Delivered on 14 July at the ICO25 launch event at Woburn House in London
Check against delivery
I wanted to start today with a story about the ICO’s work.
On 31 May, we published a Commissioner’s Opinion. It set out changes we wanted to see to the data protection approaches of police forces, in relation to victims of rape and serious sexual assaults. It was, in many parts, a technical report, explaining the requirements of the law.
This is the work my office does.
Also on 31 May, I received an email, from someone who had been a victim of insensitive and intrusive police practices in the aftermath of a traumatic assault. She described her experience of those practices as an ordeal.
Another survivor spoke about being constantly on edge. Both spoke of how powerful our work was, in prompting change and in seeing their experiences.
This is why we do this work.
And this is what modern data protection looks like. It is what modern regulation looks like.
I want – we all want – a regulator who empowers.
Empowering people to confidently share their information to use the products and services that drive our economy and society.
Empowering organisations to use information responsibly and confidently to invest and innovate.
And empowering people to hold government to account, driving transparency that helps us all better trust in the decisions taken by public bodies.
These are the principles that will underpin our work for the next three years.
But these are not ambitions that we can simply talk into being. We need a clear plan, that not only sets out the work we will do to reach these goals, but also the work we will not do.
And so we have ICO25. A vision of the regulator we want to be, and the world we want to shape. And a practical plan of how we get there.
It is a plan informed by the community. Through my meetings with many of you, and through your contributions to the listening tour. Through the views of my staff, who bring so much experience to the table. And through hearing the voices of the people we want to empower.
We start from a strong position. The ICO is fortunate to be one of the best resourced data protection authorities in the world.
But we have a challenge too. Our remit stretches across every conceivable aspect of life.
Do we spread ourselves thinly across the whole economy?
Or do we target our resources where we have greatest effect?
Each choice comes with an opportunity cost. Each project we advance means one has to be left on the shelf. Each investigation picked up represents one not started.
The plan I am presenting you today suggests the progress we can make by allocating those resources deliberately and thoughtfully for the greatest benefit, to the greatest number.
We need to be transparent about how we make those decisions.
The trade-offs we make are not equal, and they are not straightforward. And so we need a fundamental set of priorities to ensure we can empower all
That is what ICO25 seeks to be.
But what does that mean in practice? Today I want to talk through the practical changes you will see in the coming months. I’ll do that by going through the different communities we work with. And there will be time for questions at the end.
Let’s start by thinking about what this means to business.
In my first media interview in the UK, I spoke to the Financial Times about the importance of providing greater certainty and flexibility to business.
Certainty and flexibility remain the two pillars of what I offer to business today, and in how we will support the successful implementation of a new data protection law.
Certainty in what the law requires, coupled with a predictable approach to enforcement action, that allows businesses to invest and innovate with confidence.
And the flexibility to reduce the cost of compliance. I believe the package of actions I am setting out today will bring enormous savings across the economy. I’ve challenged the team to save businesses at least £100 million across the next three years.
Central to that will be investment in a series of services, tools and initiatives to enable organisations to benefit from our advice and the experience of others.
This means publishing our internal data protection and freedom of information training materials. Creating a database of all the advice we have provided to organisations and the public. We spend once, at the centre, prompting savings for thousands of businesses across the economy. Producing a range of off the shelf templates to help organisations develop their own approaches to working within the law.
It means creating a platform for organisations to discuss and debate compliance, and share information and advice under our moderation. And developing a range of ‘data essentials’ training, specifically aimed at those SMEs for whom personal information is simply a by-product of their core activity.
Our support recognises that different organisations need different support from the ICO.
When I’ve spoken with those organisations most looking to innovate around data, I’ve heard they want certainty sooner. Early support around new business models, products and services will encourage investment from organisations and raise standards. That will be the focus of our new iAdvice service, which will offer a direct, fast-paced expert advice service to support innovators.
And we’ll look into providing binding rulings, so we can declare our position on a business practice or question of law in advance, rather than always coming along after the fact, maybe even when people have already been harmed. Greater certainty, to empower greater innovation.
This is not a new concept. In New Zealand, as in other jurisdictions, it is common for businesses to take a position to tax regulators, asking: how will you consider this? The regulator offers certainty, allowing the business to move forward and invest with confidence. We can replicate that within data protection law.
We want to work with organisations to get it right, to make compliance easy, and improve outcomes for the individual customers, before they can be harmed.
But I have a message for those who choose not to play by the rules.
To those who seek to target and exploit vulnerable communities, who seek an advantage over law abiding competitors by misusing personal information: you will find yourselves on the receiving end of our most punitive regulatory tools.
I know many of you in the room are plugged into the work we do at the ICO, and appreciate the support we provide, and particularly the guidance. We want to build on that success.
We’ll be producing more sector specific work, asking representative groups to co-design materials to provide tailored and targeted advice. We’ll go out and find what businesses want, and create tools that meet them where they are. We’ll continue to look to the support of stakeholders when we consult on the tools we create. And we’ll be producing a clear guidance pipeline so you know what to expect and when.
We’ll be intelligence led too, monitoring the many inputs into the ICO to identify trends and patterns and responding fast to get ahead of emerging issues.
Finally, for those businesses who rely on international data flows, we will be ambitious about refining existing tools as well as working with DCMS and others to resolve core problems. The ICO has a role to play in maximising certainty for people on the protections they can expect, and minimising costs for businesses straddling multiple regulatory regimes.
I’ve used the term business throughout here, but that should not be taken to be limited to the private sector.
When I have spoken with those of you in the public sector, I heard a similar desire for support to improve standards and enable innovation.
