The Information Commissioner John Edwards was interviewed on 14 July 2022 on BBC Radio 4's Today Programme - with the conversation centred on "technology vs democracy" and the ICO's new 3 year plan (ICO25).
The first issue discussed was the recent news that the Online Safety Bill has yet again been delayed (as we wrote about here). The relatively glacial speed at which legislatures can move when compared with technology companies was vaunted as a major reason for the Bill having not yet seeing the light of day - with the most recent delay coming as a result of the Bill being removed from the Government's agenda to make space for a motion of no confidence. The Bill will now return to Commons business "in the Autumn”. However, the Commissioner was keen to point out effective regulation making the internet a safer place for the most vulnerable in society (a theme which continued throughout the interview) is to some extent already available in the shape of the ICO’s Children’s Code. While the Bill has a far wider remit, at least the UK does have some protection already in place.
When asked about the ICO's three year plan, ICO25, the Commissioner mentioned the following as priorities:
- making it easy for businesses to comply with regulation for the benefit of the vulnerable;
- empowering people with their own information;
- empowering businesses to innovate safely;
- using the ICO's Freedom of Information mandate to allow people to hold the Government to account by using their right of access to information;
- creating compliance tools to protect the vulnerable online; and
- looking at the reach of the ICO - as its mandate is so broad, there will inevitably be people who are unaware of their rights - and improving awareness.
It was the theme of empowering individuals, particularly the vulnerable, which was the focus throughout, with the right of access established by Article 15 UK GDPR identified as a key tool.
In brief, this right allows individuals to request access to their personal data which an organisation holds about them, as well as supplementary information such as why this data is being processed, who it may be shared with and how long it will be stored for.
The Commissioner used the example of an individual being in conflict with a recruiter or employer as a reason why someone may exercise this right by submitting a subject access request. Subject access requests can be a useful tool for people to gain knowledge of how their data is used, and the ICO is keen to ensure that data subjects are aware of the tools that can be used to exercise their rights. The way in which awareness may be increased is yet to be seen – data controllers are after all already obliged by Articles 12 and 13 of the GDPR to inform data subjects of the right to submit subject access requests.
This focus from the ICO on promoting the right of subject access could lead to organisations receiving even more subject access requests in the coming years, so this may be a good time to review (or implement!) the processes used to fulfil data subject requests and ensure your privacy documentation is up to date.
Finally, artificial intelligence - a hot topic which we have talked about recently - see our Passle on Employment law across the globe – data protection and AI - was also discussed. Here, the power imbalance between AI vendors and purchasers who are not able to assess the effectiveness of the AI system they are looking into was a concern for the Commissioner, particularly where there is a risk of discriminatory outcomes (with the example given being an AI system analysing vocal conversations potentially discriminating against neurodiverse people or those speaking English as a second language). It seems openness is the ICO's goal to mitigate this. It was unclear whether this would mean the ICO themselves would review AI systems to ensure the data sets used to train them were fit for purpose, or whether it will empower organisations to review these themselves prior to purchase. This is something for AI vendors to be aware of, alongside the raft of upcoming regulation such as the Data Reform Bill and the Government's white paper on AI governance.
"My most important objective is to safeguard and empower people, by upholding their information rights."