The ICO exists to empower you through information.

Our purpose is to empower you through information. We have set ourselves four enduring objectives which explain what we will do to make sure our work is focused on delivering our purpose.

We will set our annual priorities against these objectives and report our progress to Parliament and our wider stakeholders.

Our enduring objectives guide what we will do, as well as what we will not do. They also show how we will allocate our resources to support the delivery of each objective.

Objective one: Safeguard and empower people

Particularly the most vulnerable, by upholding our information rights and enabling us all to confidently contribute to a thriving society and sustainable economy.

  • We will do more to understand the views and concerns of the diverse UK public and use these to guide our priorities. We will focus our interventions on areas of greatest harm and risk and take enforcement action where necessary to make a real difference to people’s lives.
  • We will help people to understand their information rights so they can confidently decide how best to use and trust the products and services in our daily lives that require our information.
  • We will continue to tackle predatory marketing, in particular where it is focused on vulnerable people, using the anticipated increase in our powers to have a greater impact.
  • We will do more to supervise the cyber security of relevant digital service providers and systems to protect people’s information.
  • We will be transparent in the decisions we take when using our legitimate discretion, recognising that we have finite resources and we are unable to look into every matter raised with us.

Objective two: Empower responsible innovation and sustainable economic growth

By providing regulatory certainty about what the law requires, reducing the cost of compliance and clarifying what we will do if things go wrong. This enables those we regulate to confidently plan, invest and innovate with confidence.

  • We will support the responsible use and sharing of personal information to drive innovation and economic growth, focusing our efforts on those at the cutting edge of innovation or legitimately without in-house support, such as SMEs.
  • We will create a fairer playing field for those demonstrating good practice by taking action against those who try to gain unfair advantage through unlawful or irresponsible actions.
  • We will take an evidence-led and predictable approach to our enforcement action based on the potential risk posed or actual harm caused. We will help organisations learn from mistakes.
  • Our interventions will always be justified. We will make them in a timely and effective manner, providing certainty for organisations and a clear deterrent against serious non-compliance leading to significant harm.
  • We will cooperate and collaborate with our regulatory counterparts and a range of stakeholders domestically and internationally. This provides consistency in the law, maximises certainty for people on what protections they can expect, and gives clarity to businesses and organisations on what standards we expect. It also helps minimise costs to businesses straddling multiple regulatory regimes.
  • We will amplify our advice and guidance through sectoral regulators and sector representative associations where our regulatory responsibilities align.

Objective three: Promote openness, transparency and accountability

Supporting the development of a modern Freedom of Information Act (FOIA) and Environmental Information Regulations (EIR) practice framework in the UK, inspiring confidence in public services and democracy.

  • We will support administration of FOIA or the EIR by helping public authorities to be more open through advice, tools, practice directions and promoting proactive publication of information routinely.
  • We will evolve the FOIA and EIR framework within our jurisdiction by experimenting with ways to encourage public authorities to be more transparent and open, avoiding the need for people to escalate appeals to the ICO.
  • We will ensure we provide timely responses, in our role as adjudicator, leading by example and inspiring the public sector to do the same.
  • We will innovate when looking for improved outcomes for people and efficiencies from our appeals service. We will be transparent in our approach, explaining any necessary trade-offs as we work to provide best value for money for the government grant-in-aid which funds this important work.

Objective four: Driven by our values, we’ll continuously develop the ICO's culture, capability and capacity

To deliver impactful regulatory outcomes, be recognised as an effective provider of public services, a knowledgeable and influential regulator and a great place to work and develop.

To do this, we believe ICO25 calls for a shift of approach in five key elements of our work. They are:

  • Prioritising with simplicity and agility ­­­– understanding what we are prioritising and why, what we aim to achieve and how to achieve it at pace. We must also understand when and how to move on to our next priority.
  • Being more inclusive and empathetic in our regulatory interventions ­­­­­– improving our insight and understanding of the challenges and opportunities faced by those we regulate and the people we protect. We must reach new audiences, particularly the ones most in need of our support and protection, using language and tone which demonstrates our understanding of the world we regulate and not just the laws we oversee.
  • Operating transparently to provide great customer service – giving special focus to sharing our information, knowledge and insight routinely and extensively. We must do this in ways which support its reuse and through tools, products and services which provide practical outcomes as well as advice.
  • Improving regulatory certainty – allowing our expectations to be understood, our actions to be predicted and our advice relied on. We do this to clearly prevent serious harm and reduce the cost of compliance. For instance, we will not tolerate organisations who are using people’s information to exploit them or expose them to harm, and we will not take action against organisations who share data to safeguard vulnerable people. Regulatory certainty does not mean we will provide certainty about every aspect of the law in every individual case.
  • Maximising the technical capability of our people and systems – transforming our workforce capability, realising the full benefits of digital tools and our data assets to increase our impact from the resources we invest. We must approach all that we do in ways which improve productivity, efficiency and the value we offer for the tax payers and fee payers who fund our work.