House of COMMONS
MINUTES OF EVIDENCE
CONSTITUTIONAL AFFAIRS COMMITTEE
Tuesday 11 May 2004
RICHARD THOMAS, GRAHAM SMITH and ANNE HINDE
USE OF THE TRANSCRIPT
Taken before the Constitutional Affairs Committee
on Tuesday 11 May 2004
Mr A.J. Beith, in the Chair
Mrs Ann Cryer
Mr Jim Cunningham
Mr Clive Soley
Dr Alan Whitehead
Witnesses: Richard Thomas, Information Commissioner, Graham Smith, Deputy Commissioner, and Anne Hinde, Assistant Commissioner, examined.
Q1 Chairman: Good morning, Mr Thomas, Ms Hinde and Mr Smith. We are very glad to see you. Normally, we would begin by declaring interests but I do not think we have any except as Members of Parliament, which may emerge at one point in the questions. Perhaps you would like to introduce your colleagues and we are very grateful to the three of you for coming to assist us today.
Mr Thomas: Thank you very much, Chairman; we very much welcome the invitation to be with you this morning. I think this is an important aspect of my accountability as Commissioner. I hope this will become a regular event. I have been the Commissioner now for just under 18 months. If I may introduce my two colleagues. Graham Smith on my left is one of my two Deputy Commissioners and Graham leads on freedom of information responsibilities with some residual data protection functions. Anne Hinde on my right is one of my Assistant Commissioners and Anne is responsible for one of two teams in the data protection area dealing with the private sector but focusing in particular on financial services. We have provided the Committee with two written submissions in response to your request. I have also sent to the Committee members the corporate plan which we published about a month ago which sets out our direction over the next three or four years as I thought it would be helpful for you to see that in advance of this morning's hearing. We are very happy to take any questions on any subject relating to our work.
Q2 Chairman: The material was very helpful. Perhaps I could just begin by asking if, in general terms, you think you have sufficient powers to enforce both sides of your responsibility, data protection and freedom of information.
Mr Thomas: If you look at our corporate plan, at the back of it in annex four is the statement of the Commissioner's functions and these are divided into the duties and the powers under both the Data Protection Act and the Freedom of Information Act and altogether there are over 30 separate functions buried away in the statutes and indeed one or two other regulations such as the Privacy and Electronic Communications Regulations. So, we have a large number of powers and this document was an attempt to bring order to those powers and to articulate precisely what our functions are. In broad terms, under both data protection and freedom of information, we are educator and promoter of the legislation, we are a remedy provider and we are an enforcer and those three separate headings are articulated at greater length in this plan and I think that, for the most part - and one could always quibble with some of the detail - there is a reasonably clear pattern of responsibilities set out in the legislation and I think it is clear that the functions I have vis-à-vis both data protection and freedom of information are going to be strong enough to achieve that which Parliament intended. It is not for me to say what the power should be, but I am reasonably competent that we can make a good fist. We have been doing data protection for 18 years as an organisation. Freedom of information will start properly in January 2005 when the requests for information go live but we are already doing the so-called publication scheme regime under freedom of information and, as I said earlier, I think that we do have broadly sufficient powers.
Q3 Chairman: One of the things you cannot do is award compensation. So, let us take the hypothetical case of somebody whom you discover from investigating the matter was wrongly denied information which, had he had it at the time, would have made a material difference perhaps to his attempts to oppose a decision detrimental to him or maybe to achieve some medical treatment which, had the information been available, he would have been able to secure and the window has closed, the time has past, in which that wrong can be righted. You cannot award compensation. Can that go anywhere else for compensation? Can it go to the Ombudsman as a proven case of mal-administration or is that route blocked as well?
Mr Thomas: You are quite right that we cannot award compensation as such in data protection cases. Our powers are broadly limited to what are called an assessment as to whether or not there has been compliance with data protection requirements. Where we believe that people may have some sort of claim to compensation, we do direct them to the courts because the courts do have the power to award compensation but I have to accept that it is very rare indeed for individuals to go through all the palaver of going through the regular court system in order to obtain compensation. Perhaps if your name is Naomi Campbell or Catherine Zeta-Jones, you might go all the way to obtain compensation under data protection or related law but, for the ordinary individual, I think that going to court is extremely difficult. We have started trying, wherever possible, to send people to the various alternative dispute resolution schemes such as the Financial Ombudsman Service. You mentioned the Parliamentary Ombudsman. I do not think there are many cases we send to her but there are various schemes where we could in principle refer people to seek compensation. Any ruling that we make would not be binding on such an organisation but I think it would be quite influential. The question as to whether we should have the power to award compensation, which was your initial point, I think is a difficult one. We have no settled view on that. As a broad principle, I think to confuse the role of regulator and redress provider, it can be a difficult way forward. I think that, by and large, an independent body such as mine either has to be a regulator or it has to be a provider of redress. It is unusual to combine both functions inside the same organisation but I do not rule that out. One option which we are giving thought to but have not yet reached any sort of settled position on is that either we might have some sort of power to award compensation on an alternative dispute resolution basis or the power to set up at arm's length some organisation which could have that power, but I think we are a long way short of forming any settled policy at the moment.
Q4 Chairman: So, you are actively exploring the issue?
Mr Thomas: We are giving some thought to it, yes.
Q5 Mrs Cryer: I understand that you have said, "It is ridiculous that organisations should hide behind data protection as a smokescreen for practices which no reasonable person would find acceptable" and what springs to my mind is the case of those two elderly people who died from hypothermia because their power had been removed and Social Services had not been informed and nothing was done to help them. Therefore, is the legislation about data protection sufficiently clear?
Mr Thomas: You have raised many questions there and I would like to begin by putting my own quotation in context. That actually was what I said on 14 January of this year when I put out a press release under the heading of helping organisations get it right, get data protection right. This followed a very stormy period for my office which started with the Soham murders and the guilty verdict there - and I would like to say a little more about that in a moment - and, about a week later, an official at British Gas told an inquest into the death of these two elderly pensioners that it was "data protection" which prevented British Gas from passing information about their circumstances to Social Services. What was not picked up was that two days later on Christmas Eve, British Gas put out a press release retracting that position and making it clear that in fact they could, if they had known of the obvious vulnerability of people in those circumstances, have passed the information to Social Services. I think the truth is that they did not realise that these people were vulnerable; they were disconnected back in the summer and, at that time, there was no indication at all that they were vulnerable, so it was an entirely hypothetical situation. This was followed by, at this time, a great deal of what I would call negative press coverage of data protection and I felt that I really had to come out with a counterblast and I wanted to make it absolutely clear that people, in my view, were inappropriately using data protection as a cover for their own operational failures. I do not think I should say too much about the Soham murders because that is the subject matter of the Bichard Inquiry which is sitting at the moment. Sir Michael Bichard's report will be coming out later this summer. I have put in written submissions to that inquiry. I was asked to give oral evidence during March. With your permission, I would like to just read out one extract from the transcript of that inquiry. This was put to me by James Eadie QC, who was counsel to the inquiry, Sir Michael's counsel, and he said to me during the course of that inquiry, "I am not going to ask you any questions about the deletion of the information concerning Ian Huntley by Humberside. I know that is the subject to which you have devoted a considerable amount of effort and energy in your statement but I am not going to do that for the obvious reason that Humberside Police and the Chief Constable in particular have accepted now that deletion really had nothing whatever to do with data protection legislation or any advice from your office." That was a point put to me by the counsel to the inquiry. Obviously, we await Sir Michael's formal report in due course. To respond to your general question, yes, I am concerned that organisations, not just in those two cases but in other situations, have sometimes used data protection to hide behind. It is too easy an excuse to hide and I have made it my business to go out and challenge that when that is happening, but I am determined to get across the message that the data protection principles are very much matters of commonsense, they are values which are very important to individuals in society and I want people to focus on those principles and to make sure that they do not use some of the bureaucracy of data protection as an excuse.
