Protection of Freedoms Bill

Memorandum submitted by Richard Thomas CBE, I nformation Commissioner, 2002-9 (PF 17)

Clause 95 - Appointment and tenure of Information Commissioner

This Memorandum argues that, if the Information Commissioner will be unable to serve more than a single term of office, a maximum of five years will be too short.

1. The new Paragraph (3C) to be inserted into Schedule 5 of the Data Protection Act by Clause 95(1) of the Bill provides that the Information Commissioner may not be appointed again for a further term of office. This is welcome as part of the package of measures intended to reinforce the essential independence of the Commissioner.

2. However, I consider that it is necessary to make a further change to the Schedule which stipulates a maximum term of five years. Otherwise no Commissioner will be able to serve more than a single term of five year s.

3. I was appointed by Her Majesty as the Information Commissioner for an initial five year term taking effect from November 2002. In line with the existing law, I was then re-appointed for a second term on the understanding that I would retire on my 60th birthday in June 2009. I therefore served for a total of almost seven years.

4. I consider that a single term of five years would be undesirable for two main reasons:

1. It would restrict the field of candidates;

2. Five years is not long enough for a Commissioner to adopt the necessary strategic approach to the functions

Field of Candidates

5. I applied to be the Commissioner at the age of 52. I was then working – at a higher salary than was then paid to the Commissioner – for a law firm. I had previously worked across public, private and voluntary sectors. Appointment as Commissioner amounted to a considerable gamble in career and personal terms. Both of my predecessors had been re-appointed for second terms. The unspoken expectation – and my own calculation - was that I would be appointed for a second term unless, of course, I was judged to be unsuitable. I am clear that I would not have applied for a single five year term, which would have expired around age 57.

6. It is my view that many people in their late 40’s or early 50’s would have taken a similar view, especially those with suitable skills and experience within the private and voluntary sectors. (The location of the ICO office in Wilmslow, near Manchester, further acts to narrow the field.) There is a real prospect – which could undermine at least perceptions of independence – that the most interested candidates would be civil servants used to a culture of a job change every five years.

A Strategic Approach

7. The role of Information Commissioner is complex and demanding. The Commissioner carries considerable personal responsibility – everything is done in his or her name - and is in effect both Chairman and Chief Executive. This involves both strategic and external functions and internal and operational functions - as well as the judgements that need to be made on a wide range of cases and other matters across an extraordinary range of subject-matter. In addition, data protection and freedom of information law will be (as in my case) largely unfamiliar to most incoming Commissioners.

8. It is my view that five years is not a long enough period for a Commissioner to get to grips with the responsibilities, to build up know-how and contacts, to decide the strengths and weaknesses of the organisation and what changes are needed and to decide and implement the necessary strategic approach. Ironically, a contrary risk is making unwise changes and mistakes in haste. More than five years are needed to get the right balance of both change and continuity.

9. I have discussed this matter with a number of current and former Privacy and Information Commissioners in other parts of the world and there is a consensus that five years are not long enough.

What term?

10. If a five year term is too short, ten years would be too long. There is no magic solution, but I suggest that seven years should be the new maximum. This would require amendment of paragraph 2(1) of Schedule 5 of the Data Protection Act 1998.

I would be happy to elaborate the personal views expressed in this Memorandum.

March 2011