The work of the Information Commissioner: appointment of a new Commissioner - Justice Committee Contents


Memorandum submitted by the Information Commissioner

THE WORK OF THE INFORMATION COMMISSIONER

1.  INTRODUCTION

  I understand that the Justice Select Committee would like to me to share my views on developments and changes to the role of Information Commissioner during my tenure and to discuss key issues facing my successor.

  I have been the Information Commissioner since November 2002 and will be standing down at the end my second term of office on my 60th birthday in June 2009. The last six years have seen substantial change—both external and internal. Technological developments have been a major driver of an information revolution with benefits in terms of greater openness and risks in terms of excessive intrusion. Since 2002, few individuals are beyond the reach of Google and other search engines, the internet has made a reality of globalisation, the costs of computing and storing data have tumbled, intelligence-led policing has become the norm and government has embarked on an ambitious programme of IT-driven transformation of public services.

  In 2002, the Information Commissioner's Office (ICO) had a single email-enabled PC, an extremely basic website, paper files for all casework and an intranet was not even on the agenda. The governance and business planning arrangements were no longer adequate for an enlarged role and policies, procedures, structure and training all needed attention.

  Since 2002, a Management Board has been introduced with four highly-valued non-executive members to steer strategic direction. The size of the office has nearly doubled and is set to expand further. Regional offices have been established in Belfast, Cardiff, Edinburgh and London and the standing and profile of the ICO have changed beyond recognition. Our Annual Reports have documented progress—the latest can be found here[1].

  I hope that it can be said above all that the ICO has been effective, and has made a difference. The staff of the ICO are committed, well-motivated and hard-working. There is plenty of work in progress and plenty of unfinished business, but I am proud of what has been achieved. Three headlines are highlighted in this Evidence:

    —  A modernised and confident ICO punching above its weight.

    —  Freedom of Information established as part of the fabric of public life.

    —  Data Protection taken seriously at last.

2.  A MODERNISED AND CONFIDENT ICO

  The role of Information Commissioner—an individual who is a "corporation sole"—is unusual. Effectively acting as both Chairman and Chief Executive, I have sought to provide leadership to the ICO, treating our independence, integrity and reputation as fundamental. We take seriously, and value, our accountability to Parliament. We enjoy a constructive, but arm's-length, relationship with the Ministry of Justice. The ICO must be, and must be seen to be, independent of government and the wider public sector and of data controllers. This has not been threatened, even where our activities have caused discomfort. The challenge is formidable but we believe that we have earned respect as an authoritative, but accessible, regulator of over 115,000 public bodies and 315,000 data controllers. The diversity of subject-matter affected by information rights is astonishing—covering virtually all governmental and commercial activity and ranging from nuclear power safety to credit reference agencies, from abortion statistics to the role of ministerial special advisers.

2.1  A Strategic Regulator

  Successive Corporate Plans have set out our approach. The latest, covering the three years 2008-11 can be found here[2]. These Plans have spelt out our direction in fulfilling our fundamental mission of "Promoting public access to official information and protecting your personal information". We have taken a strategic approach—"selective to be effective"—to be quite clear what we are seeking to achieve, and how and when. This has involved significant re-structuring projects, with policy and procedural changes to differentiate and sharpen focus on the three main types of statutory function which span both data protection and freedom of information:

    —  Educating and influencing, especially to promote good practice.

    —  Ruling on complaints and resolving problems.

    —  Taking appropriate enforcement action when the law is broken.

  For each of these areas of the Corporate Plan, we have identified our priorities to establish a "golden thread" of business plans and personal objectives. We are clear about the importance of setting measurable targets wherever possible to secure short and medium term results and build the long term vision. We have developed powerful Communications and Human Resource Strategies. Our stance has been to be influential, responsible, robust and practical. We have set long-term goals in terms of changed cultures where "open government" is widely seen as normal and natural and where organisations use personal information properly and securely, routinely recognising and addressing privacy concerns and avoiding the dangers of excessive surveillance.

