The use of biometrics to speed up airport passenger journeys, innovations in crime prevention and technological advances in the health sector are among the first projects selected to take part in the ICO Sandbox.

Other products and services which will be tested and scrutinised for compliance with data protection law will include innovations in housing, road traffic management, student welfare and tackling bias in artificial intelligence.

The sandbox is a new ICO service which will support organisations which are developing innovative products and services using personal data with a clear public benefit. Participants will be able to draw on the ICO’s expertise and advice on data protection by design, mitigating any risks as they test their innovations, while ensuring that appropriate protections and safeguards are in place.

Elizabeth Denham, Information Commissioner, said:

“The ICO supports innovation in technology and exciting new uses of data, while ensuring that people’s privacy and legal rights are protected. We have always said that privacy and innovation are not mutually exclusive and there doesn’t need to be an either-or choice between the two.

“The sandbox will help companies and public bodies deliver new products and services of real benefit to the public, with assurance that they have tackled built-in data protection at the outset.

“Engaging with businesses and innovators in the sandbox is also a valuable exercise in horizon scanning - the ICO can identify new developments in technology and innovation and the potential opportunities and challenges they may provide.”

In all, 10 projects have been selected from the 64 applications the ICO received for the initial beta phase of the sandbox:

  • FutureFlow:
    FutureFlow is a RegTech start-up designing a Forensic Analytics platform that monitors the flow of funds in the financial system. Its platform enables multiple financial institutions, regulators and agencies to leverage each other’s intelligence on Electronic Financial Crime without heavy reliance on Personally Identifying Information. This collaborative approach to tackling financial crime opens the prospect of higher detection rates with lower false positives, while reducing the burden of scrutiny on each individual and business consumer.
  • Greater London Authority:
    In order to reduce levels of violence in London, the Mayor has set up a Violence Reduction Unit (VRU) which is taking a public health approach to this issue. As part of this work, the VRU needs to better understand how public health and social services can be managed to prevent and reduce crime, with a focus on early intervention. There is increasing interest from the VRU, the Mayor’s Office of Policing and Crime (MOPAC) and the Greater London Authority (GLA), for health, social and crime data to be looked at in an integrated and collaborative way.
  • Heathrow Airport Ltd:
    Heathrow Airport’s Automation of the Passenger Journey programme aims to streamline the passenger journey by using biometrics. Facial recognition technology would be used at check-in, self-service bag drops and boarding gates to create a seamless experience for passengers travelling through the airport. Current processes require passengers to present different forms of documentation, such as boarding cards and passports, at different points in their journey to prove their identity and show that they are authorised to travel. By offering passengers the option of using facial recognition technology they would have the choice to enjoy a frictionless journey through the airport.
  • Jisc:
    Jisc is developing a Code of Practice with universities and colleges wishing to investigate the use of student activity data to improve their provision of student support services. This will help them protect both privacy and wellbeing.
  • The Ministry of Housing Communities and Local Government:
    The Ministry of Housing, Communities and Local Government's project partners with Blackpool Council and the Department of Work and Pensions, and seeks to match personal information controlled by multiple parties in order to create a dataset that will allow MHCLG to understand more about the private rented sector in Blackpool, who lives there, and how we can help improve the quality of properties.
  • NHS Digital:
    NHS Digital is working on the design and development of a central mechanism for collecting and managing patient consents for the sharing of their healthcare data for secondary use purposes, including medical research and regulated clinical trials.
  • Novartis Pharmaceuticals UK Limited:
    Novartis is exploring the use of voice technology within healthcare. Through its Voice Enabled Solutions project, Novartis is working with healthcare professionals to design solutions to make patient care easier, and addressing the data privacy challenges posed by this emerging technology.
  • Onfido:
    Onfido will research how to identify and mitigate algorithmic bias in machine learning models used for remote biometric-based identity verification.
  • Tonic Analytics:
    The Galileo Programme was launched in 2017 and is jointly sponsored by the National Police Chiefs’ Council and Highways England. Galileo’s primary focus is on the ethical use of innovative data analytics technology to improve road safety while also preventing and detecting crime.
  • TrustElevate:
    TrustElevate provides secure authentication and authorisation for under- 16s. TrustElevate is the first company globally to provide verified parental consent and age checking of a child. It is working to enable companies to comply with regulatory requirements, and to make the Internet a safer environment for children, facilitating a more robust digital ecosystem and economy.

The next stage of the process will be to agree and develop detailed plans for each sandbox participant before work starts on testing their products and services. It is envisaged all participants will have exited the sandbox by September 2020.

As part of the Sandbox participation agreement, the ICO and the 10 organisations taking part in the beta phase will not go into any further detail about their respective individual projects at this stage.

If you need more general information about the ICO Sandbox, please contact the ICO press office on 0303 123 9070, or visit the media section on our website.

Notes to Editors

  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
  3. The General Data Protection Regulation (GDPR) is a new data protection law which applied in the UK from 25 May 2018. Its provisions are included in the Data Protection Act 2018. The Act also includes measures related to wider data protection reforms in areas not covered by the GDPR, such as law enforcement and security. The UK’s decision to leave the EU did not affect the commencement of the GDPR.
  4. The data protection principles in the GDPR evolved from the original DPA, and set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:
    • Processed lawfully, fairly and in a transparent manner in relation to individuals;
    • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
    • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
    • Accurate and, where necessary, kept up to date
    • Kept in a form which permits identification of data subjects for no longer than is necessary; and
    • Processed using appropriate technical or organisational measures in a manner that ensures appropriate security of the personal data.”
    • Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
  5. To report a concern to the ICO go to ico.org.uk/concerns.