Decision making structure

Introduction

The main responsibilities of the role of Information Commissioner are set out in the Data Protection Act 2018, the Freedom of Information Act 2000 and other related laws.

The role acts as a Corporation Sole. This means that, in law, the ICO’s formal powers and duties sit with the role of Commissioner as an individual office holder. Commissioners have, however, chosen to establish a Management Board, made up of Executive and Non-Executive Directors, to help oversee the ICO’s work.

The Management Board makes decisions collectively, and the committees and boards that support it work in the same way. Where members cannot agree, decisions are normally made by majority vote. However, as Chair of the Board, a Commissioner may decide on a different course of action. If this happens, the reasons are explained in the Annual Governance Statement within the Annual Report and Accounts laid before Parliament.

Current governance arrangements

If there is a vacancy in the office of Commissioner, or if the Commissioner is unable to act, deputy commissioners can carry out the functions of the role of Commissioner in line with the Scheme of Delegations.

This is set out in law - under Schedule 12 (6) of the Data Protection Act 2018, the Commissioner is required to appoint one or more Deputy Commissioners. The Act sets out that, during any period where there is a vacancy in the office of Commissioner, or where a serving Information Commissioner is unable to act, the Deputy Commissioners take on the non-delegable Information Commissioner’s responsibilities. Our Scheme of Delegations sets out how this works in practice.

Following the resignation of Mr Edwards on 19 June 2026, there is now a vacancy in the office of Information Commissioner. 

In line with the Scheme of Delegations, Paul Arnold, who has Deputy Commissioner responsibilities, has taken on the Information Commissioner’s non-delegable responsibilities. The Deputy Commissioners are also temporarily responsible for decisions under section 36 of the Freedom of Information Act. In addition, the Department for Science, Innovation and Technology (DSIT), the UK government department that oversees and sponsors the ICO, has designated Paul Arnold as Temporary Acting Accounting Officer for the ICO.

The Scheme of Delegations also explains how powers and responsibilities are delegated on a day to day basis across the ICO so that services and regulatory work can be delivered effectively.

We also publish agendas, minutes and reports for the Management Board, its committees and the Executive Team on our website.

Purpose of the Committees

Management Board

The Management Board meets at least quarterly and advises the Commissioner on matters which affect the strategic direction of the organisation, significant corporate risks and performance and delivery across the ICO’s responsibilities. It reviews progress against corporate strategies and plans and advises on significant issues being managed by the Executive Team. The Management Board is chaired by the Information Commissioner.

The Management Board’s work and terms of reference reflect the five key areas of focus identified in the Treasury and Cabinet Office’s “Corporate governance in central government departments: code of good practice”, namely: strategic clarity, commercial sense, talented people, results focus, and management information. 

The Terms of Reference are available here.

Audit and Risk Committee

The Audit and Risk Committee meets quarterly and advises the ICO’s Accounting Officer and supports the Management Board in respect of the effectiveness of the ICO’s risk management system and procedures and its internal controls. It does this by reviewing the comprehensiveness and reliability of assurances on governance, risk management, the control environment and the integrity of financial statements and the annual report. It has particular engagement with the work of internal audit, risk management, the external auditor, financial management and reporting issues. During the current vacancy in the office of Commissioner, Paul Arnold has been designated Temporary Acting Accounting Officer by DSIT.

The Audit and Risk Committee is chaired by a Non-Executive Director. The Information Commissioner is normally invited to attend all meetings of the Committee but is only required to attend the meeting at which the Committee reviews the ICO’s Annual Report and financial statements. The Chair may also ask the Commissioner, or the person carrying out relevant Commissioner functions during a vacancy, to attend any specific meeting. The Committee is also attended by the ICO’s internal and external auditors and includes an independent member.

Terms of Reference are available here.

People Committee and Remuneration Advisory Sub-Committee

The People Committee supports Management Board by independently overseeing the effective mitigation of all people related corporate risks and assuring Management Board of the effective execution and delivery of their associated strategies and plans, for example the ICO People Strategy.

The Committee provides assurance to the Board regarding the delivery of people related strategies and plans, the over-arching principles and parameters of people performance at the ICO, the organisational structure and culture and organisational capability. The People Committee is chaired by a Non-Executive Director.