Q6 Mrs Cryer: You are quite satisfied that the legislation about data protection is sufficiently clear as it stands?
Mr Thomas: No, I am not saying that. If I had a free hand, I think one may want to see legislation drafted more clearly, but there is a European Directive and the 1998 Act to a large extent follows the pattern and the content of that directive and I do not think it is a realistic option to come to Parliament and say, "Please do the same thing all over again in more clear language." That is why I would like to see it clearer but it is not a realistic option, but I do accept that the consequence of what I am saying is that I have to put a great deal more emphasis on putting out guidance in plain language spelling out as clearly as possible what are the responsibilities of data controllers under data protection law and what are the benefits for individuals.
Q7 Chairman: You have become a little like in Europe, have you not? If somebody wants to blame someone for something, it comes readily to mind and data protection has been thrown out just as readily. Do you think there is some way in which you can give special emphasis to the circumstances in which the invoking of data protection is really inimical to protecting the public, protecting vulnerable people and any number of things where the sort of dangerous situations we have seen have arisen? It seems to me that there are some areas where it is particularly dangerous, that people either take refuge after the event in data protection in arguing the data protection law or have their practice wrongly influenced by mistaken assumptions about what the law requires of them.
Mr Thomas: I would very much agree with you. I think that we have to take data protection responsibly. One of the themes of my term of office so far has been to try and get across to organisations, private and public sector, that data protection is, as much as anything else, a matter of enlightened self-interest. Which organisation wants to have information that is out of date on their customers, their suppliers or their employees? More seriously, where mistakes are made about individuals, where there is a mistaken identity. We have cases of people being wrongly arrested, being held against their will in particular circumstances, and perhaps the most obvious case took place outside this country recently where a man was held in South Africa for two weeks in prison because the FBI thought they had got their man and it was a case of mistaken identity. That is totally outrageous. At the same time, I recognise and I push this theme of the detriment of individuals. Some detriments are more serious than others. I can give you examples of a couple of more serious ones. Let us take another example in the middle of the range, if you like: intrusive telephone calls which people do not want to receive with marketing messages. That is a middle of the range. At the lower end of the range: getting a mail shot which you should not have got where it can go straight into the bin is perhaps at the more minor end of the scale. So, I have to try and make sure that my resources and my efforts are focused in areas of greatest detriment and, as you quite rightly say, Chairman, there are a number of areas where, if people get it wrong with data protection, very serious consequences can happen, sometimes threatening liberty and on other occasions threatening people's careers or causing financial loss.
Q8 Ross Cranston: To what extent can you try to overcome this apprehension by codes or guidance? I think every MP would have a story where data protection has been invoked. My recent story is that of two constituents with elderly parents. They are trying to sort out their pension credit problem and they are told, "We cannot talk to you about your parents. We have to talk to the parents." Of course, one is profoundly deaf and the other one is not in full control of their faculties. It means that the data protection has a bad image, as it were.
Mr Thomas: I fully accept what you are saying in that sense. Yes, one can have difficult situations such as you have described and we have many brought to our attention. I think it has to be recognised straightaway that data protection is not easy. One may have a situation where you would say that, with elderly parents, of course people should be told all about their financial details and their health details, but how do you draw the line between the elderly people who cannot look after themselves and those of us in this room who would be perhaps outraged if the same organisations were to share our health details or our financial details with anybody without absolutely clear authority? So, what we say in a situation such as you have postulated is that, if there is a clear authority for the children of the elderly parents or someone with authority and that can be arranged, there is no problem. I think what you are doing is highlighting the difficulty of drawing the line under data protection.
Q9 Ross Cranston: To what extent can you issue guidance to agencies?
Mr Thomas: That is a more general point. We have 80 pieces of guidance out at the moment on data protection but I do recognise that we need to do a great deal more. The corporate plan which I put forward which follows a very comprehensive strategic view of the organisation has concluded that we are doing rather too much on dealing with case work where we cannot do a huge amount because we are not in the business of providing compensation or redress, but we are perhaps not doing enough to put out crystal-clear guidance as to what can be done in particular situations. You mentioned codes of practice. I would like to refer, if I may, to the code of practice on employment. The impact on data protection in the employment field is very significant. Ten years ago, people thought, personnel work and human resources - data protection has no connection. Now universally, personnel departments/human resource departments recognise how much the data protection legislation impacts upon the workplace. We produced four parts of a code of practice. I think it is fair to say that, with the third part dealing with surveillance in the workplace, which is looking at the e-mails of staff or looking at internet usage and so on, our draft guidance was quite controversial; it was rather wordy and it was rather convoluted. I think you are aware of my commitment to plain language and the like and I took a grip on that and said that we had to rewrite that in a much shorter form. What I decided to do there was actually to target the code, no longer saying "one size fits all" dealing with the largest employers the National Health Service, the Government and the massive private sector organisation, right down to the one or two-man small business. So, I wanted to target that code in three parts: a core code reduced to just 22 pages; a more lengthy elaboration for larger, more sophisticated organisations; and then a very, very short five or six-page guide for the small business community. I am pleased that that was well received. The press were appreciative of that with some positive editorials and I think we got rid of some of the negative guidance that we had received.
Q10 Ross Cranston: That may be something for the pension agency but, Richard, I will have to hit you over the head a little more because we had a submission from Experian, the credit reference agency, and I do not know whether you saw it.
Mr Thomas: I did see it last week.
Q11 Ross Cranston: They refer to the legal guidance and say that there is scope within the legislation for this approach, in other words an approach which is more practical, and that this requires a change of approach from the Commission staff who, in their experience, do not yet accept this interpretive remit. I should say, in fairness to you, that the BBA, the British Bank Association, was much more satisfied with your approach in the submission that we received, but there is criticism from important institutions out there who are saying that you are taking a literal approach to the legislation rather than the practical approach which you are saying you tried to impose on the agency.
Mr Thomas: I saw the Experian paper. I think that perhaps they have their own commercial agency and I recognise that. If I came along here and said how cosy and close I was to the agencies, I am sure you would be equally critical of me for being too close. You have to keep your distance as a regulator. They made a number of points and one or two points have some validity but other points I do not accept. I think that they have not actually provided a chapter and verse of what precisely they had in mind with the suggestion that we were not as helpful as we could be. Being major organisations, they have their own legal advice and they have their own data protection staff. We have a regular relationship with them. They have not put these points directly to me, ie I think they have a particular issue about the use of default information which I will come on to perhaps in a moment, but ---
Q12 Ross Cranston: What about this point that you are not taking account for the public interest but you are simply adopting a literal approach? Would you reject that?
