Introduction
The Information Commissioner is the UK’s independent regulator for Data Protection and Freedom of Information, with key responsibilities under the Data Protection Act 2018 (DPA) and Freedom of Information Act 2000 (FOIA), as well as a range of other related legislation. As set out in the DPA, the Information Commissioner is a Corporation Sole.
Corporate governance structure
Click the image below to open a larger version.
As a Corporation Sole, all formal powers and duties of the ICO rest with the Commissioner. Due to the scale and complexity of the ICO's role and remit, and in line with good practice, the Commissioner has chosen to constitute a Management Board consisting of Executive and Non-Executive Directors. The Information Commissioner has responsibility for setting the strategic direction for the ICO, and achieves this through the work of the Management Board, which the Commissioner chairs.
The Commissioner has designated that the Management Board will operate on a collective decision-making model, and the same model is used for the various Committees and Boards which support the Management Board. The Board operates on a ‘majority vote’ principle in circumstances where a consensus view cannot be reached. The Commissioner, as a Corporation Sole, will always have the right to set a course of action that is contrary to the majority view of the Board. In such circumstances, the Commissioner will publish the rationale for their decision as part of the Commissioner’s Annual Governance Statement in the Annual Report and Accounts to Parliament.
In terms of the Executive leadership of the ICO, the Commissioner has formally delegated the responsibility for the regulatory functions, administrative leadership and performance of the organisation through the Executive Team. The Commissioner also attends meetings of the Executive Team, with these meetings chaired by the Deputy Chief Executive to facilitate the Commissioner holding the Executive to account on behalf of the Board.
The Executive Team discharges its responsibilities through the Senior Leadership Team (SLT) and various SLT Boards which focus on specific aspects of SLT’s responsibility for the delivery of the ICO's strategic objectives.
The relationship between the formal decision-making bodies at the ICO is detailed in the diagram above and in the Terms of Reference for the various committees listed below. The work of all of these committees is supported by the Planning, Risk and Governance Department, which is responsible for the ICO’s corporate governance policies and procedures, and for ensuring that the policies and procedures are followed.
The Scheme of Delegations is available online. This formally describes how the Commissioner's powers and responsibilities are delegated throughout the ICO to facilitate the effective delivery of services and outcomes across a regulator with a complex and broad remit.
Agendas, minutes and reports of the Management Board and its Committees and the Executive Team and Senior Leadership Team are published on the ICO’s website.
Purpose of the Committees
Management Board
The Management Board meets at least quarterly and advises the Commissioner on matters which affect the strategic direction of the organisation, significant corporate risks and performance and delivery across the ICO’s responsibilities. It reviews progress against corporate strategies and plans and advises on significant issues being managed by the Executive Team. The Management Board is chaired by the Information Commissioner.
The Management Board’s work and terms of reference reflect the five key areas of focus identified in the Treasury and Cabinet Office’s “Corporate governance in central government departments: code of good practice”, namely: strategic clarity, commercial sense, talented people, results focus, and management information.
The Terms of Reference are available here.
Audit and Risk Committee
The Audit and Risk Committee meets quarterly and advises the ICO’s Accounting Officer (the Commissioner) and supports the Management Board in respect of the effectiveness of the ICO’s risk management system and procedures and its internal controls. It does this by reviewing the comprehensiveness and reliability of assurances on governance, risk management, the control environment and the integrity of financial statements and the annual report. It has particular engagement with the work of internal audit, risk management, the external auditor, financial management and reporting issues.
The Audit and Risk Committee is chaired by a Non-executive director. The Information Commissioner is invited to attend all meetings of the Committee but is only required to attend the meeting at which the Committee reviews the ICO’s Annual Report and financial statements. The Chair may also ask the Commissioner to attend any specific meeting. The Committee is also attended by the ICO’s internal and external auditors and contains an independent Non executive director member.
Terms of Reference are available here.
People Committee and Renumeration Advisory Sub Committee
The People Committee supports Management Board by independently overseeing the effective mitigation of all people related corporate risks and assuring Management Board of the effective execution and delivery of their associated strategies and plans, for example the ICO People Strategy.
The Committee provides assurance to the Board regarding the delivery of people related strategies and plans, the over-arching principles and parameters of people performance at the ICO, the organisational structure and culture and organisational capability. The People Committee is chaired by a Non-executive director.
