Transparency data

Information Commissioner’s Office - Management agreement 2018-2021

Published 19 September 2018

1. Part A: The Information Commissioner’s priorities, funding and engagement

Statement of priorities

1.1. The Information Commissioner (IC) is the UK’s independent regulator for Data Protection and Freedom of Information, with key responsibilities under the Data Protection Act 2018 (DPA) and Freedom of Information Act 2000 (FOIA). The IC has a number of additional regulatory and legislative duties, which are covered by separate specific legislation, see Annex A.

1.2. The IC is a corporation sole (as set out in the DPA). The European Union’s General Data Protection Regulation (GDPR) requires all Member States to establish an independent supervisory authority to regulate data protection legislation. The IC (with the support of their office) carries out this function for the UK and specific responsibilities in this regard are set out in the DPA and its subordinate legislation. As set out in Article 52 of the GDPR, the IC must be completely independent, remain free from external influence, whether direct or indirect, and neither seek nor take instructions from anybody in performing their tasks and powers as a national supervisory authority. This Management Agreement has therefore been developed in line with this requirement. The agreement has been drawn up by the Department for Digital, Culture, Media and Sport (DCMS) in consultation with the IC.

1.3. The IC and the Secretary of State share the aim that the Information Commissioner’s Office (ICO) is, and continues to be, a world class regulator working effectively across the UK, and enabling the frictionless flow and safeguarding the exchange and protection of personal data once the UK leaves the EU. As a world class regulator, the ICO protects and promotes individuals’ rights in relation to their data and improves standards of information rights practice by supporting individuals and organisations across the UK to implement robust data protection practices. This is achieved through clear, inspiring and targeted engagement and influence, as well as by ensuring that relevant legislation is upheld and appropriately enforced. The ICO also has regard to the desirability of encouraging growth and innovation when undertaking its functions.

1.4. Key priorities for the IC, as set out in the ICO’s Information Rights Strategic Plan, include:

  • to increase the public’s trust and confidence in how data is used and made available;

  • improve standards of information rights practice through clear, inspiring and targeted engagement and influence;

  • stay relevant, provide excellent public service and keep abreast of evolving technology;

  • enforce the laws the IC helps shape and oversee;

  • to maintain and develop the UK’s influence within the global data protection community;

  • to be an effective and knowledgeable regulator for cyber related privacy issues.

1.5. Further details are set out in the IC’s Information Rights Strategic Plan 2017-2021.

1.6. The above priorities, set independently by the IC, align with the following DCMS objectives:

  • Global: Drive international trade, attract investment and promote shared values around the world – promoting the UK as a great place to live, work and visit.

  • Growth: Grow an economy that is creative, innovative and works for everyone.

  • Digital connectivity: Continually drive the UK’s connectivity, telecommunications and digital sectors.

  • Society: Make our society safe, fair and informed, online and offline.

1.7. These are set out further in the DCMS Single Departmental Plan.

Financial allocation

1.8. The IC’s financial settlement for 2016-20 is as set out in its Spending Review Settlement letter and any further allocation letters.

1.9. The IC and their office are funded through a combination of charges levied on relevant public stakeholders and grant in aid funding paid out of money provided by Parliament. Further details are set out below.

Charges

1.10. Expenditure on data protection activities is financed through the retention of data protection charges collected from data controllers in accordance with the Data Protection (Charges and Information) Regulations 2018 laid in Parliament on 20 February 2018.

1.11. Most changes to these Regulations require secondary legislation subject to the affirmative resolution procedure, although changes to increase the charges in line with an appropriate index would only be subject to the negative resolution procedure. DCMS will consult the IC and relevant stakeholders on any proposed changes to these charges before bringing forward legislation. The IC may also submit proposals to the Secretary of State for amendments to the data protection charges regulations. At a minimum, the regulations need to be reviewed every five years.

Grant in aid

1.12. The Secretary of State may make payments to the IC out of money provided by Parliament under Paragraph 9 of Schedule 12 to the DPA 2018. After consultation with the IC, DCMS will pay to the IC appropriate sums (the grant in aid) for ICO administrative costs and the exercise of the IC’s functions in relation to a number of specific functions, including freedom of information. Additional grant in aid may be paid by other Departments in accordance with the requirements of relevant legislation.

1.13. Each income stream is used to fund directly attributable costs, for example staff costs. Costs which cannot be attributed to a specific income stream (for example IT, accommodation, finance) are funded from the income remaining after directly attributable costs are taken into account.

1.14. The IC’s capital expenditure limit is agreed as part of the budget setting process with the DCMS.

1.15. Such funds as are necessary to meet any liabilities at the end of the financial year (such as creditors), or unspent funds up to a maximum of 3% of total annual data protection charge income (whichever is the greater), may be carried over to the following financial year. If there is a budget impact from the utilisation of the retained funds in future financial years, the IC must request and DCMS must agree the additional budget cover prior to the IC committing the spend.

1.16. Any cleared funds in excess of the provisions specified at paragraph 15 above must be remitted to DCMS to be remitted to the Consolidated Fund at the end of each financial year.

Performance measures

1.17. Performance measures for the IC are detailed in the ICO’s four year rolling plan available on its website at http://www.ico.org.uk/

1.18. The ICO’s performance is reported on in the Annual Report and Accounts, copies of which are also available at ico.org.uk/. The Annual Report measures the performance of the ICO against its key priorities as identified in its Information Rights Strategic Plan. The Annual Report will also include key operational, financial and performance indicators.

1.19. The ICO will report on performance against the ICO’s Information Rights Strategic Plan strategic goals, set out in section 1.4, on a quarterly basis.

1.20. The IC is directly accountable to Parliament and reports against agreed key performance indicators to the DCMS Select Committee. These indicators will be developed with DCMS during the life of this Management Agreement.

Engagement

1.21. DCMS and the IC have agreed an engagement calendar as set out below. This contact will be in addition to routine and policy led contact between DCMS, the IC and their office. The DCMS Finance and HR Teams may agree a separate calendar of engagement with the ICO Finance and HR teams.

