UNCORRECTED TRANSCRIPT OF ORAL EVIDENCE
To be published as HC 467-i
HOUSE OF COMMONS
MINUTES OF EVIDENCE
TAKEN BEFORE
HOME AFFAIRS COMMITTEE
THE WORK OF THE INFORMATION COMMISSIONER'S OFFICE
Tuesday 23 March 2010
MR CHRISTOPHER GRAHAM and MR JONATHAN BAMFORD
Evidence heard in Public
Questions 1 - 41
USE OF THE TRANSCRIPT
1. This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.
2. Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.
3. Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.
4. Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.
5. Transcribed by the Official Shorthand Writers to the Houses of Parliament: W B Gurney & Sons LLP, Hope House, 45 Great Peter Street, London, SW1P 3LT. Telephone Number: 020 7233 1935
Oral Evidence
Taken before the Home Affairs Committee
on Tuesday 9 March 2010
Members present
David T C Davies
Mrs Janet Dean
Bob Russell
Martin Salter
Mr David Winnick
In the absence of the Chair Mr Winnick was called to the Chair
________________
Witnesses: Mr Christopher Graham, Information Commissioner, and Mr Jonathan Bamford, Head of Strategic Liaison, Information Commissioner's Office, gave evidence.
Q1 Mr
Winnick: Mr Graham, Mr Bamford, good morning. Thank you for coming along to give evidence
to us. The Chair of the Committee is
otherwise engaged and sends his apologies accordingly. Mr Graham, could you introduce your
colleague? We know what you do. What is Mr Bamford's position?
Mr Graham: Jonathan Bamford is an
Assistant Commissioner. He is working on
the policy and strategy side of the business and is very expert in data
protection matters that concern the Committee.
Q2 Mr
Winnick: In essence your deputy?
Mr Graham: He is one of my assistants
but he is not a deputy commissioner.
Q3 Mr
Winnick: Are there any points you want to make to us
before the Committee ask you questions?
Mr Graham: Very briefly, Chairman, just
to say that we very much welcome the opportunity of giving evidence to this
Committee as a follow-up to your report and to keep you in touch with the work
we are doing at the Information Commissioner's Office to make sure that the
issues you highlighted are followed through.
Q4 Mr
Winnick: Thank you very much indeed. In January of this year The Times noted that your office has limited resources, no powers
to speed up the freedom of information process and that the Office is limited
by not having the final say in freedom of information appeals. Do you recognise these constraints? Do you think they are unfair, or do you think
the comments were unfair?
Mr Graham: I do not believe all I read
in the newspapers. I would comment that
all public authorities have limited resources.
We are unusual in that there is some buoyancy in our resources, at least
on the data protection side, because of the introduction of a tiered
notification fee. The largest concerns
now pay £500 instead of £35 and that is giving us more money to spend on the
data protection side of the business. On
the freedom of information side of the business we have had a spectacularly
productive year. We are closing
outstanding cases, getting through the backlog, and this is despite the fact
that there is a great public appetite for using the Freedom of Information Act
- good. It does mean that applications
to the ICO are up by more than 20%, but case closures are up by more than
40%. This is not an organisation that is
suffering from restraint. On powers,
next month we see greatly strengthened powers on the data protection side - the
introduction of civil monetary penalties, the ability to audit government
departments without consent. There is an
awful lot going on at the ICO. It is
true we do not have the last word.
Q5 Mr
Winnick: You do not have the final word?
Mr Graham: We do not have the last
word. Parliament drafted the Freedom of
Information Act to give the Information Tribunal a role and there is also the
ministerial veto, which has now been exercised on two occasions under the
Freedom of Information Act. Again, it is
part of the legislation. There is a
debate to be had about whether, when it is used, it is used in the exceptional
circumstances for which it was designed.
Q6 Mr
Winnick: Do you feel there is a case for any change in
the legislation where you would have more of a say towards the end of the
process?