Mr Thomas: I would reject that. We have to apply the law. I cannot put myself in the place of Parliament and think that I can do a better job than Parliament and that I can rewrite the law. Therefore, I and my staff have to make sure that they behave in accordance with the law. One perhaps may speculate that credit reference bureaux might like to have as much information on as many people as possible for as long as possible, but that is not what is acceptable under the data protection legislation; I think they have long since accepted that and they understand that there have to be constraints in what they can do. However, there will always be to-ing and fro-ing around the edges as to precisely what they can do and, on occasions, they may feel that we are being unduly pedantic or unduly literal, but this is not the subject matter of a regular exchange between us.
Q13 Ross Cranston: Maybe you could do a note if you want to refute any particular points in the memorandum that they gave us. I must move you on because other colleagues have questions. Can I ask you about a completely separate issue which is the movement of data processing offshore and the risks of that and the outsourcing. We all read about this every day and there have been issues raised about the security of data as a result of that. Can we have your views on this. Is there a leakage of data? Are there security concerns?
Mr Thomas: This is a matter where perhaps you may need an even fuller note from me because it is not a straightforward matter. Just for the benefit of the Committee, one of the principles of the European Directive and of our 1988 Act is that information should not be sent outside the European economic area unless certain requirements are met. It is important to make clear that the Act and the directive do not prohibit the export of personal data, they regulate it. I think that is an important distinction. For example, if there is consent on the part of the individual, then that is a gateway to sending information outside if there is adequacy in the country or the territory to which the personal information is being sent, adequacy in terms of broad equivalence to the European regime.
Q14 Ross Cranston: Could I just ask a supplementary question before you answer the main question: are the legislation powers sufficient in your view?
Mr Thomas: It depends on your objectives. We have to ensure that personal data which is sent out to outside the European Union meets the requirement of the directive. When we get the complaints coming in, we do not have any chapter and verse evidence that the rules are being broken. Any evidence brought to our attention, we would investigate, but I would not, frankly, want the sort of powers which some of my European counterparts have which require every export of personal data to be authorised in advance by the Regulator before it is sent outside the European Union area. Frankly, we are very sceptical whether that happens in practice. With the global age of internet where electronic transfers are taking place in very, very large volumes every moment, personal data and other information in constant flux around the world, I do not think prior authorisation is a route which makes any sense at all, but we are making progress to improve the approach. One approach which I am very keen on, alongside my Dutch, Scandinavian and German colleagues, is what is called binding corporate rules. In other words, an organisation which is involved in the business of sending information around the world on a global basis should have a global code of practice or a global set of rules guaranteeing equivalence within the organisation for any export of personal data.
Q15 Ross Cranston: How close are you to achieving that?
Mr Thomas: We have had some workshops and we have talked to quite a large number of large organisations; we are making progress but we are not there yet and we still have some work to do.
Q16 Chairman: Have you sent anybody to India to look at the arrangements in place? Would that be part of your job? Would you consult with other agencies to find out what they know about the way in which data is safeguarded?
Mr Thomas: The answer is, no, we have not sent anyone to India. We do have some information, not with me this morning I am afraid, about the regime in India. There are proposals for data protection laws but they have not been enacted yet, but no organisation is relying upon the legal framework inside India. They are saying that either they have the consent of the individual or they have contracts in place with their organisations in India ---
Q17 Chairman: The first argument cannot work because banks do not get the consent of all their customers.
Mr Thomas: In some cases, there may be concern. I am not saying every case for every bank. There are standard contract terms which can also cover the situation.
Chairman: There is some small print in the contract with your bank?
Ross Cranston: You probably signed it!
Q18 Chairman: Which says, "We can outsource everything"?
Mr Thomas: There usually will be a contract between the bank and the organisation elsewhere in the world guaranteeing, or the contract will guarantee, that the data will be held secure and processed in accordance with the UK Data Protection Regulations. I am not say that all is perfect in that garden. If we had evidence, we would investigate that.
Ms Hinde: If I could explain to you that adequacy is not general adequacy in terms of the country itself, it is in fact adequacy in terms of the particular transfer that is taking place. So, in fact it comes down to the particular circumstances of the case very often and companies can establish that adequacy sufficiently through their contracts and through the arrangements they have with the organisation they are working with overseas and sometimes contracts in the same group.
Q19 Chairman: So you are waiting until you get a complaint before you send somebody out there and hoping that you do not?
Mr Thomas: I would still be very sceptical about the need to send my staff all around the world to investigate. Being realistic, we will have to do our best from our base here.
Q20 Mr Cunningham: Moving on to third party information, what was the main trigger for the changes in third party data handling which you announced in April 2004? Why are you satisfied that "the end is now in sight for the use of unrelated third-party data in the consumer lending process"?
Mr Thomas: There is a very long history here and, in a moment, I may ask my colleague Anne Hinde to give you some of the history. I came on the scene 18 months ago where my predecessor had negotiated a deal with pretty well the whole of the consumer credit industry to get rid of some of the practices relating to third-party which she and indeed I find quite unacceptable. That deal was made in 2000 and it was recognised that it would take time for both the three main credit agencies and also the entire lending community behind them to update their computer systems and their other systems to accommodate these really very complex changes and they are very wide-ranging changes. After three or four months in the job, I decided that it would be appropriate to put some pressure upon the industry to move along because we said that they needed time but there is no time limit. So, I set a time limit and I said that they had to come forward with the date and that it had to be before the end of 2004. That led to further discussions; they came to see me before Christmas 2003 and I made it clear then that I was becoming a little impatient and they then fixed on a firm date of 31 October 2004. I found that acceptable. The press release, which was a joint press release which I discussed with them and put out in March, confirms that and I am now confident that, as from that time, the vast majority of the industry will be compliant with the new arrangements and I think that will be to the very strong benefit of individuals. I think people find it quite outrageous, for example, that their adult children's financial circumstances can be taken into account when their own creditworthiness is being investigated and, when they exercise their right to see their file at a credit reference agency, they see their children's files and vice-versa and we have had many, many cases of people being really quite shocked and outraged at that state of affairs and the industry, to its credit, has recognised that that is not acceptable and these new arrangements will be coming into force later this year. If you would like a little more history, Anne Hinde can take you back many years on this one.
Ms Hinde: This issue is almost as old as the Information Commissioner's Office itself and, back in 1990, the first data protection registrar, Eric Howell(?), took action against the credit reference agencies by serving an enforcement notice to require them to change their practices because, at that time, they were processing information largely on addresses or exclusively on addresses. So, individuals were seeing not only the information about other people living at their house but also individuals who were living at other houses or people with similar names and addresses. So, the tribunal to which the agencies appealed against the notices produced a slightly different notice which allowed essentially that the same name, the same address and the same household information could be processed so that they reduced the amount of information that credit reference agencies would produce in response to a request from a lender to provide information about a credit applicant. So, the current practice reflects the tribunal decision in 1992 which took effect from mid 1993 and, with the increased expectations of privacy that individuals have and the continuing complaints about third-party data, that is individuals other than the applicant for credit, with the Data Protection Act 1998 on the horizon and also the Human Rights Act, the industry were asked to look again or it was suggested that they might like to look again at this issue and they did that and came forward to the Commissioner with various proposals and there were discussions between us and the industry and this led to what is called the business requirement specifications on which the new proposals are based. These are the industry's proposals which they made to the Commissioner in 2000 and they have involved enormous system changes and first of all the agencies themselves had to change their systems, then all the lenders had to change their systems in order to link into this. It has been very expensive and very costly in terms of manpower as well and so on, and that accounts for the length of time it has taken.