The Committee is not directly responsible for any matters in relation to remuneration, reward or objectives for individual members of the Executive Team. These are in the remit of the Remuneration Advisory Sub-Committee.
The Renumeration Advisory Sub-Committee provides challenge, advice and scrutiny to the Commissioner on matters of Executive Team remuneration and development. No members of the Executive Team are members of the Sub-Committee and the Sub-Committee is chaired by a Non- executive director. The Information Commissioner attends all meetings of Sub-Committee.
Terms of Reference are available here.
Regulatory Committee
The Regulatory Committee supports the Management Board in providing strategic oversight of the ICO’s regulatory delivery, including methodologies, decision making and processes in line with our strategic enduring objectives, to ensure that these are effective and fit for purpose.
The Committee is responsible for scrutinising regulatory impact, performance and service provision by the ICO. The Committee does not have any role in advising on individual cases. The Committee is chaired by the Information Commissioner.
Terms of Reference are available here.
Executive Team
The Executive Team sets the overall strategic direction and priorities for the organisation, in line with the vision agreed by the Management Board. The Executive Team meets formally once per month to consider and make decisions on the issues of greatest strategic importance to the ICO. The Executive Team also meets informally once per week, enabling the Executive Team members to collaborate effectively. Meetings are chaired by the Deputy Chief Executive Officer (Chief Operating Officer), which enables the Commissioner, as Chair of the Management Board, to more independently scrutinise and challenge the work of Executive Team.
Terms of Reference are available here.
Executive Team is supported in its role by Portfolio Board (see below) and Establishment Committee, which makes decisions regarding recruitment to permanent and temporary roles. Establishment Committee is supported by People Services.
Portfolio Board
Portfolio Board is effectively a sub-committee of Executive Team and provides oversight of the totality of the ICO’s investment in change. It collectively holds responsibility for monitoring portfolio progress and resolving issues that may compromise delivery and benefits realisation.
Terms of Reference are available here.
Senior Leadership Team
The Senior Leadership Team is responsible for overseeing the delivery of the strategic direction set by the Executive Team. It does this through having responsibility for managing the delivery of priorities and goals across the ICO.
SLT has delegated authority to deliver this work to a range of Boards, Terms of Reference for which are set out below. The purpose of the SLT Boards is to deliver SLT’s purpose of strategic oversight and delivery of cross-office priorities and plans. The Boards were created to ensure that there is sufficient capacity within these meetings for consideration, challenge, and scrutiny to deliver SLT’s collective role. SLT meets as required to consider any strategic, cross cutting issues which cannot adequately be considered by its Boards.
The purpose of the committee structure is to provide oversight, support and challenge to the people responsible for all aspects of the ICO’s work. In most cases, this means reviewing reports which give assurance on progress and delivery of strategic pieces of work, and giving guidance to the teams responsible for this work on any further steps that can be taken. Sometimes these matters will be considered as a matter of course, because of the importance of the work. At other times, these will be considered because further support or assurance is needed about a specific piece of work.
Terms of Reference are available here.
Communications and Engagement Board
This Board is responsible for the identification, co-ordination and execution of the strategic communication and engagement plans needed to underpin our most high profile and priority activities.
Terms of Reference are available here.
This Board is responsible for providing EDI leadership and overseeing the delivery of our EDI objectives, as an employer, as a regulator and as a service provider. The Board also supports and oversees the work of our EDI staff networks.
Equality Diversity & Inclusion (EDI) Board
This Board is responsible for providing EDI leadership and overseeing the delivery of our EDI objectives, as an employer, as a regulator and as a service provider. The Board also supports and oversees the work of our EDI staff networks.
The EDI Board is supported by the EDI Steering Group, which represents the voice of staff on EDI issues, provides a formal mechanism to raise issues or areas of concern and plays a vital role of advice and input to the EDI Board, providing feedback on decisions taken by the EDI Board, as well as championing issues for consideration by the EDI Board.
Terms of Reference are available here.
Policy Board
The Policy Board is responsible for ensuring the ICO has clear policy positions in place to both guide and underpin our work as a regulator. The Board is also responsible for supporting and developing the ICO’s policy profession and our policy development methodology.
Terms of Reference are available here.
