The ICO Grants Programme and why the time is right to support independent research

“Once you stop learning, you start dying.”

So said Albert Einstein, and while the school year may be nearing its end and university students are already returning home for the summer, we at the ICO have launched our first ever Grants Programme for new, independent research into data protection and privacy enhancing solutions, and we believe it is a genuinely exciting development.

Its outcomes will help us stimulate innovative research and solutions into pressing and challenging privacy issues. The solutions should make a real difference to the public and the data protection practices of organisations.  The programme will also help us achieve many of the key goals set out in the ICO’s new Information Rights Strategic Plan – for example, staying relevant and keeping abreast of evolving technology, improving standards, increasing public trust and maintaining and developing international leadership and influence.

But why should the ICO, as a regulator, be funding research at all? Shouldn’t we be concentrating all our efforts and resources on investigating organisations which breach the Data Protection Act and sorting out unsatisfactory responses to Freedom of Information Requests?

Of course, we recognise and value the importance of our day to day work and this is where the core of funding goes. Our recent annual performance statistics revealed we were dealing with more cases and queries than ever before. Demand is increasing by the year and so is our response, whether through enforcement, conversations with stakeholders or engagement with the general public. When you add the work we are doing to prepare for the introduction of the new GDPR regime in May 2018, it’s clear that we have plenty on our plate – and we’re ready and gearing up for that demand.

But a regulator that concentrates solely on what’s right in front of its nose, that fails to look up and look around, is in danger of walking into a lamppost and banging its head.

We have, in fact, commissioned valuable research in the past. For many years the ICO has run research tenders to support specific policy projects and we have very much valued our interactions with the academic community, NGOs and innovators and the input they’ve had into our work.

We now want to do more to release the potential in these communities. This new programme will take a broader ‘horizon-scanning’ approach, encouraging them to develop new insight and solutions into key data protection and privacy challenges posed by new technologies such as artificial intelligence and machine learning. We are always willing to learn and this external research will feed into our own broader policy thinking and conversations.

This is the right time to launch this programme given the challenges we face and the need to enhance and tap into the expertise of others. The significant public and media interest in our current investigation into the use of data analytics for political purposes is a good example of how quickly things can move and change in the information rights sphere.

By launching the ICO Grants Programme, we are also building on the success of similar schemes already operating overseas. Data doesn’t necessarily recognise physical borders and we believe the ICO should be a global player and always aware of the international implications of our work.

But rest assured, this is not a navel gazing exercise. Foremost in all of our thinking has been the importance of the programme’s practical focus. We want applied research and real solutions with genuine benefits for the UK public, not purely theoretical research.

We also recognise the importance of value for money – the programme will be run in line with the Government’s Minimum Grants Standards and will involve a panel of external experts providing recommendations on which proposals to fund. Successful applicants will be subject to continuous monitoring.

More information about the programme, eligibility and the application process is also available on our dedicated ICO Grants Programme web page. You can also watch our recent webinar outlining further details about the scheme.

Steve Wood is Deputy Commissioner for Policy and responsible for the ICO’s policy position on the proper application of information rights law and good practice, through lines to take, guidance, internal training, advice and specific projects.

Interesting times, and how we navigate them

By Elizabeth Denham, Information Commissioner.


I remember hearing my predecessor talk about a Chinese saying “may you live in interesting times”.

I think it’s fair to say we’re living in them!

My term in office is five years, and it’s abundantly clear to me as the first year draws to a close, ‘interesting times’ will be a recurring theme of my term. GDPR, Brexit, and whatever follows those two. Add to that a general election too.


The Information Commissioner opens a formal investigation into the use of data analytics for political purposes

By Elizabeth Denham, Information Commissioner.

In March we announced we were conducting an assessment of the data protection risks arising from the use of data analytics, including for political purposes.

Engagement with the electorate is vital to the democratic process. Given the big data revolution it is understandable that political campaigns are exploring the potential of advanced data analysis tools to help win votes. The public have the right to expect that this takes place in accordance with the law as it relates to data protection and electronic marketing.


Draft GDPR Consent guidance receives a significant response

By Jo Pedder, Interim Head of Policy and Engagement.

The issue of consent surrounding the use of data has proved to be increasingly high-profile recently – and that has been reflected in the large number of responses to our draft GDPR Consent guidance.

I previously announced back in early March that we were running a public consultation on our first piece of detailed, topic-specific GDPR guidance as we were interested in gaining your feedback on our draft.

The consultation is now closed and we received more than 300 responses from organisations across a variety of sectors, along with interested members of the public.



Profiling under the GDPR: feedback request

By Jo Pedder, Interim Head of Policy and Engagement.

Imagine a friend tells you about a holiday deal. You go online to book the same deal but you cannot see it on the website. Unbeknown to you, behind the scenes an algorithm has analysed where you live, your age, gender, occupation, online activity and more and decided you wouldn’t be interested.

This is called profiling.


ePrivacy reform: Privacy and electronic communications regulations (PECR) under review

By Jo Pedder, Interim Head of Policy and Engagement.

While preparations for the GDPR dominate the headlines, it’s not the only change for the digital economy. As technology evolves at a phenomenal rate, the laws that govern internet-based services are moving at an equally rapid pace.

The next piece of legislation in line for an overhaul is the European directive that forms the basis of the Privacy and Electronic Communications Regulations (PECR).


Garages, new homes and old offices: the records management mistakes that put health records at risk

By Leanne Doherty, Group Manager.

When Cabinet Office Minister Ben Gummer announced the government was spending £1.9bn on UK cyber security, he highlighted health data as needing strong protection.

But while money is (rightly) invested in hi-tech cyber security solutions in the health sector, our experience is that data breaches in the sector are often caused by far more basic mistakes.

Indeed, a quick look through the health cases seen by the ICO enforcement team suggests work to do around garages and decommissioning as well as gigabytes and denial of service attacks.



Information Governance Survey: What councils need to do now

By Anulka Clarke, ICO Head of Good Practice.

Local Government Information Governance Survey

We’re here to help local councils comply with the Data Protection Act and get ready for the new General Data Protection Regulation (GDPR) coming into force from May 2018.

The ICO’s Good Practice department conducted a survey at the end of last year to find out more about information governance practices in local government. It received 173 responses. We already knew from our work with councils that there are some positive measures in place at local authorities but wanted to find out more about patterns of existing practices.


AI, machine learning and personal data

By Jo Pedder, Interim Head of Policy and Engagement.


Today sees the publication of the ICO’s updated paper on big data and data protection.

But why now? What’s changed in the two and a half years since we first visited this topic? Well, quite a lot actually:




ICO guidance for consent in the GDPR

By Jo Pedder, Interim Head of Policy and Engagement.

Back in January I wrote about our plans for GDPR guidance in 2017 and our commitment to help organisations improve their practices and prepare for the GDPR.

I’m pleased to announce that our first piece of detailed topic-specific GDPR guidance has been published today for public consultation. This new guidance is about consent in the GDPR and we are interested to gain your feedback on it through a short consultation which is running from now until 31 March 2017.

The basic concept of consent, and its main role as one lawful basis (or condition) for processing, is not new. However the GDPR does set a high standard for consent. It builds on the Data Protection Act (DPA) standard of consent in a number of areas, and it contains significantly more detail on both the standard and processes for consent.

