The ICO exists to empower you through information.

Context

The Information Commissioner’s Office (ICO) conducted a consultation on its Enterprise Data Strategy (EDS) starting on January 30, 2024. The consultation period concluded on March 12, 2024.

During this consultation, we sought feedback on how we intend to utilise data to shape our corporate, regulatory, and strategic priorities. We outlined our current strengths and weaknesses, articulated the role we envision for data within the ICO in the future, and summarised our implementation plans.

In addition to gathering input through the consultation survey, we actively sought responses from partners who regularly access ICO data or have specific requirements for it.

What follows is a summary of the key themes that emerged from the responses and where we will make changes to the data strategy or associated plans in light of the feedback received. This summary is not intended to be a comprehensive record of all the views expressed, nor to be a comprehensive response to all individual points raised by respondents.

We thank everyone who took the time to comment and share their views.

Consultation responses and ICO’s views

We received nine responses to our consultation. Of these, seven were made on behalf of organisations (four from businesses, two from the public sector and one did not say), one from an academic and one from an individual member of the public. Despite a modest nine responses to our public consultation, we have gained invaluable insights from external stakeholders on our strategy and plan.

All responses were positive and supportive, with some respondents welcoming our vision to be an exemplar for responsible innovation in the use of data. However, several respondents suggested the strategy lack of an actionable plan and detail on implementation approach, delivery milestones and timelines.

Published as a consultation on our initial plans, the draft strategy aimed to paint an initial picture of our vision. We see the consultation as the initiation of a dialogue with our customers to identify their requirements. Our plans are flexible, designed to evolve over time and prioritise value. We are committed to shaping our future plans based on genuine customer requirements rather than our assumptions of what they might be.

It is worth noting that, in parallel to the consultation, the ICO informally met with seven organisations who we already share data with or who have led a data strategy implementation, and we can learn from their experience. The insights from these conversations do not form a part of this summary but have inform the shaping of our future plans.

The main changes that we have made in response to the feedback received during the consultation are:

  • We have published an implementation plan. This sets out practical details of what we will deliver in Year 1. This plan is grounded in existing knowledge and remains flexible to accommodate updates as we refine our project definition over time.
  • All our projects are guided by specific customer needs. Our data strategy includes a copy of our scorecard which shows how our data maturity will improve based on our Y1 activities.
  • We will adopt an openness by default approach. We will make our data more visible and create a data catalogue of our data assets that is accessible via the ICO website.
  • We will establish robust data governance practices to uphold our openness by default approach. Staff members handling data directly will receive training in data ethics, and a data ethics self-assessment toolkit will be accessible to all employees involved in data-driven insights.
  • This consultation marks the beginning of an ongoing conversation. Our survey will remain open, serving as a continuous feedback mechanism for organisations and members of the public to share their perspectives on our strategy and priorities. This input will help shape our future plans. 

What have we learnt from our consultation?

Is our Enterprise Data Strategy something you support?

Summary of responses: All nine responses received indicated support for our strategy. Respondents noted that our approach is like other sector bodies, who have either implemented, or are now implementing, their own data and digital focused strategies. They viewed this as a positive. As the data regulator they seen the ICO as being in a unique position, to ‘educate, empower and advise,’ and the move towards ‘data innovation,’ as well as retaining our ‘how-to’ role, is welcomed.

The ICO’s response: The ICO welcomes the supportive comments about the approach we have taken. We also acknowledge concerns raised about how our vision on being an exemplar for responsible innovation in the use of data could shift our focus from our regulatory responsibilities. This is not our intention. We believe the approach we have taken will help us become a more modern and effective regulator.

Can our strategy empower any particular groups or individuals?

Summary of responses: There is a recognition that our strategy has the potential to empower groups and individuals by promoting transparency and efficiency in our data holdings. There is a big demand for high quality, trusted data that can easily be consumed across other government departments, trusted research organisations, healthcare, analysts, and the wider public. Several responses indicated that the datasets we already share or make available on our website, are helpful (particularly the Cyber and incidents trends reports).

The ICO’s response: The ICO welcomes these comments.

Could our plans adversely affect any particular groups or individuals?

Summary of responses: We need to be cautious about providing access in the right way (e.g. consideration of data security implications, easy-to-access, using open data standards) so that we continue to remain transparent. We should also ensure our data has high quality and can be trusted. We should also be mindful of wider data privacy implications, bias and inequality risks, ethical issues, and accessibility. Robust data governance frameworks, data literacy, and ethical oversight can help with this.

The ICO’s response: The ICO acknowledges these comments and notes that one of the five areas of strategic capability we identified for investment is data quality. We want to design and implement a framework for data governance and data quality standards and processes. In particular, we aim to increase data quality practices to optimise our operations or increase our effectiveness.

Have we missed anything?

Summary of responses: In its current form, the strategy is very high level, and so it is difficult to evaluate whether elements are missing. We need to focus on security and governance, providing a ‘single source of truth’, ethical frameworks for AI, and sustainability considerations. The strategic objective of “we’re daring” needs to be a genuine ambition – ICO processes are constraining, and the organisation is often critical of those who are innovative or ‘daring’ with their own information management decisions.

The ICO’s response: The ICO has taken this feedback into consideration. We are satisfied that the final data strategy paints a clearer picture of what we aim to achieve and how we are going to make it happen in a responsibly and innovatively.

List of respondents and consultees 

In alphabetical order:

  • Clue
  • Department of Health (Northern Ireland)
  • Envitia
  • Lloyds Banking Group
  • Police Service of Northern Ireland (PSNI)
  • Sciensus
  • Snowflake
  • Solicitors Regulation Authority (SRA)