Q21 Mr Cunningham: Are you certain that these new restrictions on these agencies will not lead to abuse by fraudsters on the one hand or enable families to amass debts which they can ill afford?
Mr Thomas: I do not think you will ever eliminate fraud in the lending environment, but I think that in many ways these measures will help the individual have better information about what is known about each individual and I think that will be a step in the right direction. It will bring, if you like, the boundary closer to the individual. There will be some linkage to a financial partner. If a husband and wife have a joint account of some sort, then they will be treated as financial partners and I think that probably is broadly acceptable. We can have a long debate about the value of credit reference information and credit scoring. I am very much alive to the debates about responsible lending and responsible borrowing. I do accept that a responsible lender has to have a reasonable degree of valid information about an applicant for credit but that has to be in accordance with the data protection requirements.
Ms Hinde: The industry and the Commission produced a press release in 2000 which made it clear that the industry was satisfied that the arrangements struck a proper balance between privacy and their need to look at the information on others. They said this struck the right balance.
Q22 Chairman: Moving on to the freedom of information side, are the public bodies such as Government level ready for January 2005?
Mr Thomas: There are over 100,000 public bodies within the scope of the Freedom of Information Act because, by the time you take into account not just every Government department, local authority, police authority, National Health Service body, schools, universities and then you go into every doctor, every optician and so on, the total is well over 100,000, and I think I would be foolish to say that they are all ready. Of course they are not. We have done some work. We have done a survey which I think we shared with the Committee of the state of readiness of Central Government departments, a sample of local authorities and Northern Ireland departments and we shared our findings in our written submission to you. I fully accept that this what they have told us - and it may not necessarily be the true story - that, by and large, Central Government departments seem to be well aware and getting on the right track, particularly when there is a high level champion. Where there is a minister or a board member at official level who is taking it seriously, Central Government departments do seem to be, as the date of 2005 gets closer and closer, getting more and more ready. I think that a rather more mixed picture is emerging with local authorities.
Q23 Chairman: We are going to go on and look at those separately, so perhaps you can leave them to one side and stay with Central Government.
Mr Thomas: The picture is reasonably encouraging and of course that is just one survey. My colleagues and I have been out and about a great deal talking bilaterally to departments. There is a Freedom of Information Implementation Advisory Committee with I co-chair with Lord Filkin, there is an FOI practitioners' group around Whitehall and there is a growing number of physical and electronic networks to help departments get themselves ready. I think the proof of the pudding will not be there until January 2005 when they start getting the requests but I think that most now are switched on to the significance of what is going to hit them and I have made it very clear in press statements and conference speeches and I make it clear again this morning that, given the long run-in time, I cannot accept from any organisation, "We are not yet ready." They have had nearly four years to get ready and, if they get a request in January or February next year and they have to respond within 20 working days and they say, "Oh, we weren't ready for this, we're not expecting it", I cannot be tolerant and I have made it clear that now is the time to get things ready. As the date gets closer, I think minds are concentrating more and more.
Mr Smith: I think that one of the challenges which large Government departments face is the fact that because a request for information to which the Freedom of Information Act will apply will not come neatly packaged and labelled as such because it applies to any written request for information, they have an enormous job to do to roll out the awareness of freedom of information and what the requirements mean throughout their staff and to all their frontline services and wherever any request for information might come in. That applies to any large complex organisation but particularly so, I think, for a Government department like the Department of Work and Pensions which exists primarily to serve the needs of individuals and has an awful lot of routine requests for information as part of their day-to-day business. It is important that whilst we are not looking for them to change any of the good practice which already exists, that they do understand that there is a legal framework now which sets down minimum standards within which those sorts of requests for information have to be raised. What we have found with Central Government is that whilst the people who have been tasked with implementing freedom of information are well aware of their responsibilities and are making very great strides towards implementation, sometimes they are having difficulty with engaging their very senior colleagues and then, at the other end of the organisation if you like, they have the major challenge of rolling it out throughout all of the frontline service providers.
Q24 Chairman: Did the Department for Constitutional Affairs issue enough guidance early enough?
Mr Thomas: They have been very active, particularly in getting Central Government departments up to speed. They have detailed project plans and they have been delivering on those. I think it is too soon for any of us to say that enough is enough. I think that one of the great unknowns for all of us is the volumes. None of us know how many numbers of requests are going to be received first of all by the public authorities and are then going to be, if you lime, going through the internal appeal process inside the public authority and then going to come to my organisation. In predicting volumes, we have commissioned work looking at what has happened in other countries with freedom of information legislation and we have had a close dialogue with the Parliamentary Commissioner, but none of us know for sure how big this is going to be. We know that it is going to be complicated, we know there are going to be sensitive cases and we know that there are going to be difficult cases, but none of us yet know what the volumes are going to be.
Q25 Chairman: You said that there was a certain amount of confusion in the minds of public authorities about your role and the role of the department. The department is the lead department and you are the independent regulator. Is that still there or has it been clarified?
Mr Thomas: We have been made aware that there has been some confusion on the part of bodies. We have done our best to redress that. We have made it clear what our function as the independent regulator is. We have statutory responsibilities. The department as the sort of policy custodian of the legislation and taking the lead within Whitehall has its responsibilities, but one thing we have agreed quite recently is to restate the nature of our relationship. We are quite clear about it but it may be that some bodies are not as clear as they might be and we are going to be restating that in the next couple of weeks.
Q26 Mr Soley: I would like to follow on a little from that line of questioning and ask you if you see a problem, either with yourselves or for the Information Commissioner, on the growing inter-relationship between the public and the private sector.
Mr Thomas: It will not be an easy area. The Act itself has provisions dealing with private organisations which are carrying out public functions and I believe I am right in saying, Graham, that the regulations have not yet been laid in that area.
Mr Smith: There have not been any regulations actually designating purely private bodies as public authorities for these purposes. That is a matter which is with the Department for Constitutional Affairs to look at.
Mr Thomas: The more general point is that first of all the private sector, judging from experience elsewhere, will be quite significant users of the legislation; they will be making requests and, to that extent, it will be seen as an opportunity by them. They will also quite often see it as a threat because public bodies themselves will hold information supplied by private bodies or about private bodies and one can anticipate, looking at experience from other countries, that there are going to be some quite controversial situations where somebody is making a request to a Government department or to a local authority or information relating to the activities of a commercial organisation. One of the exemptions in the Act deals with prejudice to commercial interests, but of course people have not sufficiently woken up to the fact that that is not the end of the story because, like so many of the exemptions in the Act, it is subject to the public interest override. So, even if there is prejudice to commercial interest, if the public interest in discloser outweighs the pubic interest in withholding the information, it still has to be disclosed and I think that it is the territory where a great many of the debates and discussions and the rulings are going to have to be made.
