In July, the Information Commissioner’s Office (ICO) held its annual Data Protection Practitioners’ Conference (DPPC) shortly after its announcement of an ambitious three-year strategic plan. Consultation on the draft plan (called ICO25) closed last week, with the finalised version expected to be in operation from October 2022.
Children’s privacy remains a priority for the regulator. Recent ICO website postings to mark the anniversary of the Children’s Code note that the regulator is currently looking into how over 50 different online services conform with the Code, with four investigations ongoing. It is also assessing outcomes after having audited nine organisations as part of its ongoing work to ensure that “Children are better protected online in 2022 than they were in 2021.”
In the first year of its action plan, a proposed objective for the ICO is safeguarding and empowering the public, particularly the most vulnerable groups (such as children) through a better understanding of how their personal information is used and can be accessed.
Sharing data to safeguard children: “the cutting edge of data sharing”
At DPPC, sharing personal data in the context of safeguarding children, described as “the cutting edge of data sharing”, was among the issues discussed.
While organisations such as independent schools constantly fear doing something wrong or causing a personal data breach when sharing information in those circumstances, Mr Edwards delivered a take-home message:
“Wherever you work, whether it is in health, law enforcement, education or the care sector and you have information about a child that you think might be at risk, you won’t get into trouble if you share that information with someone who is in a position to do something about that”.
Detailed guidance on sharing personal data is available in the ICO’s statutory code on data sharing, which came into force on 5th October 2021. This will be supplemented by a resource specifically on sharing data to safeguard children which the ICO is presently working on with the Children’s Commissioner’s Office (CCO) and the UK Department for Education. As yet no timeframe for publication has been announced.
Further ICO guidance and new resources ‘in the pipeline’
Additional ICO guidance for organisations will be released in the coming year. The ICO proposes to publish a ‘guidance pipeline’ online, and we are to expect a programme of guidance reviews in response to forthcoming legislative reforms, which will include the new Data Protection and Digital Information Bill if it becomes law. Following Liz Truss’s appointment as Prime Minister, the Bill’s second reading in Parliament was postponed to allow ministers to give further consideration to the reforms. It is not yet clear whether this will be a priority for the new government.
Among its proposals, the ICO plans to launch, at some point before October 2023, a database which publishes recommendations it has made following audits, investigations, or complaints about organisations. Anonymous case studies will be available online, providing examples of improved practice and best or good practice.
The ICO website will host an online forum for organisations to discuss questions about data protection compliance and standards, in acknowledgment of the value of knowledge-sharing and networking. It is hoped this resource, moderated by the regulator, will bring together experts and support organisations.
Other free resources will include a range of ICO templates and ‘off the shelf’ products to help organisations develop their own accountability or privacy management programmes.