Oakland

Setting the Standards for Responsible Data Use with the ICO’s Data Strategy

The Information Commissioner’s Office (ICO) is an independent regulator in charge of upholding the public’s information and data privacy rights. Data is core to their organisation, and they had an ambitious business strategy (ICO25) that needed underpinning with a tailored data strategy.

The ICO regulates and enforces the UK General Data Protection Regulation, the Data Protection Act 2018, and the Freedom of Information Act 2000, so they had a unique opportunity to set the tone for responsible and innovative data use in the public sector.

Why did the ICO need a data strategy?

Organisations are increasingly recognising the need to manage and treat their data as a corporate strategic asset. This means approaching data in the same way they protect, cultivate, and use other ‘assets’, such as intellectual property, financial resources, or people. Treating data as an asset underpins the delivery of significant organisational benefits, reduces risk of data misuse and can reflect an organisation’s culture and ethical stance.

They recognised they needed a data strategy for five reasons:


Data is critical to delivering their ICO25 ambitions, particularly those around impact, culture, capacity, and capability.
External factors set the expectations for the public sector’s use of data, including the National Data Strategy.
Technologies built on data, especially artificial intelligence (AI), offer the ICO the opportunity to develop radically transformed experiences for customers and colleagues. This automation enhances decision-making and informs them of AI’s practical uses and risks to deepen their understanding as a regulator.
The assessed data maturity of the ICO is low. For this to measurably grow, they needed to move from a culture of risk aversion to one of curiosity and experimentation grounded in modern interoperable systems.
The ICO have a unique opportunity to set the tone for responsible and innovative data use in the public sector.

This strategy first and foremost helps the ICO, their people and their partners understand their vision, direction and ambition, informing the choices they make day-to-day and their longer-term decisions on strategic investments.

It was also important to help their customers – whether members of the public or commercial, public or third sector organisations – understand their plans and intentions, consistent with their support for transparency in the public sector. This helps organisations that rely on them for information or guidance understand the role data is expected to play in delivering services in the future, including how data can be shared with industry and other public bodies.

Why Oakland?

After a competitive tender process, Oakland was chosen for several reasons:

Our response to the brief really paid attention to the ICO’s needs, showing a lot of consideration for the organisation’s unique requirements.

The ICO was using a brand new data maturity assessment for the government. This is a new standard framework developed by the Central Digital and Data Office. Oakland’s willingness to learn and spend our own time getting up to speed with the framework, while considering how it could be used alongside our existing assessment methods, made it clear to the ICO that Oakland could be trusted with this important project.

The Goals

The Data Maturity Assessment for Government (DMAG) was the ICO’s preferred method to assess data maturity. The ICO needed help applying this framework across their organisation. The findings were to drive forward an enterprise data strategy for a complex organisation where data protection is paramount.

The Scope

To help the ICO achieve its ICO25 strategic plan, Oakland provided support in these key areas:

Tailoring the solution

Using our robust discover, define, and plan approach, we discovered the current position through a tailored data maturity assessment aligned to the Data Maturity Assessment for Government (DMAG) framework.

This was applied organisation-wide, across all employment grades, and from almost all departments. The data maturity assessment looked at ten capability areas and was assessed against five maturity levels: beginning, emerging, learning, developing, and mastering.

Using three methods to collect evidence gave a more robust view and allowed us to obtain quantitative and qualitative outputs. With a mix of workshops, interviews, and surveys, we got the depth and breadth of detail on the data maturity and vision. The define stage built out the strategic pillars and recommended actions, whilst the plan phase, based on business priorities and our understanding of existing accelerators, constraints, and dependencies, delivered the actionable roadmap.

Mobilise

Discover

Define

Plan

What was the outcome?

The ICO published their data strategy for public consultation in January 2024 and have subsequently published their data strategy with the confidence that they have a solid roadmap to deliver.

The data maturity assessment has provided quantitative KPIs of current data capability that can be used to track maturity progress over time. Future development can be successfully managed and scaled while testing and adapting the approach through lighthouse projects for early value realisation from data.

The ICO now understand their current data maturity state and have developed a view of the role that they want data to play in the ICO of the future. This has allowed them to centre on a vision, four guiding principles, and two overarching goals.

“The data strategy is a hugely important piece of work that will put our own use of data at the heart of how we operate and transform as a regulator. It was important to see external views, and we teamed up with an experienced team at Oakland to deliver this milestone project.”

Rob Holtom – Executive Director of Digital, Data and Technology (DDaT) ICO

If you would like to talk about any elements of this case study, please drop us a line at hello@weareoakland.com