Meeting between the Minister of State for DCMS (Minister for Digital and the Creative Industries) and the IC | Monthly.
Liaison meetings between the DCMS Sponsorship Team and ICO Deputy Commissioner - Policy, Deputy Chief Executive and Director of Corporate Affairs and Governance. | Monthly. Management papers are presented and discussed on a quarterly basis.
Bilateral meetings between the Director of Cyber Security and Data Protection and the IC. | Monthly.
Regular scheduled meetings between DCMS and ICO policy leads. | Various.

1.22. The Deputy Director for Data Protection in DCMS is the primary contact for the IC and their office within DCMS. The IC should aim to work collectively with the DCMS and other members of the DCMS ‘family’ of arm’s length bodies in support of each other and the group as a whole. In addition to the areas covered in this agreement, the key responsibilities of DCMS, as sponsoring department, include: ensuring that the IC is adequately funded and resourced; representing the interests of the IC to Parliament and other Government departments; ensuring that there is a robust national data protection framework in place; and providing guidance and support to the ICO on corporate issues such as estate issues, leases and procurement.

ICO staff

1.23. In accordance with paragraph 1 Schedule 12 of the DPA, the IC and their officers and staff are not to be regarded as servants or agents of the Crown and are not classified as Civil Servants. The Act also specifies the duties of the IC towards ICO staff.

1.24. Within the arrangements set in statute under the DPA, the IC will have responsibility for the recruitment, retention and motivation of ICO staff, and has broad responsibilities toward their staff to ensure that:

  • the rules for recruitment and management of staff create an inclusive culture in which diversity is fully valued; appointment and advancement is based on merit: there is no discrimination on grounds of gender, marital status, sexual orientation, race, colour, ethnic or national origin, religion, disability, community background or age; and

  • the level and structure of its staffing, including grading and staff numbers, are appropriate to its functions and the requirements of economy, efficiency and effectiveness.

1.25. The ICO is required to report on diversity at Board level and in their staff population as part of their Annual Report to Parliament.

1.26. Under paragraph 5 Schedule 12 of the DPA the IC has responsibility for determining the pay and conditions of ICO staff. They should ensure that arrangements are conducive to the recruitment and retention of the staff needed to enable them to fulfil their statutory duties. Pay and conditions are expected to be affordable, proportionate and responsible, including senior salaries.

1.27. In January 2018 the ICO was granted pay flexibility up to 2020/21 so it can review its pay and grading structure. During this period, the IC will have the flexibility to determine the levels of pay necessary for the ICO to maintain the expertise it needs to fulfil its functions as supervisory authority subject to the following conditions:

  • ICO to keep HM Treasury (HMT) and DCMS updated with what they are going to do with the flexibility once they have conducted their review;

  • the assumption will be that matching market averages is the upper limit to what the ICO can do, since a public sector organisation should ordinarily pitch itself below averages in the wider market;

  • ICO to consult with HMT at official level on their pay plans;

  • senior pay controls and other controls on the pay of senior executives in the organisation will remain; and

  • in line with the financial regulatory controls agreed between DCMS and ICO, the pay increases do not result in new net costs to the Exchequer or against budget, either directly or indirectly.

1.28. Following this period of pay flexibility the ICO will revert to being subject to standard public sector pay policy guidelines issued by HMT (unless otherwise negotiated).

1.29. The IC will submit an annual pay remit to DCMS for approval although this is no longer subject to a 1% cap on pay increase. During the IC’s three year period of pay flexibility, this will be for information purposes only.

1.30. Any proposal by the IC to move from the existing pension arrangements, or to pay any redundancy or compensation for loss of office under the Civil Service Compensation Scheme or an analogous scheme, requires the prior approval of the Cabinet Office. Proposals on severance must comply with the rules in chapter 4 of Managing Public Money and will require Treasury approval. The IC must follow the processes set out in the DCMS “Guidance on Staff Exits”.

1.31. The IC is subject to the Procurement Policy Note 08/15 – Tax Arrangements of Public Appointees, and any guidance that may supersede it. The IC shall not remunerate employees via special purpose companies or by means of any other tax avoidance devices. Senior staff with significant financial responsibility must be on the payroll, unless there are exceptional temporary circumstances, which must be agreed by the IC Accounting Officer and not exceed a period of six months. The IC is also responsible for ensuring that any temporary off-payroll workers employed are meeting their tax obligations.  

2. Part B: financial controls

Delegated financial limits

2.1. All delegations are subject to the requirement that spending proposals falling within Managing Public Money Annex 2.2, box A.2.2C should be referred to DCMS. These are:

  • items which are novel, contentious or repercussive, even if within delegated limits;

  • items which could exceed the agreed budget and Estimate limits;

  • contractual commitments to significant spending in future years for which plans have not been set;

  • items requiring primary legislation (e.g. to write off NLF debt or PDC);

  • any item which could set a potentially expensive precedent; and

  • where Treasury consent is a specific requirement of legislation.

Unlimited (unless otherwise specified)

Capital expenditure

Expenditure on new construction, land, extensions of, and alterations to, existing buildings and the purchase of any other fixed assets (eg machinery, plant, and vehicles), art works and additions to the collection with an expected working life of more than one year. Also includes exchanges of fixed assets. | £50,000
Expenditure on the signing of new leases, renewals of existing leases, the non-exercise of lease break options, any new property acquisitions (including those made through a Public Finance Initiative Provider), new build developments, sale and leaseback, and any freehold sales as part of national property controls. | £0 (no delegated limit). Approval for leases over £100,000 can only be given by the Chief Secretary to the Treasury and must provide value for money for Government as a whole or demonstrate exceptional circumstances.

Single tender contracts

2.2. The delegation for single tender contracts is set at £50,000 for each contract. Proposals for awarding single tender contracts outside this delegated limit must have the prior approval of DCMS before any contract is awarded.

2.3. “Single tender contracts” means contracts awarded to a supplier without a general call for competition in accordance with Regulation 32 of the Public Contracts Regulations.

Gifts

Gifts received by the IC | Unlimited. The ICO publishes a register of all gifts and hospitality received on an annual basis.
In a financial year, any one gift or total of gifts by the IC to one person/organisation; and staff. Gifts to staff are subject to guidance set out by the Cabinet Office | £1000

2.4. Proposals for making gifts outside this delegated limit must have the prior approval of DCMS. The ICO must keep a record of gifts given. Details of gifts to one person/organisation should be noted in the annual accounts if, individually or collectively, they exceed £1,000.

