Heathrow Airport and NHS Digital chosen to take part in new ICO data protection Sandbox scheme

The UK’s data regulation - the Information Commissioner’s Office (ICO) - has this week announced which participants it has selected to take part in its new data protection Sandbox scheme, which aims to provide support to organisations wanting to use the public’s personal data for innovative services. 

Some of the organisations selected include Heathrow Airport, NHS Digital and Greater London Authority. 

The thinking behind Sandbox is that the ICO will be able to support organisations that want to user personal data for new services that have a “clear public benefit”. Participants will be able to draw on the ICO’s expertise and advice on data protection by design, with the aim of mitigating any risks as they test their new services, ensuring that appropriate protections and safeguards are in place. 

Some of the services being developed, which will be tested and scrutinised for compliance with data protection law, will include projects focused on housing, road traffic management, student welfare and tackling bias in artificial intelligence.

Elizabeth Denham, Information Commissioner, said: 

The ICO supports innovation in technology and exciting new uses of data, while ensuring that people’s privacy and legal rights are protected. We have always said that privacy and innovation are not mutually exclusive and there doesn’t need to be an either-or choice between the two.

The sandbox will help companies and public bodies deliver new products and services of real benefit to the public, with assurance that they have tackled built-in data protection at the outset.

Engaging with businesses and innovators in the sandbox is also a valuable exercise in horizon scanning - the ICO can identify new developments in technology and innovation and the potential opportunities and challenges they may provide.

Some of the principles under GDPR, for which these services will likely be tested, include ensuring data is: processed lawfully, fairly and in a transparent manner; collected for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary; and processed using appropriate technical or organisational measures. 

The chosen projects

The ICO said that it had 64 applications to participate in the Sandbox. It has chosen 10 to progress to the initial beta phase. These include (and have been quoted directly from the ICO, to avoid inaccuracy):

• FutureFlow - a RegTech start-up designing a Forensic Analytics platform that monitors the flow of funds in the financial system. Its platform enables multiple financial institutions, regulators and agencies to leverage each other’s intelligence on Electronic Financial Crime without heavy reliance on Personally Identifying Information. This collaborative approach to tackling financial crime opens the prospect of higher detection rates with lower false positives, while reducing the burden of scrutiny on each individual and business consumer.
   
• Greater London Authority - in order to reduce levels of violence in London, the Mayor has set up a Violence Reduction Unit (VRU) which is taking a public health approach to this issue. As part of this work, the VRU needs to better understand how public health and social services can be managed to prevent and reduce crime, with a focus on early intervention. There is increasing interest from the VRU, the Mayor’s Office of Policing and Crime (MOPAC) and the Greater London Authority (GLA), for health, social and crime data to be looked at in an integrated and collaborative way.
   
• Heathrow Airport - Heathrow Airport’s Automation of the Passenger Journey programme aims to streamline the passenger journey by using biometrics. Facial recognition technology would be used at check-in, self-service bag drops and boarding gates to create a seamless experience for passengers travelling through the airport. Current processes require passengers to present different forms of documentation, such as boarding cards and passports, at different points in their journey to prove their identity and show that they are authorised to travel. By offering passengers the option of using facial recognition technology they would have the choice to enjoy a frictionless journey through the airport.
   
• Jisc - Jisc is developing a Code of Practice with universities and colleges wishing to investigate the use of student activity data to improve their provision of student support services. This will help them protect both privacy and wellbeing.
   
• The Ministry of Housing Communities and Local Government - The Ministry of Housing, Communities and Local Government's project partners with Blackpool Council and the Department of Work and Pensions, and seeks to match personal information controlled by multiple parties in order to create a dataset that will allow MHCLG to understand more about the private rented sector in Blackpool, who lives there, and how we can help improve the quality of properties.
   
• NHS Digital - NHS Digital is working on the design and development of a central mechanism for collecting and managing patient consents for the sharing of their healthcare data for secondary use purposes, including medical research and regulated clinical trials.
   
• Novartis Pharmaceuticals - Novartis is exploring the use of voice technology within healthcare. Through its Voice Enabled Solutions project, Novartis is working with healthcare professionals to design solutions to make patient care easier, and addressing the data privacy challenges posed by this emerging technology.
   
• Onfido - Onfido will research how to identify and mitigate algorithmic bias in machine learning models used for remote biometric-based identity verification.
   
• Tonic Analytics - The Galileo Programme was launched in 2017 and is jointly sponsored by the National Police Chiefs’ Council and Highways England. Galileo’s primary focus is on the ethical use of innovative data analytics technology to improve road safety while also preventing and detecting crime.
   
• TrustElevate - TrustElevate provides secure authentication and authorisation for under- 16s. TrustElevate is the first company globally to provide verified parental consent and age checking of a child. It is working to enable companies to comply with regulatory requirements, and to make the Internet a safer environment for children, facilitating a more robust digital ecosystem and economy.

The next stage of the process will be to agree and develop detailed plans for each Sandbox participant before work starts on testing their products and services, according to the ICO. 

It is envisaged that all participants will have ‘exited’ the Sandbox by September 2020.