Supporting NHS COVID-19 vaccine research in the pandemic

Supporting NHS COVID-19 vaccine research in the pandemic

15 December 2020

The ICO has been working with NHS Digital during the pandemic as part of the sandbox to help them deliver

a mechanism to sign volunteers up to COVID-19 vaccine research. A focus of this support has been ensuring ‘data protection by design’ into the service.

The full details are published in a report.

In July 2020, NHS Digital launched the COVID-19 Vaccine Studies Permission to Contact Service (‘PtC’) or the COVID-19 Vaccine Registry as it is also sometimes referred to publicly, in partnership with the National Institute of Health Research (NIHR), the research partner of the NHS in England.

This first of its kind, the UK-wide NHS-developed online service allows members of the public to register their details to give their permission to be contacted by researchers working on the NIHR approved UK coronavirus vaccine about participating in their studies.

Members of the public are provided with a link to the NIHR’s ‘Be Part of Research website’ which provides individuals with information about the COVID-19 vaccine studies and practical details about being involved in the research.

They are asked to give their email address and are taken through some health-related and other questions, with the answers provided helping to ensure that any information shared with researchers running a vaccine study is limited to people who are potentially eligible to take part.

When NHSD joined the beta phase of the sandbox as one of the first participants, in 2019, they began to explore the development of a central consent mechanism through which individuals could agree to share their health data for purposes beyond their direct care and treatment, such as research. The plan centred around three use cases, one of which was a ‘permission to be contacted consent model’.

As the pandemic became a priority, the project was re-scoped in June 2020 to focus on the delivery of a mechanism to support the COVID-19 vaccine trials. The earlier work already carried out within the sandbox provided a valuable head-start.

The ICO Sandbox provided support to NHS Digital whilst developing the PtC user journey, drafting of the data protection impact assessment (DPIA) to identify any risks posed by the processing, and the user privacy notice.

Although it was a challenge to turn this around within such a tight timescale, it is rewarding to be able to respond and contribute to a `real world’ challenge and collaborate with organisations to put data protection considerations at the heart of an innovative new project from the start – which is ultimately what the sandbox aims to do.

Sandbox helps develop innovative tools to combat financial crime

05 November 2020

Two innovations to help companies tackle financial crime are the latest results to come out of the sandbox. Both have been developed as part of the beta phase and follow the first two reports on Heathrow Airport and JISC which were published In July.

Onfido: Mitigating bias in customer identity verification 

Onfido Limited has worked in the Sandbox to identify and mitigate bias present in the biometric identity verification technology it designed to enable its clients to prove that their customers are who they claim to be.

For example, a financial institution would likely use the technology to prove the identity of a customer who wants to open a bank account. That customer will be asked to provide a digital photo of their identity document and a selfie taken using a mobile phone or other device.

Onfido will then analyse those images to determine the likelihood that the identity document is genuine; and the face in the selfie matches the face in the identity document, and that the selfie image does not display evidence of signs of fraud or facial spoofing. If the identity verification check is successful, the customer will be able continue with the rest of the process. Onfido’s work in the Sandbox ensures that its product is fair and inclusive for all users undergoing identity verifications.

Future Flow: Data flows

Future Flow Research Inc provides an analytics platform which monitors the flow of funds in the financial system with the potential to combat financial crime. The platform enables financial institutions to contribute pseudonymised transactional data in bulk, enabling multiple financial institutions, Regulators, and agencies to work together to detect and ultimately tackle electronic financial crime.

This collaborative approach to fighting financial crime opens up the prospect of higher detection rates with lower false positives, while reducing the burden of scrutiny on each individual and business consumer.

Organisations who are considering developing tools and services in data sharing and children’s privacy online can register their interest to take part in the next phase of the sandbox

First reports published from the Regulatory Sandbox

23 July 2020

The first reports from participants in our regulatory sandbox have been published, revealing the outcomes of collaborations between the ICO and two of the organisations who were among the participants in the pilot phase of the scheme.

This beta phase set out to road test’ the scheme ahead of a full launch. We were seven months in when the pandemic struck, impacting businesses and organisations across the board in different ways.

As a result some of our participants were unable to continue working in the same way - so we worked flexibly with them to rescope their work with us. For some projects we have agreed extensions, and others have continued as planned and are now nearing the natural end of their projects

JISC and Heathrow Airport Ltd reports mark the first steps towards achieving the aim of the sandbox: to show that data protection can be combined with real world innovative solutions. 

When we launched the scheme in September 2019, we were extremely encouraged by the calibre and number of applications we received (63) from a broad range of sectors. The ten programmes that were selected, were chosen because they were viable and because of the real public benefit they could deliver through ground breaking products and services.

What was heartening for us was the fact that so many organisations wanted to work with us to prioritise data protection and incorporate it into their ideas from the outset. It was clear that both public and private sectors wanted to adopt a data protection by design approach – a cornerstone of the GDPR.

These are the first two reports, the other projects from the beta phase are at earlier stages in the scheme and their reports will be published on completion.

JISC – Wellbeing Code of Practice

JISC is a not-for-profit organisation serving the higher and further education and skills sectors. It champions the importance and potential of digital technologies for UK education and research.

