The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Supporting NHS COVID-19 vaccine research in the pandemic

15 December 2020

The ICO has been working with NHS Digital during the pandemic as part of the sandbox to help them deliver a mechanism to sign volunteers up to COVID-19 vaccine research. A focus of this support has been building ‘data protection by design’ into the service.

The full details are published in a report.

In July 2020, NHS Digital launched the COVID-19 Vaccine Studies Permission to Contact Service (‘PtC’) or the COVID-19 Vaccine Registry as it is also sometimes referred to publicly, in partnership with the National Institute of Health Research (NIHR), the research partner of the NHS in England.

The first of its kind, this UK-wide, NHS-developed online service allows members of the public to register their details to give their permission to be contacted by researchers working on the NIHR-approved UK coronavirus vaccine about participating in their studies.

Members of the public are provided with a link to the NIHR’s ‘Be Part of Research’ website, which provides individuals with information about the COVID-19 vaccine studies and practical details about being involved in the research.

They are asked to give their email address and are taken through some health-related and other questions, with the answers provided helping to ensure that any information shared with researchers running a vaccine study is limited to people who are potentially eligible to take part.

When NHSD joined the beta phase of the sandbox as one of the first participants, in 2019, they began to explore the development of a central consent mechanism through which individuals could agree to share their health data for purposes beyond their direct care and treatment, such as research. The plan centred around three use cases, one of which was a ‘permission to be contacted consent model’.

As the pandemic became a priority, the project was re-scoped in June 2020 to focus on the delivery of a mechanism to support the COVID-19 vaccine trials. The earlier work already carried out within the sandbox provided a valuable head-start.

The ICO Sandbox provided support to NHS Digital whilst developing the PtC user journey, drafting of the data protection impact assessment (DPIA) to identify any risks posed by the processing, and the user privacy notice.

Although it was a challenge to turn this around within such a tight timescale, it is rewarding to be able to respond and contribute to a ‘real world’ challenge and collaborate with organisations to put data protection considerations at the heart of an innovative new project from the start – which is ultimately what the sandbox aims to do.

Sandbox helps develop innovative tools to combat financial crime

05 November 2020

Two innovations to help companies tackle financial crime are the latest results to come out of the sandbox. Both have been developed as part of the beta phase and follow the first two reports on Heathrow Airport and JISC, which were published in July.

Onfido: Mitigating bias in customer identity verification

Onfido Limited has worked in the Sandbox to identify and mitigate bias present in the biometric identity verification technology it designed to enable its clients to prove that their customers are who they claim to be.

For example, a financial institution would likely use the technology to prove the identity of a customer who wants to open a bank account. That customer will be asked to provide a digital photo of their identity document and a selfie taken using a mobile phone or other device.

Onfido will then analyse those images to determine the likelihood that the identity document is genuine, that the face in the selfie matches the face in the identity document, and that the selfie image does not display signs of fraud or facial spoofing. If the identity verification check is successful, the customer will be able to continue with the rest of the process. Onfido’s work in the Sandbox ensures that its product is fair and inclusive for all users undergoing identity verifications.

Future Flow: Data flows

Future Flow Research Inc provides an analytics platform which monitors the flow of funds in the financial system with the potential to combat financial crime. The platform enables financial institutions to contribute pseudonymised transactional data in bulk, enabling multiple financial institutions, Regulators, and agencies to work together to detect and ultimately tackle electronic financial crime.

This collaborative approach to fighting financial crime opens up the prospect of higher detection rates with lower false positives, while reducing the burden of scrutiny on each individual and business consumer.

Organisations who are considering developing tools and services in data sharing and children’s privacy online can register their interest to take part in the next phase of the sandbox.

First reports published from the Regulatory Sandbox

23 July 2020

The first reports from participants in our regulatory sandbox have been published, revealing the outcomes of collaborations between the ICO and two of the organisations who were among the participants in the pilot phase of the scheme.

This beta phase set out to ‘road test’ the scheme ahead of a full launch. We were seven months in when the pandemic struck, impacting businesses and organisations across the board in different ways.

As a result, some of our participants were unable to continue working in the same way, so we worked flexibly with them to rescope their work with us. For some projects we have agreed extensions, and others have continued as planned and are now nearing the natural end of their projects.

