Select Committee on Constitutional Affairs Written Evidence


Evidence submitted by The Information Commissioner

PART ONE: PROGRESS TOWARDS THE IMPLEMENTATION OF THE FREEDOM OF INFORMATION ACT 2000

INTRODUCTION

  1.  The Freedom of Information Act received Royal Assent on 30 November 2000. It includes a provision that it will come into force no later than five years from Royal Assent. An implementation timetable was announced by the then Lord Chancellor on 13 November 2001.

  2.  FOIA established the post of Information Commissioner, with responsibility for promoting good practice by public authorities in observing the requirements of FOIA, raising public awareness about FOIA and enforcing the legislation. In respect of the last of these, FOIA gives the Commissioner a clear responsibility for considering and determining complaints about non-compliance by public authorities. These responsibilities are additional to the Commissioner's functions under the Data Protection Act.

  3.  I took up the office of Information Commissioner in December 2002, as successor to Elizabeth France CBE.

  4.  The Committee has been supplied with copies of my Corporate Plan for 2004-07 which was published externally in March. This is the principal outcome of the strategic review of my office which I announced soon after my appointment. The review took place during Autumn 2003 and involved considerable internal and external consultation and discussion. The plan spells out our new overall purpose in terms of:

    "Promoting public access to official information and protecting your personal information."

  5.  The Plan recognises our central challenge which is to absorb Freedom of Information alongside Data Protection and deal with the consequential organisational growth. We must transform ourselves from a mature data protection organisation into a body which is equally well-regarded for handling Freedom of Information. The Plan makes clear that, over the next three years, top priority must be given to our successful implementation of our responsibilities under the Freedom of Information Act ("FOIA"). We must decide cases in ways which command public and organisational confidence and get well down the road towards a genuine "open government" culture.

  6.  The Plan articulates our two top Aims, and related Objectives as follows:

  Aim 1 (FOI)—Decide cases robustly and correctly where there is a dispute about access to information held by a public body.

    —  Objective 1: By January 2005 implement the FOI Project Plan (updated as necessary) to set up, and then operate, a robust decision-making system which will resolve 50% of cases within 60 working days;

    —  Objective 2: Ensure high quality decision-making so that, by 2007, our approach is endorsed in 75% of decision notices taken to the Information Tribunal;

    —  Objective 3: Ensure that the system is user-friendly for applicants and commands the confidence of public bodies.

  Aim 2 (FOI)—Promote open government and bring about a culture where public bodies make as much official information available as possible.

    —  Objective 1: By September 2004 approve 100% of Publication Schemes submitted to us;

    —  Objective 2: By 2006 to have adopted new criteria for approving Publication Schemes which deliver ever greater openness;

    —  Objective 3: Fulfil a programme of active work with others (including DCA, National Archives, the media and user organisations) to promote an openness culture across the public sector.

  7.  The Government has stated that the core of the Freedom of Information Act will be implemented in January 2005, now less than eight months away. Our preparations have been largely guided by a Project Plan for the period June 2003-December 2004. A copy is enclosed with this submission. This Plan was developed and published as a matter of some urgency, following an early decision I took to refocus the FOI work of the ICO by creating a separate FOI team under the leadership of one of my existing Assistant Commissioners. This took effect from 1 April 2003 and additional staff were recruited, a first round of recruitment taking place in May/June of last year and a second in January/February of this year. As the work has progressed it has also become clear that a separate focus on FOI, in the short term at least, will enable us to identify those features of the Act and enforcement work which are likely to be significantly different from those under the Data Protection Act.

  8.  This submission summarises our progress towards FOI implementation by reference to the various headings in the project plan.

PUBLICATION SCHEMES

  9.  It is estimated that there are over 100,000 public authorities within the scope of FOIA. These have been divided into six "waves" for the purposes of publication schemes. Central Government Departments and some NDPBs were required to adopt and publish information according to publication schemes from 30 November 2002. The subsequent waves have been required to adopt their schemes at four month intervals thereafter as follows:

TIMETABLE FOR ADOPTION OF PUBLICATION SCHEMES
Wave 1 (November 2002): Central Government (except the Crown Prosecution Service and Serious Fraud Office), Parliament, National Assembly for Wales, Non-departmental Public Bodies currently subject to the Code of Practice on Access to Information.
Wave 2 (February 2003): Local Government (except police authorities).
Wave 3 (June 2003): Police, Police Authorities, Crown Prosecution Service, Serious Fraud Office.
Wave 4 (October 2003): National Health Service.
Wave 5 (February 2004): Schools, Universities, remaining Non-departmental Public Bodies.
Wave 6 (June 2004): Remaining public authorities.



