The Information Commissioner is the UK’s independent regulator for Data Protection and Freedom of Information, with key responsibilities under the Data Protection Act 2018 (DPA) and Freedom of Information Act 2000 (FOIA), as well as a range of other related legislation. As set out in the DPA, the Information Commissioner is a Corporation Sole.
Corporate governance structure
Note: the Regulatory Panel provides impartial advice directly to the decision-maker on specific investigations, and does not feed into the other Boards.
As a Corporation Sole, all formal powers and duties of the ICO rest with the Commissioner. Due to the scale and complexity of the ICO's role and remit, and in line with good practice, the Commissioner has chosen to constitute a Management Board consisting of Executive and Non-Executive Directors, and has formally delegated responsibility for the setting of the strategic direction of the ICO to the Management Board, which the Commissioner then Chairs.
The Commissioner has designated that the Management Board will operate on a collective decision-making model, and the same model is used for the various Committees and Boards which support the Management Board, including an Audit and Risk Committee and Nominations Committee.
In terms of the Executive leadership of the ICO, the Commissioner has formally delegated the responsibility for the regulatory functions, administrative leadership and performance of the organisation through the Executive Team. The Commissioner also attends meetings of the Executive Team, with these meetings chaired by the Deputy Chief Executive to facilitate the Commissioner holding the Executive to account on behalf of the Board.
The Executive Team discharges its responsibilities through the Senior Leadership Team (SLT) and various SLT Boards which focus on specific aspects of SLT’s responsibility for the delivery of the ICO's strategic objectives.
The relationship between the formal decision-making bodies at the ICO is detailed in the diagram above and in the Terms of Reference for the various committees listed below. The work of all of these committees is supported by the Planning, Risk and Governance Department, which is responsible for the ICO’s corporate governance policies and procedures, and for ensuring that the policies and procedures are followed.
The Scheme of Delegations is available online. This formally describes how the Commissioner's powers and responsibilities are delegated throughout the ICO to facilitate the effective delivery of services and outcomes across a regulator with a complex and broad remit.
Agendas, minutes and reports of the Management Board, Audit and Risk Committee, Nominations Committee, Executive Team and Senior Leadership Team are published on the ICO’s website.
Purpose of the Committees
Management Board
The Management Board meets at least quarterly and advises the Commissioner on matters which affect the strategic direction of the organisation, significant corporate risks and performance and delivery across the ICO’s responsibilities. It reviews progress against corporate strategies and plans and advises on significant issues being managed by the Executive Team. The Board operates based on collective decision-making principles and a 'majority vote' in circumstances where a consensus view cannot be reached. The Commissioner, as a Corporation Sole, will always have the right to set a course of action that is contrary to the majority view of the Board. Any instances of this would be reported in the ICO’s annual report. There have been no such instances.
The Management Board’s work and terms of reference reflect the five key areas of focus identified in the Treasury and Cabinet Office’s “Corporate governance in central government departments: code of good practice”, namely: strategic clarity, commercial sense, talented people, results focus, and management information.
Audit and Risk Committee
The Audit and Risk Committee meets quarterly and advises the ICO’s Accounting Officer (the Commissioner) and supports the Management Board in respect of the effectiveness of the ICO’s risk management system and procedures and its internal controls. It does this by reviewing the comprehensiveness and reliability of assurances on governance, risk management, the control environment and the integrity of financial statements and the annual report. It has particular engagement with the work of internal audit, risk management, the external auditor, financial management and reporting issues.
Nomination Committee
The Nomination Committee is responsible for Management Board, Audit and Risk Committee and senior management recruitment, i.e. Non-Executive Directors (NEDs), independent members, and Executive Team roles. Its role is to ensure that there is a proactive approach to succession planning, recruitment, and the assessment and evaluation of the effectiveness of the Management Board, Audit Committee and Executive Team. The Committee has oversight to ensure that these processes are aligned with the ICO’s strategic priorities, and that they factor in external environment threats and opportunities, to ensure organisational success in both the short and longer term. It considers the expected values and behaviours required for appointments at this level, whether potential candidates exhibit the desired corporate culture, and it agrees and has oversight of the recruitment process. The Nomination Committee does not have any role in the appointment of the Information Commissioner, which is the responsibility of the Department for Culture, Media and Sport (DCMS).