Q27 Mr Soley: Would you accept that some of those difficult areas might be in terms of the private management of a school or hospital within the state sector?
Mr Thomas: I think I would entirely agree that that is one example of where some of these problems are going to come to the surface. Already there is advice - I think it was put out by the Office of Government Commerce - that departments should be much, much more sparing in confidentiality clauses in contracts. Where there is a contract, for example, between an education authority and a company running a school, then they should be aware of the implications of the Freedom of Information Act. It may well override a confidentiality clause and they should not use such clauses thinking that is the end of the story.
Q28 Mr Soley: So you would like the regulations to be looked at very carefully before they are published presumably, or after they are published or both?
Mr Smith: The issue in relation to regulations I think is purely one about the designation of private bodies providing public services, perhaps in terms of the set-up you are arranging, and it very much depends on the legal status of the joint venture organisation which is established to deliver the service. If it is purely private sector, they have to be specifically designated by the regulations. The guidance in relation to contracts, yes, the Office of Government Commerce has been involved but there is specific guidance in the code of practice which is made by the Secretary of State for Constitutional Affairs, section 45 of the Freedom of Information Act. This was issued back in 2002 because again it was anticipated that this was an area that public authorities really ought to be talking to their contractors about and making themselves aware and their contractors aware and people who might do business with them aware that what previously might have been assumed to be confidential because it was contained in the contract and indeed it might have "commercial in confidence" slapped all over it, that this was not actually a protection, if you like, from the Freedom of Information Act. A public authority still has the responsibility to consider every request for that information within the terms of the Freedom of Information Act and, as the Commissioner has pointed out, even if commercial interests might be prejudiced by the disclosure of that information, then there may well be good grounds for saying that the public interest in disclosing the information overrides the prejudice that would be caused to those commercial interests. So, I think that, in terms of the regulation, what we are looking for is that we need to reinforce the guidance that has already been given and perhaps give more guidance not only to the public authorities but perhaps also directly to the public sector themselves because we are getting some information back to us, albeit some sort of apocryphal that the private sector has not yet woken up to the fact that freedom of information will have a significant impact on them and perhaps there has been a misunderstanding that, because freedom of information only applies to public authorities, it will not touch them.
Q29 Mr Soley: Do you think enough has been done to raise public awareness of their rights as from 1 January?
Mr Thomas: We have not really started yet. I think it would be quite inappropriate to raise public expectations nine months before the rights go live, but we are putting together very detailed communication strategy for getting across appropriate messages to appropriate parts of the general public and, towards the end of this calendar year and into the next calendar year, we will be going into a very high-profile mode in terms of alerting the general public to their rights. You made one point that I would just like to emphasise. Sometimes, I think that freedom of information is seen as a matter for the chattering classes, it is all about what is happening at the higher levels of a Whitehall department. I see it very much as being focused on what is happening in people's backyards, what is happening in their schools, their hospitals, and getting this information into the public domain in order that people can have much greater trust in all levels of the pubic sector and I really want to get that message across in this communication strategy.
Q30 Mr Soley: I agree with that, so I endorse that message. Can I turn now to the rather strange position of the media in relation to data protection. You will know that there is a bit of an opt-out clause thanks to the explanations from Lord Wakeham. Naomi Campbell used the Data Protection Act to get her settlement. Is it not right that in fact citizens less well financed than her ought to be able to achieve the same?
Mr Thomas: I touched earlier upon the difficulties of people claiming compensation through the courts and I think there may well be a case of some sort of alternative dispute resolution, but the more general question is about the media. As you say, there are specific provisions in the Act protecting some of the processing of some personal information held by the media, but I think it is quite wrong to give the impression that the media are somehow outside the provisions of the law altogether. If I can give you one example. Section 55 of the Act is the main part of the Act creating a criminal offence of obtaining personal confidential information improperly, and "blagging" is the word that is used in this area. My investigators come across cases where people have either used bribery and corruption to get information or have impersonated individuals to get information. There are private detectives out there who are doing this sort of activity. I have condemned this very forcefully and there are a number of cases in the pipeline.
Q31 Chairman: This would include working your way into Buckingham Palace to find out what the Queen ate for breakfast?
Mr Thomas: We were asked to give evidence to the inquiry into the journalist who got into Buckingham Palace as to the sort of checks which would be appropriate and carrying out checks into individuals is part of that and we gave evidence to that inquiry.
Q32 Mr Soley: Is not one of the oddities for this that we gave that, as you rightly say, qualified dispensation to the media because of the important investigatory role they have in an open and free society, but we do not give the same to Members of Parliament who have the same investigatory role?
Mr Thomas: I think that is an interesting point you have made and I would like to ponder on that one. Obviously, Members of Parliament have other protections and privileges but you may say that is not as extensive as the media in a particular case.
Q33 Mr Soley: There are two aspects to it. I do not have that much in common with Naomi Campbell but one of the things we do have in common is that we cannot ask to see what the media have on us although Rupert Murdoch could ask to see what I have on him which is quite interesting and he can always pop round and see it whenever he wishes, but should it not be a two-way street?
Mr Thomas: I take the point but I think you are dragging me into a more sort of political controversy than I, as the Commissioner, ought to be dragged into. I am fully aware of the debate that happened in this place and in the House of Lords as the legislation was going through. I have to enforce the legislation as I find it, but I take the point you are making. One point I would like to add is that I have had discussions with the Press Complaints Commission over the last three or four months, particularly about blagging problems, and one of the outcomes of that is that there will shortly be new guidance issued by the Press Complaints Commission to journalists about the implications of the Data Protection Act and we have seen that in draft and we are making some further suggestions on that and that will be coming out quite soon.
Q34 Mr Soley: I was going to ask you about that and I would be grateful if you would keep a close eye on it.
Mr Thomas: Indeed, we are keeping a very close eye on it.
Q35 Mr Soley: It is not the world's most effective regulatory body! My final point is, what about this problem when somebody is writing to an Member of Parliament because it is a fairly common practice for the Member of Parliament to write to the authority, private or public, that they are raising with it, saying, "This is what my constituent tells me, what do you say?" I have always taken the view that because they have asked me to look into it, they have actually given me permission to use that information as I think fit within reasonable boundaries, but there is some anxiety as to whether we are not stepping outside the Data Protection Act.
Mr Thomas: I am aware of the issue, Mr Soley. We have given guidance which we agreed in conjunction with the House authority here which is available to all MPs and it is a wider issue, there are counsellors and others representing individuals. We have tried to be as helpful as possible; we have tried to indicate where you are on firm ground and where some of the danger areas are. Unfortunately, I do not have that with me. One of my other Assistant Commissioners, my expert on what MPs can do and cannot do, will know and, if you would like a note on that, we can send that to you.
Chairman: We would.
Q36 Mr Soley: It is a difficult area because I take a fairly bold approach on it in that, if they are writing asking me to look into it, that is what I am going to do and I am going to use the information in a constructive way, but it is true that, within letters at times, there might be references to particular aspects of their lives that they might not want passed on.
Mr Thomas: Indeed and I think you will appreciate, going back to Ross Cranston's questions earlier, there are some very delicate balances to be drawn in the area of data protection and it is very difficult, much as I would like to be, to be black and white in some of these cases.
