Empower people through a better understanding of how their information is used and accessed
Understanding how information is used is fundamental to people feeling empowered. However, it can be complicated and confusing to those not familiar with the law, particularly for some more vulnerable members of society. It is also easier for businesses and organisations to deal with questions about how data is used, particularly subject access requests (SARs), if there is clarity and consistency. SARs is an area that we receive a lot of complaints about, where we can provide additional support and guidance to both the public, businesses and organisations.
Subject access request tool – we will develop a subject access request tool to help people make requests in ways which will help organisations to respond effectively. The tool will help people identify where to send their requests and explain what they should expect. The receiving organisation will receive information from the ICO to help them respond quickly and simply.
Help people to understand their rights – we will make sure that when people have questions, we provide them with easy access to answers, using technology and our expertise to develop FAQs. We will make sure our services are accessible to customers with differing needs and share stories of how we have made a difference to people’s lives to help them understand what our work means to them. However, we recognise that some people prefer, and in fact need, to speak to someone. We will speak and listen to people to help resolve their problem.
Understand public sentiment to better serve a diverse population
We know there are parts of society and the economy which need our support but are not yet aware of our work. It is often those who would benefit the most from information rights that are not aware of how to access them. It is our role to ensure that all members of society are able to use and understand their rights.
Insight and research – We will develop our insight and research capabilities, including a deep dive into the attitudes and habits of different parts of the population, especially those we currently do not engage with. We will also gain better insight into issues that affect the most vulnerable in society.
Community outreach – we will reach out to communities and vulnerable groups we have not previously engaged with partnering with special interest and representative groups to identify issues that are affecting them and act on that information. We will identify groups that would benefit from a greater understanding of their information rights, taking into account the wider economic and social environment.
Equality, Diversity and Inclusion (EDI) – we will ensure that we appropriately consider EDI in all our regulatory remit activities and decision-making.
Safeguard the most vulnerable
We need to even up the power balance between those who hold our most precious data and the most vulnerable who hand over their data, often with little knowledge of their rights. People need confidence in their privacy in order to participate in society - to share their personal information to access innovations and services, confident their information rights will be respected. That is particularly true of vulnerable groups who have no choice but to share their information with organisations in order to be able to access services and receive the support they crucially need.
For the period until October 2023, we will focus our investigation and project work on the following issues:
Children’s privacy – we will continue to enforce our Children’s code and influence industry to ensure children benefit from an age-appropriate online experience. We will:
- press for further changes by social media platforms, video and music streaming sites and gaming platforms to correctly assess children’s ages and conform with the Children’s code guidelines about profiling children and sharing their data. We will continue to push for improved transparency and use of privacy notices children can understand. We will also consider changes to the code required by legislative reform on data protection and to promote closer policy alignment with the Online Safety Bill; and
- continue our investigations where organisations are not conforming with the code and take appropriate enforcement action. We will share examples of good practice from our direct engagement with organisations to encourage wider positive change. We will work with Ofcom through the DRCF to promote joined up and effective regulation to protect the privacy and safety of children online.
Impact of technology on vulnerable groups - rapid technological change is transforming how people’s data is collected and used. By being responsive to emerging technologies we can guide organisations in a timely way – helping them adopt new technologies and ensuring that people are protected.
- AI-driven discrimination has become an issue that can have damaging consequences for people’s lives. For example, being rejected for a job or not getting the financial support they are entitled to, a risk particularly acute for vulnerable groups. We will be investigating concerns over the use of algorithms to sift recruitment applications, which could be negatively impacting employment opportunities of those from diverse backgrounds. We will also set out our expectations through refreshed guidance for AI developers on ensuring that algorithms treat people and their information fairly.
- Biometric technologies - like gait analysis, facial recognition, iris scanning and fingerprint recognition, are becoming cheaper and more powerful. They are beginning to drive innovative new services across the finance, entertainment, health and education sectors. While these biometrics have immense promise, we also need to be alert to risks – especially around emotion recognition technologies, which can discriminate against certain vulnerable groups. We will be working with industry to set out our expectations on how these technologies should be used and investigating how these technologies are being deployed for any adverse impacts on vulnerable groups.
- Online tracking is used to gather data for purposes ranging from advertising to age estimation. We will influence changes such as the phasing out of third-party cookies to create a more privacy-oriented internet. We will work with government, industry and other regulators to give web users meaningful control over how they are tracked online and move away from cookie pop-ups.
- CCTV – we will look at how this technology is being used in various settings, particularly in care homes, and set out clear guidance.
Deprivation – we will work on issues that may aggravate, or be aggravated by, the cost of living crisis. This includes:
- work with the financial industry on how they use and collect intelligence databases;
- looking at the use of algorithms within the benefits system;
- exploring the use of targeted advertising (adtech) of gambling on social media and the use of personal information within the gambling sector; and
- continuing to focus on predatory marketing calls and data-enabled scams and frauds targeting vulnerable people online and on social media.
Personal safety – particularly the approach of police forces to collecting personal information from victims of rape and serious sexual assault cases and data sharing to prevent domestic homicide and to support safeguarding.
Enable sector-based resolution of data protection complaints
People should be able to access services and support as quickly and easily as possible when they encounter a data protection problem. The regulatory landscape can seem confusing, and it is important to simplify and minimise the number of potential routes people need to consider when faced with a data protection issue.
Co-ordinate with sector-specific ombudsmen or representative groups – we will explore ways of joining up services where there is already an existing service that customers can access, for example sector-specific ombudsmen services. In order to reduce the number of organisations someone with a complaint must deal with, we will explore the opportunity for these services to become the first point of contact for data protection complaints in their area of expertise or responsibility. The ICO will support this by providing technical advice, where needed.