JISC and Heathrow Airport Ltd reports mark the first steps towards achieving the aim of the sandbox: to show that data protection can be combined with real world innovative solutions.

When we launched the scheme in September 2019, we were extremely encouraged by the calibre and number of applications we received (63) from a broad range of sectors. The ten programmes that were selected were chosen because they were viable and because of the real public benefit they could deliver through ground-breaking products and services.

What was heartening for us was the fact that so many organisations wanted to work with us to prioritise data protection and incorporate it into their ideas from the outset. It was clear that both public and private sectors wanted to adopt a data protection by design approach – a cornerstone of the GDPR.

These are the first two reports; the other projects from the beta phase are at earlier stages in the scheme and their reports will be published on completion.

JISC – Wellbeing Code of Practice

JISC is a not-for-profit organisation serving the higher and further education and skills sectors. It champions the importance and potential of digital technologies for UK education and research.

Within the sandbox, JISC has developed a Wellbeing Code of Practice with universities and colleges who want to investigate the use of student activity data to improve their provision of student support services, helping them protect both their privacy and wellbeing.

It shows that good data protection can enable higher education providers to fulfil their duty of care to students by using the resources and data they already have available to them.

Heathrow Airport Ltd - Automation of the Passenger Journey programme

Heathrow Airport’s Automation of the Passenger Journey programme aimed to streamline the passenger journey by using biometrics. Facial recognition technology would be offered at check-in, self-service bag drops and boarding gates to create a seamless experience for passengers travelling through the airport. Passengers would no longer have to present different forms of documentation, such as boarding cards and passports, at different points in their journey to prove their identity and show that they are authorised to travel.


This first phase of the sandbox has been a beneficial experience for all parties; in our March blog we provided an update which reviewed progress made and the positive experiences of participants.

They have gained an insight into how data protection does not hinder innovation and how the two can work together. By working alongside us, they have also been able to help develop our views on compliance issues which have informed our own advice and guidance.

The ICO sandbox team has, in turn, expanded its understanding of how it can support organisations that are striving to innovate in a world where technology is moving at a fast pace and people are increasingly aware of their privacy rights.

This successful trial run has given us the opportunity to introduce improvements ahead of the full launch. We will be publishing details about this, the new themes we will be focusing on and how organisations can register their interest in the near future.

In the meantime, we are always keen to hear from you and if you have any enquiries please contact [email protected]

Work begins on creating ICO Sandbox short list as application period closes

Applications for the ICO Sandbox have now closed and we have had a fantastic response, with 64 submissions received in total.

Organisations have clearly put a good deal of thought into how they want to work with us to help ensure that their innovative projects using personal information can comply with data protection law.

Our initial analysis suggests that there are many high quality, viable applications. There was also an interesting spread of applicants from different sectors and of varying size.

So what happens now?

The sandbox team will carry out an initial triage sift process of each application, scoring them against our selection criteria, before creating a short list. This will then go before an internal assessment panel for final decisions.

We anticipate around 10 projects will be chosen for the initial beta phase of the sandbox, although this may vary slightly depending on the nature of the successful applications.

It is anticipated the successful applicants will be informed in July, when our team will work with them to draw up detailed plans for their journey through the sandbox.

So we have reached ‘the end of the beginning’ and now the real, practical work begins in earnest. However, the sandbox team would like to take this opportunity to thank all who participated in the initial discussions, round table events and conference feedback sessions and helped to inform how this exciting new project will work in practice.

Please get in touch with any Sandbox queries as deadline for applications approaches

As the deadline for applying to take part in the ICO’s Regulatory Sandbox is fast approaching, we thought this would be an opportune time to provide a quick update on progress to date and to identify any additional issues we have encountered during our recent engagement with prospective applicants.

Since we opened the beta phase of our sandbox for applications at the end of March, we have had a great response. Lots of people and organisations have contacted the dedicated sandbox team to talk things through and we had some great questions and feedback at the workshops we held at the ICO’s annual Data Protection Practitioners’ Conference in Manchester last month.

We are really keen to promote further dialogue. Our specialist staff are on hand, ready to talk to people and organisations who might be thinking of putting an application in or who are unsure about whether or not the sandbox will be right for their product or service. We can help explain the principles, the process and what is needed in more detail.

We are very excited by the potential of some of the projects being discussed with us and full, completed applications have already started coming in, which is great.