The Committee is not directly responsible for any matters in relation to remuneration, reward or objectives for individual members of the Executive Team. These are in the remit of the Remuneration Advisory Sub-Committee.

The Remuneration Advisory Sub-Committee provides challenge, advice and scrutiny on matters of Executive Team remuneration and development. No members of the Executive Team are members of the Sub-Committee, and the Sub-Committee is chaired by a Non-Executive Director. The Information Commissioner normally attends all meetings of the Sub-Committee. During any vacancy in the office of Commissioner, attendance and decision-making arrangements operate in line with the Scheme of Delegations and agreed governance arrangements.

Terms of Reference are available here.

Regulatory Committee

The Regulatory Committee supports the Management Board in providing strategic oversight of the ICO’s regulatory delivery, including methodologies, decision making and processes in line with our strategic enduring objectives, to ensure that these are effective and fit for purpose.

The Committee is responsible for scrutinising regulatory impact, performance and service provision by the ICO. The Committee does not have any role in advising on individual cases. The Committee is normally chaired by the Information Commissioner. During any vacancy in the office of Commissioner, chairing arrangements operate in line with the Scheme of Delegations and agreed governance arrangements.

Terms of Reference are available here.

Executive Team

The Executive Team sets the overall strategic direction and priorities for the organisation, in line with the vision agreed by the Management Board. The Executive Team meets formally once per month to consider and make decisions on the issues of greatest strategic importance to the ICO. The Executive Team also meets informally once per week, enabling Executive Team members to collaborate effectively. Meetings are currently chaired by Paul Arnold. This supports scrutiny and challenge provided through the Management Board and its committees.

Terms of Reference are available here.

Executive Team is supported in its role by Delivery Group and Regulatory Group. Delivery Group and Regulatory Group make decisions and provide direction under delegated authority from Executive Team to ensure the effective and impactful leadership and continuous evolution of the ICO. At the time of writing (December 2024) these groups are currently operating on a pilot basis. 

Delivery Group 

Delivery Group provides assurance to the Executive Team of the effectiveness of the ICO’s organisational delivery, resourcing and performance. It does this by providing leadership and taking, and overseeing the taking of, delegated decisions on behalf of the ET in relation to the planning and execution of the full range of ICO activity.  

In particular, the Group oversees and directs all our change and transformation work, as well as our organisational and operational performance and mitigation of corporate risks. This includes: 

  • Considering and taking decisions across the strategic change and transformation programmes, as well as business plan delivery, to ensure maximum efficiency and alignment, and providing assurance to ET that these are achieving the desired impact;

  • Ensuring the change and transformation portfolio is delivering against strategic priorities, mitigating corporate risk and enhancing organisational efficiency and productivity where appropriate; and

  • Evaluating, challenging and taking decisions to ensure organisational productivity and effectiveness. 

Terms of reference are available here.

Regulatory Group 

Regulatory Group provides assurance to the Executive Team of the effectiveness of the ICO’s regulatory interventions. It does this by providing leadership and taking, and overseeing the taking of, delegated decisions on behalf of Executive Team in relation to the planning and execution of the full range of ICO preventative and reactive regulatory activity.  

In particular, the Group oversees and directs the prioritisation of all our regulatory work and resources so that our regulatory interventions are:  

  • informed by insight, evidence and clear policy positions; 

  • agile and efficient;  

  • making a demonstrable impact towards the achievement of our causes and enduring strategic objectives;  

  • conducted in line with agreed risk appetite; and   

  • increasing confidence in ICO regulatory action. 

Terms of reference are available here. 

Policy Sub-Group

The Policy Sub-Group supports Regulatory Group and is responsible for ensuring the ICO has clear policy positions in place to both guide and underpin our work as a regulator. The Sub-Group is also responsible for supporting and developing the ICO’s policy profession and our policy development methodology.

Terms of reference are available here. 

Establishment Sub-Group

Establishment Committee supports Delivery Group by providing control and governance of recruitment activity. Establishment Committee is responsible for the approval of immediate staffing resource allocation, covering all requests to recruit. Establishment Committee also agrees all updates to Target Operating Models.

Terms of Reference are available here.

Role of the Information Commissioner and Accountability

The role of Information Commissioner is directly accountable to Parliament. The Commissioner must be completely independent, remain free from external influence, whether direct or indirect and neither seek nor take instructions from anybody in performing their tasks and powers. During the current vacancy in the office of Commissioner, Paul Arnold has taken on the Commissioner’s non-delegable responsibilities in line with the Scheme of Delegations, and those exercising Commissioner functions do so within the same statutory framework of independence and accountability.