Mr Graham: It depends which Act of
Parliament we are talking about. Most of
the surveillance issues which are of interest to this Committee are matters for
the Data Protection Act. With regard to
the Freedom of Information Act, which is the other aspect of the work of the
ICO, we had an interesting discussion with the Justice Committee about this a
few months back. I think legislation is
always kept under review. There is one
particular outstanding matter under the Data Protection Act which I would like
to draw the Committee's attention to because I think it is very relevant when
we are talking about data security, and that is a piece of unfinished business
that I hope the new Parliament will tackle.
Section 55 of the Data Protection Act deals with serious reckless
breaches. There is, under what I think
was the Criminal Justice and Immigration Act, a suspended power for a custodial
sentence for serious breaches of the Act by individuals. We have got the civil monetary penalties
where we are dealing with organisations coming in on 6 April. I wish that we had also had the custodial
penalty, which is there in suspension in the Act, going live at the same time
because the human factor is the weakest link in all this. You can have all the most wonderful systems
in the world but if someone decides to go rogue, data is under threat, and I
think that £5,000 maximum if prosecuted in a magistrates court just does not
deter anybody. People need to believe
that they might go to prison.
Q7 Mr
Winnick: Mr Bamford, obviously, your boss is answering
most of the questions. If you want to
come in at any stage, please do so.
There is a discrepancy between the time needed to process freedom of
information complaints and the length of time needed for data protection
complaints, since you have mentioned data protection. Is there any reason for that?
Mr Graham: Do you mean the time that it
is taking us or the time under the Act that -----
Q8 Mr
Winnick: Taking your Office.
Mr Graham: I am going to ask Jonathan to
comment on the data protection side in a minute, but the great challenge when I
took on the role of Information Commissioner at the end of June last year was
to tackle the backlog in freedom of information cases, and this we are doing. This is a week of tremendous activity because
we are determined to clear some of the old cases before the end of our
performance year and I am confident that in our annual report we will be able
to tell a very good story of the speeding up.
Freedom of information cases, if they come to us, which is on appeal,
are almost certainly going to be difficult and intractable, but what we have
succeeded in doing over the past few months is to send a message to public
authorities that we are on their case, and so there is no question of just
refusing information because you think it will take the ICO a long time to get
round to it. If we were in a vicious
circle, we are now in a positive cycle where the public authorities realise
that the ICO is very alert and they had better get on with it and that is
having a very beneficial effect. Our
role on the data protection side is rather different. Very often we are giving an opinion rather
than ordering any particular outcome and I think we are taking longer than we
would like on some of the formal cases, but I do not know whether Jonathan has
a view about that.
Mr Bamford: I think you are right. As the Commissioner has said, it is a
slightly different approach in terms of the determination the Commissioner has
to make. With freedom of information it
is issuing formal decision notices. With
the Data Protection Act it is handling a request for assessments and whether
the process is likely or unlikely to contravene data protection
principles. It is often the case, when
you start to deal with those, that the parties come to something which is a
proper solution without the need for formal action at the end of the process,
and so it is possible to use that regime in a slightly lighter touch way to
ensure that there is greater expediency in the handling of the cases, and that
is something where we have developed some expertise over the years to try and
make sure we speed up that process. It
is not perfect but lots of progress made there.
Q9 Mr
Winnick: Mr Graham, Parliament makes its own rules and
the electorate will decide, as always, accordingly, but if Parliament had gone
ahead and exempted itself from the freedom of information legislation, which at
one stage was a possibility - there was a Private Members' Bill - what do you
think the effect would have been generally in the media and on the public?
Mr Graham: That is a very hypothetical
question.
Q10 Mr
Winnick: It is bound to be, is it not?
Mr Graham: The controversy was before my
time. If we are going to re-run history,
I suppose the great might-have-been is what would have happened if Parliament
had been inclined to go with my predecessor's steer and had published the
expenses under more general headings.
