Memorandum submitted by the Information
THE WORK OF THE INFORMATION COMMISSIONER
I understand that the Justice Select Committee
would like to me to share my views on developments and changes
to the role of Information Commissioner during my tenure and to
discuss key issues facing my successor.
I have been the Information Commissioner since
November 2002 and will be standing down at the end my second term
of office on my 60th birthday in June 2009. The last six years
have seen substantial changeboth external and internal.
Technological developments have been a major driver of an information
revolution with benefits in terms of greater openness and risks
in terms of excessive intrusion. Since 2002, few individuals are
beyond the reach of Google and other search engines, the internet
has made a reality of globalisation, the costs of computing and
storing data have tumbled, intelligence-led policing has become
the norm and government has embarked on an ambitious programme
of IT-driven transformation of public services.
In 2002, the Information Commissioner's Office
(ICO) had a single email-enabled PC, an extremely basic website,
paper files for all casework and an intranet was not even on the
agenda. The governance and business planning arrangements were
no longer adequate for an enlarged role and policies, procedures,
structure and training all needed attention.
Since 2002, a Management Board has been introduced
with four highly-valued non-executive members to steer strategic
direction. The size of the office has nearly doubled and is set
to expand further. Regional offices have been established in Belfast,
Cardiff, Edinburgh and London and the standing and profile of
the ICO have changed beyond recognition. Our Annual Reports have
documented progressthe latest can be found here.
I hope that it can be said above all that the
ICO has been effective, and has made a difference. The staff of
the ICO are committed, well-motivated and hard-working. There
is plenty of work in progress and plenty of unfinished business,
but I am proud of what has been achieved. Three headlines are
highlighted in this Evidence:
A modernised and confident ICO punching
above its weight.
Freedom of Information established
as part of the fabric of public life.
Data Protection taken seriously at
2. A MODERNISED
The role of Information Commissioneran
individual who is a "corporation sole"is unusual.
Effectively acting as both Chairman and Chief Executive, I have
sought to provide leadership to the ICO, treating our independence,
integrity and reputation as fundamental. We take seriously, and
value, our accountability to Parliament. We enjoy a constructive,
but arm's-length, relationship with the Ministry of Justice. The
ICO must be, and must be seen to be, independent of government
and the wider public sector and of data controllers. This has
not been threatened, even where our activities have caused discomfort.
The challenge is formidable but we believe that we have earned
respect as an authoritative, but accessible, regulator of over
115,000 public bodies and 315,000 data controllers. The diversity
of subject-matter affected by information rights is astonishingcovering
virtually all governmental and commercial activity and ranging
from nuclear power safety to credit reference agencies, from abortion
statistics to the role of ministerial special advisers.
2.1 A Strategic Regulator
Successive Corporate Plans have set out our
approach. The latest, covering the three years 2008-11 can be
These Plans have spelt out our direction in fulfilling our fundamental
mission of "Promoting public access to official information
and protecting your personal information". We have taken
a strategic approach"selective to be effective"to
be quite clear what we are seeking to achieve, and how and when.
This has involved significant re-structuring projects, with policy
and procedural changes to differentiate and sharpen focus on the
three main types of statutory function which span both data protection
and freedom of information:
Educating and influencing, especially
to promote good practice.
Ruling on complaints and resolving
Taking appropriate enforcement action
when the law is broken.
For each of these areas of the Corporate Plan,
we have identified our priorities to establish a "golden
thread" of business plans and personal objectives. We are
clear about the importance of setting measurable targets wherever
possible to secure short and medium term results and build the
long term vision. We have developed powerful Communications and
Human Resource Strategies. Our stance has been to be influential,
responsible, robust and practical. We have set long-term goals
in terms of changed cultures where "open government"
is widely seen as normal and natural and where organisations use
personal information properly and securely, routinely recognising
and addressing privacy concerns and avoiding the dangers of excessive
2.2 Internal change
The ICO has undergone a thorough and rigorous
internal improvement programme to help us meet our challenges.