We would like to take this opportunity to remind prospective applicants that the sandbox is open to organisations of all sizes and from all sectors. They should be developing a new, innovative product or service which uses personal data and which will benefit the public, but which may have some data protection risk identified.

Applicants really need to spell out the innovation and public benefit of what they are doing. They should use straightforward language to explain why their product is something genuinely new and exciting, and how it will benefit people.

Evidence is also vital. This doesn’t need to be masses of information but if an application is supported by a claim regarding the problem the product or service seeks to solve, its unique nature or its potential benefit to the public, then there should be information to back this up. The application should then join the dots and spell out how your innovation will address this.

So don’t be scared to email us in the first instance at [email protected] or pick up the phone if you have already engaged with us. Early and direct engagement with the sandbox team can clear up any grey areas and will invariably lead to a stronger application. And that will lead to a potentially much better outcome for everyone concerned – the organisation, the ICO and, ultimately, the UK public.

The deadline for applications is noon on Friday 24 May.

New film sets out how organisations can benefit from ICO Sandbox

We have had an excellent response since opening our ICO regulatory sandbox Intention to Apply Survey last month – but we still want to hear from more of you.

Many organisations have already let us know they would like the ICO’s help in ensuring that their new, innovative products and services comply with data protection law.

We know there are many more – particularly large companies, and organisations from the public and third sectors – that are planning to apply to take part in the Sandbox but have yet to let us know.

We would appreciate you taking the time to fill out the survey so we can plan our processes and resources accordingly and ensure the sandbox works as effectively as possible for everyone.

Our recent Sandbox workshop in London was a huge success and we are grateful to all who attended. Their contributions were invaluable and we had some excellent feedback and suggestions.

We made a short film about the event (above) so you can hear from ICO staff and delegates how taking part in the sandbox can be of real benefit to your organisation, giving you free, expert advice and support from the regulator throughout the process of developing your new product or service.

You can also find out more by reading our Discussion Paper, which sets out how we envisage the sandbox will work in practice, or by emailing our team at [email protected]

Discussion Paper and Intention to Apply Survey

30 January 2019

In November we published an analysis of the call for views on our proposed regulatory sandbox. Since then, we have continued to develop the systems and processes necessary to launch a fully functioning beta phase of our sandbox, with the aim of opening for applications at the end of April.

We’ve had lots of questions about how our sandbox might work in practice and we know that organisations will be considering whether an application will be right for them.

With that in mind, we have published our sandbox discussion paper which explains to potential participants how we see the sandbox working in practice. The paper sets out our thinking so far - from early engagement through to application, sandbox entry and, ultimately, exit.

The paper will form part of the discussion at our sandbox workshop event in London on 6 February. This event is now fully booked but we would still welcome feedback on the project, including from any potential sandbox participants. We’ve included discussion questions throughout the paper and are asking people to send their views to [email protected].

To help us plan our resources and build the sandbox appropriately, we are also now opening our ‘Intention to apply’ survey. This will enable organisations to tell us in advance about any product or service that they might consider entering into the sandbox.

It is not an application – the full formal process will open later in the year – but will give us more of an idea about the numbers and types of formal applications we are likely to receive.

The survey will remain open until we open for applications and is entirely voluntary and non-binding. Click here to access the survey.

The sandbox is open to all sectors and all sizes of organisation, so whether public, private or third sector, a tech start-up or an innovation hub at a large established company or Government body, please do get in touch if you plan to use personal data in a new and innovative way.

View a video of Chris Taylor from the ICO discussing the latest on the regulatory sandbox.

Date announced for consultation workshop

5 December 2018

Following our call for evidence and analysis of the submissions we received, work on the ICO Regulatory Sandbox continues with an event in the New Year to gather more detailed evidence, ideas and opinions.

The consultation workshop will take place on 6 February 2019 in London and we are now accepting expressions of interest in attending.

We are keen to get participation from innovators working with personal data and who might want to make use of our Sandbox, whether in the private, public or third sectors.

If you feel you are qualified to make a positive contribution to this event, either because you would like to take part in the Sandbox when it opens, or you represent those who do, please contact us on [email protected].

ICO analysing initial responses to regulatory sandbox project

21 November 2018

We published a ‘call for views’ on the development of our regulatory sandbox back in September, in line with the commitment made in our Technology Strategy to consult before the end of this year.