Fraud

2.5. No delegation. All cases of attempted, suspected or proven fraud, irrespective of the amount involved, must be reported by the ICO to DCMS as soon as they are discovered.

Non-statutory contingent liabilities

2.6. Up to £100,000.

Losses and special payments

2.7. The write-off of losses or approval of special payments should only be carried out by staff authorised to do so by and on behalf of the ICO’s Accounting Officer. The ICO should consult DCMS where cases:

  • involve important questions of principle;

  • raise doubts about the effectiveness of existing systems;

  • contain lessons which might be of wider interest;

  • are novel or contentious;

  • might create a precedent for other Departments in similar circumstances; or

  • arise because of obscure or ambiguous instructions issued centrally.

Classification of losses

| Type | Description | Delegation |
|---|---|---|
| A. | Losses | |
| (i) | Cash losses: Physical losses of cash and its equivalents (eg banknotes, credit cards, electronic transfers, payable orders) | £100,000 |
| (ii) | Book keeping losses: unvouched or incompletely vouched payments, including missing items; charges to clear inexplicable or erroneous debit balances. | £100,000 |
| (iii) | Exchange rate fluctuations: Losses due to fluctuations in exchange rates or revaluations of currencies. | £100,000 |
| (iv) | Losses of pay, allowances and superannuation benefits paid to civil servants, members of the armed forces and NDPB employees: | £100,000 |
| | overpayments due to miscalculation, misinterpretation, or missing information | £100,000 |
| | unauthorised issues, eg inadmissible payments | £100,000 |
| | losses arising from other causes, e.g. non-disclosure of full facts by the beneficiary, short of proven fraud. | £100,000 |
| (v) | Losses arising from overpayments of social security benefits, grant, subsidies, etc. arising from miscalculation, misinterpretation or missing information. | £100,000 |
| (vi) | Losses arising from failure to make adequate charges for the use of public property or services. | £100,000 |
| B. | Stock write offs and impairments: The accounting loss incurred as a result of the reduction of the holding value of stock or inventory to an impaired or nil fair value in accordance with the relevant accounting principles. | £100,000 |
| C. | Losses of accountable stores | |
| (i) | because of proven or suspected fraud, theft, arson or sabotage, or any other deliberate act (including repairable damage caused maliciously to buildings, stores etc even where a legal claim is not possible). | £100,000 |
| (ii) | Losses arising from other causes | £100,000 |
| D. | Fruitless payments and constructive losses | £100,000 |
| E. | Claims waived or abandoned | £100,000 |

2.8. A record of losses should be maintained and if the total of losses or special payments in the year exceeds £300,000, the annual accounts should include a statement, with any individual losses and special payments exceeding £300,000 specifically identified.

Special payments

2.9. Special severance payments: There is no delegation for special severance payments (payments made to the employee outside their statutory or contractual entitlement upon termination of their employment contract). Each payment, regardless of value will require HM Treasury approval before an offer can be made.

2.10. Redundancy payments: All redundancy payments outside contractual terms require DCMS and Cabinet Office permission in all cases.

Special payments:
(i) extra-contractual and ex gratia payments to contractors; £100,000
(ii) other ex gratia payments; £100,000
(iii) compensation payments; £100,000
(iv) extra-statutory and extra-regulatory payments. £100,000
(v) consolatory payments: A special payment to address an inconvenience or hardship to a third party, arising from administrative failures ie where the organisation has not acted properly or provided a poor service. These can include: wrong advice, discourtesy, mistakes and delays. £500

Disposal of assets

2.11. Limit for land and buildings: £20,000.

2.12. All asset disposals, regardless of value, should be notified to DCMS through the routine monthly financial reporting processes.

Retention of receipts

2.13. The ICO will inform the DCMS at the Winter Supplement Estimate (November) if there is likely to be any material change to the forecast income totals set out in the table below:

| | 2017/18 Forecast (£’000) | 2018/19 Forecast (£’000) | 2019/20 Forecast (£’000) | 2020/21 Forecast (£’000) |
|---|---|---|---|---|
| Projected charges income | £19,580 | £20,755 | £22,000 | £23,320 |

Spend controls

2.14. The ICO is subject to the latest Cabinet Office spend controls and the DCMS thresholds for spend controls, as set out in the latest DCMS Spend Control Guidance. The only exception to this is that for all advertising and marketing expenditure under £100,000, the IC is only required to request approval directly from the DCMS Sponsorship team (represented by the Deputy Director for Data Protection in DCMS), as opposed to completing the formal approval process detailed in the Spend Control Guidance. For expenditure in excess of £100,000 the standard process, including obtaining Cabinet Office approval, will apply.

2.15. All Cabinet Office spend controls apply to the IC.

Procurement

2.16. The ICO must comply with the Public Contracts Regulations 2015 (PCR) in its procurement activity. Further, as a public body, as set out in the Public Contracts Regulations 2015, ICO is subject to certain thresholds when tendering for a procurement opportunity, as detailed in Procurement Policy Note - Reforms to make public procurement more accessible to SMEs (Information Note 03/15) and ojec.com/threshholds.aspx.

2.17. The ICO shall:

  • acquire goods and services through fair and open competition, using LEAN methodology where appropriate, delivering value for money through procurement, and operating in line with European law, including restrictions on state aids and current best practice, inclusive of open procurements for requirements under £100,000 where appropriate and restricted use of Pre-Qualification Questionnaires.

  • Comply with current requirements on additional spend controls, delegated authorities and authorisations on procurement and leases as notified to them by DCMS.

  • Support collaborative procurement and commercial efforts across DCMS and its family of other ALBs.

Efficiency

2.18. In the Spending Review Settlement Letter, the ICO was asked to find an efficiency saving of at least 1% year-on-year, calculated against its RDEL grant-in-aid funding for that year, across the Spending review period, which can be recycled into frontline services. The ICO will be required to provide an annual return outlining their efficiency plans, as well as projected and actual savings.