A sharper ICO culture has developed, with well-defined mission,
values, competencies and behaviours. With a new corporate governance
structure, we have clearer decision making and recording processes.
A complete overhaul of the human resource function
has yielded many benefits. There has been extensive leadership
and senior management training. The staff headcount has increased
from 170 in 2002 to 302 in January 2009a full time equivalent
of 283. We have invested heavily in new training initiatives.
With new programmes, the average number of sick days has reduced
from 12.75 in 2005 to 7.2 in 2008well below central government
and public service averages. A Diversity and Equality Strategy
has been implemented. Internal communications have improved and
a staff engagement programme devised.
We have re-procured our IT service provision
and an extensive modernisation programme is underway in line with
our IT strategy. We produce and use substantially more management
information. We have overhauled our Operations activity thoroughly
to meet rising workloads and now place high emphasis on taking
a much more customer-focused approach.
Some specific results for freedom of information
and data protection are set out below. Across the ICO as whole,
our profile, status and influence have all increased substantially.
We have given written and oral evidence to Select Committees of
both Houses frequently. We are now regularly mentioned in debates
and in PQs. We are now routinely invited to meet ministers, permanent
secretaries, chief executives and other senior personnel. We have
a heavy speaking programme, encouraging staff at many levels to
deliver our messages, and we organise several events of our own
In 2002, the ICO did not have a press office.
Now our work features in the national media on a daily basisoften
front-page. There have been several favourable editorials and
TV programmes inspired by our work. In 2007-08, we generated 52%
more media cuttings than in the previous year, and more than doubled
our audience reach. In the second quarter of this year, media
coverage was the most positive since reports began: 97.5% of items
were positive towards the ICO (compared with just 75% in the same
quarter two years ago). We distribute around 240,000 publications
a year, we have 6,000 subscribers to our e-Newsletter and our
re-vamped website now receives around 1.6 million visits a year.
In our 2008 survey of stakeholder perceptions, 71% of respondents
found the ICO's performance to be excellent or very good in terms
of advice, dealings with us and overall relationship.
3. FREEDOM OF
Freedom of Information came fully into force
in January 2005. There had been polarised predictions. Some had
forecast that, despite a presumption of disclosure, a law with
numerous exemptions was bound to be a complete damp squib. Others
were confident that the government would shred all significant
records. Others claimed in effect that secrecy was so important
that good government would be imperilled. In fact, all such predictions
were wrong. The truth has turned out somewhere in between.
Four years on, the national media reports disclosures
made under the Freedom of Information Act (or the companion Environmental
Information Regulations) almost every day. Much more is disclosed
at local level. Details of EU farm subsidies, heart surgery survival
rates and schools performance are now routinely available. The
surprise is no longer the nature and extent of disclosure. What
is astonishing is how much was previously treated as secret. Freedom
of Information is thus fast becoming part of the fabric of public
life. It has been difficult; there has been a steep learning curve
for all concerned; it has been a very challenging and difficult
law. There has been a great deal of testing of boundaries on all
sides. But my assessment is thatwith some pockets of recalcitrance
or reluctancepublic authorities have responded well. It
has not always been comfortable for the government, but it has
taken the law seriously. I pay tribute to the way that the British
public administration has responded to this challenge.
3.1 Requests and complaints
There has certainly been a strong public appetite
with high volumes. No-one knows exactly how many requests have
been made, but extrapolations from MoJ statistics indicate some
400,000 requests have been made in the first four years. MoJ figures
state that about 80% of requests to central government are granted
in full or in part. The vast majority of requests are not about
high politics in Westminster and Whitehall. Most people want information
about things which relate to their daily livestheir homes,
their schools, their hospitals, their local environment.
My office has received some 10,250 complaints
as at 1st December 2008. That is quite a small number compared
to the total number of requests. We have so far closed 8,920 cases.
Of these just under 1,100 have resulted in a formal Decision Notice.
Of the remaining cases, well over half have been closed informally
following a careful consideration of the issues which often involves
extensive investigation. Many of these have involved a negotiated
outcome, acceptable both to the requester and to the public body
concerned. The final third of cases have been ineligible, incomplete
or have been so obvious that we have been able to deal with them
easily and quickly.