  10.  All but a handful of the schemes in Waves 1-4 were submitted on time and all of those were approved on time. This has been a considerable achievement, both for my office and for the large number of public bodies concerned. I have been generally encouraged by the positive attitude adopted by the vast majority of public bodies. Although some have done little more than include information which they were already making available, others took the opportunity to publish much more. I hope the message continues to get through that inclusion of more material in a publication scheme on a voluntary basis should avoid considerable effort in dealing with later individual requests under FOIA.

  11.  There has been a slight delay with some Wave 5 schemes (Education, Non-Open Government Code NDPBs, Publicly Owned Companies), due to a variety of factors including a high proportion of "bespoke schemes" (see below), some late submissions, and temporary staff shortages.

  12.  Section 19 of the Act requires the Commissioner to approve publication schemes. A scheme may either be "bespoke", that is one describing the classes of information published by the authority adopting it, or "model", that is one which may be adopted by a public authority falling into the category for which the scheme was designed. For instance model schemes have been designed and approved for GPs, schools and parish councils. Schemes are approved for a limited period of time, usually 4 years, after which they must be renewed.

  13.  For the first round of approvals, we have not set particularly stringent approval criteria, reasoning that the most important thing has been to ensure that schemes are adopted and that processes are established for scheme development, review and renewal. This does not mean, however, that the importance of publication schemes as engines of openness is underestimated. Among other things we have instituted a wide ranging review of schemes, looking at their content, the effectiveness of particular schemes, the efficiency of our approvals systems, IT choices available to public authorities and the use made by the public of schemes. This work will lead to revised approval criteria for the second round of approvals and to a review of our own systems and procedures.

  14.  Initially all public authorities, whether adopting "bespoke" or "model" schemes, were asked to either submit the scheme for approval or advise us of adoption of a model. This meant, for instance, that all parish councils and parish meetings, of which there are around 10,000, virtually all of which have adopted a model scheme, were required to notify us that they had adopted the model and that we had to record that fact. In the case of parish councils and others, for instance GP practices, dentists and community pharmacists, this process did not even provide an indication of which authorities had failed to adopt schemes since there are no comprehensive lists of those authorities. Accordingly, in order to simplify the process for all concerned, for some of the later waves of public authorities for whom model schemes have been approved, we have publicised the existence of the model and the obligation to adopt a scheme but have not required a formal return. Once the first round of approvals has been completed, we intend to carry out a check of a representative sample of those authorities who should have adopted a model scheme to ascertain whether this "light touch" approach has been effective.

  15.  To date there appears to have been a good rate of adoption of schemes. All Wave 1 and 3 authorities have adopted schemes. Some 75% of parish councils and parish meetings have adopted schemes. One District Council has failed to submit a scheme for approval and is currently the subject of enforcement proceedings.

CASEWORK MANAGEMENT SYSTEM

  16.  The ICO, and to a large extent the Act itself, is likely to be judged by the effectiveness with which complaints about failures to comply with requests for information are dealt with.

  17.  A considerable amount of work has gone into analysing the process of complaints handling from receipt, evaluation, the issuing of decision notices through to possible appeal to the Information Tribunal. This work had primarily been directed at the specification for the ICO's casework management system due to be delivered for piloting and training in early autumn 2004. Analysis of the process will also inform staffing decisions (see STAFFING below).

  18.  The casework management system has also been designed to support enforcement work in general, including the serving of practice recommendations, and the publication schemes approval process.

POLICY DEVELOPMENT

  19.  Successful management of our likely casework will depend partly upon the availability of an effective IT system and, more importantly upon a detailed understanding of the requirements of the Act and the development of policy around the application of the exemptions in Part 2 of the Act and the public interest test. It is envisaged that the bulk of this development work will be completed by the end of July 2004, allowing a reasonable period of time for training of case officers and the further dissemination of relevant advice to public authorities (see also "PROMOTION OF THE ACT WITH PUBLIC AUTHORITIES" below).

  20.  A considerable amount of work has been done on the procedural or technical issues arising out of Part 1 of the Act. These include the issues of fees and refusal notices; consideration of the means by which information should be communicated; the identification of vexatious and repetitious requests; the development of policy around disability and other access issues; and the provisions relating to records held by the National Archives. This stream of work has been coupled with work around the s 45 and s 46 Codes of Practice and on records management issues in general. While much of this work has been inward-facing, we have also issued advice to public authorities on the life-cycle of requests for information and provided comment to both the DCA and the National Archives on possible amendments to the Codes of Practice.

  21.  The project plan divided the exemptions crudely into those where we would develop our thinking largely through internal consideration of the requirements of the Act and those where external consultation is essential. Work has been done on s 21 (Information available by other means), s 22 (Information Intended for Future Publication), s 40 (Personal Information), s 41 (Information Provided in Confidence) and s 42 (Legal Professional Privilege). Guidance has been issued on each of these exemptions (see PROMOTION OF THE ACT WITH PUBLIC AUTHORITIES below). Frequently one piece of work will lead to another and it is anticipated that later in the year we will issue some specific advice on the exemption relating to future publications as it affects academic research, and on that relating to information accessible by other means, as it affects public records offices and archives. In both cases we expect to have detailed discussions with representatives of relevant public authorities.