Management information

2.19. The table below sets out the management information that DCMS expects the ICO to provide in the course of a 12 month period. These may be subject to change depending on future information requirements.

| Timescale | What | How | Purpose |
|---|---|---|---|
| Monthly (9th working day of each month) | Grant-in-aid requests | Via Finance Partnership Webpage | To get the ALB’s latest forecast income and expenditure for reporting to Board and HM Treasury. Also the mechanism for paying GIA to the National Gallery. |
| Monthly | Consultancy return (including nil returns) | By email to DCMS Procurement and Commercial Team | To enable Cabinet Office to keep track of the number of public sector consultancy contracts. |
| Monthly | Cash management figures within GBS accounts | By email to Finance | To supply HM Treasury with forecast for cash management inside GBS |
| Monthly | Spend over £25,000 | On the ALB’s website | Transparency: to inform public how public money is spent. |
| Quarterly | Management reports | By e-mail to DCMS Sponsor team | To facilitate effective sponsorship governance. |
| Quarterly | Key metrics (total procurement spend, spend with SMEs and the Voluntary, Community and Social Enterprise sector) | By e-mail to DCMS Procurement and Commercial Team | Benchmarking of procurement spend and provision of data on economic effect of spend by Departments and ALBs. |
| Quarterly | Exchequer funds held in commercial bank accounts | By e-mail to Finance | To supply HM Treasury with details of how much government funding is held outside GBS. |
| Quarterly | Medium Term Financial Model returns | By e-mail to Finance | To get the ALB’s latest capital profiles for internal management and reporting to Finance Committee |
| Six-monthly | Publication of senior salaries and organograms | On the ALB’s website or hosted on DCMS website | Transparency: to inform public how public money is spent. |
| Annually | Alignment/WGA | Alignment consolidation packs, WGA transactions and balances exercise | Alignment: to consolidate the ALB’s resource accounts within the DCMS resource accounts. WGA: to gather counter-party details for consolidation. |
| Annually | Sustainability data | By email to Finance and DCMS Sustainability Champion | To meet HM Treasury requirement to supply centre with sustainability data. |
| Annually | EU public procurement statutory return (Schedule 1 or Schedule 2 as appropriate) | By email to Cabinet Office | Legal requirement to provide data on number of tenders advertised in the European Journal. |
| Annually - Mid August | Country and Regional analysis data | By email to Finance | HM Treasury requirement - feeds into the Core Tables for the Annual Report and Accounts. |
| Annually | Annual report and accounts | By email to Finance as per timetable (separate guidance is issued on this) | Statutory obligation |
| Annually, following the three year pay flexibility period | Pay Remit and pay remit outturn | By email to ALB Team | To ensure spend on pay is aligned across Government. |
| Annually | Publication of salaries over £150k | By email to ALB Team (for publication on Cabinet Office website) | Transparency: to inform public how public money is spent. |
| Quarterly | Sharing of Strategic Risk Register | By email to DCMS Sponsor Team | Enable timely and appropriate response to risk. |
| Annual | Efficiency return | Pro-forma | To provide evidence that the 1% target has been met, to demonstrate what measures have been taken to achieve this and to demonstrate how these savings have been recycled back into frontline services. |
| Ad hoc immediate as required | Completion and updating of e-Pims database | Directly into e-Pims system | To ensure accurate property and estate information is maintained at all times. |
| On request | Sharing of audit strategy, periodic audit plans and annual audit report, including the Head of Internal Audit’s opinion on risk management, control and governance. | With Finance and Head of, on request | Assurance of financial management. |

3. Part C: The ICO Governance Framework

Introduction

3.1. This document sets out the broad framework within which the IC and their office will operate. The document does not convey any legal powers or responsibilities. It is signed and dated by DCMS and the IC. Copies of the document will be placed in the Libraries of both Houses of Parliament and made available to members of the public on the ICO’s website, with a link to it on .gov.uk.

3.2. The agreement will remain in place until it is superseded by a new agreement. The agreement should be treated as a living document and reviewed by both sides annually in March. Any changes to ministerial priorities, policy requirements and KPIs will be made by exchange of letters between the Minister and the IC; all other changes will be made by exchange of letter between the DCMS Permanent Secretary and the IC.

3.3. Legislative changes will take precedence over any part of this document. Significant variations will be cleared with the Treasury or the Cabinet Office as appropriate.

3.4. Nothing under this agreement shall prevent the IC from carrying out their legal duties under its founding legislation or under any other legislation which impacts on its functions, activities or powers.

Governance and accountability

3.5. The European Union’s General Data Protection Regulation (GDPR) requires all Member States to establish an independent supervisory authority to regulate data protection legislation. The tasks and powers of these supervisory authorities are set out in this legislation (Articles 57 and 58 of the GDPR).

3.6. The IC is the UK’s independent supervisory authority. Specific powers and responsibilities of the IC are set out in the DPA and FOIA, with additional regulatory responsibilities under a number of associated legislative frameworks.

3.7. The terms of appointment of the IC are as set out in the DPA. The IC is appointed by Her Majesty by Letters Patent, in compliance with the Code of Practice for Public Appointments.

3.8. The IC is directly accountable to Parliament. The Secretary of State and other members of the DCMS Ministerial Team will represent the IC’s interests in Parliament where appropriate.

3.9. The respective responsibilities of the DCMS Principal Accounting Officer and Accounting Officers for NDPBs and other arm’s length bodies are set out in Chapter 3 of Managing Public Money which is sent separately to the Accounting Officers on appointment and summarised below.

The Information Commissioner’s responsibilities

3.10. The IC is a corporation sole, with responsibility to Parliament for ensuring that the ICO fulfils its statutory purpose as set out in its founding legislation, that where the IC deems it appropriate the ICO’s policies are consistent with those of the Secretary of State, the responsible DCMS Minister is kept informed of developments which are likely to affect the ICO’s ability to fulfil its aims and objectives and that the ICO’s affairs are conducted with probity. The IC is also responsible for good governance and for ensuring that the principles set out in the ‘DCMS Guidance on Board Appraisal Processes for ALBs’ are followed.

3.11. As a corporation sole there is no statutory requirement for the IC to have a Board. In order to help fulfil their responsibilities, the IC has constituted a Management Board. The IC is the Chair of the Management Board, as well as Chief Executive of the Information Commissioner’s Office and the delegated Accounting Officer for the Information Commissioner’s Office. Given its role as a non-statutory advisory board to the IC, as far as is applicable, the Management Board will operate in line with the Government’s Code of Practice on Corporate Governance.