Regulatory Delivery Board (RDB)
This Board is responsible for reviewing resourcing of the ICO’s regulatory work, approving work plans and scrutinising the direction and approach to delivering specific regulatory projects. It monitors performance against agreed KPIs, impact measures and strategies and monitors current and emerging risk and issues in relation to the ICO’s regulatory functions. It is responsible for the oversight and delivery of regulatory strategies and for the performance of front line services.
Terms of Reference are available here.
Resources Board
This Board is responsible for ensuring the ICO’s people, financial, physical and technical resources and infrastructure remain fit for purpose, are developed in line with the ICO’s medium and long-term capacity and capability needs, and are deployed efficiently, effectively and with value for money.
Terms of Reference are available here.
Risk and Governance Board
This Board is responsible for assisting the Information Commissioner and Senior Leadership Team with the governance of the organisation and management of risk to achieving its strategic priorities and service delivery. It achieves this purpose by reviewing and scrutinising the development, maintenance and implementation of the ICO’s risk and governance management frameworks, including monitoring and reporting arrangements. This Board is also responsible for management of the ICO’s own information risks through its sub-committee, the Information Risk Governance Group.
Terms of Reference are available here.
This Board is currently paused. The Board’s role in oversight, support and challenge are being provided through line management chains and consultation outside of meetings as required.
Role of the Information Commissioner and Accountability
The Information Commissioner is directly accountable to Parliament. The Commissioner must be completely independent, remain free from external influence, whether direct or indirect and neither seek nor take instructions from anybody in performing their tasks and powers.
Although the corporation sole structure creates a legal environment in which there is potential for significant power to be held by an individual, there are a range of accountability measures to mitigate this risk, both internally and externally. These include, but are not limited to, the following:
External
- The Information Commissioner’s Office has a sponsoring department within government. This is the Department for Science, Innovation and Technology (DSIT). The nature of the relationship is set out in the ICO’s Management Agreement with its sponsoring department. The Management Agreement is available online and sets out how the priorities of the ICO and DSIT align, and the expectations for the Information Commissioner in terms of performance measures, engagement, staffing, financial controls and other related issues.
The Management Agreement set outs that the Information Commissioner and the Secretary of State for DSIT share the aim that the ICO is, and continues to be, a world class regulator working effectively across the UK, and enabling the frictionless flow and safeguarding the exchange and protection of personal data once the UK leaves the EU. It also sets out a range of oversight mechanisms to ensure the ICO is run effectively, efficiently and in line with good practice. These include, but are not limited to, performance measures, engagement with the sponsor department, financial controls in line with Managing Public Money, spending and procurement controls, internal and external audit and the governance and accountability mechanisms in place.
The Management Agreement also sets out the Information Commissioner’s responsibilities with regards to the role of Accounting Officer as well as the responsibilities of the Management Board.
- The Information Commissioner is held to account overall by the Parliamentary Select Committees, before which the Commissioner usually appears two to four times per year.
- The ICO engages in various and regular reviews with Government and DSIT. The ICO also makes bids for funding (via DSIT) to Treasury spending reviews.
- The ICO publishes an annual report, reporting on our most impactful work over the previous year. The report also includes information on our accountability mechanisms and our financial performance. The report is audited by the Comptroller and Auditor General.
- The Information Rights Tribunal provides scrutiny and oversight of the Commissioner’s regulatory decision-making, application of powers, and progression of statutory work. All of these components are appealable to the tribunal in different ways. The effect of this arrangement is that should the Commissioner take inappropriate or unfair decisions, misapply their powers, or fail to progress complaints made about Data Protection or Freedom of Information matters there is direct judicial oversight and remedy of this. This can include requiring the Commissioner to deal with the matters or substituting the Commissioner’s decision in some circumstances with that of the tribunal. There are roughly 300 appeals made to this tribunal each year, and the ICO successfully defends its position in roughly 75% of those. The UK is the only Data Protection or Freedom of Information jurisdiction in the world that has its own dedicated tribunal chamber specialising in the subject matter of the authority. This is a strong accountability arrangement, which has been commented upon favourably in reviews of the UK's application of these laws including by The United Nations Special Rapporteur.
- The Parliamentary and Health Service Ombudsman (PHSO) provides scrutiny and oversight of the service provided by the Commissioner, particularly its progression and handling of approximately 45,000 complaints the office deals with each year.
