those with a specific privacy or security interest; the remaining responses came from the finance sector (three responses), academics (three), public authorities (five responses) and a telecoms company, a legal firm and a trade/representative body.

The majority of responses were generally supportive of the ICO’s approach and confirmed that the proposed approach was consistent with expectations around certification processes.

The themes that emerged from the consultation exercise were consistent with the previous stakeholder feedback:

  • interaction of the ICO’s scheme with the European Commission’s draft proposals for a new Data Protection Regulation;
  • limitation of the scheme to cover UK processing only;
  • impact on ICO’s regulatory role, including complaints resolution;
  • clarity around the role of UKAS.

Two strongly critical responses were received, raising two specific concerns:

  1. The rationale for limiting the first invitation for proposals to new schemes only: the ICO responded by saying that it has extended the scope of its invitation to allow proposals covering existing schemes to be put forward for ICO endorsement, as long as such schemes are adapted to meet the standards of the framework criteria and undergo the UKAS accreditation process if necessary.
  2. A strong recommendation that the ICO should wait until a final text of the proposed EU data protection Regulation is agreed following the 26 September leak of the Council’s draft text on the Article 39 provisions: the ICO responded by saying that it does not share the same concerns about the Council’s latest proposals for the provisions on certification mechanisms in Article 39 of the draft Data Protection Regulation. In fact, it says that it welcomes the latest Council text, which amends Article 39 to introduce an approach that is more consistent with the co-regulatory model proposed by the ICO.  The ICO does not agree that it should delay its progress and intention to introduce a privacy seal scheme in the UK.  It says that it is taking this opportunity to build the ICO’s expertise in an area that will become significant in the near future because of the Regulation.  Ideally, it would like ICO-endorsed schemes to be consistent with the provisions at the European level once the Regulation is in force, and it is “watching developments closely”.