  22.  Work is well advanced on development of our thinking around other exemptions, in particular s 29 (the Economy), s 30 (Investigations and Proceedings), s 31 (Law Enforcement), s 32 (Court Records), s 33 (Audit Functions), s 34 (Parliamentary Privilege), s 35 (Formulation of Government Policy), s 36 (Prejudice to the Effective Conduct of Public Affairs), s 37 (Communications with Her Majesty), s 38 (Health and Safety) and s 43 (Commercial Interests). In each of these cases we have had extensive discussions with stakeholders. In all cases these have included either relevant public authorities or representative bodies, and, wherever possible, representatives of likely users of the Right to Know.

  23.  It is important, as independent regulators of the legislation, that we take our own view of the meaning of the exemptions and the circumstances in which the public interest may or may not nevertheless require disclosure. At the same time we have been more than happy to contribute to the development of guidance on the exemptions and other aspects of FOIA by others, whether representative bodies such as the Local Government Association or the Association of Chief Police Officers, or the Department for Constitutional Affairs. The latter is likely to be of particular significance for central government departments and, indeed, in a number of cases (for instance the exemptions relating to Defence and International Relations) we are effectively awaiting final draft guidance from the DCA working groups before deciding what additional work we may need to carry out ourselves.

  24.  Most of the exemptions from disclosure in FOIA are subject to a public interest override. The application of the public interest test is clearly going to be crucial to many decisions about disclosure. It is clear from contact with public authorities that there is a widely felt need for guidance in this area. Work has been commissioned from the Constitution Unit at University College London on the operation of the public interest test in other FOI jurisdictions, notably in the Republic of Ireland and in the Commonwealth or former Commonwealth countries. Its study has been published on our web site. We have also published our own general guidance.

  25.  Together these pieces of guidance give authorities a good idea of the sort of public interest factors which will favour disclosure. For example, informing public debate on significant issues, promoting transparency in decision-making, accountability for spending public money, exposing public health and safety issues. The exemptions themselves point to factors which will weigh against disclosure, hence the balancing test. Clearly the mere curiosity of a member of the public will rarely be sufficient to override genuine serious harm which would arise from disclosure.

PROMOTION OF THE ACT WITH PUBLIC AUTHORITIES

  26.  Our Introduction to the FOI Act 2000 was published in July of last year. We have published guidance for authorities on the development of publication schemes and the approvals process. We have also published advice on charging under publication schemes and on the lifecycle of a request for information.

  27.  We are publishing our guidance on exemptions on our web-site as it is developed. As indicated, we expect the bulk of our initial guidance to be completed by 31 July of this year. We have also developed a programme of high level guidance which has either already been published or is due to be published shortly. The "awareness guidance" published so far deals with:

    —  Personal information.

    —  Information received in confidence.

    —  The public interest.

    —  Legal professional privilege.

    —  Commercial interests.

    —  Information accessible by other means.

    —  Information intended for future publication.

    —  FAQs on records management.

  28.  A number of other topics for guidance have been identified, for instance advice on vexatious or repeated information requests. We also recognise that our guidance will need to be kept under continuous review as complaints give rise to decisions by ourselves and by the Information Tribunal.

  29.  The Act has also been promoted with public authorities through face to face meetings, often focussed on exemptions or groups of exemptions, and through seminars and conferences. Wherever possible we have responded positively to the many and various requests we have received to speak at such events. We have addressed audiences throughout the UK at conferences and seminars organised by the DCA, umbrella organisations such as the Local Government Association, professional associations, universities and private sector conference organisers. The demand has been constant and is now increasing further as we move towards 2005. We have addressed awareness raising seminars for several central government departments, for instance the MoD and DEFRA, and have spoken at a large number of events aimed at other authorities including local government, higher education and the NHS. The ICO's Northern Ireland office was launched at a major conference with FOI as its theme. This was attended by some 250 delegates from public authorities in Northern Ireland.

PROMOTION OF THE ACT WITH THE PUBLIC

  30.  For the most part the view has been taken that it is only sensible to attempt to promote the Act with the public once the Right to Know has been implemented. Even so far as publication schemes are concerned, it has been difficult to formulate a clear message in the context of phased implementation. However, we have now published a short information leaflet, Read All About It—A Guide to Information Available from Public Authorities. The leaflet has been distributed through libraries and Citizens Advice Bureaux.

  31.  Further leaflets dealing with individual rights and complaints to the Commissioner will be issued towards the end of the year. Our marketing department is also discussing the promotion of the Act with its counterparts at the DCA and with colleagues at the Scottish Information Commissioner's Office. A detailed FOI Communications Strategy is currently under consideration and will be published as soon as possible after its adoption.