Q37 Mr Cunningham: Just to follow on from what Mr Soley said, very often you are dealing with a complex case, public organisations in particular and other organisations will very often write to the constituent and you will be left in limbo using the Data Protection Act and that is not a satisfactory situation for Members of Parliament in particular because they do not know what is happening in their constituents' cases.
Mr Thomas: I agree entirely with you that where someone simply uses data protection as an excuse, that is unacceptable. Where they give chapter and verse as to why a particular provision means that they cannot do something - and there will be constraints on what people can do because of data protection - they need to articulate it, but I am not prepared to tolerate this blanket referral to data protection as an excuse for not revealing information in the circumstances which you mentioned.
Q38 Mr Cunningham: It is totally ignorant to ignore where a constituent puts it in writing to you or where a constituent has signed a piece of paper authorising you, that is totally unsatisfactory on my side because it does not help the constituent one iota and it does not help us.
Mr Thomas: We will send the Clerk the guidance on that.
Chairman: We appreciate that and, as you know, it has been raised in the House in other ways as well as in this Committee and we very much welcome the note you are going to send to us.
Q39 Dr Whitehead: Turning to local government for a moment, your comments on local government in your report remind me of the first line of the Polish National Anthem which translates roughly as, "All is not yet lost." I would suggest that, as far as local government is concerned, the picture was by no means a hopeless one in terms of preparations by local government for the implementation of freedom of information. That seems a pretty much damning and faint praise, I would suggest.
Mr Thomas: We have to report what our rather limited survey revealed and it was not a compulsory survey and it was not a universal survey as we made quite clear. Probably, the better prepared ones are the ones who responded and gave us their story and even some of them were making it clear that they had anxieties and felt ill-prepared for the implementation of freedom of information, so we felt that we had to report it as we found it. I would not want to rely upon the Polish National Anthem, but what I would say is that I think there is a very mixed picture out there. Of course, local authorities are very mixed: we have very large local authorities and very small ones. In theory, every parish council is caught within the legislation and there has been some controversy about that. Dealing with the regular local authorities, the country councils, the district councils, the metropolitans and so on, there is a mixed picture. Graham, I am sure, will say more because he comes from a local authority background and he has very good links in that area. The larger ones I think are well prepared but some of the smaller ones clearly are struggling.
Mr Smith: I think that is broadly true but there is a much more mixed picture than that in that we have not found that there is any consistency amongst other type authority, geographical location of authority or size of authority which is an indicator as to whether or not the local authority is well prepared or not. One of the key features that I think all of those of us who have dealt with local authorities know is that they very much take pride in doing things very often in their own way and, whilst there is some very good work going on in parts of the country where local authorities are working together and trying to have a more uniform approach and develop best practice amongst themselves, there seem to be other areas where there seems to be very little going on in the way of preparation and certainly there are issues of, shall we say, culture, which may be political culture, not necessarily party political culture, in authorities to whether or not they do live and operate in a more open and transparent way, whether they have encouraged public participation in their democratic and decision-making processes and those who have not who very much tend to keep things to themselves. Obviously, local government legislation itself has provided encouragement and requirements for greater openness in the decision-making process of local government and I think it is fair to say that compliance with those and adherence with those is where the major efforts of local authorities have gone in the last few years. We are in a bit of a position in relation to the proof of the pudding because, whilst we have this information about the state of preparation in local authorities with the caveats that the Commissioner has referred to, we will really only know and they will only be tested when they get requests for information and they deal with them and I am sure that we will very quickly see examples of very good practice and I fear also some examples of not so good practice and we will have no hesitation then in giving the appropriate amount of publicity to those with a view to driving up good practice and demonstrating that poor practice simply will not be tolerated.
Q40 Dr Whitehead: Do you think in terms of information about a process coming your way from local authorities that there is no correlation between, as it were, the application of resources and the degree of preparedness?
Mr Smith: I note that you use the phrase "application of resources" and I think that could be right because there is not necessarily a correlation and our inquiries have not drilled down that deeply, but I think it is true to say that when local authorities, like any large organisation, are allocating their resources against their competing priorities, some will give more priority to freedom of information than others and we fully understand the pressures that local authorities are under and the difficult decisions that they have to make with regard to putting resources into improving administration and improving what are traditionally referred to as frontline personal services. What we have tried to encourage them to do is to see that there is actually a link between the two and that openness, transparency and ensuring of free-flow of information to their customers, their constituents and those that they exist to provide services for is actually an integral part of that service provision. We have tried to give them that message and some are more responsive to it than others, but hopefully, through education and experience, we will see gradually an improvement of good practice and certainly we will not know whether or not all is lost until we start to get the complaints over our counter from February/March next year onwards.
Mr Thomas: It is very interesting how many local authorities talk the language of openness and transparency. If you look at their websites, "We are a transparent open organisation focused on customer service." FOI is going to be a major test of that. In terms of preparing all public bodies, I have had to adopt a strategy of both scaring people about the implications in the law but also inspiring people because I think sometimes the benefits of FOI for the public bodies are lost. If you are serious about building trust between the public sector and citizens, FOI is part of that. If people really want to deliver genuine customer service, what are they trying to hide? So, the more openness we can bring out the better and seeing it as in their own self-interest to get it right. Frankly, I would be disappointed if FOI turns into a sort of jousting arena for lawyers on both sides to try and make the best out of the detailed small print of the legislation. It is all about culture change and that is the message we have been very, very keen to get across not just to local authorities but to the whole of the public sector.
Q41 Dr Whitehead: The evidence we received from a consultant to the Society of IT Managers suggested that in fact many local authorities just do not know where to start addressing the legislation and he suggested that there is a relative amount of panic out there, though I am not sure of the concept of a relative amount of panic and that it entirely bears scrutiny. Firstly, would you accept that does bear any resemblance to your view of the situation? Secondly, we have actually received a note from the Local Government Association which states that the level of preparedness on freedom of information among local authorities varies enormously. It also says that additional advice and information from the office of the Information Commissioner is vital if the benefits of FOI are to be exploited. So, their suggestion seems to be that, as it were, the panic, if there is panic, is perhaps engendered by not having access themselves to information which would allow them to act in a way they would like to.
Mr Smith: In terms of the first point there, I think that is the view that has been expressed by the Society of IT Managers. I would think it is an extreme view and I would certainly hope it is not typical. I am not sure that any evidence has said that that is a typical view, but I think it is quite an interesting ---
Q42 Dr Whitehead: I have to say that was evidence from a consultant to the Association and not the official view of the Association.
