The work of the Information Commissioner: appointment of a new Commissioner - Justice Committee


3  The pre-appointment hearing and outcome

Introduction

23. Our consideration of Mr Graham's appointment was steered by guidance given by the Liaison Committee[14] and our own view of the demands of the role and of the short and long term priorities involved in the fields of data protection and freedom of information. We have referred to such demands in previous reports.[15] We were also assisted by the valedictory evidence given by the current Information Commissioner on 13 January 2009.[16]

The hearing

24. Mr Graham's background clearly provides him with a range of experience indicative of his suitability to be a candidate for the role of Information Commissioner, including familiarity with the regulatory landscape, the development of codes of practice, the potential for judicial review, customer service, assessing compliance, running a large organisation and managing change.[17] In view of the overall challenge facing a new Information Commissioner—an increase of an order of magnitude on what Mr Graham has previously dealt with—we welcomed the opportunity to question him on his view of the priorities and potential approach.

25. We took note of Mr Graham's agreement with the incumbent, Mr Thomas, that there could only be "one Information Commissioner at a time"[18] and that the transfer of the post was set for June 2009.

The candidate's approach

CONSTITUTION

26. As mentioned above, in paragraph 6, the Information Commissioner is a "corporation sole" which means that the powers and responsibilities of the role are vested in the office-holder as an individual. Clearly, however, the Information Commissioner is supported by an organisation, currently known as the 'Information Commissioner's Office' (ICO), and we perceive at least the potential for confusion in the status of statements coming from the organisation and those issued explicitly by the Commissioner. Mr Thomas, the current Information Commissioner, stressed the importance of effective teamwork but told us: "the Commissioner…is ultimately responsible for everything done in his or her name".[19]

27. We note the recommendation of the report of the Data Sharing Review—part-authored by Mr Thomas in a personal capacity—that the Information Commissioner's role should be undertaken by a multi-member "Information Commission" to:

  • strengthen the influence and authority of the ICO;
  • de-personalise relations between regulator and key stakeholders;
  • reduce risks of inappropriate pressure from such stakeholders and strengthen regulatory independence;
  • reduce the risk of a maverick appointment; and
  • draw in a diversity of backgrounds and skills.[20]

28. Mr Graham agreed with the Information Commissioner on the importance of teamwork and described the proposal for a multi-member commission as "a perfectly logical position to adopt".[21] He pointed, however, to the current freedom of information case relating to Cabinet minutes on the decision to invade Iraq in 2003 and the process by which the Commissioner was tasked, personally, with reading the controversial material as part of his decision-making process. He told us "it seemed to me that that is work only one man can do".[22] With regard to the issue of communicating decisions and expressing opinions from the "ICO", he drew a distinction between the Information Commissioner per se and the overall regulatory "machine", suggesting that "possibly it is a question of getting the branding right".[23] We are not persuaded by the case for changing from a commissioner to a commission. We welcome Mr Graham's recognition that it is important that the branding of communications from the ICO leaves no room for confusion about the personal responsibility of the Commissioner. We view the personal responsibility of the Information Commissioner for the regulation of data protection and freedom of information as the main value of the way in which the role is constituted.

29. In our previous form as the Constitutional Affairs Committee we recommended that the Information Commissioner should be directly responsible to, and funded by, Parliament.[24] The Government's position has been that, in its view, the status quo provided for independent decision-making by the Commissioner while permitting the proper scrutiny of public resources.[25]

30. Mr Thomas, the current Commissioner, told us that direct funding from Parliament was "in principle … the right approach" citing the position of the Scottish Commissioner who is funded by, and accountable to, the Scottish Parliament.[26] Mr Thomas emphasised the constructive relationship between his office and the Ministry of Justice (MoJ) but pointed to the potential for "perception issues" arising from the fact that his funding came from the MoJ's Information Directorate, which also housed the team of officials providing advice to all government departments on freedom of information cases and issues. He described this as "a slightly uncomfortable situation".[27] Mr Graham was cautious. While recognising that this Committee had made "the running" with this recommendation, he confined himself, at this early stage, to saying that the proposition seemed "logical" and that he "would not resist it".[28]

RESOURCES

31. In addition to the issue of responsibility for the Information Commissioner's resources, we have also been concerned about the level of available funding. Freedom of information and data protection are funded differently and there can be no cross-subsidy, or virement, between the two functions.