2.2  Internal change

  The ICO has undergone a thorough and rigorous internal improvement programme to help us meet our challenges. A sharper ICO culture has developed, with well-defined mission, values, competencies and behaviours. With a new corporate governance structure, we have clearer decision making and recording processes.

  A complete overhaul of the human resource function has yielded many benefits. There has been extensive leadership and senior management training. The staff headcount has increased from 170 in 2002 to 302 in January 2009—a full time equivalent of 283. We have invested heavily in new training initiatives. With new programmes, the average number of sick days has reduced from 12.75 in 2005 to 7.2 in 2008—well below central government and public service averages. A Diversity and Equality Strategy has been implemented. Internal communications have improved and a staff engagement programme devised.

  We have re-procured our IT service provision and an extensive modernisation programme is underway in line with our IT strategy. We produce and use substantially more management information. We have overhauled our Operations activity thoroughly to meet rising workloads and now place high emphasis on taking a much more customer-focused approach.

2.3  Communicating

  Some specific results for freedom of information and data protection are set out below. Across the ICO as whole, our profile, status and influence have all increased substantially. We have given written and oral evidence to Select Committees of both Houses frequently. We are now regularly mentioned in debates and in PQs. We are now routinely invited to meet ministers, permanent secretaries, chief executives and other senior personnel. We have a heavy speaking programme, encouraging staff at many levels to deliver our messages, and we organise several events of our own each year.

  In 2002, the ICO did not have a press office. Now our work features in the national media on a daily basis—often front-page. There have been several favourable editorials and TV programmes inspired by our work. In 2007-08, we generated 52% more media cuttings than in the previous year, and more than doubled our audience reach. In the second quarter of this year, media coverage was the most positive since reports began: 97.5% of items were positive towards the ICO (compared with just 75% in the same quarter two years ago). We distribute around 240,000 publications a year, we have 6,000 subscribers to our e-Newsletter and our re-vamped website now receives around 1.6 million visits a year. In our 2008 survey of stakeholder perceptions, 71% of respondents found the ICO's performance to be excellent or very good in terms of advice, dealings with us and overall relationship.

3.  FREEDOM OF INFORMATION ESTABLISHED AS PART OF THE FABRIC OF PUBLIC LIFE

  Freedom of Information came fully into force in January 2005. There had been polarised predictions. Some had forecast that, despite a presumption of disclosure, a law with numerous exemptions was bound to be a complete damp squib. Others were confident that the government would shred all significant records. Others claimed in effect that secrecy was so important that good government would be imperilled. In fact, all such predictions were wrong. The truth has turned out somewhere in between.

  Four years on, the national media reports disclosures made under the Freedom of Information Act (or the companion Environmental Information Regulations) almost every day. Much more is disclosed at local level. Details of EU farm subsidies, heart surgery survival rates and schools performance are now routinely available. The surprise is no longer the nature and extent of disclosure. What is astonishing is how much was previously treated as secret. Freedom of Information is thus fast becoming part of the fabric of public life. It has been difficult; there has been a steep learning curve for all concerned; it has been a very challenging and difficult law. There has been a great deal of testing of boundaries on all sides. But my assessment is that—with some pockets of recalcitrance or reluctance—public authorities have responded well. It has not always been comfortable for the government, but it has taken the law seriously. I pay tribute to the way that the British public administration has responded to this challenge.

3.1  Requests and complaints

  There has certainly been a strong public appetite with high volumes. No-one knows exactly how many requests have been made, but extrapolations from MoJ statistics indicate some 400,000 requests have been made in the first four years. MoJ figures state that about 80% of requests to central government are granted in full or in part. The vast majority of requests are not about high politics in Westminster and Whitehall. Most people want information about things which relate to their daily lives—their homes, their schools, their hospitals, their local environment.

  My office has received some 10,250 complaints as at 1st December 2008. That is quite a small number compared to the total number of requests. We have so far closed 8,920 cases. Of these just under 1,100 have resulted in a formal Decision Notice. Of the remaining cases, well over half have been closed informally following a careful consideration of the issues which often involves extensive investigation. Many of these have involved a negotiated outcome, acceptable both to the requester and to the public body concerned. The final third of cases have been ineligible, incomplete or have been so obvious that we have been able to deal with them easily and quickly.