Mr Smith: I think it is interesting in terms of the source, that it is from the IT world, if you like. One of the things we have found with freedom of information is that the nature of the response that we have had, typically from local authorities, is often dependent on whether that first letter which brought the issue to the attention of the Chief Executive got the requisite from the in tray. Very often IT managers have been involved in data protection because the first Data Protection Act was very much about computerised information, and this is something that has been grafted on to their data protection responsibilities, so it has gone to the IT manager whose focus is very technical and is not necessarily about the flow of information to customers in the way that I was referring to it earlier. Another route is for it to have gone to the lawyer and then we tend to get very strictly into this legal, "How can we use the exemptions? Do we really have to do this? How can we be compliant with the law?" Another option is that it has gone to public relations and then they have seen that there is a real opportunity here to engage the public and to make something of it. It may have gone equally to a policy officer. So, we do see some sort of patterns like that. In terms of the advice that we have given, I think it is true to say that, fairly uniformly, there has been a clamour for more advice and for help as to what people can do with it in term of compliance with the Act. It has been worrying that most of the clamour for advice has come from the legal side and they want to know how they can use the exemptions and we have found ourselves in some difficulty in trying to deal with requests like that as promoters of openness and awareness because, whilst we need to explain the law and help them to understand it, to actually be seen to encourage them to use the exemptions is not exactly how we see our role, but we have given advice to them and we have done a lot of work with local government. We have engaged specifically with pilot local authorities in terms of the publication schemes; we have attended a number of conferences and delivered seminars and worked directly with groups of local authorities with networks and with individual local authorities to try and encourage them. Perhaps we clearly have not reached everybody but, coming back to the issue of cultural awareness, while we can tell them how we see the act operating in terms of the exemptions for the legal framework and so on, what we feel that authorities are often effectively asking us to do is tell them how to do openness and transparency and we cannot really do that because it has to come from within the authorities themselves. It is this issue of culture; it is how they approach their role as a democratically elected body within their area and how they respond to their citizens. So, whilst I would not want to minimise the concerns that have been expressed, we are in regular dialogue with the Local Government Association as well and we work constructively with them and we are addressing and we have set out in our project plan how we will continue to address the needs of local government which is a significant part of the public sector to be affected by this Act. We will also continue to give out the message to say that they do have to look for themselves and have to decide how they are going to approach freedom of information themselves as a corporate government issue and it is not simply down to legal compliance with another piece of legislation which has come along.
Q43 Ross Cranston: Can I ask you a question out of ignorance, really. You spoke about the relationship of the DCA but there are the separate access to information provisions on environment which I think are the responsibility of Defra. Is there a problem there when you have first of all two sets of boards and then two departments, as it were? If so, could anything be done?
Mr Thomas: Perhaps I could give you a general answer and perhaps then Graham could give a little more detail on some of it. The Environmental Information Regulations have not yet been made; they are about to be made by, as you say, Defra. They implement the European Directive on access to environmental information and, behind that, the A(?) Convention. The effect in this country, the policy intention, is to align the new regulations as closely as possible with the Freedom of Information Act and I will be, if the regulations are made as intended, the regulator in the same way as I am for freedom of information. There are some differences. For example, a request for environmental information does not have to be in writing. There is also no cost ceiling whereas there is a cost ceiling under the Freedom of Information Act. Under the Environmental Information Act, there is no cost ceiling. There are some differences but the intention is as far as possible to roll this out as a single package in order that the citizen does not have to worry too much about precisely which legislation is being used. It is either a request for general information or environmental information and the two instruments are intended to dovetail together. In terms of responsibility, as you quite rightly say, the Department for Constitutional Affairs has the policy lead on FOI and Defra has the policy lead on the Environmental Information Regulations. There has, I gather and I have been involved in some of this, been very close cooperation and collaboration between the two Government departments and we have been brought into many of those deliberations. I think there is still outstanding an issue of resources. I think that the department feels - and I have quite considerable sympathy with this ---
Q44 Ross Cranston: Is this Defra?
Mr Thomas: No, the department, the DCA feels that Defra should pay its fair share of the cost of implementing the Environmental Information Regulations and I think that is an issue which is still ongoing as I understand it, but I am really a spectator on that particular issue.
Q45 Ross Cranston: I think the answer to the first part of the question was reassuring, that the two systems will be in parallel.
Mr Thomas: Have I painted too rosy a picture?
Q46 Ross Cranston: It may be that the second part of the question ...
Mr Thomas: I think what you have identified is that it is primarily a government issue in terms that Defra will take responsibility, as I understand it, up to the point when the regulations have finally been made in compliance with the European Directive and Defra and the DCA are working together almost, if you like, as a jointly badged freedom of information project because one of the things they have expressed they are concerned about and certainly we are concerned about is that the differences between the two regimes should impact on the public as users of the access to information regime as little as possible. Yes, it is going to be important for the public authorities to understand the differences and sort them out and we will have to understand the difference and we will have to support public authorities in understanding the difference, but what is important here is that the public are not disadvantaged in exercising their rights simply because different regimes will apply because they have arisen through different constitutional routes. Certainly the focus is to work together and, subject to the issue of resources which I gather is still subject to discussion, we do not really see any great difficulty in having a combined effort.
Mr Thomas: Going back to Mr Soley's questions earlier, there will be integrated publicity for the general public, it will not be one set of publicity for the FOI and another set for the Environmental Protection Regulations. It will be fully integrated.
Q47 Ross Cranston: I think that is reassuring. Can I ask a couple of specific questions about the issue of standards. Bodies have to turn around a request for 20 days but there are certain exceptions. Have we got standards evolving yet on the exception of the 20 day turnaround period?
Mr Smith: There is a provision in the statute that where the public authority is considering the issue of the public interest override and whether that should apply in a particular case, the Act gives the public authority the right to use additional reasonable time as is required. We have not yet given out any guidance on that. We obviously would want them to do it as quickly as possible and we will see what the experience is in terms of how that is used or certainly if it is abused, and we will ensure that it is not over-used.
Q48 Ross Cranston: What sort of factors would be taken into account there?
Mr Smith: I think one has to take a proportionate response to the level of difficulty of the issue. If we were to get the impression that actually this were just being used as a device by a public authority to buy more time and give themselves more time because their administrative processes were not up to it, then we would not be very tolerant. We have the powers through our good practice recommendation and then ultimately an enforcement notice if we felt there was persistent abuse of process to require a public authority to change its ways. If we thought this was simply being used as administrative convenience, we would look at that, but in some of the cases there are going to be very significant difficult public interest issues to weigh up. What we are advising public authorities to do is to keep the dialogue going with the person who is requesting the information, because if they keep them informed as to what they are doing and why and why it has taken so much more time, then the individual would hopefully understand that if it is a genuine reason. They always have the ability to come to us and we can investigate it if they want us to do that. The other aspect of this is that there is power for the Secretary of State to make regulations so that in certain categories of cases that 20 working days can be extended. I understand there is a consultation going on within Whitehall to seek some representations as to whether departments would like that power to be used and in what circumstances, but that is a matter for the Department. It is not something I am a party to but I understand that is currently happening.
Mr Thomas: Could I add two points because I am very keen to get these two points across to this Committee and more generally. The first is, whenever a public authority wishes to use public interest arguments against disclosure, I will expect them to articulate what they mean by that and provide chapter and verse. I will not accept someone simply asserting it is in the public interest that this information should not be disclosed. I want them all to understand that if they want to use that argument, they are going to have to explain to me why and how it is that the public interest in non-disclosure outweighs the public interest in disclosure. The second point I want to make is this: there has been comment about the legislation in terms of the ministerial veto. There is a provision in the Act which says that a Cabinet Minister can serve a certificate on me effectively undoing the effect of an enforcement or a decision notice, sometimes known as the ministerial override or the veto. I have to make clear that it was intended, and it was clear when the legislation was going through, that this was seen as highly exceptional. It was a long-stop for very exceptional circumstances. I want to keep it that way and I am making it clear that if and when any such certificate is served, not only is there a statutory duty on the Minister to lay that certificate before Parliament, that is in the Act, but I myself would like to make a special report to Parliament on each and every case about the circumstances of such cases. Perhaps this Committee would be one of the recipients of such reports. I have the power to lay a special report before Parliament and I think I have to do that on each and every occasion where the veto is used against either my decision or indeed it can be used to overrule decisions on the Tribunal which sits above me.
