UK's ICO selects participants for Sandbox beta

Ten projects have been selected to take part in a program to leverage government-held data.

The UK’s Information Commissioner’s Office (ICO) is developing a data protection Sandbox aimed at helping companies and government bodies develop products with data protection built in at the outset.

The ICO has now selected the first 10 projects that will participate in the beta phase of the ICO Sandbox, which will run until September 2020.

The 10 projects were selected from a pool of 64 applications, based on criteria including how innovative and viable they are, and their potential for delivering benefits for UK residents.

They cover initiatives in crime prevention, health technology, housing, road traffic management, student welfare and tackling bias in AI.

Participants will be able to draw on the ICO’s advice on data protection as they develop and test their innovations, while ensuring that appropriate technical measures and safeguards are in place.

Participants in the program will be able to verify that their projects meet the requirements of local data protection and privacy legislation, as well as the EU’s General Data Protection Regulation (GDPR), which the UK is still currently bound by despite its decision to leave the Union.

The next stage of the beta program will involve the 10 initial participants developing detailed plans for their projects. Once accepted, the ICO will survey participants before tailoring a bespoke Sandbox plan for each organisation.

This bespoke plan will stipulate how closely the ICO will monitor the project based on the level of risk involved, as well as agreements for the provision of advice and consultation by the ICO to the participating organisations.

Participants will be issued a statement of “comfort from enforcement” stating that any inadvertent contravention of data protection regulation resulting directly from product or service development during participation in the Sandbox will not immediately lead to regulatory action.

While this is not a get out of jail free card and participants will still be required to report any breach within 72 hours in line with GDPR requirements, the ICO said it “will be very unlikely to undertake enforcement action” if participants are meeting the terms of their Sandbox agreement.

UK Information Commissioner Elizabeth Denham said the ICO Sandbox initiative reflects the Office’s belief that privacy and innovation are not mutually exclusive.

“The ICO supports innovation in technology and exciting new uses of data, while ensuring that people’s privacy and legal rights are protected. The Sandbox will help companies and public bodies deliver new products and services of real benefit to the public, with assurance that they have tackled built-in data protection at the outset,” she said.

“Engaging with businesses and innovators in the Sandbox is also a valuable exercise in horizon scanning — the ICO can identify new developments in technology and innovation and the potential opportunities and challenges they may provide.”

Because some projects within the Sandbox are expected to involve cutting-edge technologies, the ICO expects to potentially be able to use information collected from the program to uncover more fundamental questions related to data protection in various industries, and potentially to develop codes of conduct or identify areas where future regulatory reform may be required.

The EU GDPR requires organisations to ensure that personal data is processed lawfully, fairly and in a transparent manner in relation to individuals. The data can only be collected and used for specified, explicit and legitimate purposes, and companies are restricted to only collecting data that is necessary in relation to the purposes for which they are processed.

Data must also be accurate and kept up to date where necessary, and can only be kept in a form that can be used to identify data subjects for as long as necessary.

Finally, data must be “processed using appropriate technical or organisational measures in a manner that ensures appropriate security of the personal data”.

10 projects in beta phase

Three of the initial projects centre on data protection and privacy issues surrounding the use of biometric technology such as facial recognition.

Software company Onfido’s project will involve ways to identify and tackle algorithmic bias in machine learning models used for remote biometric-based identity verification. Onfido is developing technology to automate background checks for company employees and job applicants.

TrustElevate will likewise use the Sandbox to help develop improvements to its platform for providing secure authentication and authorisation for under-16s, including verified parental consent and age checking of a child, with the goal of making the internet a safer environment for children.

Heathrow Airport’s participation will focus on its Passenger Journey program, which aims to use facial recognition technology to streamline the check-in, baggage handling and boarding process.

Two projects focus on the ethical use of data to improve law enforcement and public safety.

Tonic Analytics will use the platform to support development of its Galileo program, which aims to ethically use data analytics technology to improve road safety while preventing and detecting crime. The program is jointly sponsored by the National Police Chiefs’ Council and Highways England.

Meanwhile, London’s newly established Violence Reduction Unit will explore how to use health, social and crime data to better prevent and reduce crime while maintaining data privacy.

The beta stage programs also include two health-related projects, including one from NHS Digital to design a central mechanism for collecting and managing patient consents for the sharing of their healthcare data for medical research, clinical trials and other secondary-use purposes.

Pharmaceutical giant Novartis is meanwhile exploring the use of voice-enabled solutions aimed at improving patient care while addressing data privacy challenges.

The remaining projects accepted for the beta phase are a project from UK non-profit Jisc aimed at using student activity data to improve the provision of support services, and an initiative from the Ministry of Housing Communities and Local Government and Blackpool Council aimed at using analytics to better understand the private housing sector in Blackpool.

Image credit: ©stock.adobe.com/au/Funtap

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.