Unpacking the ICO’s Data Protection Priorities for 2023-24
The Information Commissioner’s Office (ICO) has recently published its “ICO Audit a year in focus”. This report highlights the ICO’s regulatory actions and decisions over the past year and presents important insights that professionals in the field of data protection should be aware of.
Over the past year, the impact of the ICO’s heightened regulatory focus has been felt in the areas it targeted, with specific emphasis placed on sectors and areas with pronounced vulnerability.
Notably, the protection of children’s privacy stood out as a paramount concern, evident in the strategic measures introduced. Here are the salient points that the ICO set out in its report:
- Children’s Privacy in Gaming: Recognising the burgeoning gaming industry and its undeniable appeal to the younger demographic, the ICO has acted to initiate child privacy checkpoints within game development. This proactive step is aimed at integrating data protection from the very inception of game creation, thereby reinforcing a safer virtual environment for children.
- Educational Initiatives for the Gaming Sector: In addition to the above, the ICO has taken an educational approach by providing key tips to the gaming industry. The primary objective? To accentuate the significance of children’s privacy and equip industry players with the tools and knowledge to adhere to best practices.
- Digital Economy Act Review: As the digital economy continues to grow and evolve, the ICO has embarked on a comprehensive review of the Digital Economy Act, seeking to ensure its relevance and efficacy in today’s rapidly shifting digital landscape.
- Engagement with the Department for Education (DfE): Acknowledging the need for synergy between education and data protection, the ICO has engaged actively with the DfE. This collaboration primarily seeks to simplify privacy information, tailoring it to be more child-friendly and ensuring that young minds can comprehend and exercise their data rights with ease.
- Self-assessment Tools for Online Services: In a bid to bolster child protection online, the ICO has championed the development of risk assessment tools. These self-assessment instruments are designed to aid online service providers in recognising potential threats, ensuring that they take pre-emptive measures to uphold the sanctity of child privacy.
As can be seen from the above list, the protection of children’s rights was a key focus, which highlights the present Commissioner’s approach to prioritisation. His stated aim has been to take action which will provide the most benefit to those that need it most, rather than to pursue technical matters which will make little material difference to individuals. This pragmatic, harms-based approach is likely to continue, with the organisation caring most about, and therefore focussing most of its attention and resources on, areas where it can have the greatest real-world impact.
As the digital sphere continually evolves, it is essential for data protection practitioners to stay informed of the latest regulatory directions and trends. The Information Commissioner’s Office (ICO) has set out its plan of action for the year 2023-24. We set out below those focal areas, providing an overview and a concise analysis to help predict where the regulator is most likely to focus its attention next.
- Artificial Intelligence in Recruitment:
The ICO plans to delve into audits and engagements with AI system providers and users. This focus is timely given the surge in AI-driven recruitment practices, notably AI scanning, which now plays a prominent role in candidate assessments. In this context it is important to recognise that Article 22 of the GDPR sets boundaries on decisions rooted purely in automated processing, such as profiling. The increasing reliance on automated CV reviews could potentially breach this provision, given the risks of inaccuracies and absence of human oversight. Therefore, these upcoming ICO audits might pave the way for stricter regulatory interventions. As ever, work of this nature is complex and never quick, but expect significant focus on this area going forward.
- Financial Services:
The ICO aims to compile and review information on various financial themes, encompassing data protection compliance in economic crimes, technological innovations, and the nuances of international finance. However, given the existing stringent regulatory framework in the financial sector, significant shifts or alterations to the present regulations are not expected. This is a huge area to cover and one which is already heavily regulated, so we would not necessarily expect significant enforcement action but, more likely, guidance and education.
- Data Sharing in Child Protection/Safeguarding:
The ICO’s work involves collaborating with multiple child protection agencies to identify and rectify present systemic deficiencies. As a continuation from last year’s focus, it’s important to note that the Information Commissioner, John Edwards, has made it clear that public sector bodies, likely to be the majority of those involved in children’s safeguarding, won’t generally face fines for a defined period which is still in place. This suggests again that enforcement action, aside from potential Reprimands, is less likely in this area.
- Mobile Phone Extraction:
The ICO intends to thoroughly assess compliance concerning mobile data extraction during criminal investigations. This focus stems from growing concerns about data extraction in legal contexts, especially given the guidance on this matter which was promulgated in June 2021. The upcoming audits might well be geared towards ensuring this guidance is being implemented. Again, this will be largely, if not entirely, public sector focussed with associated implications for likely enforcement action.
- Privacy & Electronic Communications Regulations:
The ICO is set to audit public electronic communications entities. With the forthcoming Data Protection and Digital Information Bill on the horizon, penalties are expected to increase significantly to match the GDPR standards, therefore amounting to as much as 4% of worldwide turnover once the Act is eventually in force. These electronic communication entities may in due course be the first organisations to face the risk of those more severe fines if any of those audits identify sufficiently serious ongoing failings.
The ICO’s recent “Audit a Year in Focus” sheds light on its upcoming data protection priorities. These guidelines emphasise areas like children’s online safety, AI in recruitment, and mobile data extraction. Key takeaways include the need for industries to integrate these guidelines promptly and the paramount importance of safeguarding data in an ever-evolving digital landscape. As we move into 2023-24, staying informed and compliant with the ICO’s guidance will be crucial for all organisations operating in the digital space.
For further information, please contact:
James Moss, Partner, Bird & Bird