Q49 Ross Cranston: So if public interest is an unruly horse, you actually want the horse drawn out like a Stubbsian portrait?
Mr Thomas: I could not think of a better metaphor.
Q50 Ross Cranston: Can I ask about section 46 and records? The DCA has issued guidance somewhere, are you going to be issuing further guidance on what individual public bodies have to do in relation to the retaining and disposal of records?
Mr Smith: We are not intending to issue guidance on that. Section 46 creates, if you like, a statutory partnership in this area between the Commissioner and the Keeper of Public Records, and we work very closely with Sarah Tyacke who is in that office at the moment and her colleagues at the National Archives to develop that partnership arrangement. We recognise very much that they are the experts in terms of records management and they have done a lot of very good work in terms of not only developing the code of practice but also developing model action plans for different parts of the public sector and generally giving a lot of very good advice, they do a lot of travelling about, going out into public authorities, delivering seminars and giving practical advice on issues like retention and disposal of records. We are not looking to duplicate what they are doing but what we will be doing, because the Act gives us the statutory powers effectively rather than the Keeper of Public Records to make enforcement where records management lies at the heart of a failure to deliver good practice in freedom of information, is giving examples as cases come in to us. If we find the main reason why the information has not been disclosed in a proper or timely manner is because of poor record-keeping and poor record management within the public sector, then working within that partnership that is where we will be giving guidance in our own right to encourage good practice. In terms of making something like a formal order, a good practice recommendation, the Act quite properly requires us to do so in consultation with the Keeper of Public Records because that is where the expertise lies.
Q51 Mrs Cryer: Your evidence suggests that it does appear you have concerns regarding the recruitment and retention of good quality staff for the new Freedom of Information responsibilities. Have these been resolved by the DCA? If not, what impact is this likely to have on your own ability to enforce compliance in 2005?
Mr Thomas: Thank you, Mrs Cryer, you are right to say I did allude to this in my written submission to the Committee. As I explained there, I employ my staff - we have over 200 staff and we are building up towards 300 staff in a year or so - but the remuneration and the terms and conditions have to be approved by the Secretary of State. I have inherited a situation where the salaries of my staff are significantly, significantly, behind market rates for the area in which we are based - Wilmslow just outside Manchester. I am talking about differences up to 15% or more compared to other public bodies in the same area. I find that totally unacceptable, I think it is fair to say that the Department recognises the nature of the problem, it is having increasing implications in terms of recruitment and retention of staff, and we all recognise that the issue has to be resolved. I am afraid at the moment, although we have made some progress, the issue has not yet been resolved, there are on-going discussions, and I have no alternative but to come back to this Committee if I cannot resolve these matters and tell you the full circumstances. I would rather not do that now because there are constructive discussions going on at the moment. I appreciate your interest in this because it is an extremely important issue. I would say it is the largest single challenge facing me in delivering my responsibilities at the moment.
Q52 Mrs Cryer: According to the evidence we had from the British Bankers Association regarding high turnover, they have suggested that they would support any ICO proposals to re-evaluate compliance officers' jobs and create a career structure which would inspire staff.
Mr Thomas: It is always helpful to have support from the bankers when it comes to money!
Q53 Mrs Cryer: That is what I thought!
Mr Thomas: That was an unprompted comment of theirs and I appreciate their support, but you will appreciate I am working within the framework of public sector employment and it is not a problem which the banks can easily solve, as it were. It has implications vis-à-vis the Treasury and the Department. As I say, discussions are on-going. We have well-motivated staff, a fantastic team right across Data Protection and Freedom of Information, people want to do a good job, but when they are paid in some cases very low salaries indeed and, for example, tempted away to do data protection in a private sector environment, and maybe we will see the same with freedom of information, it is a cause of very serious concern to me.
Q54 Chairman: Decisions taken before your time have left you in one of the most expensive places outside London.
Mr Thomas: Yes. Wilmslow has a reputation as being an expensive area, although the greater number of my staff do not live in Wilmslow, they commute in from the surrounding area, but it is quite an expensive part of the country and that makes the problem that much worse.
Q55 Chairman: Have you thought about moving or relocating part of your operation?
Mr Thomas: I do not think that is a practical option. We have over the last 12 months, since I took over, opened offices in Edinburgh, in Belfast, in Cardiff, we will have a small pied-a-terre unstaffed in London but I do not think it is realistic, given we have such a high cadre of experienced people with all the expertise. Moving that out of Wilmslow would not be an option. So we are in Wilmslow for the duration and indeed are in the process of negotiating for a second office block in Wilmslow at the moment.
Q56 Chairman: Turning to the overall costs and costs for the departments, the DCA has admitted that no recent estimate has been made of the collective costs which will be incurred through the implementation of the Freedom of Information Act. Have you made any estimate of what departments and non-departmental public bodies will have to spend overall by the time the Act comes into force?
Mr Thomas: No, I have not, Chairman, I do not think it would be within my responsibilities to do that. I am aware that many local authorities are unhappy they have not been given additional resources. The philosophy of the Government has been throughout that this should be done largely within existing resources. My preoccupation is whether I have the resources to do the job properly. You will see we have £4.5 million in the current financial year, that will go up to £5.0 million in the next financial year. We are going through a process right now of considering just how many staff we are going to need in detail, at what level we are going to need the staff and whether that resource will be enough. We have an on-going dialogue with the Department about resources and we have made it clear that one thing we have to do is to respond to the volume of complaints coming to us, and at this stage it is extremely difficult to predict, but we are going to have to move quite fast once we see what is the reality.
Q57 Chairman: As far as you are concerned, you will not accept from public bodies that lack of resources from the centre is any excuse for not complying with the legislation?
Mr Thomas: I cannot accept that, Chairman, because there is nothing in the statute which refers to that as a reason for not disclosing. The Act, if you like, creates a presumption of disclosure, it creates certain exemptions but none of those are set forward in terms of resources.
Q58 Chairman: Thank you very much. This has been a very helpful session for us. It is the beginning I think of a relationship, because we expect to see you back on other occasions. We will probably do an inquiry into part of your work and responsibilities. It is a process which would have begun sooner had this Committee been set up sooner and not been landed with a number of quite key issues at an early stage. As you yourself have indicated, there are a number of matters with which you expect to be endowed in the future, and we will follow your work with very great interest.
Mr Thomas: Thank you very much for your interest and the whole Committee's interest in our work, which we very much appreciate. We have only touched on some of the issues we are dealing with. One of the surprises to me as a Commissioner coming in was just how wide our responsibilities are. Both Data Protection and FOI touch virtually every part of economic life, social life, political life; very broad, very horizontal responsibilities. There are many issues we have not touched on this morning but we may want to come back and talk to you about some of those in more detail on a future occasion. Thank you very much.
Chairman: Thank you very much.