And in the public sector, this is fuelled by the opportunities of often vast quantities of personal data, alongside an awareness of often vulnerable legacy infrastructure and a pressure to do more with less. I’ve seen too that uncertainty in what the law requires can drive risk aversion that gets in the way of innovation.
And so in addition to the support I’ve already set out, we need to consider a bespoke response for what is the UK’s biggest sector. And we need to emphasise an approach that is supportive and collaborative.
Central to that is a revision of the ICO’s approach to public sector fines. This is a recognition that public money is best used to support the delivery of essential services, and a clear signal too that our regulation works best when we are alongside organisations, encouraging change and improvement.
With that in mind, we are in the process of launching a Cross Whitehall Senior Leadership Group to drive compliance and high standards of information across government departments. I am pleased to confirm a commitment from DCMS and the Cabinet Office in making this happen.
I hope you will agree that is a wealth of support for businesses and organisations across the private and public sector.
Support for business and public sector is important in itself, but it is ultimately a means to an end.
To quote a Maori proverb:
He aha te mea nui o te ao - What is the most important thing in the world?
He tangata, he tangata, he tangata
It is the people, it is the people, it is the people.
My most important objective is to safeguard and empower people, by upholding their information rights.
We help business to help people.
The gains the government hopes to achieve in a new law would only be possible if we maintain strong protections for consumers and citizens.
My office will focus our resources where we see data protection issues are disproportionately affecting already vulnerable or disadvantaged groups. I have spoken already today about the impact we can have on people’s lives. That is the measure of our success.
We will help people by being more visible. By listening more. And by acting on their behalf.
I’ve said before that my view is there are groups of people who need the support of privacy law, but who are simply not aware of the rights they have.
Awareness of the regulator’s work here in the UK sits far lower than the awareness I was used to in Asia Pacific.
My concern with that lower awareness is that people cannot assert rights they don’t know they have. That must change.
There is a role for the entire sector to play here, but civil society and NGOs especially are key. We will rely on you to hear where our office can make a difference. We will work with groups that can afford us access to communities as yet unreached by us. And we will ask you to hold us to account, on behalf of the communities you represent.
How we respond to what we learn from civil society, and from communities directly, is how we empower people.
That is reflected in our action plan for the coming year. Recognising the impact that predatory calls are having, especially in the context of the cost of living crisis. Working with support groups to respond to targeted ads for gambling.
Looking at the impact AI tools for screening job applicants could be having on groups of people who might not have been part of the development of the tool, such as neurodiverse people or people from ethnic minorities. Our ongoing support of children’s privacy.
The list goes on. It should be clear that we will focus our resources where we can have the biggest impact.
And note too, that the proposed DP law reforms will let us go even further on this. At the moment, a significant proportion of our investigative work is demand driven – we have to respond to the complaints we receive. But a crucial – and overlooked – aspect of the new law gives us greater control over how we allocate our resources. We’ll have discretion over the matters we pursue, so we will be better able to respond to a fast changing world. We will exercise the capacity that gives us to stand up investigations to focus on the cases that matter the most.
What about freedom of information? There are few regulators who can say their work is of fundamental importance to the functioning of democracy. But that is the value of the Freedom of Information Act. My role is to ensure the administration of that law is fit for the modern world.
But to achieve that requires fundamental change. And that change has to start in my office.
The story of the ICO’s regulation of FOI is one of doing more with less in real terms. Limited funding, a sustained increase in cases brought to us, an increased need to support stretched public authorities and the impact of the pandemic on staffing have created a perfect storm. We cannot continue in the same way.
The proposals I set out today involve trying different approaches. Some may work well, some may not work, some may need tweaking. But it is absolutely clear to me that in a world of increasing demand, and shrinking resources, we simply cannot keep doing what we’ve been doing and expect the system to improve.
And so we need to look at different approaches. One of those might be expediting cases for review where there is a clear public interest in the information that has been sought.
That might be controversial to some, and brings some risks. It will need clear, published criteria against which we make those decisions and are accountable for them.
I’ll be asking my staff to explicitly adopt a dispute resolution stance in more cases, bringing holder and requester together to get the latter the information they need in a way that does not cause the problems the former is trying to avoid.
In this fast-paced digital environment, information delayed is information denied. We’re going to need to be open with stakeholders about the trade-offs necessary to deliver timely access.
I want us to support public authorities to make information available. I want us to be clearer on when and how we will enforce where standards are not met. But most of all I want the FOI community – requestors, public authorities, civil society – to be part of the discussion on how we fix a system that clearly needs fixing.
That openness to discussion applies across the proposals set out today. ICO25 is built on the feedback we’ve heard from you, when you’ve spoken with the ICO and when you’ve been part of the listening tour. And it will now be finessed by you, through a consultation across the summer.
We want your help to get this right.
I hope what has been clear today is that we want to offer certainty around that change. Certainty in our ambitions, in our approach and in our proposals.
The ICO25 strategy we have published today sets those out clearly. And it includes an action plan, making clear what you can expect to see of us over the next year. Many of the changes I’ve outlined today are part of that action plan.
Our plan shows how we will safeguard and empower people… Our intention to take our work to new audiences... People will see us take the opportunity to design our own future and focus our investigations where we have the greatest potential to change their lives.
Our action plan shows how we will empower organisations. You’ll see us support responsible innovation, bring down the cost of compliance, engage with organisations, and share our knowledge and insight more extensively to bring clarity to the law. We will empower your organisation to confidently invest in responsible information use.
And where organisations actively choose not to follow the law, we’ll take action.
We set out how we will promote openness, transparency and accountability - and how we will change our approach to handling FOI complaints.
And finally, the action plan shows our commitment to continuously develop the ICO’s culture, capability and capacity.
It comes down to those words you saw on the screen as I came on stage earlier.
We exist to empower you through information.