This, of course, was before we knew about flipping of second homes, so
the regime might not have lasted very long, but it was Parliament's
determination to challenge the ruling of the Information Commissioner and to
challenge the ruling of the Information Tribunal and take it to the highest
court in the land, and the highest court in the land, as you know, turned round
and said, "Publish the lot", which was more than the Information Commissioner
had requested. If you say, therefore,
"How would it have gone?", I think you would have drawn the wrath of the public
upon yourself if you had exempted yourselves.
I think it would have been better if, in not exempting yourselves, you
had realised that this was real and the law that applied to everybody else also
applied to Parliament, but it is easy to be wise after the event.
Q11 Martin
Salter: I would like to explore a slightly off-piste
tangent to this. As someone who is
standing down I have spent an inordinate amount of time shredding something
like 22,000 case files. I am happy to
comply with the Data Protection Act. It
seems to me slightly strange that, under instructions from the House of Commons
authorities to comply with the Data Protection Act, I have to write to a huge
proportion of people whose cases I have dealt with and ask them whether I can
have their permission to hand on their file to my successor, return it to them
or shred it. I have no problem doing it
and I have done that, but it occurs to me that a file of my constituent which is
held in the office of social services or the police or any other public agency,
if the director changes, is immediately passed on to the person that assumes
that responsibility. Is there any logic
in not applying that criterion to Members of Parliament? Surely a Member of Parliament is a Member of
Parliament; it is a post that carries on.
It is almost irrelevant who holds it.
I would just be interested in your view, since I am in the middle of
this.
Mr Bamford: Yes, I can understand that
confusion. It is to do with the
essential entity that is there at the point in time. Even though a chief officer of police might
change, if it is Greater Manchester Police or the Metropolitan Police Service,
it carries on. It does not matter who
the chief officer is at any point. With
a Member of Parliament it might be a different Member of Parliament for that
constituency. If the public are quite
happy for their information to be passed on to the successor, there is not any
particular problem. The difficulty is
that, as some members of the public would expect, it is a personal relationship
with that particular Member of Parliament, maybe based on the fact that they
come from a political party that they support, something like that, which
influences the decision, so I think it is that which really informs their
judgment.
Q12 Martin
Salter: Thank you very much. Just for your information, Mr Bamford, I
think 99% of the people who have responded to the form that I was obliged to
send out are very happy for it to pass on to the next person. I suppose the question I am asking you is,
where is it in the legislation that says an MP's office is different from the
director of social services or a chief constable or whatever?
Mr Bamford: There is nothing in the
legislation. It is merely the fact that
it is a different sort of entity.
Q13 Mr
Winnick: The basic point is the confidentiality, is it
not, between the constituent and the Member of Parliament?
Mr Graham: Yes.
Q14 Mr
Winnick: I would imagine in most cases, where there is
a successor MP, even from another party, and bearing in mind what constituents
tend to write about - mundane --- well, not mundane to them but, as you
understand, matters which are not controversial, requests for help in so many ways, as Mr Salter's office
would have been dealing with, like the rest of us - they would have no
objections, but the principle is important, is it not?
Mr Graham: I think it is important that
they are asked. In fact, I do not think
there is any suggestion that Reading
is about to fall to the BNP, but let us just take that as a hypothetical
situation. You might think twice about
pursuing a particular case which you had raised with the previous Member of
Parliament if you did not have any confidence in the MP's successor. You might not want, one is told, what are
very often very sensitive cases being considered by somebody else.
Q15 Mrs
Dean: According to the annual report, 25% of people
are unaware of their freedom of information rights to request information from
public bodies, and I understand that that has not changed since 2005. I believe earlier you said that cases were
up. Therefore, are we not in danger of
having a group of people who are not aware of their rights and what are you
doing to try and increase awareness amongst that 25%?
Mr Graham: We are doing a lot to
increase awareness generally and the latest figures we have in our 2009 annual
track of awareness, and it is an annual track, is that the figure of people who
are aware of freedom of information rights to see information held by public
authorities is up from 73% in 2005 to 85% now.