Data protection

32. The implementation of the Information Commissioner's data protection responsibilities is funded by notification fees paid by data controllers. At present, the fee is £35 whether the organisation is a small business or a huge Government department. We drew attention to the anomaly of a flat-rate fee for all sizes of organisation in January 2008 and recommended that a graduated scheme be introduced; this was echoed in the report of the Data Sharing Review in July 2008. The MoJ told us that work is still underway on the details of the scheme but said that the overall intention was to fund the estimated costs of the Information Commissioner's revised data protection responsibilities—£16 million per year (assuming passage of the Coroners and Justice Bill)—through the new fee structure.

33. We welcomed Mr Graham's recognition of the Information Commissioner's "considerable responsibility" for assessments of applications for authority to share personal data and the potential constraints of the 21-day period allowed on the face of the Coroners and Justice Bill for each such assessment to take place. We agree with his indication that departments contemplating such an application should be in "early dialogue" with the ICO.

Freedom of information (FOI)

34. Mr Thomas told us that "freedom of information is done on quite a shoestring" and drew a compelling comparison between his 53 caseworkers, who had responsibility for often unfamiliar territory across the whole public sector, and the 28 staff employed by the Ministry of Justice just to deal with incoming FOI requests for that department and its associated public bodies.[29] Mr Graham was also of the opinion that this side of the business was "pretty tightly resourced" and made clear that tackling the "backlog" of outstanding cases would be his priority.[30] He pointed to his track record at the ASA, in equivalent circumstances, and we concur with his view that "unless you can demonstrate that you are an efficient organisation handling the business promptly, people will not take you seriously on anything else." He described the efficiency and effectiveness of the ICO as its "licence to practice".[31]

35. Mr Thomas wrote that "the ICO currently receives £5.5 million as grant-in-aid for FoI. We do not yet know our grant for 2009-10. Despite a 15% increase in complaints received, we have been told that an increase cannot be contemplated and that a cut is possible. This would be very serious."[32] In light of this, we asked Mr Graham whether he had opened negotiations with the MoJ on the availability of adequate resources to the Information Commissioner's Office in advance of a final commitment to taking on the role. Mr Graham was again cautious. Not having learned "the ways of the civil service" he said he was reluctant to "make it up" on the hoof in front of a select committee. However, when pressed he said: "If I form the conclusion that I have not got the resources to do the job, then there would not be any point in proceeding, but I have not had the discussion".[33]

36. We recommend that the Ministry of Justice take the appropriate steps to ensure that there are sufficient resources available to the Information Commissioner to enable the backlog of freedom of information cases to be resolved within a reasonable timescale.

PRIORITIES

37. We were interested in Mr Graham's overall view of the priorities and challenges of the Information Commissioner's role. He identified the following:

Conclusion

38. We endorse Mr Christopher Graham's suitability for appointment as Information Commissioner and his preliminary view of the priorities of the role and its supporting organisation. We look forward to a continuing dialogue on progress both in protecting people's personal information effectively and sensitively, and in securing implementation of the letter, and the spirit, of the Freedom of Information Act. The Information Commissioner needs to be an independent and fearless champion of both data protection and freedom of information, backed by a well-led and well-managed organisation. We wish Mr Graham success in this role.


14   Liaison Committee, First Report of Session 2007-08, Pre-appointment hearings by select committees HC 384

15   Constitutional Affairs Committee, Seventh Report of Session 2005-06, Freedom of Information-one year on, HC 991 (Government reply, Cm 6937) and Fourth Report of Session 2006-07, Freedom of Information: Government's proposals for reform, HC 415 (Government reply, Cm 7187); and Justice Committee, First Report of Session 2007-08, Protection of Private Data, HC 154 (Government reply, HC 406 of Session 2007-08) and Second Report of Session 2008-09, Coroners and Justice Bill, HC 185

16   Qq 1-22 and Ev 8-15

17   Q23

18   Q31

19   Q 3

20   Op. cit., paragraph 8.74

21   Q 35

22   Q 35

23   Q 35

24   Justice Committee, Second Report of Session 2008-09, Coroners and Justice Bill, HC 185, para 27

25   Cm 6937, October 2006

26   Q 9 and see www.scottish.parliament.uk/s3/committees/rssb for details of a review of the support for the Scottish Information Commissioner by the Scottish Parliament.

27   Q 9

28   Q 30

29   Q 7 and Q 9

30   Q 27

31   Q 24

32   Ev 10

33   Q 34

34   Q 24


 

© Parliamentary copyright 2009
Prepared 9 February 2009