STRATEGIC RELATIONSHIPS

  32.  Our project plan envisages the development of strategic relationships with a range of other organisations. The process of building relationships with public authorities and with bodies representing both public authorities and the public is one which has been begun through the policy development work described above and through the promotional, awareness raising activity we have been involved in.

  33.  In addition there are bodies who are either given specific roles by the Act itself or with whom it is important to have particular close working relationships. These include:

    —  The DCA: we continue to have a close relationship with the DCA both as our sponsoring department and as the lead department for FOI in central government. The Commissioner continues to co-chair (with the relevant Minister, currently Lord Filkin) the Lord Chancellor's Advisory Group on the Implementation of FOI, set up in 2001 when the implementation timetable was announced. The group comprises representatives from across the public sector, DCA and ICO representatives, and independent members, including an academic, a journalist and others with specific FOI interests. We have contributed to all but one of the DCA working groups on the exemptions, the public interest test and other matters such as the fees regulations.

    —  The National Archives/Public Records Office of Northern Ireland: There have been regular meetings between the Commissioner and the Keeper of the Public Record and more regular meetings at official level. Work on the development of formal Memoranda of Understanding is well underway. This particularly relates to our responsibilities with regard to the Code of Practice on Records Management under section 46 FOIA.

    —  The Parliamentary Commissioner for Administration: the relationship between the Ombudsman and Commissioner is particularly important as requests for information under the Open Government Code give way to requests under the Act. The Ombudsman and her staff have proved to be sources of valuable advice and experience and are likely also to be so in the future, particularly for our complaints handling staff. A formal MOU is expected to be agreed shortly.

    —  The Scottish Information Commissioner: there is a separate FOI Act and Commissioner for Scotland. Meanwhile the (UK) Commissioner continues to enforce the Data Protection Act throughout the UK. There are clearly advantages to both offices in good working relationships both so far as the interface between the DPA and FOI is concerned and insofar as each may learn from the experience and approach of the other. The development of this relationship will be facilitated by the quadripartite meetings involving the DCA, ICO, Scottish Executive and Scottish Information Commissioner. The appointment of an Assistant Information Commissioner for Scotland will also assist. Again a formal MOU is also under development.

ENFORCEMENT AND ASSESSMENTS

  34.  It remains the intention to publish basic position papers setting out an enforcement strategy and a policy regarding good practice assessments under s 47(3) of the Act in Autumn 2004.

STAFFING

  35.  Additional staff to implement the project plan were recruited in May/June 2003. A review of staffing needs in the period leading up to January 2005 was conducted in the autumn of 2003 leading to the recruitment of additional staff, principally at Cluster 5 (HEO) and Cluster 6 (SEO) level to deal both with preparations for implementation of FOI and also the Environmental Information Regulations (see under OTHER below). An organisational chart for the FOI Department from 1 May 2004 is attached.

  36.  In November 2003, we commissioned the Constitution Unit to carry out research into the likely volumes, complexity and sensitivity of casework under FOI from January 2005. This work was carried out with reference to the experience of Australia, Canada, New Zealand, the Republic of Ireland and the United States, most of which have legislation similar to that in the UK. The final results of this research, comprising both a general report and detailed findings on each jurisdiction, were delivered at the beginning of April. Together with our own analysis of the casework processes and discussions with officials at the Parliamentary Ombudsman's office, who have experience of complaints under the Open Government Code, this research will inform decisions which we must make over the course of the next few weeks as to the staffing requirement of our complaints team from January of next year. However there can be no certainty about the volumes or complexity of the complaints we will receive, so the situation will have to be kept under constant review once we are well into full implementation.

  37.  An issue which causes me considerable concern as we move forward is that, although I employ my own staff, the Information Acts require their remuneration to be approved by the Secretary of State. Although it is widely recognised that most pay scales for my office have over recent years fallen substantially behind market rates, I have not yet been able to secure approval for increases which will put right this very serious problem. I have anxieties about the implications for the whole of my office, but these are especially acute in relation to the recruitment and retention of good quality staff for the new FOI responsibilities. Discussions are continuing with the DCA, but this is such an important issue that I may wish to come back to the Committee to draw attention to the scale and detail of the problem.

OTHER

Environmental Information Regulations

  38.  Revised Environmental Information Regulations, giving force to a recent EU Directive (4/2003) and replacing 1992 Regulations, are due to be introduced at the same time as rights under the FOIA. It has been agreed between the DCA, which is responsible for FOIA, and DEFRA, which is responsible for the EIRs, that as far as possible the two should be brought together into a single access regime to be enforced by the Information Commissioner. Nevertheless, some significant differences remain: for instance, requests under the EIRs need not be made in writing and, unlike the FOIA, the EIRs have no cost ceiling for requests.