This is high for an Act which has been five years in the doing. That is prompted awareness, but even so it is
pretty satisfactory. On data protection,
91% are aware of the data protection right to see information held about them
and that is up from 74% in 2004. I think
awareness-raising activities are very important. We try to have a reasonable profile in the
media. We work hard on our publications
and we have also got some very innovative ideas for keeping in touch with some
of the younger and more carefree sections of the community who do not always
think very deeply about privacy or information security. We have had a student ambassador campaign on
campus. We have developed a range of
characters designed to appeal to really quite young children who are very
active on Facebook, as we know, so I think the education side of the ICO's
office is very important at all levels.
We are not satisfied with those figures; we have got to drive them up,
but I think we have got the policies in place to do that.
Q16 Mr
Winnick: Do you welcome Facebook and MySpace?
Mr Graham: I recognise them; they are
there. It is a phenomenon of our time and they can be a
force for good and they can be a cause for bad.
It is how they are used. I think
our role in the ICO is to make individuals aware of the need to be careful and
protect their identity, whether it is shredding old bank statements rather than
just putting out for the bin or whether it is about setting appropriate privacy
settings and not letting it all hang out on Facebook or MySpace. We have also got a very important role in
talking to the big online companies. I
am doing an event with Peter Fleischer of Google tonight and it is very
important that we stress to the online operators the need to think
privacy. This is not just about
individuals looking after themselves; it is also about companies helping them
to look after themselves. I think there
is an important point to be made to commercial organisations generally,
particularly in the advertising area, that as citizens, as we all become more
aware of how online works, we will expect companies and brands to be on our
side. We will expect them to make it easier
to set privacy settings, to make it easier to opt out of material that we do
not want and to allow us to opt in to new services. The companies that get that and offer that
will have a competitive advantage. The
companies that look after your data, the companies that do not lose your
identity, will be the quality brands in the 21st century that
consumers and citizens have trust in, and the ones who do not care, appear
tricky, will lose out, so the communication is both to individuals and to
organisations.
Q17 Mr
Winnick: One must say that, however desirable Facebook
and MySpace are, it seems quite at variance with the desire for information not
to be given out. It is almost as if the
public are saying, in effect, that first and foremost they are more interested
in that aspect of MySpace and Facebook than protecting their personal details.
Mr Graham: You can do both. You can tell the world about your holiday and
what you think of your colleagues at work and your new girlfriend, but that
does not mean that you do not care about your bank details going missing, your
child benefit records going missing, your medical records landing up in a
skip. I think there is a lot of nonsense
talked by some of the big corporations in this field about how privacy does not
matter any more; privacy is "so last year".
This is just nonsense. Online is
an enabling universe in which you decide how much you wish to reveal. If you want to tell everyone everything,
fine, but you have to have the help and the controls to hold back.
Q18 Mr
Winnick: That is the essence - it is the individual who
decides?
Mr Bamford: I think we have seen as well
the operators there who, shall we say, are moving into the second generation
now of providing privacy controls. At
first perhaps there was an element of naivety in terms of what people wanted
but now consumers are demanding, such as with Facebook, much more precise
privacy controls and the ability to delete information which may have been
there in the past and to look after their own privacy. Research that we have done into privacy
issues to do with the surveillance society and the amount of information that
is collected about individuals shows that people still say they really care
about that and are worried in some ways that it can be misused, but they expect
there to be safeguards there to protect them if things go wrong. It is a bit like having the airbags and the
side impact protection beams in your car.
You might not always drive it in the best possible way but if things go
wrong you should be protected. I think
the public show that they think there should be safeguards in place to make
sure that people cannot exploit their information in a way which would be
unwarranted.
Q19 David
Davies: Since you mentioned that report, Mr Bamford,
one of the recommendations was that the Government move to curb the drive to
collect personal information and establish larger databases. Have you seen any evidence that the
Government is adopting a principle of data minimisation in their policies?
