The ICO exists to empower you through information.

Our approach to achieving our purpose is informed by the strategic context in which we operate.

Our privacy and information rights are built into the historic DNA of UK democracy and society. The laws we oversee are concerned with personal information as well as public information. This means we regulate government and the public sector as well as the rest of the economy.

Our purpose as a regulator is informed by a range of statutory duties across 11 separate legal frameworks.

These legislative frameworks are set by Parliament. While we are independent in how we set and deliver our objectives, we are accountable to Parliament and the public for the outcomes we achieve through a variety of regulatory interventions.

For example:

    • the provision of advice;
    • offering guidance and tools;
    • publishing formal Opinions;
    • undertaking audits and inspections;
    • issuing recommendations from complaints and breach reports;
    • mandating changes to practice or processes; and
    • where necessary, issuing monetary penalties.

Our aim is to provide certainty. We deliver a range of services to help organisations understand and comply with their obligations, always aware of the difference between minimum legal requirements and good practice advice. We also work to ensure people know their rights, and to enable wide-ranging societal and economic benefits.

We recognise that our approach to providing this certainty cannot be static. Societal change, the pace of technological change and innovation and the increasing sophistication of data use in our digital age, means the landscape we regulate is constantly transforming. The UK Government is also seeking to make changes to the legislative framework in which we operate, to ensure the law keeps pace with this fast moving environment.  

In response, we must work collaboratively and cooperatively to maximise our effectiveness. For example, across the UK devolved administrations through our teams in Edinburgh, Belfast and Cardiff, with UK digital regulators through the Digital Regulation Cooperation Forum (DRCF), through effective bilateral relationships with other UK regulators and with our international counterparts on a range of cross-border issues. Whilst we work collaboratively, we must also remain alert to those risks and opportunities where we are uniquely able to act.

The Government intends to legislate for a further upgrade to UK data protection law midway through the life of this plan. This includes the intention to introduce a new constitutional governance model for the ICO.

These are changes to our remit and constitution, but this ICO25 plan anticipates, embraces and looks beyond those changes. It provides certainty for a longer-term future for the organisations we regulate, the public whose interests we serve and for all ICO colleagues.