A new agreement governing the working relationship between the Information Commissioner’s Office and the government could help restore damaged public trust in the state’s use of their data, the regulator has claimed.
The two parties have unveiled a new memorandum of understanding which clarifies each’s “respective roles to protect people’s information [and] sets out an enduring framework and approach to co-operation and collaboration”.
The document details a range of underlying principles agreed upon by both government and the ICO, as well outlining actions that each will take – individually and jointly.
The two parties have committed to “work together to ensure the public can see real benefits in sharing their data and trust that it will be protected” and also to “work collaboratively and transparently, taking a ‘no surprises’ approach”.
To ensure this cooperation takes place, the ICO and government – which will be represented by the Cabinet Office and the Department for Science, Innovation and Technology – will meet at least once a year “to review the progress and relevance of the MOU”, and will also “jointly provide an update on our work together on a regular basis”.
For its part, government has pledged to “publish an annual assurance statement on how people’s data is being kept safe and how new and proposed technologies and processes have been designed with trust and privacy in mind”.
Other clear actions enshrined in the new agreement include the establishment of “a clear process for responding to a personal data breach” – which all civil servants will be asked to follow. Government will also “seek the ICO’s expert advice when it has identified that the use of personal data in the delivery of a policy or a system carries a significant risk” and take steps to “ensure that, at all times, there is an accountable and named individual responsible… for managing cross-government data protection risk and compliance” – a responsibility which is currently held by the government chief data officer, Aimee Smith.
Other, less measurable commitments include a promise to focus on “prioritising public trust and confidence in the government’s handling of personal data” and to help cultivate “a cross-government culture of continuous learning around improving information security”.
“This includes gathering intelligence and learning lessons from personal data breaches and ‘near misses’ and implementing actions that would prevent a future similar breach,” the MOU adds.
Government also plans to “raise awareness of civil servants on how to share data safely… and inform [them] of the real-world consequences of inadvertent personal data breaches”.
The commitments will be supported by efforts to “track key indicators that monitor civil service maturity and awareness of information management”.
‘Trends and risks’
In fulfilling its part of the deal, the ICO vows to “use its expertise and resources” to assist with government’s efforts to train civil servants on issues of data security, as well as supporting the creation of the new blueprint for responding to a data breach.
The data watchdog also promises to “use its intelligence, including from breach reports and contact with the ICO advice services, to identify trends and potential risks and share their insights and trends with government to take action”.
Another pledge contained in the MOU is to “provide regulatory certainty by producing timely and relevant products including guidance, codes of practice, advice notes, opinions and audits that support government and the public sector to use people’s data safely”.
When there is an incident to which the regulator needs to respond, the ICO says that it will “be transparent with the public when holding an organisation to account for a breach”.
Other commitments set out in the arrangement include a stipulation that the data regulator will “provide independent and expert advice in response to government raising a substantial risk” and, finally, that it “will recognise that senior responsible officers in DSIT and Cabinet Office are responsible for driving collaboration between departments and… will work with both officers to support that”.
Following the publication of the MOU – which was undersigned by security minister Dan Jarvis, digital government minister Ian Murray, and information commissioner John Edwards – the ICO issued a statement claiming that the new arrangement has come in light of “several serious, high-profile data breaches that undermined public trust in government, some of which also placed lives at risk”.
“We have been clear that government needs to do more and move faster to improve data security as part of wider data protection practices, and we welcomed the government’s commitments to the chair of the Science, Innovation and Technology Committee in 2025,” the ICO added.
“This MOU formalises that action, setting clear expectations and a pathway for government to address concerns about its approach to data protection, rebuild trust with the public and improve transparency and accountability in how government departments treat and handle people’s personal information. This MOU is further strengthened by the leadership of the government chief data officer and expert network of departmental data protection officers who play a vital role in embedding good data practice and culture across government.”
In a written ministerial statement on the MoU, Jarvis said: “It is essential that we have strong public trust in the government’s protection of sensitive personal information. This Memorandum of Understanding sets out a shared understanding of how government and the ICO will work towards better government data security and use.
"The Memorandum of Understanding will help ensure that the measures we have in place to protect sensitive data are robust and support this government’s ambition to use new technologies to transform public services, create a modern digital government, and drive economic growth.”