Organisations are increasingly recognising the need to manage and treat their data as a corporate strategic asset. This means approaching data in the same way they protect, cultivate and use other ‘assets’, such as intellectual property, financial resources or people. Treating data as an asset underpins the delivery of significant organisational benefits, reduces risk of data misuse and can reflect an organisation’s culture and ethical stance.
We recognised we needed a data strategy for five reasons:
- Data is critical to deliver our ICO25 ambitions, particularly those around impact, culture, capacity and capability.
- External factors set the expectations of public sector use of data, including the National Data Strategy.
- Technologies built on data, especially artificial intelligence (AI), offer us the opportunity to develop radically transformed experiences for customers and colleagues. This automation enhances decision making and informs us of AI's practical uses and risks to deepen our understanding as a regulator.
- The assessed data maturity of the ICO is low. For this to measurably grow we need to move from a culture of risk aversion to one of curiosity and experimentation grounded on modern interoperable systems.
- We have a unique opportunity to set the tone for responsible and innovative data use in the public sector.
This strategy first and foremost helps the ICO, our people and our partners understand our vision, direction and ambition. It informs the choices we make day-to-day, and our longer-term decisions on strategic investments.
It can also help our customers – whether members of the public or commercial, public or third sector organisations – understand our plans and intentions, consistent with our support for transparency in the public sector. It helps organisations who rely on us for information or guidance to understand the role we expect data to play in delivering our services in the future. This includes how we can better share data with industry and other public bodies – as outlined in case study 1 (below).
Data security incident trends
We became the custodian of one of the largest cyber breach datasets in the UK with the implementation of the Data Protection Act 2018 breach reporting requirements. We initiated a data-driven approach to enhance the understanding and response to emerging threats after recognising the crucial role reliable data plays in managing cyber risks. Our data security incident trends report provides valuable information to industry on emerging threats and vulnerabilities and helps facilitate timely risk mitigation planning and decision making.
In the 2023/24 financial year, there were 15,343 views of the page and 1,029 downloads of the more detailed background data. Industry reception has been positive with the Association of British Insurers recognising the ICO as a pioneer - the first in Europe to bring this level of transparency to breach data.
In line with our mission and fundamental duty to “empower through information” and promote “openness and transparency”, we plan to enhance our Data security incident trends report during 2024/25.