Management Board

3.12. The Management Board is specifically responsible for advising the IC, as a corporation sole, on:

  • ensuring that the ICO is in a position to enable the IC to fulfil the aims and objectives set out in the founding legislation;

  • determining the steps necessary to deal with any developments which are likely to affect the ICO’s ability to fulfil its aims and objectives;

  • ensuring that any statutory or administrative requirements for the use of public funds are complied with; that the IC operates within the limits of their statutory authority, within any delegated authority agreed with the sponsor Department, and in accordance with any other conditions relating to the use of public funds; and that, in reaching decisions, the IC takes into account guidance issued by the sponsor Department;

  • ensuring that financial information regarding the management of the ICO is reviewed regularly;

  • demonstrating high standards of corporate governance at all times, including using its Audit Committee to help the IC and Management Board to address key financial and other risks; and

  • ensuring that any public functions of the IC and their office are carried out in compliance with statutory duties.

3.13. As Chair, the IC has an obligation to ensure that:

  • the performance of the Management Board and its individual members are reviewed annually and operate effectively and to instigate remedial action should this not be the case;

  • the Management Board has a balance of skills appropriate to directing the ICO’s business, as set out in the Government Code of Good Practice on Corporate Governance;

  • Management Board members are fully briefed and understand their terms of appointment, duties, rights and responsibilities;

  • when required, the IC, together with the other Management Board members, receives appropriate training on financial management and reporting requirements and on any differences that may exist between private and public sector practice;

  • the IC assesses the performance of individual Management Board members when being considered for re-appointment; and

  • there is a code of practice for Management Board members in place consistent with the Cabinet Office Code of Conduct for Board Members of Public Bodies.

3.14. Individual Management Board members are appointed by the Chair. They should:

  • comply at all times with the Board Members’ Code of Practice and with the rules relating to the use of public funds and to conflicts of interest;

  • not misuse information gained in the course of their public service for personal gain or for political profit, nor seek to use the opportunity of public service to promote their private interests or those of connected persons or organisations;

  • comply with the Management Board’s rules on conflicts of interest and the acceptance of gifts and hospitality; and

  • act in good faith and in the best interests of the IC and their office.

Accounting Officer responsibilities

3.15. The DCMS Permanent Secretary, as Principal Accounting Officer for the DCMS family of ALBs, is accountable to Parliament for the issue of any grant-in-aid to the IC and is also responsible for ensuring arrangements are in place to:

  • monitor the ICO’s activities on a continuous basis to ensure that they are appropriate and affordable;

  • address significant problems in the ICO affecting delivery of its legislative tasks and organisational goals, making such interventions as are judged necessary;

  • periodically carry out an assessment of the risks both to DCMS and ICO objectives and activities;

  • inform the IC of relevant government policy in a timely manner; and

  • bring concerns about the activities of the body to the IC, requiring explanations and assurances that appropriate action has been taken.

3.16. Subject to any overriding legal rights or obligations, the IC will provide access to DCMS to all the ICO’s records and personnel for the purposes of supporting the Principal Accounting Officer in the fulfilment of their responsibilities.

3.17. The DCMS Principal Accounting Officer has appointed the IC to be the Accounting Officer for the body. The duties of the ICO’s Accounting Officer are set out in full in the Permanent Secretary’s appointment letter. The Accounting Officer is responsible for accounting to Parliament, DCMS and other stakeholders.

3.18. The ICO’s Accounting Officer is personally responsible for safeguarding the public funds for which they have charge; for ensuring propriety and regularity in the handling of those public funds; and for the day-to-day operations and management of the ICO and the achievement of its strategic aims and legislative requirements. In addition, they should ensure that the ICO as a whole is run on the basis of the standards, in terms of governance, decision-making and financial management that are set out in Box 3.1 to Managing Public Money (at the time of writing).

3.19. The key accountabilities are:

  • signing the accounts and ensuring that proper records are kept relating to the accounts and that the accounts are properly prepared and presented in accordance with Treasury guidance and with any directions issued by the Secretary of State;

  • signing a Statement of Accounting Officer’s responsibilities, for inclusion in the annual report and accounts;

  • signing a Governance Statement concerning the organisation’s management and control of resources during the year and setting out how risk has been managed, for inclusion in the annual report and accounts;

  • ensuring that effective procedures for handling complaints about the ICO are established and made widely known within the body;

  • acting in accordance with the terms of this document, Managing Public Money and other instructions and guidance issued from time to time by DCMS, the Treasury and the Cabinet Office; and

  • giving evidence, normally with the Accounting Officer of the sponsor Department, when summoned before the PAC on the IC’s stewardship of public funds.

3.20. Particular responsibilities to DCMS are:

  • informing DCMS of activities that may contribute to DCMS’s own policy objectives as defined in the single Departmental plan;

  • ensuring that financial considerations are taken fully into account at all stages in reaching and executing decisions, and that financial appraisal techniques are followed;

  • ensuring that timely forecasts and monitoring information on performance and finance are provided to DCMS; that DCMS is notified promptly if over or under spends are likely and that corrective action is taken; and that any significant problems whether financial or otherwise, and whether detected by internal audit or by other means, are notified to DCMS in a timely fashion; and

  • ensuring that financial information regarding the management of the ICO is reviewed regularly and that, where relevant, the Principal Accounting Officer is informed in a timely manner about any concerns; and providing positive assurance to DCMS that appropriate action has been taken on such concerns.

3.21. The IC should ensure that effective arrangements are in place to provide assurance on risk management, governance and internal control and the effectiveness of the internal control and risk management systems. The Management Board has nominated an Audit Committee chaired by a non-executive member. The Audit Committee should support the Management Board and IC, in the IC’s role as Accounting Officer, by providing advice and assurance on risk management, governance and internal control.

3.22. Where the Management Board does not consider issues relating to staff remuneration itself, it shall ensure that an effective mechanism for such consideration exists, eg a remuneration committee or similar body performing the same purpose.