  There appears to a wide respect for our formal decisions where we conclude whether or not to order disclosure. Many of these are controversial, require complex analysis and/or call for careful judgement. There is a wide range of subject matter. In one day recently, I personally signed four diverse Decision Notices—covering reform of the House of Lords, British support for an oil pipeline in Uzbekistan, the South West Trains rail franchise and access to Employment Tribunal records. A few other cases further illustrate the range:

    —  local authority pension investments in hedge funds;

    —  the contract between Ryanair and Derry airport;

    —  housing and travelling expenses of Members of Parliament;

    —  a Gateway review of identity cards;

    —  details of the 1911 census;

    —  alleged crimes by foreign diplomats;

    —  reports on the impact of crop spraying;

    —  the draft dossier on Iraq's alleged weapons of mass destruction; and

    —  salaries of top BBC presenters.

  All our Decision Notices are on a searchable database on the ICO's website. In about 30% of cases we upheld the requester's complaint in full. In about 25% we rejected the complaint. And in about 45%, we partly upheld the request—usually ruling that the complainant is entitled to some information, but not all. Either side can appeal against our Decision Notice, without cost, to the Information Tribunal. I regard it as a welcome performance indicator that fewer than 30% of "losers" actually appeal, meaning that over 70% accept our ruling. Of those that do appeal, the Tribunal is now broadly upholding the line we have taken in more than 80% of the cases. There is a growing and important jurisprudence from the Tribunal and a few cases are now going to the higher courts. So far, they are interpreting the Act in a way which is largely consistent with our approach over the first four years.

  After four years, it is possible to highlight the exemptions which are the most challenging for public authorities and for the ICO. These include:

    —  Section 35 ("Formulation of government policy etc")—where most cases turn on the weighing the competing public interest considerations. The imminent Tribunal decision on the appeal relating to the Cabinet discussions on Iraq will shed further light on the approach to be taken here.

    —  Section 36 ("Prejudice to effective conduct of public affairs")—where cases need the "reasonable opinion" of the "qualified person" as well as the application of the public interest test.

    —  Section 40 ("Personal information")—where the complex dovetailing of FOIA with the data protection legislation calls for many difficult judgements in practice.

3.2  Delay and funding

  It is widely accepted that delays have been the most serious problem with Freedom of Information—within public authorities, within the ICO and at the Tribunal stage. We are now closing over 50% of straightforward cases within 30 days, but most of the remaining cases now have to wait six months before we can start on them. We are however meeting the current target that 70% of all cases closed should be less than one year old. We are now able, each year, to close slightly more cases than we receive. We have new triage arrangements to speed up early closures and fast-track a few cases of particular significance. But the delays for most cases which require full investigation remain frustrating and disappointing.

  Problems of delay are largely attributable to lack of resources. Frontier Economics, engaged by the Ministry of Justice, calculated in 2006-07 that the total cost of FoI, across the whole of the public sector, was about £35 million p.a. Of the total, the ICO currently receives £5.5 million as grant-in-aid for FoI. We do not yet know our grant for 2009-10. Despite a 15% increase in complaints received, we have been told that an increase cannot be contemplated and that a cut is possible. This would be very serious. For the current year, the MoJ has helped us recruit seven secondees from central government departments. Secondees are welcome, but are not cost-free and it would be perverse to have to train new secondees in place of experienced staff. In fact we have an establishment of only 52 staff devoted to some 2,500 FOI cases a year involving the entirety of the public sector.

3.3  Good practice and enforcement

  We have been able to publish a great deal of guidance to public bodies which has to be constantly updated in the light of ICO, tribunal and court decisions. Our new training DVD "Tick Tock" is about to be distributed. We have served six Practice Recommendations, covering both poor request-handling and poor records management. In January 2009, the upgraded programme of Publications Schemes went live. Under section 19 of the Act, each public authority must adopt a Scheme for proactive disclosure of information (i.e. without requests), but we have used the model scheme provisions to achieve this with minimum burden and maximum public benefit. A programme of spot checks will start in April.

