The ICO exists to empower you through information.

Document purpose: Summary of responses to the Impact Assessment Framework Consultation and our response

Date: October 2023

Context

The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. On the 30 January 2023 we launched a consultation on our draft Impact Assessment Framework. The consultation period ran until 30 April 2023.

The Impact Assessment Framework sets out our approach to impact assessments (IAs), when we will and won't produce IAs, what we plan to include in IAs, and how they fit into our wider policy-making process.

IAs are a key way in which regulators balance different obligations and objectives, and ensure that regulatory action is both proportionate to the issue at hand and not unduly burdensome on those that they regulate. The framework sets out our approach to using IAs in our decision-making, as part of our commitment to regulatory good practice and providing regulatory certainty.

Consultation responses

We have received responses from Experian, IAB UK, Reset, and UK Finance. Generally, stakeholders welcomed our proposal to introduce an Impact Assessment Framework and some provided specific comments on how our proposed framework could be improved.

Here we summarise the key points from respondents and set out what we have decided below in response to the consultation feedback.

Respondent Summary of response
Experian

Overall the respondent agreed with approach. However, the respondent was not fully satisfied with the criteria and circumstances when we will and won't produce impact assessments. We stated that we would not expect to conduct IAs when conducting investigations or enforcement activities. This is because what is being enforced will have been put in place as a consequence of an IA for primary or secondary legislation. The respondent felt that this “applies to the legislative framework and the tools available to the ICO. It clearly cannot apply in the context of an individual investigation or enforcement activity. Without conducting impact assessments, the ICO risks carrying out disproportionate or stifling investigations or enforcement action.”

IAB UK

Overall the respondent fully supported the ICO’s approach to the IA Framework. They felt the IA Framework to be comprehensive, rigorous and balanced and specifically identified potential economic and competition impacts as key factors that will be considered. They welcomed the proposed approach to stakeholder engagement, i.e. ensuring that stakeholder engagement is at the heart of the impact assessment process.

Reset

The respondent was not opposed, in principle, to the ICO formalising its approach to impact assessments. However, the respondent had concerns about the IA Framework.

  • Firstly, it was felt it did not strike the right balance between business interests and society’s interests. It was thought that there was an emphasis on the cost of regulatory interventions to business and weighted towards viewing intervention via an economic lens, and not enough focus on the risks to society from data protection harms.
  • Secondly, it felt that it was inappropriate for the ICO to adopt an approach underpinned by government principles when deciding on regulatory interventions, such as HMT Green Book, as this was viewed as overly business and cost focussed by the respondent.

The submission provided details on the aspects of the draft IA Framework where it thought the language was overly business focussed or had an evidence bias towards businesses. There was also a request for more illustrative examples.

UK Finance

Overall the respondent had no significant concerns about the IA Framework. The respondent provided some minor observations, queries and suggestions, including on the following.

  • Whether more detail can be provided on consultation, such as about how decisions will be made about whether consult and for what period of time.
  • More detail on the review of guidance and codes post-implementation, and use of the Magenta Book.
  • Interaction with other regulators and regulations – how the ICO will consider the interaction of proposed interventions with other regulations, especially where appear to be in tension with each other.

What we have decided

We have decided to proceed with finalising our proposed Impact Assessment Framework and to apply it in future.

Based on the responses to the consultation we have made several changes to our framework. The key changes are summarised below.

  • Emphasising our commitment to inclusive impact assessment where interventions are viewed through both a societal and economic lens. In particular, we have listened to stakeholders’ concerns around the prominence of focus on business and we have clarified our language to be explicit that our approach is holistic and our focus wider than business and economic considerations. For example, societal considerations could include qualitative and quantitative review of data protection harms, where appropriate in our cost benefit analysis, as we already do in our published impact assessment reports.
  • In response to concerns, we have clarified our language to ensure it is clear that both evidence collection and consultation will be holistic and not solely focused on economic factors.
  • We have provided more detail on our approach to monitoring and evaluation, as requested by consultees. It should be noted our approach to evaluation will be detailed further in our forthcoming evaluation framework.
  • We have responded to feedback about the lack of an explicit contact route where there are queries about our application of the IA Framework. We now incorporate clear contact details about how you can contact us.
  • We have noted concerns about the lack of applicability of the IA Framework to our investigation or enforcement activity. Our approach in not applying our IA Framework to our investigation or enforcement activity is consistent with other UK regulators. Our approach is underpinned by the fact what is being enforced will have been put in place as a consequence of an IA for primary or secondary legislation. However, in response to the consultee concerns, we have included additional signposting to ongoing guidance development which will explain how we ensure our investigation and enforcement activity is proportionate.
  • Clarifying where appropriate panel exercises can feed into IA consultation.
  • Where appropriate we have included illustrative examples of intervention types in the IA Framework.