Mr Bamford: Subsequent to the data losses
that occurred and the various reviews, I think it is noticeable that there is a
change in the approach to the establishment of new databases, and indeed the
management of the existing databases, and I think the message is getting home
that the answer to all life's ills is not just to create another database. There needs to be a much more considered
approach to decide what we really need, who do we need to share the information
with and what safeguards should be in place.
We have detected a change there.
I still think there is a way to go in that area, but we are pleased with
the uptake of tools like privacy impact assessments which I know the Committee
recommended in its previous report on its inquiry. We developed a handbook and we are into our
second generation of that handbook.
Those are ways of factoring in privacy issues at the outset before we
start to develop the database and decide what the issues are and what the
safeguards should be, so I think we have seen a lot of progress.
Q20 Mr
Winnick: I do not think you heard that. That was an aside. If you want to place it on record perhaps you
would just repeat that somewhat more loudly.
Mr Bamford: I would like to make a point
on that if I could. I think it is an
interesting example, the National Identity Service, as it is now called,
because if you go back to the original ID cards legislation, the ID Cards Act,
it does give quite far-reaching powers, but in terms of what has come forward
it is somewhat less than that. It is
always about making sure that when powers are granted to established databases
they are the right powers for the job and do not go further than necessary, and
I think Parliament has an important controlling role to play in that.
Q21 Mr
Winnick: ID cards remain the subject of a good deal of
controversy.
Mr Graham: Fortunately, Chair, there is
another Commissioner for that. Sir
Joseph Pilling, the Identity Commissioner, looks after those issues, and while
we liaise with him it is not a matter for this office.
Q22 David
Davies: Moving on to another point, Mr Graham, we were
concerned in the past that perhaps you lacked the technical knowledge to deal
and liaise appropriately with the Government's Chief Information Officer. Do you feel that has changed now? Do you feel you have a good relationship with
the CIO?
Mr Graham: Me personally or the ICO?
Q23 David
Davies: The ICO.
Mr Graham: We took on board the point
that was made and we are undergoing a considerable reorganisation at the ICO at
the moment which will have many beneficial effects, and one of the things we
want to do is strengthen our technical expertise. At the moment our technical expertise is
largely in the forensic area and that has served us in very good stead in
dealing with things like Operation Motorman and the various illegal databases
that were operating in, for example, the construction industry; getting the
information together to take a successful case before the magistrates involves
considerable technical expertise. We
want it to be better and forward looking so that we can spot the next big thing
before it becomes a huge policy issue for us, so we can be ahead of the
game. In that respect we are hoping we
will be able to staff up the Policy and Strategy Division, of which Jonathan is
a part, with more technical expertise than has traditionally been the ICO
way. Because we have this increased income
coming from the tiered fee that is one of the projects we want to take forward
in the course of the year.
Q24 Mr
Winnick: When your predecessor came before us some
years ago, giving evidence on identity cards, he made reference to 1984 and the
fears that many people had that this would bring about a situation where 1984
would be an appropriate description of society.
As a result of the changes which have occurred over the identity cards,
would you say, Mr Graham, that 1984 is nowhere on the agenda?
Mr Graham: Looking at things more
generally, people talk about the surveillance society; I think that was the
subject of your report. It has become a
bit of a term of abuse. If you like
something then it is the information society.
If you dislike exactly the same application it is the surveillance
society, so I think one needs to keep a balanced view. There are good things and there are bad
things, in the same way as we have said there are good things about Facebook
and MySpace and there are bad things about Facebook and MySpace, and we need to
find the balance. My predecessor,
Richard Thomas, did a great public service by sounding the alarm and by talking
in rather colourful language about sleepwalking into the surveillance
society. He woke everybody up, so if
there was sleepwalking I think the sleepwalking has stopped. The work of this Committee, the work of the
House of Lords Constitutional Affairs Committee and a lot of debate about these
issues, mean that the authorities have to be much more careful when they are
bringing ideas forward, but I do not think we are going to see the issues of
data sharing and databases going away because the pressure in the public
service is to find ways of delivering joined-up services in the most effective
and efficient way possible, and I think we are going to get increasing push for
projects where more and more services are delivered online. If we can make that work that can be a good
thing because you can deliver public services at a much lower overhead
cost. That is the challenge for the ICO,
to be able to input into these debates to make sure that proper consideration
is being given to making sure that what is proposed is proportionate,
privacy-friendly, has been thought through and complies with the Data
Protection Act.