3.4  Conclusions and challenges for Freedom of Information

  Freedom of Information necessarily involves controversial issues. There will be many competing public interests. It is a law which challenges unnecessary official secrecy and embraces social and democratic values. It calls for culture change. Cultures do not change overnight, but laws can accelerate culture change. We repeatedly stress to public bodies the benefits of being more open and the disadvantages of secrecy. Public bodies often claim to be open: this is tested once the law comes into force. When governments hide behind unnecessary secrecy the media, and the general public, assume: "They must have something to hide". That can be very unhealthy.

  It is not easy (and anyway too soon) to measure achievements by reference to rationales of trust, confidence, accountability, improved decision-making, reduced impropriety etc. But it can be said that the impact on the general public appears to have been substantial. In ICO's annual research survey over the last four years we have asked the same question about the benefits of being able to access information held by public authorities. The longitudinal results show very marked increases from 2004 to 2008, clearly attributable to the impact of Freedom of Information law, with a very significant shift in public attitudes over a very short period of time. For example, the percentage of those agreeing that freedom of information "Increases knowledge of what public authorities do" has risen from 54% in 2004 to 84% in 2008, and those agreeing that it "Increases confidence in public authorities" has gone from 51% to 75%. These figures are matched by attitudes within public authorities themselves—91% now say the Act is needed and 81% say it improves trust.

  My overall conclusion is positive. But there are challenges ahead. The most important is to secure adequate and longer-term funding so that the ICO can recruit, train and retain experienced staff and reduce delays in resolving cases. At the same time, more (and faster) cases confirming where the boundary lines are to be drawn should reduce the burden on public authorities and allay any remaining worries about the "chilling effect" of FOI on good government. Looking further ahead, I foresee a gradual shift of emphasis away from individualised requests and complaints in the direction of much more routine proactive disclosure with only the genuine "Crown Jewels" staying secret.

  In October 2007 the Prime Minister devoted a significant part of his speech on Liberty to the benefits of Freedom of Information. This sent important signals, not least the abandonment of changes to the Fees Regulations which the Justice Committee and others had opposed. He observed that:

    "Although FOI can be inconvenient, at times frustrating and indeed embarrassing for governments, freedom of information is the right course, because government belongs to the people, not the politicians. Wherever possible, that should be the guiding principle behind the implementation of our Freedom of Information Act".

  Open government and the right to know have been established. It is increasingly being recognised within public bodies that open government is good government.

4.  DATA PROTECTION TAKEN SERIOUSLY AT LAST

4.1  Attitudes and profile

  In 2002 Data Protection was suffering a poor reputation. The original Act had been passed in 1984. The Data Protection Act of 1998—implementing the 1995 EU Directive—had largely come into force. It did not introduce fundamental changes, but added a further layer of complexity in a climate of considerable Euro-scepticism. The original Act had been introduced by a Conservative administration and the 1998 Act by the new Labour government. But both measures suffered begrudging governmental support and had been justified as much in terms of free trade flows and international obligations, as in protecting the interests of citizens or consumers or of society at large.

  Although much had been done to tick the boxes to ensure technical compliance, data protection was generally given low commercial priority. Worse, there was considerable media scepticism or even hostility as well as public ignorance, indifference or irritation. Data protection was widely seen as remote, unnecessarily complicated and uncertain. The law, the more detailed rules and the available guidance were seen as overly legalistic—almost theological. Data protection was marginalised—as was the Information Commissioner's Office (ICO) which was not helped by having to promote its third brand name in less than 20 years.

  Worse still, Data Protection was wrongly blamed for stopping people doing things and used to justify mistakes or unacceptable activities. The prime example came shortly after I took office when the Chief Constable of Humberside very publicly blamed data protection for the failure to apprehend Ian Huntley, the Soham murderer, any sooner. There was less media attention when he subsequently retracted that claim and data protection was exonerated in the official enquiry conducted by Sir Michael Bichard.

