The ICO exists to empower you through information.

What happens if we encounter a breach of personal data whilst our product is in the Sandbox?

If a reportable breach occurs to your product or service in the Sandbox, we still expect you to report it to the ICO within 72 hours, in line with the UK GDPR requirement. You should state that the product or service is currently participating in the Sandbox. Although the ICO will consider the breach in line with our standard procedures, we will be very unlikely to undertake enforcement action if you are meeting the terms of your Sandbox entry letter. Report a breach here.

What if a member of the Sandbox team discovers that we are not compliant in other areas of our organisation during the course of the Sandbox?

The Sandbox team will not proactively assess your wider organisation or processes for compliance. If we identify a reportable breach during the course of the Sandbox, which falls outside of the scope of the product or service you are developing in the Sandbox, we will advise you to report this to the ICO in line with your obligations, as per standard procedures.

How much does the ICO intend to publicise about our participation in the Sandbox?

A condition of participation in the Sandbox is that you provide us with your consent to make public that your organisation is participating, along with a short description of your innovation, which we will agree with you ahead of publication.

You are not permitted to communicate to any external party about your Sandbox participation without the ICO's express written consent. This includes communications to any regulated or unregulated organisations, media outlets, existing or future customers, data subjects or otherwise. If you wish to communicate with third parties about any aspect of your involvement, you need to agree this in advance with your Sandbox point of contact.

Organisations are not to brand or promote the product or service being developed as ‘ICO-approved’.

What will the ICO’s process be for handling freedom of information requests in respect of commercially sensitive information?

The Sandbox team is bound by strict obligations of confidentiality by Section 132 of the DPA 2018. This includes confidential information that relates to an identified or identifiable individual or business provided as part of the Sandbox process.

Please ensure that you mark on any submission (Expression of Interest, Application form, general correspondence) information you consider to be commercially sensitive or confidential.

The Sandbox team will only share information about a product or service with other ICO staff as is necessary to undertake Sandbox work, or if it is not in breach of our confidentiality obligations.

As a public authority we are subject to the Freedom of Information Act 2000 (FOIA), and so are legally required to respond to any FOI requests we receive, which may include requests for information provided to us in the Sandbox.

We will treat any FOI request on a case-by-case basis and you should therefore make it clear if you provide us with any information that you consider confidential or commercially sensitive and why. Should we then receive a request for information, we will consider what, if any, exemption applies, bearing in mind the exemptions in Section 41 (information provided in confidence), Section 36 (conduct of public affairs) and Section 43 (commercial interests) of FOIA, as well as any other relevant exemptions.

This approach to confidentiality will not stop us agreeing with you what public information about your involvement we can share with third parties.

In what circumstances could our participation in the Sandbox be terminated?

We hope that termination from the Sandbox will be a rare occurrence. Termination may result if you do not adhere to the terms and conditions you agreed to when you entered the Sandbox.

The Sandbox process will require resource and time commitments on both our parts, therefore we expect participants to approach the Sandbox engagement in a positive and collaborative way, and to respond to all correspondence within reasonable timeframes and with complete transparency. Where this ceases to be the case, we may look to terminate your organisation’s participation from the Sandbox.

Acceptance into the Sandbox does not guarantee your progress through the Sandbox. You or we may wish to withdraw from the engagement, for example if we are unable to agree a feasible Sandbox plan, if we have concerns about how the plans are progressing, or if there are certain requirements that you are unable to meet.