Remuneration Advisory Panel
The Remuneration Advisory Panel meets up to three times per year and provides challenge, advice and scrutiny to the Commissioner on matters of Executive Team pay and development.
Executive Team
The Executive Team sets the overall strategic direction and priorities for the organisation, in line with the vision agreed by the Management Board. The Executive Team meets formally once per month to consider and make decisions on the issues of greatest strategic importance to the ICO. The Executive Team also meets informally once per week, enabling the Executive Team members to collaborate effectively. Meetings are chaired by the Deputy Chief Executive Officer (Chief Operating Officer), which enables the Commissioner, as Chair of the Management Board, to more independently scrutinise and challenge the work of the Executive Team.
Senior Leadership Team
The Senior Leadership Team is responsible for overseeing the delivery of the strategic direction set by the Executive Team. It does this through having responsibility for managing the delivery of priorities and goals across the ICO.
SLT has delegated authority to deliver this work to a range of Boards, Terms of Reference for which are set out below. The purpose of the SLT Boards is to deliver SLT’s purpose of strategic oversight and delivery of cross-office priorities and plans. The Boards were created to ensure that there is sufficient capacity within these meetings for consideration, challenge, and scrutiny to deliver SLT’s collective role. SLT meets as required to consider any strategic, cross-cutting issues which cannot adequately be considered by its Boards.
Communications and Engagement Board
This Board is responsible for the identification, co-ordination and execution of the strategic communication and engagement plans needed to underpin our most high-profile and priority activities.
Equality Diversity & Inclusion (EDI) Board
This Board is responsible for providing EDI leadership and overseeing the delivery of our EDI objectives, as an employer, as a regulator and as a service provider. The Board also supports and oversees the work of our EDI staff networks.
Policy Board
The Policy Board is responsible for ensuring the ICO has clear policy positions in place to both guide and underpin our work as a regulator. The Board is also responsible for supporting and developing the ICO’s policy profession and our policy development methodology.
Regulatory Delivery Board (RDB)
This Board is responsible for overseeing, managing and coordinating the ICO’s work to deliver its regulatory functions, in line with the strategic direction set by the Management Board. The RDB will oversee development of the ICO’s regulatory business plans and ensure that, when presented to the Senior Leadership Team, they are robust in terms of objectives, priorities, affordability, impact and key performance measures.
The RDB will not take any decisions as to individual cases; these will be taken by the respective staff members in line with the Commissioner’s scheme of delegations, with advice from the Regulatory Panel where sufficiently significant (further information on this Panel below).
This Board is responsible for ensuring the ICO’s people, financial, physical and technical resources and infrastructure remain fit for purpose, are developed in line with the ICO’s medium and long-term capacity and capability needs, and are deployed efficiently, effectively and with value for money.
Risk and Governance Board
This Board is responsible for assisting the Information Commissioner and Senior Leadership Team with the governance of the organisation and management of risk to achieving its strategic priorities and service delivery. It will achieve this purpose by reviewing all matters concerning the development, maintenance and implementation of the ICO’s risk and governance management frameworks, including monitoring and reporting arrangements. This Board is also responsible for management of the ICO’s own information risks.
Regulatory Panel
The Regulatory Panel is responsible for making impartial recommendations to the decision maker regarding proposed regulatory action as a result of breaches of legislation by data controllers or data processors. This may include consideration of the range of fines and other corrective measures which it would consider to be appropriate in all the circumstances.
The Panel will be convened at the recommendation of the Commissioner, or at the instigation of the decision maker. The decision maker will be the Commissioner or the appropriate person to whom the Commissioner has delegated authority, in line with the Scheme of Delegations. The Panel will make recommendations to the decision maker in any specific case. The Panel is chaired by an ICO Non-Executive Director, and consists of an ICO Director who has not had any involvement in the specific case and an external member from the data protection community.
The Panel will usually advise on cases relating to breaches of the Data Protection Act 2018, General Data Protection Regulation (GDPR) or Network and Information Systems (NIS) Regulations, where the ICO’s Penalty Setting Meeting recommends a fine in excess of £5m, or in circumstances where any proposed penalty or regulatory action is likely to cause a very significant financial impact on the recipient’s business model. The Commissioner or decision maker may also choose to consult the Panel on other proposed regulatory action under DPA 18 (and GDPR) or NIS not falling within the above circumstances where they consider it appropriate to do so.