  By 2009 the situation has become very different. Data protection has risen sharply up the political, media and public agendas. For the last couple of years, it has been setting the news agenda on a regular basis. Concerns about abuse or loss of personal data, excessive surveillance, privacy intrusions and identity theft now feature regularly in political debate. The ICO's annual tracking survey also shows that:

    —  Public awareness of data protection access rights has grown from 74% in 2004 to 86% in 2008.

    —  People are very concerned about their personal information. Our survey says that 94% of people list "Protecting personal information" as their top concern (equal with concerns about crime) when ranking a list of 10 issues of social concern.

    —  95% of organisations say that the Data Protection Act "is needed" (up from 89% in 2006) and 87% say it improves customers' trust (up from 78% in 2004).

  The reasons for this changed situation go wider and deeper than the 277 data security breaches which (as we announced at the end of October) had been reported to us since the HMRC incident. There have in fact been many drivers for change. I have already mentioned some examples of the technological revolution which really gathered pace at the start of the 21st century. The power and benefits of database technology, coupled with instantaneous and comprehensive global communications, have been widely appreciated by businesses, by government and by individuals. Dramatic reductions in the cost of collecting, processing and storing data have fuelled the growth in their use. It is often said that it is now cheaper to store data than delete it. Public service reforms—"Transforming Public Services" and many other programmes—have harnessed the power of technology, but not always in well thought-through ways. Politicians have been quick to recognise and advocate the benefits of hi-tech projects—ranging from ID cards to electronic health records—without always fully addressing the risks and downsides. The law enforcement community—which understandably always welcomes more information and more intelligence—has embraced IT proposals with enthusiasm. Parliament has not always scrutinised new initiatives requiring legislative approval as fully as it might have done. In short, it is only relatively recently that the risks of massive data collection and use have started to be widely appreciated.

  There is now much greater recognition that there are inevitable tensions between legitimate "liberty" and "security" objectives, just as there are between improved and more efficient services and the privacy and integrity of personal information. Inevitably data protection involves difficult balances between competing considerations, usually resolved in terms of necessity, proportionality, transparency and data minimisation.

4.2  Role of the ICO

  The ICO can claim some credit for getting data protection to be taken more seriously. We have made many changes to the ways in which we discharge our statutory responsibilities. Our Corporate Plans and Annual Reports have documented structural and other changes which have allowed us to separate out our responsibilities and set priorities and targets. This has meant increased focus on educational, influencing and enforcement activity in preference to reviewing complaints from individuals where our powers are weak and our impact limited.

  Our overall approach is captured in our Data Protection Strategy. In line with Better Regulation principles, the Strategy is risk-based. It sets out how we approach our task of minimising data protection risk. It makes clear that we will place most attention on situations where there is a real likelihood of serious harm arising from improper use of personal information and also where our intervention is most likely to make a difference.

  The Strategy emphasises the need to build on enlightened self-interest and states one of our key priorities as:

    "Strengthening public confidence in data protection by taking a practical, down to earth approach—simplifying and making it easier for the majority of organisations who seek to handle personal information well, and tougher for the minority who do not."

  This explicit "carrots and sticks" approach to minimising risk means being clear about harm. For individuals tangible and reputational harm can arise because personal information about them is:

    —  inaccurate, insufficient or out of date;

    —  excessive or irrelevant;

    —  kept for too long;

    —  disclosed to those who ought not to have it;

    —  used in unacceptable or unexpected ways beyond their control; or

    —  not kept securely.

  But there are also societal harms, such as:

    —  excessive intrusion into private life which is widely seen as unacceptable;

    —  loss of personal autonomy or dignity;

    —  arbitrary decision-making about individuals, or their stigmatisation;

    —  or exclusion;

    —  the growth of excessive organisational power; or

    —  a climate of fear, suspicion or lack of trust.

  The full Strategy sets out how we determine priorities within this framework, how we decide whether and how to intervene, how we work with other organisations and how we fulfil our international functions in an age where information flows show no respect for international borders. It concludes with current priorities under six main headings:

    —  The unlawful trade in confidential personal information.

    —  The emergence of a surveillance society.

    —  Security of personal information.

    Increased information sharing.

