The Information Commissioner’s Office (ICO) has carried out the Data Controller Study, in order to broaden our understanding of organisations’ collection and use of personal data, inform our regulatory decisions with comprehensive insights and deliver our enduring objectives.
The Study involves a quantitative survey of a representative sample of 2,280 organisations and qualitative interviews of 20 organisations.
Motivation
In our increasingly digital society, sharing personal data, such as name, address, or card details, is often a pre-requisite to accessing services. From utility companies to airlines, healthcare organisations to non-profit organisations, sharing personal data has become vital for interactions across our society, including communication, social welfare, retail and entertainment. If we are to confidently use the products and services provided by organisations, we need to trust that our information rights will be respected.
But who are these organisations? Why do they collect personal data and how much information do they hold? How does data protection regulation such UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) inform the use of personal data across organisations?
As the UK's independent regulator set up to uphold information rights, the ICO’s enduring objectives include safeguarding and empowering people, empowering responsible innovation and sustainable economic growth, promoting openness, transparency and accountability and develop the ICO’s culture, capability and capacity. To achieve each of our objectives, it is essential that the ICO has a detailed understanding of how organisations within the UK economy collect, process and store personal data.
This will be used to help the ICO build a comprehensive picture to understand organisations’ experiences in collecting and processing personal data, which will in turn inform decision making, policy development and regulatory support going forward.
Research approach
The ICO commissioned IFF Research to conduct both quantitative and qualitative data collection with organisations that collect, process and store personal data. The mixed-method study comprises of a quantitative survey of 2,280 data controllers and in-depth qualitative interviews of 20 data controllers. A targeted sampling approach was used in order to achieve a representative sample of data controllers by organisation type (private, public, non-profit) and size (number of employees) and to capture respondents with responsibility for personal data processing within the organisation.
The quantitative survey fieldwork was conducted between October and November 2023, using Computer Assisted Telephone Interviewing (CATI) and online surveys. The qualitative interviews were conducted between November 2023 and February 2024. The Technical Report provides information on the quantitative and qualitative methodology, representative sampling approach, data collection and methodology limitations.
The quantitative survey data is presented in the interactive dashboard and the findings are discussed in the following sections. The quantitative survey data is also available in an excel file. A summary of the qualitative interviews findings is provided in an individual document.
Considerations
The quantitative survey was developed to achieve a representative sample by sector (private, public and non-profit) and by size (number of employees). The methodology is set out in the accompanying Technical Report. We note that due to the sample size for individual subgroups, results for subsample groups should be interpreted carefully and may not be representative of the full population. For example, filtering by private sector organisation with more than 250 employees or filtering by public sector organisations that reported being unaware of the ICO prior to taking part in the survey result in a weighted sample of less than 10 organisations respectively.