HomeInsightsInformation Commissioner’s Office Sandbox six months on

Contact

In September 2019 the ICO launched the beta phase of the Sandbox, the ICO initiative to support organisations innovating using data protection by design. The ten projects selected represent a range of industries and organisations looking for solutions to tackle some of the most fundamental questions for today’s society, for example, how can organisations work together to reduce violent crime? What can universities do to better support students with their mental health? And how can new technologies improve health care?

The ICO says that it has expanded its insight through workshops conducted for each individual project. It is considering where additional guidance may help organisations with compliance. The ICO recognises that this work has “given us the opportunity to consider real-world examples of the most contemporary data protection issues”.

Even at this early stage, the ICO says that there are key issues starting to emerge:

  • realising the benefits of data in the public sector: some participants are working to overcome historic data sharing challenges across the public sector, others have focused on the much more recent challenge of how to incorporate big data. The opportunities afforded by personal data combined with powerful new technologies need to be effectively balanced against the rights and freedoms of data subjects, especially considering the legal framework for processing and the expectations of the public;
  • consent questions: the ICO is working to ensure that a common understanding is developed around consent and its various legislative definitions to ensure that all parties understand the differences, and apply consent in a consistent manner whilst providing transparency information to the public. It has increased its understanding of the role of digital identity products for vulnerable data subjects and the practical challenges in obtaining consent from children, and those with parental responsibility, where national identity services are less mature;
  • the challenge of new technologies: the real world application of voice biometrics and facial recognition technology (FRT) are posing some interesting challenges. The ICO has been examining how FRT can be used in situations where there are many other global standards and requirements that need to work alongside data protection law. This is feeding into its wider work, consolidating its thinking on an appropriate basis for processing special category data in order to assess racial bias in facial recognition; and
  • data analytics: examining how data analytics can be used in a data protection compliant manner has meant testing the ICO’s advanced understanding of certain aspects of the GDPR. This has involved assessing suitable lawful bases and conditions for processing special category data, identifying data protection risks within processing and reviewing data sources that may be used in data analytics to ensure that the purpose would not be incompatible. This will help shape future ICO guidance.

The ICO says that it is “looking forward to working alongside the organisations to develop some truly ground-breaking projects to a fully working solution, delivering innovative and compliant products and services for the public good”. The ICO also says that by applying the legislation to new and emerging situations, it is also developing its understanding and is already using this to inform its wider guidance and regulatory approaches. To read the ICO’s news release in full, click here.