There appears to a wide respect for our formal
decisions where we conclude whether or not to order disclosure.
Many of these are controversial, require complex analysis and/or
call for careful judgement. There is a wide range of subject matter.
In one day recently, I personally signed four diverse Decision
Noticescovering reform of the House of Lords, British support
for an oil pipeline in Uzbekistan, the South West Trains rail
franchise and access to Employment Tribunal records. A few other
cases further illustrate the range:
local authority pension investments
in hedge funds;
the contract between Ryanair and
housing and travelling expenses of
Members of Parliament;
a Gateway review of identity cards;
details of the 1911 census;
alleged crimes by foreign diplomats;
reports on the impact of crop spraying;
the draft dossier on Iraq's alleged
weapons of mass destruction; and
salaries of top BBC presenters.
All our Decision Notices are on a searchable
database on the ICO's website. In about 30% of cases we upheld
the requester's complaint in full. In about 25% we rejected the
complaint. And in about 45%, we partly upheld the requestusually
ruling that the complainant is entitled to some information, but
not all. Either side can appeal against our Decision Notice, without
cost, to the Information Tribunal. I regard it as a welcome performance
indicator that fewer than 30% of "losers" actually appeal,
meaning that over 70% accept our ruling. Of those that do appeal,
the Tribunal is now broadly upholding the line we have taken in
more than 80% of the cases. There is a growing and important jurisprudence
from the Tribunal and a few cases are now going to the higher
courts. So far, they are interpreting the Act in a way which is
largely consistent with our approach over the first four years.
After four years, it is possible to highlight
the exemptions which are the most challenging for public authorities
and for the ICO. These include:
Section 35 ("Formulation of
government policy etc")where most cases turn on the
weighing the competing public interest considerations. The imminent
Tribunal decision on the appeal relating to the Cabinet discussions
on Iraq will shed further light on the approach to be taken here.
Section 36 ("Prejudice to effective
conduct of public affairs")where cases need the "reasonable
opinion" of the "qualified person" as well as the
application of the public interest test.
Section 40 ("Personal information")where
the complex dovetailing of FOIA with the data protection legislation
calls for many difficult judgements in practice.
3.2 Delay and funding
It is widely accepted that delays have been
the most serious problem with Freedom of Informationwithin
public authorities, within the ICO and at the Tribunal stage.
We are now closing over 50% of straightforward cases within 30
days, but most of the remaining cases now have to wait six months
before we can start on them. We are however meeting the current
target that 70% of all cases closed should be less than one year
old. We are now able, each year, to close slightly more cases
than we receive. We have new triage arrangements to speed up early
closures and fast-track a few cases of particular significance.
But the delays for most cases which require full investigation
remain frustrating and disappointing.
Problems of delay are largely attributable to
lack of resources. Frontier Economics, engaged by the Ministry
of Justice, calculated in 2006-07 that the total cost of FoI,
across the whole of the public sector, was about £35 million
p.a. Of the total, the ICO currently receives £5.5 million
as grant-in-aid for FoI. We do not yet know our grant for 2009-10.
Despite a 15% increase in complaints received, we have been told
that an increase cannot be contemplated and that a cut is possible.
This would be very serious. For the current year, the MoJ has
helped us recruit seven secondees from central government departments.
Secondees are welcome, but are not cost-free and it would be perverse
to have to train new secondees in place of experienced staff.
In fact we have an establishment of only 52 staff devoted to some
2,500 FOI cases a year involving the entirety of the public sector.
3.3 Good practice and enforcement
We have been able to publish a great deal of
guidance to public bodies which has to be constantly updated in
the light of ICO, tribunal and court decisions. Our new training
DVD "Tick Tock" is about to be distributed. We
have served six Practice Recommendations, covering both poor request-handling
and poor records management. In January 2009, the upgraded programme
of Publications Schemes went live. Under section 19 of the Act,
each public authority must adopt a Scheme for proactive disclosure
of information (i.e. without requests), but we have used the model
scheme provisions to achieve this with minimum burden and maximum
public benefit. A programme of spot checks will start in April.