3.23. The remuneration of the IC is determined by Parliament.

Publications and information strategy

3.24. The IC will have responsibility for contributing to the Government’s system of democratic accountability by making information available to the public on the quality and productivity of its services, value for money, performance and progress on delivery. The IC and their office will:

  • provide timely and accurate information required for Parliamentary Questions, and assist DCMS where appropriate in responding to Ministerial and public correspondence. The IC will be responsible for responding to requests under the Freedom of Information Act within the statutory time limit;

  • publish, or cause to be published, an annual report of its activities together with its audited resource accounts after the end of each financial year. The IC shall provide DCMS with the ICO’s finalised (audited) accounts in accordance with the annual guidance produced by DCMS; and

  • publish other information as required by DCMS in the interests of transparency and as communicated from time to time.

3.25. The IC must keep proper accounts and other records in relation to the accounts and prepare a statement of account for each financial year in such form as the Secretary of State may direct.

3.26. The IC has a duty under Section 139 of the DPA to lay before each House of Parliament a general report on the exercise of their functions under the Act. The annual report must:

  • cover any corporate, subsidiary or joint ventures under the ICO’s control;

  • comply with the Treasury’s Financial Reporting Manual (FReM);

  • contain a governance statement, setting out the ways in which the Accounting Officer has managed and controlled the resources used in the organisation during the course of the year, demonstrating how well the organisation is managing risks to the achievement of its aims and objectives; and

  • outline main activities and performance during the previous financial year and set out in summary form forward plans.

3.27. The Comptroller and Auditor General shall examine and certify the report and account and lay copies of it together with his report thereon before each House of Parliament. The report and accounts shall also be made available on the ICO’s website and GOV.UK, in accordance with the guidance in the FReM; a copy will be provided to DCMS for information. The accounts should be prepared in accordance with the relevant statutes and specific accounts direction issued by DCMS as well as the FReM.

3.28. Additionally the IC will be expected to publish information relating to the delivery of the ICO’s services and policies. In particular this should include information that will help the public to: (i) see progress against activity which the IC has made a public commitment to deliver; (ii) judge if the services and/or outputs offer value for money; and (iii) consider whether the way in which the body operates gives rise to any issues around fairness. Such information will be published at www.ico.org.uk.

3.29. Where the IC or their office conducts or commissions social or economic research, relevant professional standards should be applied to ensure that research is impartial, of sufficient quality, legal and ethical. Further guidance on conducting research can also be obtained from the DCMS Evidence and Analysis Unit.

Internal audit

3.30. The IC shall:

  • establish and maintain arrangements for internal audit in accordance with the Treasury’s Public Sector Internal Audit Standards (PSIAS);

  • ensure the Head of Internal Audit is appropriately competent and qualified in accordance with the requirements for approving appointments in accordance with PSIAS;

  • forward the audit strategy, periodic audit plans and annual audit report, including the IC Head of Internal Audit’s opinion on risk management, control and governance to the sponsor Department on request;

  • have effective controls to prevent fraud and theft; and

  • report all cases of attempted, suspected or proven fraud, irrespective of the amount involved, and notify DCMS of any unusual, novel or major incidents as soon as they are discovered, irrespective of the amount involved.

3.31. The ICO has chosen to set up an Audit Committee of its Management Board. This Committee will operate in accordance with the Cabinet Office’s Guidance on Code of Practice for Public Bodies and the Audit Committee Handbook.

3.32. DCMS’s internal audit service has a right of access to all documents prepared by the ICO’s internal auditor, including where the service is contracted out, for the purpose of obtaining assurance as to the ICO’s handling of public funds and effectiveness of financial controls.

External audit

3.33. The Comptroller & Auditor General (C&AG) audits the ICO’s annual accounts.

3.34. In the event that the ICO has set up and controls subsidiary companies:

  • the ICO will ask (or will have asked) HM Treasury to designate the company as either profit making or non-profit making;

  • where HM Treasury determines that the company is non-profit making, it will be (or will have been) included in a GRAA Order, which will make (or will have made) the C&AG its statutory auditor. The company should appoint the C&AG as auditor by agreement until such time as the GRAA Order is issued;

  • where HM Treasury determines that the company is profit making, it should either appoint the C&AG when its audit contract next comes up for renewal or, where they are required to go out to tender for audit services, the C&AG should be invited to compete. Where the C&AG is not appointed, the company must clearly explain the reasons for selecting a different auditor to DCMS.

3.35. The C&AG:

  • will consult DCMS and the ICO on who – the NAO or a commercial auditor – shall undertake the audit(s) on his behalf, though the final decision rests with the C&AG;

  • has a statutory right of access to relevant documents, including by virtue of section 25(8) of the Government Resources and Accounts Act 2000, held by another party in receipt of payments or grants from the IC;

  • will share with DCMS information identified during the audit process and the audit report (together with any other outputs) at the end of the audit, in particular on issues impacting on DCMS’s responsibilities in relation to financial systems within the IC upon request and inform the IC; and

  • will, where asked, provide Departments and other relevant bodies with Regulatory Compliance Reports and other similar reports which Departments may request at the commencement of the audit and which are compatible with the independent auditor’s role and inform the IC.

3.36. The C&AG may carry out examinations into the economy, efficiency and effectiveness with which the ICO has used its resources in discharging its functions. For the purpose of these examinations the C&AG has statutory access to documents as provided for under section 8 of the National Audit Act 1983. In addition, the ICO shall provide, in conditions to grants and contracts, for the C&AG to exercise such access to documents held by grant recipients and contractors and sub-contractors as may be required for these examinations; and shall use its best endeavours to secure access for the C&AG to any other documents required by the C&AG which are held by other bodies.

Managing public money and other government-wide corporate guidance and instructions

3.37. Unless agreed by DCMS and (as necessary) HM Treasury, the ICO shall follow the principles, rules, guidance and advice in Managing Public Money, referring any difficulties or potential bids for exceptions to DCMS in the first instance. A list of guidance and instructions with which the IC and their office should comply is in Annex B.

3.38. Once the overall budget has been allocated by DCMS and subject to any restrictions imposed by statute, the responsible minister’s instructions or this document, the IC and their office shall have authority to incur expenditure approved in the budget without further reference to DCMS, on the following conditions:

  • the IC and their office shall comply with the delegated financial limits agreed with DCMS. These delegations shall not be altered without the prior agreement of DCMS;

  • the IC and their office shall comply with Managing Public Money regarding novel, contentious or repercussive proposals;

  • inclusion of any planned and approved expenditure in the budget shall not remove the need to seek formal Departmental approval where any proposed expenditure is outside the delegated limits;

  • the IC and their office shall provide DCMS with such information about its operations, performance, individual projects or other expenditure as the sponsor Department may reasonably require; and

  • the IC and their office shall comply with any additional requirements notified to them by DCMS, for instance on spending controls or delegated authorities.