Although the corporation sole structure creates a legal environment in which there is potential for significant power to be held by an individual, there are a range of accountability measures to mitigate this risk, both internally and externally. These include, but are not limited to, the following: 

External accountability 

  • The Information Commissioner’s Office has a sponsoring department within government. This is the Department for Science, Innovation and Technology (DSIT). The nature of the relationship is set out in the ICO’s Management Agreement with its sponsoring department. The Management Agreement is available online and sets out how the priorities of the ICO and DSIT align, and the expectations for the Information Commissioner in terms of performance measures, engagement, staffing, financial controls and other related issues. 
     
    The Management Agreement sets out that the Information Commissioner and the Secretary of State for DSIT share the aim that the ICO is, and continues to be, a world-class regulator working effectively across the UK, supporting the safe and trusted use of information and the protection of personal data. It also sets out a range of oversight mechanisms to ensure the ICO is run effectively, efficiently and in line with good practice. These include, but are not limited to, performance measures, engagement with the sponsor department, financial controls in line with Managing Public Money, spending and procurement controls, internal and external audit and the governance and accountability mechanisms in place. 

    The Management Agreement also sets out the Information Commissioner’s responsibilities in relation to the role of Accounting Officer, as well as the responsibilities of the Management Board. During the current vacancy in the office of Commissioner, DSIT has designated Paul Arnold as Temporary Acting Accounting Officer for the ICO.

  • The Information Commissioner is held to account overall by the Parliamentary Select Committees, before which the Commissioner usually appears two to four times per year. During the current vacancy in the office of Commissioner, accountability to Parliament continues through those exercising Commissioner functions under the Scheme of Delegations, including Paul Arnold in relation to the Commissioner’s non-delegable responsibilities.

  • The ICO engages in various and regular reviews with Government and DSIT. The ICO also makes bids for funding (via DSIT) to Treasury spending reviews. 

  • The ICO publishes an annual report, reporting on our most impactful work over the previous year. The report also includes information on our accountability mechanisms and our financial performance. The report is audited by the Comptroller and Auditor General.

  • The Information Rights Tribunal provides scrutiny and oversight of the Commissioner’s regulatory decision-making, including decisions taken by those exercising Commissioner functions under the Scheme of Delegations, application of powers, and progression of statutory work. All of these components are appealable to the tribunal in different ways. The effect of this arrangement is that should the Commissioner take inappropriate or unfair decisions, misapply their powers, or fail to progress complaints made about Data Protection or Freedom of Information matters there is direct judicial oversight and remedy of this. This can include requiring the Commissioner to deal with the matters or substituting the Commissioner’s decision in some circumstances with that of the tribunal. There are roughly 300 appeals made to this tribunal each year, and the ICO successfully defends its position in roughly 75% of those. The UK is the only Data Protection or Freedom of Information jurisdiction in the world that has its own dedicated tribunal chamber specialising in the subject matter of the authority. This is a strong accountability arrangement, which has been commented upon favourably in reviews of the UK's application of these laws including by The United Nations Special Rapporteur.

  • The Parliamentary and Health Service Ombudsman (PHSO) provides scrutiny and oversight of the service provided by the Commissioner, particularly its progression and handling of approximately 45,000 complaints the office deals with each year. 

  • For some of our more intrusive investigative powers we come under the inspection remit of the Investigative Powers Commissioner. They inspect us annually to ensure we are exercising these powers appropriately, including making the right judgments as to risk. 

  • As Accounting Officer, the Commissioner is directly accountable to the DSIT Permanent Secretary for financial stewardship of the ICO and is subject to a range of Government spending controls. During the current vacancy in the office of Commissioner, Paul Arnold has been designated Temporary Acting Accounting Officer by DSIT.

  • The funding model for the ICO is determined by legislation (agreed by Parliament) and the level of fees and charges that the ICO can levy is agreed by the Secretary of State for DSIT. 