3.4 Conclusions and challenges for Freedom
Freedom of Information necessarily involves
controversial issues. There will be many competing public interests.
It is a law which challenges unnecessary official secrecy and
embraces social and democratic values. It calls for culture change.
Cultures do not change overnight, but laws can accelerate culture
change. We repeatedly stress to public bodies the benefits of
being more open and the disadvantages of secrecy. Public bodies
often claim to be open: this is tested once the law comes into
force. When governments hide behind unnecessary secrecy the media,
and the general public, assume: "They must have something
to hide". That can be very unhealthy.
It is not easy (and anyway too soon) to measure
achievements by reference to rationales of trust, confidence,
accountability, improved decision-making, reduced impropriety
etc. But it can be said that the impact on the general public
appears to have been substantial. In ICO's annual research survey
over the last four years we have asked the same question about
the benefits of being able to access information held by public
authorities. The longitudinal results show very marked increases
from 2004 to 2008, clearly attributable to the impact of Freedom
of Information law, with a very significant shift in public attitudes
over a very short period of time. For example, the percentage
of those agreeing that freedom of information "Increases
knowledge of what public authorities do" has risen from 54%
in 2004 to 84% in 2008, and those agreeing that it "Increases
confidence in public authorities" has gone from 51% to 75%.
These figures are matched by attitudes within public authorities
themselves91% now say the Act is needed and 81% say it
My overall conclusion is positive. But there
are challenges ahead. The most important is to secure adequate
and longer-term funding so that the ICO can recruit, train and
retain experienced staff and reduce delays in resolving cases.
At the same time, more (and faster) cases confirming where the
boundary lines are to be drawn should reduce the burden on public
authorities and allay any remaining worries about the "chilling
effect" of FOI on good government. Looking further ahead,
I foresee a gradual shift of emphasis away from individualised
requests and complaints in the direction of much more routine
proactive disclosure with only the genuine "Crown Jewels"
In October 2007 the Prime Minister devoted a
significant part of his speech on Liberty to the benefits of Freedom
of Information. This sent important signals, not least the abandonment
of changes to the Fees Regulations which the Justice Committee
and others had opposed. He observed that:
"Although FOI can be inconvenient, at times
frustrating and indeed embarrassing for governments, freedom of
information is the right course, because government belongs to
the people, not the politicians. Wherever possible, that should
be the guiding principle behind the implementation of our Freedom
of Information Act".
Open government and the right to know have been
established. It is increasingly being recognised within public
bodies that open government is good government.
4. DATA PROTECTION
4.1 Attitudes and profile
In 2002 Data Protection was suffering a poor
reputation. The original Act had been passed in 1984. The Data
Protection Act of 1998implementing the 1995 EU Directivehad
largely come into force. It did not introduce fundamental changes,
but added a further layer of complexity in a climate of considerable
Euro-scepticism. The original Act had been introduced by a Conservative
administration and the 1998 Act by the new Labour government.
But both measures suffered begrudging governmental support and
had been justified as much in terms of free trade flows and international
obligations, as in protecting the interests of citizens or consumers
or of society at large.
Although much had been done to tick the boxes
to ensure technical compliance, data protection was generally
given low commercial priority. Worse, there was considerable media
scepticism or even hostility as well as public ignorance, indifference
or irritation. Data protection was widely seen as remote, unnecessarily
complicated and uncertain. The law, the more detailed rules and
the available guidance were seen as overly legalisticalmost
theological. Data protection was marginalisedas was the
Information Commissioner's Office (ICO) which was not helped by
having to promote its third brand name in less than 20 years.
Worse still, Data Protection was wrongly blamed
for stopping people doing things and used to justify mistakes
or unacceptable activities. The prime example came shortly after
I took office when the Chief Constable of Humberside very publicly
blamed data protection for the failure to apprehend Ian Huntley,
the Soham murderer, any sooner. There was less media attention
when he subsequently retracted that claim and data protection
was exonerated in the official enquiry conducted by Sir Michael
By 2009 the situation has become very different.