Risk management

3.39. The ICO shall ensure that the risks that they face are dealt with in an appropriate manner, in accordance with relevant aspects of best practice in corporate governance, and develop a risk management strategy, in accordance with Treasury guidance. The ICO should adopt and implement policies and practices to safeguard itself against fraud and theft, in line with the Treasury’s guide: Managing the Risk of Fraud. It should also take all reasonable steps to appraise the financial standing of any firm or other body with which it intends to enter into a contract or to give grant or grant-in-aid.

Business planning

3.40. To operate its business effectively, the ICO should produce management planning and information documents covering at least three financial years ahead. These may take the form of strategic or corporate plans (for three years ahead), and should include a business plan (one year ahead). The first year of the planning document can include the business plan incorporated as a single document.

3.41. DCMS should be sent copies of each of the completed planning documents. These plans should be made available to the public, via the internet if possible.

3.42. The business plan should include a forecast of income and expenditure suitably classified by activity and key objectives, taking account of guidance on resource assumptions and policies provided by DCMS at the beginning of the planning round. These forecasts should represent the ICO’s best estimate of its available income, including any grant or grant in aid or any other funding within the ICO.

Review

3.43. The ICO may be reviewed periodically by DCMS in accordance with:

  • the business needs of DCMS and of the IC;

  • Cabinet Office and HM Treasury guidance; and

  • appropriate legislation or guidance.

Arrangements in the event that an Arm’s Length Body (ALB) is wound up

3.44. In the event of the decision being made to wind up the IC, the IC will be required to wind up its affairs as soon as practicable and in accordance with the timetable agreed with DCMS and to put in place a plan for its closure. This will include arrangements for the handover of its residual business and assets and liabilities.

3.45. The draft wind-up plan should be forwarded to DCMS as soon as practicable and in accordance with the agreed timetable.

3.46. DCMS shall put in place arrangements to ensure that, when an ALB is wound up, this shall be done in an orderly manner. In particular DCMS should ensure that where an ALB is wound up, the assets and liabilities of the body are passed to any successor organisation and accounted for properly. (In the event that there is no successor organisation, the assets and liabilities should revert to the sponsor Department.) To this end, DCMS, in conjunction with the ALB, shall:

  • ensure that procedures are in place in the ALB to gain independent assurance on key transactions, financial commitments, cash flows and other information needed to handle the wind-up effectively and to maintain the momentum of work inherited by any residuary body;

  • where a body is audited by the National Audit Office, ensure that arrangements are in place to prepare closing accounts and pass to the C&AG for external audit and that funds are in place to pay for such audits;

  • arrange for the most appropriate person to sign the closing accounts. In the event that another ALB takes on the role, responsibilities, assets and liabilities, the succeeding ALB AO should sign the closing accounts. In the event that DCMS inherits the role, responsibilities, assets and liabilities, the Permanent Secretary should sign.

3.47. The ALB shall provide DCMS with full details of all agreements where the ALB or its successors have a right to share in the financial gains of developers. It should also pass to DCMS details of any other forms of claw-back due to the ALB.

Budgets and Grant in aid

3.48. Expenditure against resource and capital budgets must be recorded and monitored by the IC in accordance with the Treasury’s Consolidated Budgeting Guidance (or its successor). These are the net expenditure limits for the IC in each year - including any use of reserves for which budgetary cover has been given - and must be adhered to. Net expenditure above these limits may not be committed until or unless a revised budget has been agreed in writing by DCMS.

3.49. The IC may not breach the component parts of the capital and resource budgets (eg core capital). Approval must be sought in advance and in writing if the IC wishes to spend more in one category and less in another. In all these matters, DCMS may be required to refer a decision to the Treasury before granting approval.

3.50. Grant in aid is the amount payable by DCMS to the IC in each year and is independent of the budget figures, although derived from them. It does not include depreciation or any budgetary cover allocated by DCMS for the IC’s use of its own reserves.

3.51. The following costs are not eligible expenditure for grant in aid funding: Payments that support activity intended to influence Parliament, Government or political parties, or attempting to influence the awarding or renewal of contracts and grants, or attempting to influence legislative or regulatory action.

Grant in aid and any ring-fenced grants

3.52. Both the grant in aid provided by DCMS and the overall budgets set by it for the year in question will be voted in DCMS’s Supply Estimate and be subject to Parliamentary control.

3.53. The grant in aid will normally be paid in monthly instalments on the basis of written applications showing evidence of need. The IC will comply with the general principle, that there is no payment in advance of need. Cash balances accumulated during the course of the year from grant in aid or other Exchequer funds shall be kept to a minimum level consistent with the efficient operation of the ICO. Grant in aid not drawn down by the end of the financial year shall lapse. Subject to approval by Parliament of the relevant Estimates provision, where grant in aid is delayed to avoid excess cash balances at the year-end, DCMS will make available in the next financial year any such grant in aid that is required to meet any liabilities at the year end, such as creditors.

3.54. As a minimum, the IC shall continue to provide DCMS with monthly information via its grant in aid claims that will enable DCMS satisfactorily to monitor:

  • the IC’s cash management;

  • its draw-down of grant in aid;

  • forecast outturn; and

  • other data required for the Treasury’s Combined On-line Information System (COINS) or its successor.

Reporting performance to DCMS

3.55. The ICO shall operate management information and accounting systems that enable it to review in a timely and effective manner its financial and non-financial performance against the budgets and targets set out in the corporate and business plans. The ICO’s performance shall be reviewed by DCMS periodically in accordance with the engagement strategy.

Delegated authorities

3.56. The IC shall obtain DCMS’s prior written approval before:

  • entering into any undertaking to incur any expenditure that falls outside the delegations or which is not provided for in the IC’s annual budget as approved by DCMS;

  • incurring expenditure for any purpose that is or might be considered novel or contentious, or which has or could have significant future cost implications;

  • making any significant change in the scale of operation or funding of any initiative or particular scheme previously approved by DCMS;

  • redirecting funding provided by DCMS for one purpose to other purposes;

  • making any change of policy or practice which has wider financial implications that might prove repercussive or which might significantly affect the future level of resources required; or

  • carrying out policies that go against the principles, rules, guidance and advice in Managing Public Money.