  39.  Over the course of the year we have given DEFRA comments upon the EIRs as they have been developed and upon associated guidance. Given the uncertainty as to the implementation timetable and enforcement role of the ICO, it has been difficult to resource this work on an ongoing basis. However, now that there is greater certainty, we have appointed new staff with a brief to document the differences between the FOIA and the EIRs and to begin the task of building strategic relationships with those holding and those likely to request environmental information.

Survey of public authorities

  40.  Over the summer of 2003, we carried out a survey of the preparedness of public authorities in waves 1-3 for the full implementation of the Act. Questionnaires were sent to some 200 authorities. The analysis of the responses by central government, Northern Ireland departments and principal local authorities has been published on our web site. The summary conclusions are attached. In brief, the survey suggested a good level of preparedness by central government and Northern Ireland Departments—the response from police forces suggested similarly high levels of preparedness. There appeared to be a greater appreciation of the opportunities presented by FOI among the Northern Ireland responses. So far as local government was concerned, the picture was by no means a hopeless one, although it was clear that preparations were not as advanced as in the other sectors surveyed. Local authorities were also more likely to complain about the lack of additional resources for compliance.

  41.  The survey also asked authorities about other assistance which they hoped to receive from the ICO. In the main there were appeals for detailed advice, much of which already featured in our project plans. There was also a clearly expressed demand for more sector specific guidance. As we have indicated, this is something that we hope to be able to develop as the year progresses.

INTERNATIONAL

  42.  Our work in relation to the Act and the EIRs is likely to have an important international dimension. As a new regulator, we have a good deal to learn, particularly from regulators in other common law jurisdictions. Behind the EIRs stand both the EU Directive and the Aarhus Convention. As casework builds up, we are likely to be able to better judge where disclosure might prejudice international relations or defence interests if we had a clearer idea of the sorts of information which might be available under other FOI regimes.

  43.  We have therefore set some priority upon the development of international relationships. An international conference of FOI Commissioners (or their equivalents, eg Ombudsmen) has been established. This initiative was supported by ourselves on behalf of the UK. Two international conferences have now taken place and it is expected that this will become an annual event, supplemented by a sharing of knowledge and experience through email and the internet.

  44.  In the last months we have actively participated in the 2nd International Conference of Information Commissioners in South Africa and also a British Council sponsored event in Peru for South American and Caribbean countries. We have also had meetings with our counterparts in Australia and the Republic of Ireland.

PART TWO: THE CREDIT INDUSTRY'S PROCESSING OF THIRD PARTY DATA IN THE LENDING PROCESS

THE ROLE OF THE INFORMATION COMMISSIONER

  1.  The Information Commissioner promotes and enforces the Data Protection Act 1998 ("the Act").

  2.  During the consumer lending process the credit industry[1] processes personal information within the scope of the Data Protection Act 1998 and so within the oversight of the Information Commissioner. The processing of that personal information must therefore be undertaken in compliance with the eight data protection principles. (Annex A—the eight data protection principles.) The lenders, the credit reference agencies[2] and those whose business activities have a bearing on the lending process, such as CIFAS and Registry Trust Ltd, must ensure their processing whether undertaken independently or in association with others always complies with the requirements of the Act.

  3.  The subject access provisions of the Act have been amended where individuals apply for information to credit reference agencies. So where an individual makes a request to a credit reference agency for access to his information, he is taken to have limited his request to the personal information relevant to his financial standing (referred to here as "his credit file"), unless he specifically states otherwise. Different fees and maximum response times also apply to these requests to credit reference agencies.

  4.  If an entry on a credit file is incorrect or an individual believes he is likely to suffer because the information is wrong, then under the Consumer Credit Act 1974 the individual is entitled to have that entry corrected, removed or to have a note put on his file ("a notice of correction") which explains why he thinks the information is wrong. A credit reference agency can reject an individual's notice of correction on certain grounds. If the credit reference agency does not wish to add an individual's notice of correction to his file on one of these grounds, and the agency and the individual cannot agree a notice, then the individual's notice is referred to the Information Commissioner for a ruling.

  5.  Whether he is making a credit application on paper, by telephone or over the internet, an individual applying for credit will be asked to provide information about himself and his financial commitments as required by the particular lender. As part of the decision making process the lender will usually conduct a search with a credit reference agency. The extent of that search could vary from checking the individual's identity through to checking his credit history, if the lender is a member of a closed user group. (Members of credit reference agencies' closed user groups contribute information to and extract information from the credit reference agency on the basis of reciprocity.)

  6.  The individual, when making his credit application, should be told that this search will take place and that the search will then be recorded by the credit reference agency as part of his credit file. He should also be told:

    —  whether the lender will pass to the credit reference agency details of the credit agreement and also details of his repayment history in relation to the agreement; and

    —  how this information when held by the credit reference agency will be used by others who will have access to it through their use of the credit reference agency's services.

  7.  The lender should also explain to the individual how he, the lender, will process the individual's personal information provided in the application and also that generated during the course of the agreement.

  8.  These explanations (known as "fair processing notifications") are required to comply with one element of the fair processing requirement of the first data protection principle. In general terms this requires that the individual whose personal information is being processed should be provided with certain information about the purposes of the processing and the person undertaking that processing, as well as any other information necessary to make the processing in that particular circumstance fair. Fair processing notifications within the credit industry are for the most part lengthy and often very complex. There is anecdotal evidence to suggest that these notices are often not read by the credit applicant at the time of the application.

  9.  The extent to which individuals understand the nature and extent of the processing of personal information that underpins the consumer lending process will vary across the adult population. Our experience is that relatively few of those raising concerns with us about this area of processing really understand what is involved before experiencing a problem with credit, despite the very full fair processing notifications provided to them on credit application forms. We produce a leaflet entitled No Credit which explains how credit reference agencies operate, how they report information about individuals and what individuals can do when mistakes occur.

  10.  Complaints to the Information Commissioner about the credit industry include complaints about the processing of third party data. In the context of this paper "third party data" refers to information about anyone other than the individual applicant for credit. Individuals are sometimes shocked or horrified, and are frequently also very angry, to discover that information provided to them in their credit file contains information about others living in their home as part of their family household. They ask how this can be fair. They comment about intrusions on their privacy. They ask how this practice can be consistent with data protection legislation.

THE CURRENT SITUATION

  11.  From 1 August 1993 credit reference agencies' processing of personal information in the credit process, including the processing of third party data, has reflected the provisions set out in a ruling from the Data Protection Tribunal.

  12.  Broadly this ruling permits the extraction of information from credit reference agency records not only about the credit applicant but also about those living at the same address at the same time with the same surname or in the same household as the applicant. There are some qualifications. For example, the address must be the current or the previous address and those whose surnames are different from the individual applicant must either be the applicant himself or a person who is known, from information already with the credit reference agency, to be living as a member of the applicant's household.

  13.  Processing, in the context of a credit application, information about others who may not have or who do not have a financial link with the credit applicant raises real issues about the fairness of the processing. This is the data protection point at the heart of the debate about the credit industry's use of third party data; the first data protection principle requires personal data to be processed fairly (as well as lawfully). How can the processing be fair, and so compliant with the first data protection principle, if there is no financial connection between the applicant and the others whose details appear on their credit file?

  14.  There is a real practical concern that also arises from the processing of third party information. To what extent might adverse information about others without financial connections with the applicant, and which the applicant might be unaware of, influence the decision about the applicant's credit application?

  15.  The current use of third party data in the lending process also raises privacy concerns. An individual who requests a copy of his credit file is entitled to all the information relevant to his financial standing. In practice this means he should see anything on his credit file which any lender could see when deciding whether to provide credit. So he will see information relating to others at his address, including details of their credit history, if that is what a lender could see. Conversely if those others were to make an application for their credit file they will see his information.

  16.  By way of example consider a family of two parents and two adult children living at home, both of whom are financially independent. If the mother applied for her credit file she would see not only the credit history information held about her but also about her husband and, even though there was no financial connection between her and her two children, her children. If her son in his turn applied for his credit file he would see his credit history information and, even though he had no financial connection with them, his mother's, his father's and his sister's credit history information.

  17.  These concerns can be addressed practically by an individual "disassociating" himself from those at his address with whom he does not have a financial link but the onus to do this rests with the individual, who may not be aware of this provision.

DISASSOCIATION: BREAKING THE LINK WHERE THERE IS NO FINANCIAL CONNECTION

  18.  If there is no financial connection between those living together at the same address whose information appears on a credit file together, a disassociation can be requested. If the agency is satisfied that no financial connection exists, it will take action to separate ("disassociate") information about these individuals. This means that when credit is applied for the information about other individuals from whom the applicant has been disassociated should not be disclosed to a lender. What follows from this is that individuals would not then see the records of those from whom they have been disassociated when requesting their credit file.

  19.  In the example provided above of the family of four with an adult daughter and an adult son who had no financial connections with their parents (or each other) the son and daughter could disassociate themselves from their parents and their sibling. This would mean when the son applied for his credit file he would only see his own credit history and not that of his mother, father and sister. When the mother applied for her credit file she would only see her own credit history and that of her husband, not those of her adult children.

THE DATA PROTECTION TRIBUNAL NOTICES: THE BASIS FOR THE CURRENT SITUATION

How did the Data Protection Tribunal ruling on which the current processing of third party data is based come about?

  20.  The third party data processing issue has a history as long as this office's.

  21.  In August 1990 the (then) Data Protection Registrar, Eric Howe, took enforcement action against the four main consumer credit reference agencies then operating. This action was set in the context of the use of third party data within the closed user groups.

  22.  At that time extraction of information from the credit reference agencies' databases was on the basis of address, including previous addresses. This meant that the information available to the lender was potentially wider than under the present system. The information then available could include information about those who had moved into a former home of the credit applicant. In some cases the processing could also include information relating to those with similar names or similar addresses. So in particular cases the processing involved in the consumer lending process could include the processing of total strangers' personal information.

  23.  At that time the Data Protection Act 1984 ("the 1984 Act") was in force. Although the data protection regime then differed from the one now in place the 1984 Act's first data protection principle also required personal data to be "processed fairly and lawfully". There were therefore similar concerns expressed in the late 1980s about the fairness of the processing and the privacy implications of that third party data processing as have been described above about the present system.

  24.  The Data Protection Registrar's enforcement action was preceded by lengthy and detailed discussions about the supply and use of credit reference agency information within the credit industry in the years leading up to 1990. During these discussions the credit industry did propose making some changes to their practices, which the Registrar recognised were valuable but which he did not consider went far enough. Although further discussions took place, these failed to resolve the issue and so enforcement action was taken. The Registrar's enforcement notices required the credit reference agencies to ensure that from 31 July 1991 only personal data relating to the financial status of the individual applying for credit should be extracted by the credit reference agencies.

  25.  The credit reference agencies appealed against those notices to the (then) Data Protection Tribunal. The appeal hearings took place in 1991. The credit reference agencies' case included the predictive value of third party information. In general terms the Tribunal's decisions endorsed the Registrar's views on the approach to the law and found that it was unfair to process personal data as the agencies did. However the Tribunal considered that a distinction should be made between different types of third party information, in particular information which might be about a member of an applicant's family as compared with information which appeared to be about an unconnected stranger. The final Notices which followed from the Tribunal set out what, if any, third party information could be provided by the credit reference agencies with effect from 1 August 1993. Although the (then) Data Protection Registrar was unhappy with the ruling, an appeal would only have been possible on a point of law and there were no points of law on which to base an appeal at that time.

  26.  So it is that the 1992 Tribunal notices established, and continue to provide, the basis for the present processing of third party data by credit reference agencies.

FROM THE TRIBUNAL NOTICES TO THE PRESENT

  27.  That was 1992; this is 2004. Times, circumstances and expectations change.

  28.  Concerns about the processing of third party data continued to be expressed and complaints continued to be made to this office. In her 1996 Annual Report the (then) Data Protection Registrar, Elizabeth France, referred to the continuing concerns about the nature of the credit industry's processing, despite the fact that this was based on the Tribunal's decision. She then suggested that the credit industry might usefully consider rethinking its position.

  29.  By this time it was clear that new data protection legislation would be required to implement the EU Data Protection Directive 95/46/EC ("the Directive") and that this would involve some changes in the processing of personal data. Moreover, the first objective of the Directive addressed the privacy of the individual's personal data. Article 1(1) of the Directive states:

    "In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data."

  30.  So what in particular prompted the credit industry to consider changing its use of third party data? The industry practices would require reviewing in the light of the forthcoming data protection regime and in particular the first data protection principle's amended fair obtaining and fair processing requirements. The Registrar made it known that in her opinion these practices did not reflect those of the rest of Europe. Nor did these practices reflect the public's expectations of privacy.

  31.  Initial discussions were held between the credit industry and the (then) Data Protection Registrar in the summer of 1999. A working party was established by the credit industry consisting of representatives of: the British Bankers Association; the Consumer Credit Trade Association; the Council of Mortgage Lenders; the Finance and Leasing Association; and the Mail Order Traders Association. The credit reference agencies Equifax and Experian were also represented. The credit industry researched the use of third party data within the industry and then put forward to the (now) Data Protection Commissioner proposals for their use of third party data in the future.

  32.  In November 2000 the Data Protection Commissioner publicly welcomed the credit industry proposals in a joint press release with the industry saying "Key to the proposals is the respect for individual privacy. I am very pleased at the Working Party's constructive approach to the matter and I am grateful that they have kept my office appraised in the development of these proposals". At the same time, the Chairman of the Working Party George Wilkinson explained that "The Working Party had wanted to provide the Commissioner with a solution to her concerns that also enabled the industry to extend credit without undue risk to the consumer or the lender." In addition the Working Party had "wanted to ensure that there was not a risk of some sectors of the consumer marketplace being excluded altogether from access to credit." He explained that the proposals therefore looked at where third party information would assist an individual to be able to obtain credit.[3]

THE INDUSTRY'S PROPOSALS FOR THE FUTURE

  33.  The proposals for processing third party data put forward by the industry in late 2000 included the following elements.

    —  There would no longer be an assumption that there was a financial connection between individuals simply on the basis of a shared surname and address. There would no longer be an automatic assumption that parents and children were financially connected.