Role of the Information Commissioner and Accountability
The Information Commissioner is appointed by Parliament and is directly accountable to Parliament. The Commissioner must be completely independent, remain free from external influence, whether direct or indirect, and neither seek nor take instructions from anybody in performing their tasks and powers.
Although the corporation sole structure creates a legal environment in which there is potential for significant power to be held by an individual, there are a range of accountability measures, both internal and external, to mitigate this risk. These include, but are not limited to, the following:
- The Information Commissioner’s Office has a sponsoring department within government. This is the Department for Digital, Culture, Media and Sport (DCMS). The nature of the relationship is set out in the ICO’s Management Agreement with its sponsoring department. The Management Agreement is available online and sets out how the priorities of the ICO and DCMS align, and the expectations for the Information Commissioner in terms of performance measures, engagement, staffing, financial controls and other related issues.
The Management Agreement sets out that the Information Commissioner and the Secretary of State for Digital, Culture, Media and Sport (DCMS) share the aim that the ICO is, and continues to be, a world class regulator working effectively across the UK, enabling the frictionless flow of personal data and safeguarding its exchange and protection once the UK leaves the EU. It also sets out a range of oversight mechanisms to ensure the ICO is run effectively, efficiently and in line with good practice. These include, but are not limited to, performance measures, engagement with the sponsor department, financial controls in line with Managing Public Money, spending and procurement controls, internal and external audit and the governance and accountability mechanisms in place.
The Management Agreement also sets out the Information Commissioner’s responsibilities with regards to the role of Accounting Officer as well as the responsibilities of the Management Board.
- The Information Commissioner is held to account overall by the DCMS Select Committee, before which the Commissioner usually appears four times per year. The Commissioner or their staff regularly appear at other Select Committees when requested.
- The ICO engages in various and regular reviews with Government and DCMS. These have included a Constitutional Review of the ICO and the Triennial Review process. The ICO also makes bids for funding (via DCMS) to Treasury spending reviews.
- The ICO publishes an annual report each summer, reporting on our most impactful work over the previous year. The report also includes information on our accountability mechanisms and our financial performance. The report is audited by the Comptroller and Auditor General (and BDO on behalf of the National Audit Office). We aim to have a specific appearance before the DCMS Select Committee in late summer or early autumn to discuss the issues set out in the annual report.
- The Information Rights Tribunal provides scrutiny and oversight of the Commissioner’s regulatory decision-making, application of powers, and progression of statutory work. All of these components are appealable to the tribunal in different ways. The effect of this arrangement is that should the Commissioner take inappropriate or unfair decisions, misapply their powers, or fail to progress complaints made about Data Protection or Freedom of Information matters there is direct judicial oversight and remedy of this. This can include requiring the Commissioner to deal with the matters or substituting the Commissioner’s decision in some circumstances with that of the tribunal. There are roughly 300 appeals made to this tribunal each year, and the ICO successfully defends its position in roughly 75% of those. The UK is the only Data Protection or Freedom of Information jurisdiction in the world that has its own dedicated tribunal chamber specialising in the subject matter of the authority. This is a strong accountability arrangement, which has been commented upon favourably in reviews of the UK's application of these laws including by The United Nations Special Rapporteur.
- The Parliamentary and Health Service Ombudsman (PHSO) provides scrutiny and oversight of the service provided by the Commissioner, particularly its progression and handling of approximately 45,000 complaints the office deals with each year.
- A representative of DCMS, as sponsor department, sits on the interview panel for the appointment of NEDs.
- For some of our more intrusive investigative powers we come under the inspection remit of the Investigatory Powers Commissioner. They inspect us annually to ensure we are exercising these powers appropriately, including making the right judgments as to risk. Their last inspection, last year, praised us for the very strong controls we have in place.
- As Accounting Officer, the Commissioner is directly accountable to the DCMS Permanent Secretary for financial stewardship of the ICO and is subject to a range of Government spending controls.
- The funding model for the ICO is determined by legislation (agreed by Parliament) and the level of fees and charges that the ICO can levy is agreed by the Secretary of State for DCMS.
