The Information Commissioner’s Office (ICO) has released its ICO Audit a Year in Focus. This report outlines the ICO’s regulatory activities and rulings over the last year and provides crucial insights for data protection officials. The takeaways below make clear the current Commissioner’s approach of prioritising the areas where the impact on individuals will be greatest. As we will see, for the outgoing year that area is the protection of children’s data.

Here are the key points of regulatory progress in 2022/23 from the report:

1. Collaboration with the Department for Education (DfE): Recognising the need for collaboration between education and data protection, the ICO has worked closely with the DfE. This partnership aims primarily to simplify privacy information, making it more child-friendly and guaranteeing that young brains can easily grasp and exercise their data rights. Some improvements planned by this collaboration include:

  • A planned production of an Information Rights code of practice for use by education establishments.
  • A ‘Data Protection Portal’ aimed at learners, parents/carers, and education staff, to be available online for anyone to access – including DfE staff so there is a consistent understanding across the DfE and the sector.
  • Implementation of a new DfE Data Sharing Service with clearer roles and responsibilities, more effective principles, processes and procedures and a new suite of forms and guidance documents.

2. Review of the Digital Economy Act: As the UK digital economy continues to evolve, the ICO has announced a comprehensive review of the Digital Economy Act to maintain its relevance and efficacy in today’s quickly changing digital surroundings.

3. Initiatives for Education in the Gaming Sector: The ICO has adopted an educational posture by offering crucial guidance to the gaming sector. What is the main goal? To emphasize how important it is for kids to have their privacy, and to give industry participants the resources and information they need to follow best practices.

4. Self-assessment Tools for Online Services: The ICO made a case for the creation of risk assessment tools to improve child safety online. These self-assessment tools will assist internet service providers in identifying dangers and taking preventative actions to protect children’s privacy.

5. Children’s Privacy in Gaming: The ICO has taken action to establish child privacy checkpoints within game production, acknowledging the growing gaming industry and its evident attraction to the younger population. This proactive measure aims to reinforce a safer virtual environment for kids by incorporating data protection from the very beginning of game design. Other measures are:

  • Development of a suite of guidance for parents and guardians about gaming products.
  • Disabling risky features within products and services including chat, friends list, push notifications and social features for U18s in the UK, by default.

What should we expect for 2023/24?

The ICO has hinted at new areas of regulatory focus for the oncoming year. They are:

1. AI services in recruitment: The ICO plans to undertake engagements with both providers and users of AI systems for the purposes of recruitment. This emphasis is pertinent given the rise of AI-powered hiring methods, particularly AI scanning, which is now heavily involved in applicant evaluations. In this regard, it is crucial to recognise that judgements based solely on automated processing, like profiling, are subject to restrictions under the GDPR. Due to the lack of human oversight and the possibility of errors, the growing use of automated CV evaluations may violate its provisions. This is why more stringent regulatory action may result from this impending ICO focus.

2. Child protection: The ICO is not slowing down on prioritizing the safeguarding of children’s data. It plans to further a programme of work across the multiple agencies and sectors that are responsible for child safeguarding (local authorities, social services, education, police, health) to identify any weaknesses in current arrangements and see where it might be able to provide guidance or clarity to increase their effectiveness. It will be particularly interesting to see the outcome of these developments in tandem with the changes envisaged in this sector because of the Online Safety Bill becoming law.

3. Financial services: The ICO seeks to gather and examine data on a range of financial topics, including technology advancements, international finance intricacies, and data protection compliance in economic crimes.

4. Extraction of mobile phone data: Assessment of compliance with data protection legislation with regard to the extraction and use of mobile phone data in criminal investigations by the criminal justice sector.

5. Conducting Privacy & Electronic Communications Regulations audits: The ICO intends to conduct audits of public electronic communications businesses. With the upcoming Data Protection and Digital Information Bill on the horizon, fines are projected to rise dramatically to match GDPR requirements, rising to as much as 4% of global revenue once the Act becomes law. This is one to look out for.

Comment

This report from the ICO gives insight into its impending data protection goals. For all companies functioning in the digital sphere, remaining informed and adhering to the ICO’s guidelines will be essential as we approach 2023–2024. On our part, we will continue to keep you apprised of these developments as we have always done. Watch this space.

Author

Vin leads our London Data Privacy practice and is also a member of our Global Privacy & Security Leadership team, bringing over 22 years of experience in this specialist area and advising clients from various data-rich sectors including retail, financial services/fin-tech, life sciences, healthcare, proptech and technology platforms.

Author

Chiemeka works as a privacy specialist in Baker McKenzie's Intellectual Property & Technology Practice Group and is based in the firm's London office. He is a Nigerian-qualified lawyer who focuses on data protection, privacy, and technology transactions.