Reflection of surrounding buildings on RPC's building.

ICO to focus on vulnerable and disadvantaged in new three-year plan

Published on 10 October 2022

The question

How does the UK’s Information Commissioner’s Office (ICO) propose to protect the data of those most vulnerable in society?

The key takeaway

The ICO has announced plans to focus on empowering individuals by looking at: the impact of predatory marketing calls; the regulatory work around children’s privacy; algorithms used in the benefits system; and discrimination in recruitment due to AI. The plan also sets out proposals for businesses to better manage their data obligations.

The background

The UK Information Commissioner, John Edwards, announced the new ICO25 plan which sets out his office’s plans for the next three years. Speaking at the launch, Mr Edwards said “My office will focus our resources where we see data protection issues are disproportionately affecting already vulnerable or disadvantaged groups. The impact that we can have on people’s lives is the measure of our success. This is what modern data protection looks like, and it is what modern regulation looks like”.

Businesses also need support with their data obligations. There are many businesses, in particular small and medium sized businesses, who have data protection responsibilities as a by-product of their business. The ICO considers that there is a need for certainty and flexibility when it comes to the support it can offer those businesses.

The development

Protecting vulnerable members of society: The ICO intends to focus on the following areas over the next year:

  • the continuing need for and support of children’s privacy through enforcement of the Children’s Code
  • reviewing the impact of predatory marketing calls on vulnerable people
  • reviewing algorithms used within the benefits system, and
  • the effect the use of AI in recruitment could be having on neurodiverse people or ethnic minorities (who were not part of the testing for this software).

Supporting business: The ICO also announced a package of actions it will take to support businesses, which it estimates should result in savings of at least £100m to business over the next three years. Support that will be offered includes:

  • publishing training materials relating to data protection and freedom of information requests
  • producing training for SMEs on data essentials
  • publishing a database of advice provided to the public and various organisations
  • creating a platform for organisations to discuss data issues and provide advice (under ICO supervision)
  • offer early support to innovators, and
  • producing templates for organisations to use when developing their approaches to protecting the data they hold.

Why is this important?

Data protection is an increasingly important part of society. Mr Edwards said at the launch of ICO25 that the support ICO will offer businesses “is ultimately a means to an end. We help business to help people”. He highlighted that in order for democracy to be effective, data protection is crucial and the law surrounding it needs fundamental change in order to meet the modern requirements. This is the start of a three-year action plan that the ICO is embarking on which may have significant effects on the focus of the office, as well as the support it offers to businesses and the requirements of data holders.

Any practical tips?

It always helps to know where the regulators are focussing their efforts, but especially in the field of data protection where the sanctions for non-compliance can hit hardest. The message from the ICO is clear, namely you must keep a very close eye on how you are interacting with the most vulnerable in society, including children. Don’t forget to consult the Children’s Code in particular. This landed in September 2021 and impacts how children access or use certain websites, apps, games or online products.

Autumn 2022