UK's data protection watchdog preps to 'get its hands dirty' with beta of regulatory sandbox

Scheme to test compliance of innovative products accepting applications until 24 May

The UK's data protection watchdog has said it wants to "get its hands dirty" as it launched a scheme that will help it figure out how to regulate innovative products using personal data before they get on to the market.

The Information Commissioner's Office today opened the beta phase of its regulatory sandbox programme for applications from organisations that are working on ideas that use personal data in new ways.

Successful applicants will work with the ICO team – there are three full-time staffers on the project – as they develop their product or service, with the aim being to make sure they comply with data protection rules.

The plan is part of the ICO's efforts to be taken seriously by the tech firms it regulates as it pushes the message that data protection shouldn't get in the way of innovation. It has also indicated it wants to play a part in building up public trust in the use of personal data.

Such messaging has stirred debate in data protection circles as many argue the regulator should dedicate more of its limited time and resources to enforcement, echoing complaints that too much was spent on the high-profile Facebook-Cambridge Analytica case.

Critics say the ICO's job is to keep organisations in line, not to champion innovation – and have questioned how often data protection rules have genuinely prevented innovative products from being a success.

But the ICO's head of assurance, Chris Taylor, who is leading the sandbox project, argued in an interview with El Reg that "prevention is better than cure".

The only way for it to keep pace with the increasingly varied and complex uses of personal data was to "get its hands dirty" and work with "people genuinely trying to do innovative stuff with personal data", he said.

"For multiple cases and enforcement actions in the past, it would have been much better to be involved early on... rather than run expensive enforcement action [afterwards]."

Over time, Taylor said, the aim is to develop a bank of knowledge it can use for guidance and practical case studies. Although the ICO doesn't control the law, he said it was possible the work would eventually allow it to provide advice "further up the chain".

But in the short term, the ICO is focusing on the beta project, and for the past couple of months it has held a pre-application process asking organisations that might be interested to get in touch.

Taylor said the most interest had come from the healthcare and patient administration sector, making up about 16 per cent of these responses. Other areas included legal, education, financial, advertising, insurance and recruitment, as well as government departments and regulators.

About half of all responses were from micro-organisations, and a quarter from larger bodies, which Taylor said was an "encouraging" spread. The ICO is hoping to have public, private and voluntary sector bodies in the beta phase so it can understand the different approaches it will need to take for each.

For instance, one of the ICO team might sit in on a startup's sprint to observe and advise on the data protection rules, while a government department might already have a detailed programme of work that the ICO can feed back on.

Taylor said that part of the idea of the beta stage is to figure out what the best use of the ICO's time and resources is, and how they can fit in with different organisations. "We'll be as flexible as we can, to fit in where we can."

There is also some flexibility in the ICO's regulatory approach to the projects in the sandbox – although this can only go so far.

Taylor said that if an organisation works with transparency and in good faith, and takes action quickly if a breach of some kind happens, the starting point would not be to take enforcement action.

"If someone in the sandbox goes completely off-script, that's completely different," Taylor said.

"We recognise that this line will be one we've got to tread. But one of the only ways to get to grips [with emerging tech's use of personal data] is getting in there and bearing that sort of risk."

The ICO will also offer a "negative assurance" letter that will effectively say that when the product left the sandbox there weren't any glaring data protection concerns.

But this isn't long-term assurance or endorsement. "The ICO can never offer an entire carte blanche, or a safe space," he said. "We're all grown-ups... it is the organisation's responsibility to ensure they comply, this won't be a way of providing endorsement."

The ICO is accepting applications from now until 24 May, and Taylor emphasised that the team is ready to take calls from people weighing up whether to apply. ®