Data protection has risen sharply up the political, media and
public agendas. For the last couple of years, it has been setting
the news agenda on a regular basis. Concerns about abuse or loss
of personal data, excessive surveillance, privacy intrusions and
identity theft now feature regularly in political debate. The
ICO's annual tracking survey also shows that:
Public awareness of data protection
access rights has grown from 74% in 2004 to 86% in 2008.
People are very concerned about their
personal information. Our survey says that 94% of people list
"Protecting personal information" as their top concern
(equal with concerns about crime) when ranking a list of 10 issues
of social concern.
95% of organisations say that the
Data Protection Act "is needed" (up from 89% in 2006)
and 87% say it improves customers' trust (up from 78% in 2004).
The reasons for this changed situation go wider
and deeper than the 277 data security breaches which (as we announced
at the end of October) had been reported to us since the HMRC
incident. There have in fact been many drivers for change. I have
already mentioned some examples of the technological revolution
which really gathered pace at the start of the 21st century. The
power and benefits of database technology, coupled with instantaneous
and comprehensive global communications, have been widely appreciated
by businesses, by government and by individuals. Dramatic reductions
in the cost of collecting, processing and storing data have fuelled
the growth in their use. It is often said that it is now cheaper
to store data than delete it. Public service reforms"Transforming
Public Services" and many other programmeshave harnessed
the power of technology, but not always in well thought-through
ways. Politicians have been quick to recognise and advocate the
benefits of hi-tech projectsranging from ID cards to electronic
health recordswithout always fully addressing the risks
and downsides. The law enforcement communitywhich understandably
always welcomes more information and more intelligencehas
embraced IT proposals with enthusiasm. Parliament has not always
scrutinised new initiatives requiring legislative approval as
fully as it might have done. In short, it is only relatively recently
that the risks of massive data collection and use have started
to be widely appreciated.
There is now much greater recognition that there
are inevitable tensions between legitimate "liberty"
and "security" objectives, just as there are between
improved and more efficient services and the privacy and integrity
of personal information. Inevitably data protection involves difficult
balances between competing considerations, usually resolved in
terms of necessity, proportionality, transparency and data minimisation.
4.2 Role of the ICO
The ICO can claim some credit for getting data
protection to be taken more seriously. We have made many changes
to the ways in which we discharge our statutory responsibilities.
Our Corporate Plans and Annual Reports have documented structural
and other changes which have allowed us to separate out our responsibilities
and set priorities and targets. This has meant increased focus
on educational, influencing and enforcement activity in preference
to reviewing complaints from individuals where our powers are
weak and our impact limited.
Our overall approach is captured in our Data
Protection Strategy. In line with Better Regulation principles,
the Strategy is risk-based. It sets out how we approach our task
of minimising data protection risk. It makes clear that we will
place most attention on situations where there is a real likelihood
of serious harm arising from improper use of personal information
and also where our intervention is most likely to make a difference.
The Strategy emphasises the need to build on
enlightened self-interest and states one of our key priorities
"Strengthening public confidence in data
protection by taking a practical, down to earth approachsimplifying
and making it easier for the majority of organisations who seek
to handle personal information well, and tougher for the minority
who do not."
This explicit "carrots and sticks"
approach to minimising risk means being clear about harm. For
individuals tangible and reputational harm can arise because personal
information about them is:
inaccurate, insufficient or out of
excessive or irrelevant;
disclosed to those who ought not
to have it;
used in unacceptable or unexpected
ways beyond their control; or
But there are also societal harms, such as:
excessive intrusion into private
life which is widely seen as unacceptable;
loss of personal autonomy or dignity;
arbitrary decision-making about individuals,
or their stigmatisation;
the growth of excessive organisational
a climate of fear, suspicion or lack
The full Strategy sets out how we determine
priorities within this framework, how we decide whether and how
to intervene, how we work with other organisations and how we
fulfil our international functions in an age where information
flows show no respect for international borders. It concludes
with current priorities under six main headings:
The unlawful trade in confidential
The emergence of a surveillance society.