Q25 Mr
Winnick: And what the Government has done, as a result
no doubt of reflection and public pressure, which you have been mentioning, and
the comments of Mr Thomas, do you feel that is a satisfactory compromise over
identity cards and the data legislation?
Mr Graham: I do not comment on identity
cards. It is not the role of the Information Commissioner to give a running
commentary on decisions that Parliament has made. We are simply here to make sure that at the
policy stage the issues are properly thought through and that the Data
Protection Act and the Privacy and Electronic Communications Regulations are
applied appropriately. I have a duty to
Parliament to sound the alarm, again, if I think that Parliament is charging
ahead with projects that breach the Data Protection Act. We must not get ahead of ourselves. The Data Protection Act implementing the
Privacy Directive has some very good principles that must be adhered to, and
they must be adhered to by Parliament as well, to make sure that we can get the
best out of online services and avoid the nightmares.
Q26 Bob
Russell: Mr Graham, despite the existence of the
Information Commissioner's Office, high-profile incidents of data "being left
on trains" as an example still occur, so is there any proof that the ICO is
actually improving data handling and preventing such incidents, or are you
really just there to ensure that public bodies comply with bureaucratic
guidelines and targets?
Mr Graham: The recent data handling review
update was really quite encouraging. I
think that public service is seized of the need for security, and in the
private sector I know that the introduction of the civil monetary penalty has
had an electrifying effect -----
Q27 Bob
Russell: Can you remind us what the penalty is?
Mr Graham: The civil monetary penalty
potentially is up to half a million pounds which would really make you sit up
and take notice. I have had emails from
colleagues in organisations where I have worked previously saying, "Thank you
so much for what we are now being put through with data protection training,
all because your Office might fine us half a million pounds", and my reaction,
I am afraid, has been, "Good". This has
really made everyone sit up and take notice.
Q28 Bob
Russell: Is that the organisation or the individual who
faces that penalty, because what I would like to ask is whether stiffer penalties are
needed to prevent data loss? For
example, should culpability in such cases become a criminal offence for the
individual as opposed to the organisation?
Mr Graham: As in corporate
manslaughter? So far as the civil
monetary penalty on organisations is concerned, I hope we do not have to impose
a lot of these. I am a great believer in
the big stick in the cupboard. Everyone
knows it is there and we might get it out, and probably in the early years we
will have to get it out in order to make the point. I think the perfect combination would be the
civil monetary penalty for the organisation and the ability to impose a
custodial sentence on individuals who are responsible for serious breaches
under section 55 of the Data Protection Act, because, as I said earlier, the
prospect of a £5,000 fine in the magistrates court is just not a deterrent if
rogue employees have got a little operation going. There was publicity at the end of last year
about a mobile phone company where individuals, it is alleged, were selling
customer information to the other side, and it is alleged that those
individuals were earning something like £70,000 above their basic salary
because of this little operation they had got going. A £5,000 fine in the magistrates court - and
this is yet to come to court so I had better not say much more - is not much of
a disincentive if you are standing to make £70,000. What we have got to get across to individuals
in organisations, and in the end the human factor is very important, is that
this is not a victimless crime, but somehow it feels it does not matter
awfully. Nobody can take it really
seriously. We had a private investigator
ring us up, having been done by the ICO in the magistrates court, and he said,
"This fine - is that going to appear on the Police National Computer?" We said, "No, it is not an arrestable
offence; it will not appear on the PNC".