3.57. The Employers’ Liability (Compulsory Insurance) Act 1969 does not require insurance to be effected by the IC.

Capital projects

3.58. All capital projects, whether already underway or beginning during this period, are subject to DCMS’s investment appraisal processes. Any capital expenditure that exceeds the IC’s delegated capital limit must be referred to the DCMS Finance Committee for approval at three stages of development, as set out in guidance issued by DCMS. The figure used in calculating whether the costs exceed the delegated limit is the lifetime cost of the capital project, including non-exchequer funding and any increased running costs ensuing from it.

3.59. Where projects are reliant on donations or sponsorship that have yet to be confirmed, demonstration of a staggered approach to completion (ie that takes account of the funds secured to date before proceeding with each stage) will be more likely to receive approval to proceed.

3.60. When considering the case for capital projects, the IC is expected to use the Treasury’s Green Book methodology (or its successor), as modified or enhanced by guidance from DCMS. This is the case for evaluating a capital project regardless of whether the project requires DCMS Finance Committee approval. DCMS reserves the right to receive copies of business cases for projects below the IC’s delegated limit or elements of it, such as the Net Present Value calculation.

Receipts

3.61. As a general principle the IC will remit all miscellaneous receipts to DCMS in accordance with Paragraph 10 of Schedule 12 of the DPA.

3.62. Exceptions to this general principle include:

  • receipts under the DPA or FOIA as amended by Section 107 of the Protection of Freedoms Act 2012;

  • in year receipts received from the recovery of legal fees awarded by the Courts and Tribunals;

  • receipts recovered from a claim made under POCA;

  • charges levied from staff for car parking at IC premises;

  • travel and subsistence costs recovered from external organisations; and

  • catering receipts.

3.63. Any charges will be on a cost recovery basis. Any income generated resulting in profit in the pursuit of these activities will be remitted to DCMS and then by DCMS to the Consolidated Fund, consistent with Section 6.1.4 of Managing Public Money.

3.64. Income from the activities listed under Part 5 DPA and section 47 FOIA may be included in the IC’s budget and may be retained by the IC. Any income from fees and charges not used by the end of the financial year shall be remitted to DCMS and subsequently the Consolidated Fund.

3.65. Money recovered from a confiscation order under the Proceeds of Crime Act 2002 should be used to drive up asset recovery performance. This could include the prevention and detection of offences committed under Section 170 DPA, and education of data controllers and data subjects about the risks these offences pose.

Compliance with the Equality Act 2010

3.66. In exercising public functions the IC is subject to the public sector equality duty in section 149 of the Equality Act 2010, requiring the IC to have due regard to the need to:

  • Eliminate unlawful discrimination, harassment, victimisation and any other conduct that is prohibited by or under the Equality Act 2010;

  • Advance equality of opportunity between people who share a relevant protected characteristic (age, disability, gender reassignment, pregnancy and maternity, race, religion or belief, sex, sexual orientation) and people who do not; and

  • Foster good relations between people who share a relevant protected characteristic and people who do not.

Cyber security

3.67. As part of its approach to risk management and information assurance the IC should ensure the robustness of its cyber security to protect itself against data breaches, service disruption, loss and reputational damage. The level of provision should be proportionate to the IC’s size and the level of risk it carries in terms of cyber vulnerability. A range of relevant Government advice and guidance can be found at gov.uk/government/collections/cyber-security-guidance-for-business. As a minimum, the IC should take steps to ensure it has basic cyber security controls in place. These should be at least at the level set out in the Cyber Essentials scheme. Further details of this scheme can be found at cyberstreetwise.co.uk/cyberessentials. Departmental officials can offer further guidance and support.

Signed by:

Minister for Digital and Creative Industries Date: 25/7/18

Information Commissioner Date: 30/7/18

Annex A: Legislation the Information Commissioner regulates

The General Data Protection Regulation (GDPR) and the Data Protection Act 1998 (DPA 2018) give important rights to citizens, including the right to know what information was held about them and the right to correct information that was wrong. They also protect the interests of individuals by obliging organisations to manage the personal information they hold in an appropriate way.

The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by most public authorities. Aimed at promoting a culture of openness and accountability across the public sector, it enables a better understanding of how public authorities carry out their duties, why they make the decisions they do and how they spend public money.

The Privacy and Electronic Communications Regulations 2003 regulate the use of electronic communications for the purpose of unsolicited marketing to individuals and organisations, including the use of cookies.

The Environmental Information Regulations 2004 provide an additional means of access to environmental information. The Regulations cover more organisations than the FOIA, including some private sector bodies, and have fewer exceptions.

The Infrastructure for Spatial Information in the European Community Regulations 2009 (INSPIRE) give the Information Commissioner enforcement powers in relation to the pro-active provision by public authorities of geographical or location based information.

The Re-use of Public Sector Information Regulations 2015 (RPSI) give the public the right to request the re-use of public sector information and detail how public sector bodies can charge for re-use and license the information. The ICO deals with complaints about how public sector bodies have dealt with requests to re-use information.

The Investigatory Powers Act 2016 (IPA) imposes duties on communications service providers in respect of the retention of communications data for third party investigatory purposes where they have been issued with a notice from the Secretary of State. The Information Commissioner has a duty to audit the security, integrity and destruction of that retained data.

The Electronic Identification and Trust Services for Electronic Regulations 2016 (eIDAS) set out rules for the security and integrity of trust services including electronic signatures, seals, time stamps and website authentication certificates. The ICO has a supervisory role towards organisations providing these trust services, including being able to grant qualified status to providers who demonstrate compliance with certain areas of the regulations and the ability to take enforcement action.

The Network and Information Systems Regulations 2018 (NIS) are derived from the European NIS Directive, which establishes a common level of security for network and information systems. These systems play a vital role in the economy and wider society, and NIS aims to address the threats posed to them from a range of areas, most notably cyber-attacks.

Annex B: Compliance with guidance and instructions

The IC shall be aware of and, where necessary, comply with the following general guidance documents and instructions: