Select Committee on Constitutional Affairs Written Evidence


Evidence submitted by The British Bankers' Association

  The British Bankers' Association (BBA) is pleased to provide evidence to the Constitutional Affairs Committee in advance of the hearing on May 14 with Richard Thomas, the Information Commissioner. With over 240 member banks from over 60 countries, the BBA is the authoritative voice of the banking industry in the UK, representing members' interests in both wholesale and retail markets. BBA members have a particular interest in data protection and management of credit references, with two active advisory panels. Our representations take on board comments that we have received from the London Investment Banking Association.

APPROACH OF THE COMMISSIONER

  Our members believe the approach of the Information Commissioner to enforcement of the legislation is proportionate. Clear leadership is shown and this is very helpful to data controllers who are striving to make sensible judgements as to how to apply the Data Protection Act principles, in a particular set of circumstances. We understand that when the Commissioner does insist on action, he has good grounds and is being reasonable. Such action is effective in ensuring compliance.

RESPONSE TO ENQUIRIES FROM DATA CONTROLLERS AND INDIVIDUAL MEMBERS OF THE PUBLIC

  The quality of section 42 assessments (ie responses to individuals' requests about whether data has been processed in accordance with the legislation) is somewhat variable. We feel that the compliance officers at the Information Commissioner's Office (ICO) have, perhaps, too little knowledge or experience at times to understand fully or challenge what the individual tells them. The result can be that they do not always show the Commissioner's sense of proportion when dealing with cases.

  The quality of guidance often lacks the detail required to be of great use to data controllers. Several of our members have suggested that ICO compliance officers give conflicting advice on occasions and this is probably an indication that increased training is necessary. It is more of a problem for smaller companies that do not have in-house lawyers and cannot afford the cost of independent legal advice.

  Several of our members have commented that there are long delays when requests are made to the ICO for advice and guidance. The process tends to be very slow and the quality of the guidance often lacks the detail that is needed by data controllers. In turn, this can mean that data controllers make decisions in good faith which could result in an assessment of non-compliance at a later stage. Advice is sought at an early stage through a desire to be compliant, particularly where a high investment in technology and systems is required.

  These difficulties are probably exacerbated by a high turnover in the more experienced compliance officer staff. We would support any ICO proposals to re-evaluate compliance officers' jobs and create a career structure which would inspire staff. It ought to be possible to attract candidates from the ranks of data protection compliance practitioners but at the moment the flow of staff seems to be one way (out of the ICO). Salary differentials are clearly a contributory factor.

QUALITY OF CODES OF PRACTICE

  We welcome new Codes of Practice, for example in the area of telecommunications and employment practices. Unfortunately the complex nature of the subject matter tends towards wordy documents that are not always easy to assimilate. Our members believe that a number of the earlier codes have remained unchanged since the 1984 Data Protection Act and need updating. We would particularly mention the Guidance on Credit Referencing (November 1995) and the Guidance Notes—Defaults (January 1998) where updates are urgently required. The amended legal guidance and the amended CCTV guidance following the landmark Durant v FSA judgement in the Court of Appeal were very clear. The rapid response, accepting the court's decision, was appreciated by our members; we believe that the Information Commissioner should be commended.

THIRD PARTY DATA

  We would refer to the ICO's recent press release, setting a deadline on changes relating to use of third party data in lending decisions involving individuals. The BBA and other parts of the credit industry have been working closely with the credit reference agencies and the Commissioner. We fully expect that our members will meet the deadline for compliance (30 October 2004).

IMPLEMENTATION OF THE EUROPEAN DIRECTIVE

  Information about customers—and potential customers—and employees will be "personal data" as defined in the 1998 Data Protection Act. Clearly, such information should not be abused but its appropriate use is fundamental to successful business. There is a balance that has to be recognised, between a business's legitimate use of the personal data that it holds and individuals' right to privacy. The underlying EU Directive recognises this: it states that Member States can modify the various requirements that it specifies if this is necessary to safeguard "the rights and freedoms of others". Reflecting the Directive, the 1998 Act sets out the obligations of data controllers in general terms, and the ICO is adopting an approach to implementation which focuses on areas where there is a serious risk of personal data being abused. This risk-based approach is welcomed by firms, but there is a concern that some of the structures introduced by the Directive may undermine the pragmatic approach which the ICO wishes to adopt.

  Our key concern is about an EC Working Party "on the protection of individuals with regard to the processing of personal data" which has been established under Article 29 of the Directive. This working party has an "advisory status", but in practice the conclusions it reaches seem to be regarded as authoritative by the EU's data protection authorities. Decisions of this working party are taken by a "simple majority of the representatives of the supervisory authorities"[6] so the more commercially sensitive regulators can find that they are outvoted. This is serious in itself, but the problem is significantly exacerbated by the working party's failure—albeit subject to some limited exceptions—to consult openly upon the work which it has in hand. The Information Commissioner's views on the working party would be of interest.

  We believe that the degree to which the ICO should feel that it is able to choose not to adhere to the Article 29 Working Party's views on particular issues is potentially fundamental to whether or not the UK is able to maintain a pragmatic data protection regime.

  We would also comment on the diverse way in which the EU Data Protection directive has been implemented in different countries, making it extremely difficult for multi-nationals to introduce group policy that ensures compliance in all EU jurisdictions. Currently companies are obliged to ensure that the DP implications are checked locally in every country to ensure that the different regimes are being adhered to. This can be extremely costly and time consuming from a legal and compliance perspective. We would recommend that the government should back the IC at EU level in his attempt to get agreement from the various jurisdictions in a way that avoids superfluous, overlapping burdens on UK companies.

LOOKING FORWARD

  Regular dialogue between the ICO and industry groups representing data controllers is vital if there is to be consistent and practical application of legislation. Apart from specific subject meetings, the Commissioner has given clear messages at industry seminars and supported industry guidance notes. We welcome the contact between the Commissioner and the BBA and hope that this will be sustained.

British Bankers' Association

29 April 2004





[6] This should be compared with the other Committee established under the Directive, the Article 31 Committee, which represents Government departments within the Member States rather than the data protection regulators, and proceeds on the basis of qualified majority voting.


 

© Parliamentary copyright 2004
Prepared 28 June 2004