    —  Law enforcement activity.

    —  Effective data protection supervision.

4.3  Achievements

  A summary of highlighted ICO activity in fulfilment of this Strategy illustrates the range of our work:
Guidance programme Transformed our approach with a comprehensive suite of Good Practice Notes and other Plain English guidance.
Codes of Practice on Employment Practices, CCTV and Information Sharing Comprehensive, targeted Codes setting out clear "Do's and Don'ts".
ICO enforcement activityFormal regulation though better- targeted and often high-profiles Prosecutions, Enforcement Notices and Undertakings.
Inspection and auditAn expanded audit unit about to conclude the first government spot check. More audits this year than ever before.
Penalties for Section 55 offences (unlawfully obtaining personal information) Published What Price Privacy? which led to statutory custodial penalties in 2008 Act.
Data retention by police forcesEnforcement action to prevent excessive retention of minor convictions upheld by Tribunal. Now going to Court of Appeal.
Surveillance SocietyLaunched report, conference and debate about excessive surveillance which (amongst other things) has led to two simultaneous Select Committee enquiries.
Privacy Impact Assessment and Privacy by Design. Two major initiatives to reduce surveillance risks and build in safeguards for personal information from the outset.
ID cards and National Identity Register Questioned rationale; warned of function creep; secured statutory objectives; now engaging with IPS to minimise DP risks.
Connecting for Health (electronic health records) Extensive discussions on general and specific issues.
ContactPoint (children's database)Questioned need for comprehensive database; now discussing with DCSF how to minimise security and other risks.
Social networkingLaunched micro web-site and issued well-publicised guidance
Communications DatabaseRaised initial concerns about implications of database of telecoms traffic data. There will now be full consultation and debate before any legislation reaches Parliament.
EU Article 29 Working PartySubstantial involvement eg with Opinions on personal data and search engines
International transfers and Binding Corporate Rules Leading role in making it easier to export data in compliant ways.
London InitiativeLed international programme to improve effectiveness of Commissioners


  Our data protection achievements also go well beyond educating, influencing and regulating. The ICO now handles over 200,000 phone calls and 25,000 complaints each year with clear service standards. We resolve almost all of these informally, often in ways which change business practices. The processing of 315,000 notifications from data controllers, provides both transparency and the funding for our data protection work.

  At the personal level, I was honoured to receive the "International Privacy Leader of the Year" Award from the International Association of Privacy Professionals in Washington in March 2008. More recently, I was voted 3rd (out of 50) in Silicon.com's Poll of "IT Agenda Setters". I was pleased to be invited by the Prime Minister and the Justice Secretary to co-chair the Data Sharing Review with Sir Mark Walport and our Report was published in July.

4.3  New Legislation

  The Data Sharing Review led directly to the proposals which are expected very shortly in the Justice and Coroners Bill. I understand that the Justice Committee will be scrutinising the Bill more closely on a separate occasion. Very briefly, however, the new powers will increase the ICO's inspection and information-gathering powers, especially in relation to public sector bodies. These will sit alongside the new regime of civil penalties for serious breaches of data protection requirements which are yet to be brought to into force. We are also delighted that the government has now announced the intention to increase our data protection resources substantially by adopting a tiered approach to notification fees, so that larger data controllers will pay more than the standard £35 each year.

  Mention should finally be made of the Review of the EU Directive which ICO launched in July. RAND Europe has been commissioned to report on the strengths and weaknesses of the Directive and to identify promising avenues for reform. Their report is due in April. I hope that this will pave the way for a more effective, but less burdensome, framework for data protection in the future.

4.4  Conclusions and challenges for data protection

  Data protection is no longer a topic for experts. It affects every one of us as individuals and virtually every organisation. Getting the right balance for privacy, and safeguarding the integrity of personal information, bring to life the language of human rights. Regulation must always be a mix of principle, common-sense and pragmatism. But the issues will get even more demanding as information technology becomes ever more ubiquitous and central to our lives.