He said, "That is good because we are taking the family off to Disneyland and I thought we might get turned back at the
airport, but it is good to know that we will be all right". You need a really effective penalty to deal
with the individuals who may frustrate all the hard work that is put in by
companies and organisations with systems and training and whatever it is.
Q29 Bob
Russell: Mr Graham, you make a very powerful case
against the rogue individual, but, putting that to one side, does what you have
just said not prove that ultimately the ICO's good intentions will founder
against individual mistakes and data will continue to be lost or misused?
Mr Graham: I cannot say that I can wave a
magic wand and make sure that things will never go wrong, but what I can say is
that a combination of education and enforcement can put us in a much better
place. The ICO is positioning itself to
be the very effective regulator that we all need in the online world.
Q30 Bob
Russell: Is advice given to organisations that it is
inappropriate for members of their staff to take home with them, or, in a case
in my constituency took on holiday with them, the laptop containing all the
data on everybody registered at the primary trust or the local hospital; I
cannot remember which one it was now? Is
that advice given: "Do not take laptops home with you"?
Mr Bamford: It often is with
organisations, yes. One area where we
have made significant inroads, which really touches this, is that it is not
just the fact of taking a laptop home and then losing it; it is what have you
done to protect that laptop if it does fall into the wrong hands. We have been very active in essentially
issuing enforcement action against organisations that have not encrypted
laptops or other memory devices, so if the worst happens and somebody does lose
a memory stick in the car park getting into the car or leave a laptop on a
train the data becomes very hard to ever access if it is properly encrypted, so
there are technical safeguards. The Data
Protection Act does say that organisations have to take appropriate security
precautions and those include technical and organisational and also ensuring
the reliability of the staff, so you would expect there to be appropriate
sanctions in place for members of staff who breach the rules.
Q31 Bob Russell: He lost his job. Thank you.
Mr Bamford: That might be one of them!
Q32 Mr Winnick: With all the emphasis on privacy, when I in my
private capacity changed my domestic gas supplier the company in question knew
my creditworthiness. I had nothing to
fear; it is one which is hardly likely to cause any difficulties for the
company concerned but they knew that automatically. One would assume that they have pretty
detailed information on virtually every individual who applies to become a
customer of theirs.
Mr Graham: Yes, but I would expect that.
Under the Data Protection Act we have got the right to check what the various
credit reference agencies are holding about us on their files. One could make a subject access request and
say to Experian or whoever, "I want to have a look at the record". You might conclude that something had gone
wrong because you had suddenly -----
Q33 Mr Winnick: Your information is passed from company to
company, is it not? Despite the Data
Protection Act and the rest, this detailed information about your financial
status is known.
Mr Bamford: It is quite right that
somebody who might be providing something like a gas supply or something else
which is paid for later on would want to check the credit status of the
individual to know what methods of payment are appropriate, what service to
provide. It may be quite appropriate for
the gas supply company in that instance to keep a record that it had checked
your credit record. What it would not be
quite appropriate to do is keep a record that you have got 16 credit cards, you
owe this on that, that on the other one.
The requirements in the Data Protection Act that are only to hold the
minimum amount of information necessary for the purpose would cut in at that
point and make sure that this information is not collected and held and then
disclosed to other people.
Q34 Martin Salter: I have a couple of questions, the first on
privacy, and perhaps you can help me with this.
My personal clash with the Information Commissioner came - and it did
lead me to flirt with the Private Member's Bill that Mr Winnick talked about -
was nothing to do with wanting to keep MPs' expenses secret but everything to
do with wanting to keep MPs' correspondence secret because, as we rightly said,
it is very sensitive. I got involved in
an issue where one of my constituents was being harassed quite badly and the
person doing the harassment was able to put in an FOI on correspondence that I
had written as a Member of Parliament and find out the name of the person who
had complained against him and then up his harassment as a result of it. This seemed to be a monstrous use of the
Freedom of Information Act. I put in
complaints against the local authority for releasing this and it just got lost
in the fog and confusion in your predecessor's office. Can you give us a bit of clarity as to what
protection there is for Members of Parliament or any other public
representative who wishes to take up sensitive cases but quite clearly does not
wish to see, nor does the person bringing the complaint to the Member of
Parliament, their identity revealed to a third party?