- The Commissioner has appointed a Senior Independent Director (SID), whose role leverages the collective contribution of the ICO’s Non-Executive Directors as part of the ICO’s unitary Board arrangements, facilitating their role in bringing effective support, scrutiny and challenge to the Executive whilst respecting the ultimate statutory authority and accountability held by the Information Commissioner as a Corporation Sole. The duties of the SID include conducting an annual appraisal for the Commissioner, serving as an intermediary for the other NEDs to support them in challenging and contributing effectively, providing support and guidance in the event of concerns about the performance of the Commissioner, building and maintaining a relationship with DCMS, and being the main point of contact for the succession process for the Commissioner’s role.
- There is an Audit and Risk Committee, which comprises two non-executive directors and an independent member. The Commissioner attends these meetings as required, including attending when the Committee reviews the ICO’s annual report, prior to publication. The Committee supports the Commissioner and Management Board in their role in respect of the effectiveness of the ICO’s risk management system and procedures and its internal controls, by reviewing the comprehensiveness and reliability of assurances on governance, risk management, the control environment and the integrity of financial statements and the annual report. These meetings are also attended by Internal Auditors (provided by a third-party firm) and External Auditors (provided by the NAO) to ensure that there is strong scrutiny of this role.
- In addition to attending Audit Committee meetings, the internal auditors conduct a full internal audit programme over a rolling annual programme. This programme is agreed annually by the Audit Committee. The internal auditors are appointed via an open procurement process, and members of the Audit Committee serve on the evaluation panel.
- The Nomination Committee and Remuneration Advisory Panel provide oversight, advice, scrutiny and challenge in relation to senior recruitment and senior pay respectively. This helps to ensure that senior recruitment and pay remain appropriate and that the Commissioner receives appropriate advice on these matters from independent colleagues on Management Board.
- There is also a Regulatory Panel to provide scrutiny and recommendations on some of the ICO’s most high-profile and impactful cases. While the UK was in the European Union, a similar role was fulfilled by the GDPR Article 60 process, where decisions affecting other EU data protection authorities were subject to review. With the end of the EU Exit transition period in January 2021, this no longer applies, but the Panel will provide a similar role of impartial challenge to regulatory decision making. The role of the Panel also extends beyond just those cases which would have required external review as part of the Article 60 process.
- The Management Board agrees the ICO’s key strategies, including the Information Rights Strategic Plan and the Capacity and Capability Plan. Progress in achieving the goals within each of these strategies is provided to the Board at least three times per year. The Management Board also conducts a review of its effectiveness on an annual basis.
- The ICO has an approach of delegated decision making, which ensures that decisions are taken by ICO staff at the most appropriate level, in line with the mechanisms for consistency of approach by the various working practices throughout the ICO’s varied areas of work. The Commissioner has also delegated authority to deal with many regulatory matters to the Chief Regulatory Officer, and responsibility for administrative leadership and performance from their Chief Executive role to the Deputy Chief Executive and Chief Operating Officer.
As set out earlier, the approach of collective decision-making principles used by Management Board is replicated throughout the ICO’s governance structure. Delegation of decision making also extends to the corporate governance structure, where decisions are taken by Management Board, Audit and Risk Committee, Nomination Committee, Executive Team, Senior Leadership Team (SLT) or SLT’s Boards, as appropriate. The Commissioner chairs the Management Board; the other groups are chaired by either Non-Executive Directors or ICO staff.
Alignment with best practice
The Information Commissioner has agreed to comply with the Corporate governance in central government departments: Code of good practice 2018. In line with the “comply or explain” principle of the Code, the ICO does not adopt all aspects of the Code, but the Board considers that there are justifiable reasons for this, given the nature of the organisation as a corporation sole. Explanations for these deviations are provided in the ICO’s annual report. In particular:
- The Management Board does not have the powers and duties of a Board in which is vested the ultimate authority of the organisation. This is because the Information Commissioner is a corporation sole. However, as set out above the Commissioner has formally delegated responsibility for the strategic leadership of the ICO to the Management Board, of which the Information Commissioner is the Chair.
- Although the ICO has a Remuneration Advisory Panel to advise the Information Commissioner on remuneration policies related to Executive Team pay, as a corporation sole, the Information Commissioner retains ultimate authority in this area; and
- In respect of an operating framework, the Board operates within the overall system of corporate governance at the ICO.