Within the sandbox, JISC has developed a Wellbeing Code of Practice with universities and colleges who want to investigate the use of student activity data to improve their provision of student support services, helping them protect both their privacy and wellbeing.

It shows that good data protection can enable higher education providers to provide their duty of care to students by using the resources and data they already have available to them.

Heathrow Airport Ltd - Automation of the Passenger Journey programme

Heathrow Airport’s Automation of the Passenger Journey programme aimed to streamline the passenger journey by using biometrics. Facial recognition technology would be offered at check-in, self-service bag drops and boarding gates to create a seamless experience for passengers travelling through the airport. Passengers would no longer have to present different forms of documentation, such as boarding cards and passports, at different points in their journey to prove their identity and show that they are authorised to travel.


This first phase of the sandbox has been a beneficial experience for all parties, in our March blog we provided an update which reviewed progress made and the positive experiences of participants.

They have gained an insight into how data protection does not hinder innovation and how the two can work together. By working alongside us, they have also been able to help develop our views on compliance issues which have informed our own advice and guidance.

The ICO sandbox team has, in turn, expanded its understanding of how it can support organisations that are striving to innovate in a world where technology is moving at a fast pace and people are increasingly aware of their privacy rights.

This successful trial run, has given us the opportunity to introduce improvements ahead of the full launch. We will be publishing details about this, the new themes we will be focusing on and how organisations can register their interest in the near future.

In the meantime, we are always keen to hear from you and if you have any enquiries please contact

Work begins on creating ICO Sandbox short list as application period closes

Applications for the ICO Sandbox have now closed and we have had a fantastic response, with 64 submissions received in total.

Organisations have clearly put a good deal of thought into how they want to work with us to help ensure that their innovative projects using personal information can comply with data protection law.

Our initial analysis suggests that there are many high quality, viable applications. There was also an interesting spread of applicants from different sectors and of varying size.

So what happens now?

The sandbox team will carry out an initial triage sift process of each application, scoring them against our selection criteria, before creating a short list. This will then go before an internal assessment panel for final decisions.

We anticipate around 10 projects will be chosen for the initial beta phase of the sandbox, although this may vary slightly depending on the nature of the successful applications.

It is anticipated the successful applicants will be informed in July, when our team will work with them to draw up detailed plans for their journey through the sandbox.

So we have reached ‘the end of the beginning’ and now the real, practical work begins in earnest. However, the sandbox team would like to take this opportunity to thank all who participated in the initial discussions, round table events and conference feedback sessions and helped to inform how this exciting new project will work in practice.

Please get in touch with any Sandbox queries as deadline for applications approaches

As the deadline for applying to take part in the ICO’s Regulatory Sandbox is fast approaching, we thought this would be an opportune time to provide a quick update on progress to date and to identify any additional issues we have encountered during our recent engagement with prospective applicants.

Since we opened the beta phase of our sandbox for applications at the end of March, we have had a great response. Lots of people and organisations have contacted the dedicated sandbox team to talk things through and we had some great questions and feedback at the workshops we held at the ICO’s annual Data Protection Practitioners’ Conference in Manchester last month.

We are really keen to promote further dialogue. Our specialist staff are on hand, ready to talk to people and organisations who might be thinking of putting an application in or who are unsure about whether or not the sandbox will be right for their product or service. We can help explain the principles, the process and what is needed in more detail.

We are very excited by the potential of some of the projects being discussed with us and full, completed applications have already started coming in, which is great.

We would like to take this opportunity to remind prospective applicants that the sandbox is open to organisations of all sizes and from all sectors. They should be developing a new, innovative product or service which uses personal data and which will benefit the public, but which may have some data protection risk identified.

Applicants really need to spell out the innovation and public benefit of what they are doing. They should use straightforward language to explain why their product is something genuinely new and exciting, and how it will benefit people.

Evidence is also vital. This doesn’t need to be masses of information but if an application is supported by a claim regarding the problem the product or service seeks to solve, its unique nature or its potential benefit to the public, then there should information to back this up. The application should then join the dots and spell out how your innovation will address this.

So don’t be scared to email us in first instance at or pick up the phone if you have already engaged with us. Early and direct engagement with the sandbox team can clear up any grey areas and will invariably lead to a stronger application. And that will lead to a potentially much better outcome for everyone concerned – the organisation, the ICO and, ultimately, the UK public.

The deadline for applications is noon on Friday 24 May.

New film sets out how organisations can benefit from ICO Sandbox

We have had an excellent response since opening our ICO regulatory sandbox Intention to Apply Survey last month – but we still want to hear from more of you.

Many organisations have already let us know they would like the ICO’s help in ensuring that their new, innovative products and services comply with data protection law.

We know there are many more – particularly large companies, and organisations from the public and third sectors – that are planning to apply to take part in the Sandbox but have yet to let us know.

We would appreciate you taking the time to fill out the survey so we can plan our processes and resources accordingly and ensure the sandbox works as effectively as possible for everyone.

Our recent Sandbox workshop in London was a huge success and we are grateful to all who attended. Their contributions were invaluable and we had some excellent feedback and suggestions.