We were keen to explore a wide range of issues, from identifying areas where data protection might be perceived as a barrier to innovation to the general scope of the sandbox and on to some more detailed questions about what mechanisms and operational approaches we should take.

We’ve had a really positive response, with nearly 70 organisations getting back to us including companies, trade associations, public authorities, third sector bodies and others. The quality of responses was really high, with lots of helpful suggestions and input, and we are grateful to all who gave their time to respond.

Our analysis of these responses sets out some key themes that emerged and provides comment from us under each of the survey sections. This starts to signpost how we expect our sandbox to develop. For example, we suggest that the sandbox is likely to be broad in scope and open to any sector and any size of organisation.

That said, we plan to make use of eligibility criteria to control entry in three main areas: innovation, public benefit and what we are at this stage calling ‘fitness to participate’. We are also planning to encourage applications in particular from those organisations that are dealing with specific data protection challenges that were flagged in responses as being central to enabling innovation.

We also take the opportunity to clarify that this will not be a sandbox in which we provide test environments, dummy data sets or software tools, and we confirm that organisations will not receive ‘certification’ for participating. Rather, this is about working collaboratively with innovators through a range of informal steers and supportive advisory mechanisms to support the dual goals of privacy and innovation. In addition, we intend to continue to explore what other mechanisms, such as the ‘letters of comfort’ we described in our survey, may be feasible.

Work now continues to develop the operational processes needed to deliver the sandbox. We plan to undertake further consultation in the New Year as our operational model develops, and this will include events for organisations interested in the project which are provisionally scheduled to take place early in February 2019. Further information on these events will be published in the ICO e-newsletter on December 6 and in an update on this blog.

We remain committed to opening the sandbox, probably through a live ‘beta’ phase, later next year.

Chris Taylor, a Head of Assurance at the ICO, blogs about how organisations can help us shape our regulatory sandbox.

26 September 2018

For a year or so now, we’ve been talking about our plans to create a regulatory sandbox. A place where organisations are supported to develop innovative products and services using personal data in different ways.

It’s part of our mantra that privacy and innovation go hand in hand. It’s not privacy or innovation, it’s privacy and innovation – because organisations that use our sandbox won’t be exempt from data protection law.

They will have the chance to engage with us, take advantage of our expertise, seek our advice in mitigating risks and consult us on data protection by design. At the same time, and as you’d expect, we’ll be ensuring that appropriate protections and safeguards are in place.

But we’ve a little way to go before we start inviting organisations to get involved. A few weeks ago we launched a call for evidence; this is the first stage in the consultation process and our chance to find out your views on the feasibility, scope and demand for a sandbox. The responses we receive will then help us create a more detailed proposal for consultation.

Individuals and organisations are already getting in touch. We’ve heard from law firms, charities, digital start-ups and people who are simply interested in data rights. They’ve told us about the real benefits that provision of advice could provide, and some of the possibilities there might be. For example, for charities to innovate in the public interest or for organisations to make improvements in health and wellbeing through the safe and innovative use of public data. Perennial issues such as enhancing cyber security and app development also appear.

But we want more. We know that companies and organisations are developing innovative products and services that use personal data in innovative ways. We want to hear from you.

Data protection cuts across all sectors, so we want to hear from you if you work in health, education, the finance industry, transport, retail, the third sector, local government, police and justice . . . the list is endless.

We appreciate that different stakeholders will have different and particular areas of expertise and we’re keen to get views from as many sectors as possible.

We want to know:

  • what you think the scope of any such sandbox should be - should we focus on particular innovations, sectors or types of organisations?
  • what you think the benefits might be to working in a sandbox, whether that’s our expert input or increased reassurance for your customers or clients.
  • what mechanisms you might find most helpful in a sandbox – from adaptations to our approach, to informal steers or the provision of technical guidance – what are the tools that a sandbox might contain?
  • at what stage in the design and development process a sandbox would be most useful to you?

It’s easy to share your views with us. Just click on the link to our survey and tell us what you think.

If you want more information about the call for evidence, please email the team at [email protected].

Chris Taylor is a Head of Assurance at ICO working on the development of ICO's operational approach to Codes Of Conduct, Certification Schemes, Regulatory Sandbox and eIDAS.