    —  When customers requested a copy of their credit file, the process would be amended so that an individual would only see their own credit data and not that of any financially connected third party. However the identity of those who had been shown to be financially connected would be evident.

    —  Individuals would be able to opt out of the automatic use of their financial partner's data enabling them, on occasion, to be assessed in their own right. An "Alert" process using household data would be created, providing lenders with the ability to detect possible fraud and over-commitment within a financially connected unit.

  34.  Alongside these proposals there were proposals for improving data quality across the credit industry. The new arrangements relating to data quality were to be brought into effect across the credit industry by 24 October 2001. This was the date on which the first transitional period for implementation of the Data Protection Act 1998 came to an end, in effect extending the new directive-based data protection regime to include existing processing of personal data that had been subject to the 1984 Act.

SETTING A DATE FOR IMPLEMENTATION: 31 OCTOBER 2004

  35.  From the outset it was clear that turning the credit industry's proposals for processing third party data into detailed and practical working systems would require extensive changes to existing computer systems and associated systems across the credit industry.

  36.  Although the Information Commissioner wished to see the early introduction of these proposals she recognised it would be unrealistic to expect this given the extent of the system changes required and the numbers of organisations involved. Allowing a realistic time scale to make the changes was consistent with the Data Protection Tribunal's approach when it had allowed the credit industry a period of time to introduce the new systems required to implement its decision. So a firm date for implementation was not set as the industry started to convert the proposals into practical working systems. However it was made clear that by 24 October 2001 those affected by the forthcoming changes were expected to have concrete plans for implementing the proposals in place. The Information Commissioner also made clear that in the period to implementation, she would consider taking action in appropriate cases if it was clear that the company was failing to take the necessary steps to implement the industry's proposals.

  37.  Since then the Information Commissioner has monitored the industry's progress towards implementation, concentrating first on the credit reference agencies' preparations and then, once the agencies had their amended systems in place, on the lenders' preparations.

  38.  In April 2003 with implementation of the proposals still to be realised, the Information Commissioner, Richard Thomas, asked the industry to provide him with a realistic but firm date by which the third party data proposals would be in place across the industry. The Commissioner also made clear that he expected that date to be before the end of 2004.[4]

  39.  A round of consultations followed with those trade associations and credit reference agencies represented on the Working Party which drew up the third party proposals. In December 2003 the Information Commissioner met a newly formed Working Party whose membership reflected that of the original Working Party. The announcement that the credit industry had confirmed to the Information Commissioner that the vast majority of lenders would have implemented the proposals by the end of October 2004 was made in April 2004.[5] The Information Commissioner has made clear that he will have "little sympathy for any stragglers".

  40.  The Information Commissioner believes that the end is now in sight for the use of unrelated third party data in the consumer lending process.

MONITORING, REVIEWING AND ASSESSING IMPLEMENTATION

  41.  For the six months remaining to the industry's own deadline for implementation the Information Commissioner will continue to monitor progress. He will also continue discussions with the credit industry Working Party but these discussions will now focus on the need to agree arrangements for monitoring and reviewing the way the new systems are working, once they are in place.

REFINING THE FOCUS: FROM THE STRANGER TO THE APPLICANT

  42.  When data protection legislation was first introduced in the mid-1980s the boundary around those third parties whose data could be processed in the credit lending process was widely drawn. When the Data Protection Registrar took enforcement action against the credit reference agencies for their use of such third party data in 1990 the solution he sought to impose was that only information relating to the applicant for credit should be processed in the credit lending process.

  43.  The Tribunal decision re-drew the boundary around third party data drawing it closer to the individual. The Tribunal's decision moved the processing of third party data some way in the direction of the preferred position identified by the Registrar.

  44.  The proposals now being implemented should bring the boundary around third party data even closer to the individual, so going even further in the direction of the Registrar's preferred position.

  45.  Whether increased expectations of privacy in the coming years will lead to pressure for the boundary finally to encircle the individual alone will depend in part on the way the new proposals are implemented and judged.

Richard Thomas

Information Commissioner

23 April 2004

Annex A

DATA PROTECTION ACT 1998, SCHEDULE 1, PART 1

THE PRINCIPLES

  1.  Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—

    (a)  at least one of the conditions in Schedule 2 is met; and

    (b)  in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

  2.  Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

  3.  Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

  4.  Personal data shall be accurate and, where necessary, kept up to date.

  5.  Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

  6.  Personal data shall be processed in accordance with the rights of data subjects under this Act.

  7.  Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  8.  Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.





1   Throughout references to the credit industry are to the consumer credit industry

2   The three main consumer credit reference agencies currently operating are: Callcredit, Equifax, and Experian

3   Press release 28 April 2003

4   Press release 28 April 2003

5   Press release 19 April 2004


 

© Parliamentary copyright 2004
Prepared 28 June 2004