
The ICO Corporate Plan: an interesting glimpse into the future of data protection

28 April 2014

On 25 March 2014, the UK Information Commissioner's Office (ICO) released its corporate plan for 2014 - 2017 entitled: 'Looking ahead, staying ahead' (the Plan).

The Plan reveals some interesting aspects of how the ICO aims to achieve its main objectives over the next three years:

Organisations have a better understanding of their information rights obligations

  • The Plan emphasises the importance of 'self-education', particularly via the ICO website and suggests that the ICO is developing information rights training material for use by organisations when training their own staff.
  • The Plan promotes privacy by design (PbD) and privacy impact assessments (PIA) and the development of accreditation, trust marks and seal schemes.  These concepts are all embedded within the proposed general data protection Regulation (the Regulation) and it is therefore no surprise that the ICO is paying these aspects of data protection particular attention.

Enforcement powers are used proportionately to ensure improved information rights compliance

  • The Plan states that the ICO will improve the compliance of organisations by issuing fines for serious breaches; one of the measures to achieve this will be the development of an online self-reporting breach tool.
  • Given that data breach notification is likely to make the final draft of the Regulation, it seems that the ICO is already thinking about how it can efficiently pave the way for this new notification requirement.

Customers receive a proportionate, fair and efficient response to their information rights

  • The ICO intends to benchmark its customer service against other regulators and will conduct surveys to gauge customer satisfaction.

Individuals are empowered to use their information rights

  • The Plan states that the ICO is developing material for teachers and working with the education system to embed information rights awareness in the curriculum.

The ICO is alert and responsive to changes which impact on information rights

  • The Plan highlights that the ICO is keen to take a front seat in helping to shape the future of EU data protection by working closely with the Ministry of Justice and the Article 29 Working Party.
  • The ICO will publish guidance on data protection and media following the Leveson report; this will be very interesting considering the ICO's cautious reaction to Leveson's recommendations to the ICO.
  • In line with Simon Hughes MP's comments at the ICO Data Protection Officer conference in Manchester in March 2014 regarding compulsory NHS data audits, the Plan explains that the ICO will continue to press the case for an extension of its assessment notice power to enable it to do compulsory audits when justified. Given that the public sector still receives substantially more monetary penalties from the ICO, the ICO seems determined to deliver a clear message, to public sector organisations in particular, that do not comply with the Data Protection Act 1998.
  • The Plan states that the ICO will continue to encourage Government to activate legislation to allow penalties such as community service orders and threat of prison for the unlawful trade in personal information and outlaw the practice of enforced subject access. These are items that the ICO has been long campaigning for.

An efficient ICO well prepared for the future

  • The Plan explains that the ICO is preparing for substantial change involving the implementation of a new EU legal framework and is working with the MoJ to define future funding arrangements.

In summary, it is clear that in its Plan the ICO is preparing in earnest for the Regulation; the online data breach notification tool, emphasis on trust marks and seals and PIAs and PbD are probably the clearest indications of this.

This article was written by Janine Regan.

For more information please contact Janine on +44 (0)20 7427 6798 or janine.regan@crsblaw.com.