Security of personal information.
Increased information sharing.
Law enforcement activity.
Effective data protection supervision.
A summary of highlighted ICO activity in fulfilment
of this Strategy illustrates the range of our work:
||Transformed our approach with a comprehensive suite of Good Practice Notes and other Plain English guidance.
|Codes of Practice on Employment Practices, CCTV and Information Sharing
||Comprehensive, targeted Codes setting out clear "Do's and Don'ts".
|ICO enforcement activity||Formal regulation though better- targeted and often high-profiles Prosecutions, Enforcement Notices and Undertakings.
|Inspection and audit||An expanded audit unit about to conclude the first government spot check. More audits this year than ever before.
|Penalties for Section 55 offences (unlawfully obtaining personal information)
||Published What Price Privacy? which led to statutory custodial penalties in 2008 Act.
|Data retention by police forces||Enforcement action to prevent excessive retention of minor convictions upheld by Tribunal. Now going to Court of Appeal.
|Surveillance Society||Launched report, conference and debate about excessive surveillance which (amongst other things) has led to two simultaneous Select Committee enquiries.
|Privacy Impact Assessment and Privacy by Design.
||Two major initiatives to reduce surveillance risks and build in safeguards for personal information from the outset.
|ID cards and National Identity Register
||Questioned rationale; warned of function creep; secured statutory objectives; now engaging with IPS to minimise DP risks.
|Connecting for Health (electronic health records)
||Extensive discussions on general and specific issues.
|ContactPoint (children's database)||Questioned need for comprehensive database; now discussing with DCSF how to minimise security and other risks.
|Social networking||Launched micro web-site and issued well-publicised guidance
|Communications Database||Raised initial concerns about implications of database of telecoms traffic data. There will now be full consultation and debate before any legislation reaches Parliament.
|EU Article 29 Working Party||Substantial involvement eg with Opinions on personal data and search engines
|International transfers and Binding Corporate Rules
||Leading role in making it easier to export data in compliant ways.
|London Initiative||Led international programme to improve effectiveness of Commissioners
Our data protection achievements also go well beyond educating,
influencing and regulating. The ICO now handles over 200,000 phone
calls and 25,000 complaints each year with clear service standards.
We resolve almost all of these informally, often in ways which
change business practices. The processing of 315,000 notifications
from data controllers, provides both transparency and the funding
for our data protection work.
At the personal level, I was honoured to receive the "International
Privacy Leader of the Year" Award from the International
Association of Privacy Professionals in Washington in March 2008.
More recently, I was voted 3rd (out of 50) in Silicon.com's Poll
of "IT Agenda Setters". I was pleased to be invited
by the Prime Minister and the Justice Secretary to co-chair the
Data Sharing Review with Sir Mark Walport and our Report
was published in July.
4.3 New Legislation
The Data Sharing Review led directly to the proposals which
are expected very shortly in the Justice and Coroners Bill. I
understand that the Justice Committee will be scrutinising the
Bill more closely on a separate occasion. Very briefly, however,
the new powers will increase the ICO's inspection and information-gathering
powers, especially in relation to public sector bodies. These
will sit alongside the new regime of civil penalties for serious
breaches of data protection requirements which are yet to be brought
to into force. We are also delighted that the government has now
announced the intention to increase our data protection resources
substantially by adopting a tiered approach to notification fees,
so that larger data controllers will pay more than the standard
£35 each year.
Mention should finally be made of the Review of the EU Directive
which ICO launched in July. RAND Europe has been commissioned
to report on the strengths and weaknesses of the Directive and
to identify promising avenues for reform. Their report is due
in April. I hope that this will pave the way for a more effective,
but less burdensome, framework for data protection in the future.
4.4 Conclusions and challenges for data protection
Data protection is no longer a topic for experts. It affects
every one of us as individuals and virtually every organisation.
Getting the right balance for privacy, and safeguarding the integrity
of personal information, bring to life the language of human rights.
Regulation must always be a mix of principle, common-sense and
pragmatism. But the issues will get even more demanding as information
technology becomes ever more ubiquitous and central to our lives.