Internal accountability 

  • The Commissioner has appointed a Senior Independent Director (SID), whose role leverages the collective contribution of the ICO’s Non-Executive Directors (NEDs) as part of the ICO’s unitary Board arrangements, facilitating their role in bringing effective support, scrutiny and challenge to the Executive whilst respecting the ultimate statutory authority and accountability held by the Information Commissioner as a Corporation Sole. The duties of the SID include conducting an annual appraisal for the Commissioner, serving as an intermediary for the other NEDs to support them in challenging and contributing effectively, providing support and guidance in the event of concerns about the performance of the Commissioner, building and maintaining a relationship with DSIT, and being the main point of contact for the succession process for the Commissioner’s role. During any vacancy in the office of Commissioner, these arrangements operate in line with the Scheme of Delegations and agreed governance arrangements.

  • There is an Audit and Risk Committee, which comprises two Non-Executive Directors and an independent member. The Commissioner normally attends these meetings as required, including attending when the Committee reviews the ICO’s annual report, prior to publication. During any vacancy in the office of Commissioner, attendance arrangements operate in line with the Scheme of Delegations and agreed governance arrangements. The Committee supports the Accounting Officer and Management Board in their role in respect of the effectiveness of the ICO’s risk management system and procedures and its internal controls, by reviewing the comprehensiveness and reliability of assurances on governance, risk management, the control environment and the integrity of financial statements and the annual report. These meetings are also attended by Internal Auditors, provided by a third-party firm, and External Auditors, provided by the NAO, to ensure that there is strong scrutiny of this role.

  • In addition to attending Audit and Risk Committee meetings, the externally appointed internal auditors conduct a full internal audit programme over a rolling annual programme. This programme is agreed annually by the Audit and Risk Committee.  

  • Management Board is also supported by the People Committee and Regulatory Committee, who provide independent assurance as to the mitigation of people and regulatory risks respectively and the delivery of relevant strategies.  

  • The Remuneration Advisory Sub-Committee provides challenge, advice and scrutiny on matters of Executive Team remuneration and development. This supports internal accountability by ensuring senior pay and reward matters are subject to appropriate Non-Executive oversight. During any vacancy in the office of Commissioner, related decision-making arrangements operate in line with the Scheme of Delegations and agreed governance arrangements.

  • The Management Board agrees the ICO’s key strategies. Progress in achieving the goals within each of these strategies is provided to the Board, alongside a Corporate Scorecard outlining performance. The Management Board also conducts a review of its effectiveness on a regular basis. 

  • The ICO has an approach of delegated decision making, which ensures that decisions are taken by ICO staff at the most appropriate level, in line with the mechanisms for consistency of approach across the ICO’s varied areas of work.

    As set out earlier, the approach of collective decision-making principles used by Management Board is replicated throughout the ICO’s governance structure. Delegation of decision making also extends to the corporate governance structure, where decisions are taken by Management Board, Audit and Risk Committee, People Committee, Regulatory Committee, Executive Team, Senior Leadership Team (SLT) or SLT’s Boards, as appropriate. The Information Commissioner normally chairs the Management Board and Regulatory Committee; the other groups are chaired by either Non-Executive Directors or ICO staff. During any vacancy in the office of Commissioner, chairing and decision-making arrangements operate in line with the Scheme of Delegations and agreed governance arrangements.

Alignment with best practice

The Information Commissioner has agreed to comply with the Corporate governance in central government departments: Code of good practice 2018. In line with the “comply or explain” principle of the Code, the ICO does not adopt all aspects of the Code, but the Board considers that there are justifiable reasons for this, given the nature of the organisation as a corporation sole. Explanations for these deviations are provided in the ICO’s annual report. In particular: 

  • The Management Board does not have the powers and duties of a Board in which is vested the ultimate authority of the organisation. This is because the Information Commissioner is a corporation sole. However, although the Information Commissioner has responsibility for setting the strategic direction for the ICO, they achieve this through the work of the Management Board, which they chair. The Commissioner has designated that the Management Board will operate on a collective decision-making model, and the same model is used for the various Committees and Boards which support the Management Board.

  • Although the ICO has a Remuneration Advisory Sub-Committee to advise the Information Commissioner on remuneration policies related to Executive Team pay, as a corporation sole, the Information Commissioner retains ultimate authority in this area. During the current vacancy in the office of Commissioner, related decision-making arrangements operate in line with the Scheme of Delegations and agreed governance arrangements. 

  • In respect of an operating framework, the Board operates within the overall system of corporate governance at the ICO.