  I am confident that data protection is now taken a great deal more seriously. But plenty of challenges remain. These include:

  Governance and Accountability—No organisation can afford to leave data protection as the responsibility of a single silo—whether its legal department, its IT team or its compliance department. There must be leadership at Board, Chief Executive and Permanent Secretary level to ensure that the right policies and procedures, the right technology and the right awareness and training arrangements are in place across the entire organisation. The ICO will be launching the Personal Information Promise on European Data Protection Day on 28 January. But much remains to be done to ensure—as we put it in the Thomas/Walport Data Sharing Review—that people at the top take the subject as seriously as is now the case for health and safety.

  Information as a Toxic Liability—It has become fashionable to talk of information as an asset. But it is also a liability. There has been much recent attention on the importance of ensuring the physical security of personal information. Few can now be unaware of the financial, reputational and social risks of getting it wrong. But good practice extends well beyond adequate security. The same sort of problems can occur if other aspects are neglected. Data minimisation and data cleansing are vital to make sure that information is accurate, relevant, not excessive and not retained for too long. False matches must be avoided. People should not be stigmatised, or discriminated against, as a result of poor data handing. Data protection must be seen as an integral part of risk management arrangements.

  New Powers, Sanctions and Resources for the ICO—I am delighted that my successor can look forward to imminent strengthening of the ICO's role. The evidence to the Data Sharing Review expressed the consistent and strongly held view that ICO's powers and resources are not adequate. The power to impose civil penalties for serious breaches has been introduced by the Criminal Justice and Immigration Act 2008, though not yet brought into force. This will provide powerful incentives and deterrents. The imminent new legislation to strengthen inspection powers is equally welcome, though close scrutiny of the small print will be needed and we would have preferred the powers to cover all data controllers, not just those in the public sector. The proposed increase in notification fees—which we hope will take effect no later than October 2009—will generate much needed extra funding for ICO's new and existing data protection work.

  ICO has sound plans for getting to grips with its new responsibilities, but their adjustment in the light of final proposals, and their implementation, will need high priority. The expansion of the office—new staff, additional accommodation and increased expectations—is welcome, but will require careful handling.

  Thinning the fog—Although ICO has done much to give guidance to organisations and individuals, a major educational agenda remains. In the Thomas/Walport Report, we described a continuing "fog of uncertainty" about data protection. Electronic communications provide new opportunities to get messages across—but they must be the right messages, targeted on the right people at the right time.

  Earlier involvement—The ICO has often learned about governmental initiatives involving personal information very late in the day. We can then be called upon to respond authoritatively, but at short notice. There has been some improvement recently, and our initiatives with Privacy Impact Assessments and the Privacy by Design to get departments to identify and address the issues at the outset are already bearing fruit. More needs to be done, however, at earlier stages. And we endorse the words of the European Court of Human Rights in the recent Marper DNA case:

    "|..any State claiming a pioneer role in the development of new technologies bears special responsibility for striking the right balance [as to what are the permissible limits in interference with private life]."

  The Global Agenda—Ways need to be found to secure a global approach to the regulation of personal information. Valuable work has been done by a mix of international and domestic organisations in public and private spheres. But substantial gulfs remain—particularly with the USA. The work which ICO has commissioned from RAND Europe will bring new thinking to the EU debate. The UK government needs to participate actively and constructively in these debates and assume a leadership role in ensuring that the European Commission brings forward acceptable proposals as soon as possible after 2010.

5.  ENDNOTE

  The ICO has come a long way in the last six years. We can claim good progress with our aim to be recognised as a world leader on both freedom of information and data protection. I have been immensely privileged to serve as Commissioner and to lead a great team. The ICO cannot stand still. The world is continually changing. I am confident that the ICO is well-placed to rise to the challenges it will continue to face. It will welcome fresh leadership and fresh thinking. But it will be business as usual for the next five months.

Richard Thomas

Information Commissioner

January 2009







1   http://www.ico.gov.uk/upload/documents/library/corporate/detailed_specialist_guides/annual_report_2007_08.pdf Back

2   http://www.ico.gov.uk/upload/documents/corporate_plan_html/corpplan/index.html Back


 
previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2009
Prepared 9 February 2009