I am confident that data protection is now taken a great
deal more seriously. But plenty of challenges remain. These include:
Governance and AccountabilityNo organisation can afford
to leave data protection as the responsibility of a single silowhether
its legal department, its IT team or its compliance department.
There must be leadership at Board, Chief Executive and Permanent
Secretary level to ensure that the right policies and procedures,
the right technology and the right awareness and training arrangements
are in place across the entire organisation. The ICO will be launching
the Personal Information Promise on European Data Protection Day
on 28 January. But much remains to be done to ensureas
we put it in the Thomas/Walport Data Sharing Reviewthat
people at the top take the subject as seriously as is now the
case for health and safety.
Information as a Toxic LiabilityIt has become fashionable
to talk of information as an asset. But it is also a liability.
There has been much recent attention on the importance of ensuring
the physical security of personal information. Few can now be
unaware of the financial, reputational and social risks of getting
it wrong. But good practice extends well beyond adequate security.
The same sort of problems can occur if other aspects are neglected.
Data minimisation and data cleansing are vital to make sure that
information is accurate, relevant, not excessive and not retained
for too long. False matches must be avoided. People should not
be stigmatised, or discriminated against, as a result of poor
data handing. Data protection must be seen as an integral part
of risk management arrangements.
New Powers, Sanctions and Resources for the ICOI am
delighted that my successor can look forward to imminent strengthening
of the ICO's role. The evidence to the Data Sharing Review expressed
the consistent and strongly held view that ICO's powers and resources
are not adequate. The power to impose civil penalties for serious
breaches has been introduced by the Criminal Justice and Immigration
Act 2008, though not yet brought into force. This will provide
powerful incentives and deterrents. The imminent new legislation
to strengthen inspection powers is equally welcome, though close
scrutiny of the small print will be needed and we would have preferred
the powers to cover all data controllers, not just those in the
public sector. The proposed increase in notification feeswhich
we hope will take effect no later than October 2009will
generate much needed extra funding for ICO's new and existing
data protection work.
ICO has sound plans for getting to grips with its new responsibilities,
but their adjustment in the light of final proposals, and their
implementation, will need high priority. The expansion of the
officenew staff, additional accommodation and increased
expectationsis welcome, but will require careful handling.
Thinning the fogAlthough ICO has done much to give
guidance to organisations and individuals, a major educational
agenda remains. In the Thomas/Walport Report, we described a continuing
"fog of uncertainty" about data protection. Electronic
communications provide new opportunities to get messages acrossbut
they must be the right messages, targeted on the right people
at the right time.
Earlier involvementThe ICO has often learned about
governmental initiatives involving personal information very late
in the day. We can then be called upon to respond authoritatively,
but at short notice. There has been some improvement recently,
and our initiatives with Privacy Impact Assessments and the Privacy
by Design to get departments to identify and address the issues
at the outset are already bearing fruit. More needs to be done,
however, at earlier stages. And we endorse the words of the European
Court of Human Rights in the recent Marper DNA case:
"|..any State claiming a pioneer role in the development
of new technologies bears special responsibility for striking
the right balance [as to what are the permissible limits in interference
with private life]."
The Global AgendaWays need to be found to secure a
global approach to the regulation of personal information. Valuable
work has been done by a mix of international and domestic organisations
in public and private spheres. But substantial gulfs remainparticularly
with the USA. The work which ICO has commissioned from RAND Europe
will bring new thinking to the EU debate. The UK government needs
to participate actively and constructively in these debates and
assume a leadership role in ensuring that the European Commission
brings forward acceptable proposals as soon as possible after
The ICO has come a long way in the last six years. We can
claim good progress with our aim to be recognised as a world leader
on both freedom of information and data protection. I have been
immensely privileged to serve as Commissioner and to lead a great
team. The ICO cannot stand still. The world is continually changing.
I am confident that the ICO is well-placed to rise to the challenges
it will continue to face. It will welcome fresh leadership and
fresh thinking. But it will be business as usual for the next