Mr Graham: I am disappointed to hear you
had a bad experience with the ICO. I do
not know the details of the case, but the intermeshing of the Freedom of
Information Act and the Data Protection Act means that it is a very good idea
to have these two pieces of legislation operating through the same regulator,
because a high profile case that we have been deciding on in recent weeks, a
freedom of information case, very often has a big data protection dimension, so
the pressure may be on to publish some document in the public interest but it
contains a lot of sensitive personal information and that can be one of the
exemptions under the Freedom of Information Act which would make me conclude
that the document should not be published or should be published in redacted
form with some of the names missing. I
do not know the details of your case so I should not really comment, but -----
Q35 Martin Salter: It is on your files.
Mr Graham: Okay, I will have to go and
look it up, but it would be very typical -----
Q36 Mr Winnick: Will you write to Mr Salter?
Mr Graham: I would be delighted to do
so.
Q37 Martin Salter: It could be my last ever letter.
Mr Graham: It will be a privilege.
Q38 Martin Salter: Thank you very much. This was a few years ago and local
authorities were still getting used to having to relate to the Freedom of
Information Act and they probably were over-enthusiastic in terms of not
producing redacted information. The
final question I have for you is again about third parties. Should public bodies, for example, the DVLA,
which is a classic one, be allowed to sell to commercial organisations
information about people's driving records, for example, wheel clamping
companies, which are clearly the subject of some controversy and whose behaviour
is often pretty questionable? Why on
earth should they be allowed to buy data at a price? Does that not cut across the principles in
both pieces of legislation?
Mr Bamford: To deal with the specific
instance of the DVLA, there is legislation under the Road Traffic Act which
provides for the DVLA, where people show reasonable cause, to provide
information to that third party and levy a fee for doing it.
Q39 Martin Salter: Has that not been superseded by the Data
Protection Act and the Freedom of Information Act?
Mr Bamford: Not if it is written in a law
that that has to happen in that particular way.
To use that example and then perhaps go back to the general if I can,
the DVLA have tightened up the circumstances where third parties can use this provision. They have a code of practice in place, I
think. They have a system of trying to
make sure that the organisation's bona fides are appropriate. Indeed we
have had discussions with the DVLA previously and have done an audit there to
try and make sure the provisions are being followed correctly, so there is a
degree of scrutiny of that. On the
general point about the use of public information, public databases for private
gain, if I may put it like that, that is something which does engage general
privacy concerns. Where you can exploit
information that is held by the public sector without any privacy intrusion,
then clearly some good can come of that.
An example in the past would be, where vehicles which often failed their
MOTs, for the Vehicle Standards Authority to reveal that. Clearly that can help inform the public
without revealing who all the vehicle keepers are. If Ford Mondeos, for the sake of argument,
are particularly problematic, it might be helpful for somebody who is
contemplating a purchase in that area.
For us the real concern is to what extent does information about the
individual become available to a third party, and clearly the public has some
concern about the wide availability of that, particularly if a law requires
them to provide that in the first place or on pain of some sanction or penalty and
for that then to be used for something unconnected to the reason for putting
that very severe imposition in place.
That starts to concern the public and it concerns us. There needs to be a well argued case. When you start to look at these in the
future, things like privacy impact assessments where you are trying to work out
what is going to happen to information before you do it, they become helpful in
clarifying the debate.
Q40 Bob Russell: Is that not an invasion of personal privacy?
Mr Bamford: If that is a traffic fine
camera, where there can be a debate about who is driving a vehicle then it
might be quite proper to -----
Q41 Mr Winnick: Mr Bamford, perhaps Mr Russell could be
written to over that. Can you arrange
for that?