Skip to Content

UK Information Commission takes shape with non-executive board appointments; DSIT opens data-use consults

The U.K. Department for Science, Innovation and Technology and Information Commissioner's Office announced the seven inaugural non-executive board members who will lead the reorganized data protection regulator's corporate model later this year.

Published
Subscribe to IAPP Newsletters

Contributors:

Alex LaCasse

Staff Writer

IAPP

The new U.K. Information Commission is beginning to come into focus. On 15 July, the U.K. Department for Science, Innovation and Technology and the Information Commissioner's Office announced the appointment of seven non-executive directors to the commission.

The commission is set to replace the ICO's current single-commissioner format later this year, a change brought by modernization provisions under the Data (Use and Access) Act. The new corporate structure includes a commission chair, CEO and executive directors to go with the non-executive board.

Members of the inaugural Information Commission Board include former international media executive Laurie Benson, former Deputy Chair of the Office of Communications Maggie Carver, global investor Stephen Cohen, Board of the Regulator of Social Housing member Sukhvinder Kaur-Stubbs, former IBM executive Gary Kildare, British Science Association Chair Hilary Newiss and longtime government official Scott McPherson. 

In a statement, DSIT Secretary of State Liz Kendall said the non-executive roles will require "strong leadership, clear values, and a Board that upholds the highest standards of conduct and accountability where staff at all levels are treated with respect and dignity."

"The Information Commission must be an organisation that people trust — and trust starts with culture," Kendall said in a statement. "I'm delighted to welcome seven new Non-Executive members who bring the breadth of experience needed to build that culture from the ground up. Together they will work with the leadership team to help shape an organisation that is open and accountable, building public trust in the responsible use of data."

In coordination with the appointments, DSIT also launched an effort to recruit a chair of the commission, who will lead the board and work alongside Information Commission CEO Paul Arnold. The chair will be responsible for working with the board to set the strategic direction of the Information Commission. Applications for the position close 19 Aug. 

Arnold presented the agency's new corporate strategy in a LinkedIn post 10 July. The strategy will include regulatory focus on children's data, AI, public sector data use and cyber resilience.

Arnold said the U.K. finds itself in a "moment of genuine tension" between realizing public benefits of "data-driven innovation" and significant harms caused by data breaches and cutting-edge technologies being weaponized by bad actors. The corporate strategy seeks to "build trust in responsible data use and innovation, and the regulatory outcomes most likely to achieve it."

"The UK cannot afford to squander that promise through regulatory uncertainty, irresponsible data use and the resulting erosion of public trust." Arnold wrote. "I want to be clear: this is not a trade-off. I do not accept that our remit means choosing between protecting people, enabling innovation and having regard for economic growth. If harnessed effectively, they should be inseparable."

DSIT launches calls for evidence on data-use matters

Arnold's outline of the corporate strategy offered a window into how the Information Commission will interpret and uphold data protection laws, but the U.K. government will also seek stakeholder input on some of the thornier issues the new regulator will face.

DSIT announced 15 July three requests for information efforts related to data transfers, understanding how data protection regulations impact the development of AI and costs associated with reusing public data for improving government services. Each consultation runs through the beginning of September.

The data flows consultation asks for input from parties with experience with international data flows in "real-world settings," who can offer either a legal or technical perspective to help shape future transfer policy and better understand how the U.K. General Data Protection Regulation and wider data protection frameworks.

DSIT seeks studies and practical examples from stakeholders offering insight to how they engage in transfers under the country's current data protection regime, governance decision-making processes related to transfers, operational details on implementation and any existing analyses stakeholders may have undertaken on the subject. 

With the consult on data protection and AI, stakeholders are to provide practical examples of how personal and nonpersonal data regulation interacts with AI and other data-intensive technologies. The consultation seeks information regarding how regulations covering the use of personal and nonpersonal data operate under frameworks including the U.K. GDPR, and the Data Protection Act 2018, access to both cohorts of data in terms of governance and sharing agreements, and sector-specific frameworks. 

DSIT requests stakeholders to provide examples of how they use AI and account for data protection regulations, or examples of initiatives they would like to undertake but fail to do so out of concern for potential violations of data protection law, descriptions of decision-making processes and operational detail on implementation. 

The consultation on the cost of public-sector data reuse focuses on whether public bodies should be able to collect fees beyond the current legal limit in order to support increased data availability, data quality and better public services. The fee structure would eliminate a marginal cost restriction contained in the Re-Use of Public Sector Information Regulations 2015, which represents the incremental cost of providing requested data each time it is subsequently requested.

Government releases Model Action Plan for 'significant data breaches' 

Adding to the flurry of U.K. data-related developments, the U.K. Cabinet Office also released a major proposal to reform how the entire government responds to large-scale data breaches. 

The model plan defines a "significant data breach" as an attack that affects a large number of data subjects, poses national security risks, affects multiple entities, including those that originate from third-party contractors, and likely causing significant harms. 

Any breach that meets that criteria would require the affected entities to lodge a report with the Information Commissioner. 

The Model Action Plan, as proposed, contains four key action phases, as well as a "Phase 0" that directs government agencies on how to best prepare for a potential breach. The action phases require agencies to "confirm and escalate" a breach within 24 hours, conduct a risk and severity assessment within 48 hours, report the incident to the ICO within 72 hours, and review the incident and implement corrective measures after it is resolved.   

CPE credit badge

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.

Submit for CPEs

Contributors:

Alex LaCasse

Staff Writer

IAPP

Tags:

EnforcementFrameworks and standardsInternational data transfersLaw and regulationRegulatory guidancePrivacyAI governance

Related Stories