- For some of our more intrusive investigative powers we come under the inspection remit of the Investigative Powers Commissioner. They inspect us annually to ensure we are exercising these powers appropriately, including making the right judgments as to risk.
- As Accounting Officer, to Commissioner is directly accountable to the DSIT Permanent Secretary for financial stewardship of the ICO and is subject to a range of Government spending controls.
- The funding model for the ICO is determined by legislation (agreed by Parliament) and the level of fees and charges that the ICO can levy is agreed by the Secretary of State for DSIT.
Internal
- The Commissioner has appointed a Senior Independent Director (SID), whose role leverages the collective contribution of the ICO’s Non-Executive Directors (NEDs) as part of the ICO’s unitary Board arrangements, facilitating their role in bringing effective support, scrutiny and challenge to the Executive whilst respecting the ultimate statutory authority and accountability held by the Information Commissioner as a Corporation Sole. The duties of the SID include conducting an annual appraisal for the Commissioner, serving as an intermediary for the other NEDs to support them in challenging and contributing effectively, providing support and guidance in the event of concerns about the performance of the Commissioner, building and maintaining a relationship with DSIT, and being the main point of the contact for the succession process for the Commissioner’s role.
- There is an Audit and Risk Committee, which comprises two non-executive directors and an independent member. The Commissioner attends these meetings as required, including attending when the Committee reviews the ICO’s annual report, prior to publication. The Committee supports the Commissioner and Management Board in their role in respect of the effectiveness of the ICO’s risk management system and procedures and its internal controls, by reviewing the comprehensiveness and reliability of assurances on governance, risk management, the control environment and the integrity of financial statements and the annual report. These meetings are also attended by Internal Auditors (provided by a third-party firm) and External Auditors (provided by the NAO) to ensure that there is strong scrutiny of this role.
- In addition to attending Audit and Risk Committee meetings, the externally appointed internal auditors conduct a full internal audit programme over a rolling annual programme. This programme is agreed annually by the Audit and Risk Committee.
- Management Board is also supported by the People Committee and Regulatory Committee, who provide independent assurance as to the mitigation of people and regulatory risks respectively and the delivery of relevant strategies.
- The Renumeration Advisory Sub-Committee provides challenge, advice and scrutiny to the Commissioner on matters of Executive Team remuneration and development.
- The Management Board agrees the ICO’s key strategies. Progress in achieving the goals within each of these strategies is provided to the Board, alongside a Corporate Scorecard outlining performance. The Management Board also conducts a review of its effectiveness on a regular basis.
- ICO has an approach of delegated decision making, which ensures that decisions are taken by ICO staff at the most appropriate level, in line with the mechanisms for consistency of approach by the various working practices throughout the ICO’s varied areas of work.
- As set out earlier, the approach of collective decision-making principles used by Management Board is replicated throughout the ICO’s governance structure. Delegation of decision making also extends to the corporate governance structure, where decisions are taken by Management Board, Audit and Risk Committee, People Committee, Regulatory Committee, Executive Team, Senior Leadership Team (SLT) or SLT’s Boards, as appropriate. The Commissioner chairs the Management Board and the Regulatory Committee; the other groups are chaired by either Non-Executive Directors or ICO staff.
Alignment with best practice
The Information Commissioner has agreed to comply with the Corporate governance in central government departments: Code of good practice 2018. In line with the “comply or explain” principle of the Code, the ICO does not adopt all aspects of the Code, but the Board considers that there are justifiable reasons for this, given the nature of the organisation as a corporation sole. Explanations for these deviations are provided in the ICO’s annual report. In particular:
- The Management Board does not have the powers and duties of a Board in which is vested the ultimate authority of the organisation. This is because the Information Commissioner is a corporation sole. However, although the Information Commissioner has responsibility for setting the strategic direction for the ICO, they achieve this through the work of the Management Board, which they Chair. The Commissioner has designated that the Management Board will operate on a collective decision-making model, and the same model is used for the various Committees and Boards which support the Management Board.
- Although the ICO has a Remuneration Advisory Sub-Committee to advise the Information Commissioner on remuneration policies related to Executive Team pay, as a corporation sole, the Information Commissioner retains ultimate authority in this area; and
- In respect of an operating framework, the Board operates within the overall system of corporate governance at the ICO.