CHRISTOPHER GRAHAM

26 APRIL 2011

Q131   Chair: I call the Committee to order and refer everyone present to the Register of Members' Interests, where the interests of all members of this Committee are noted. I welcome the Information Commissioner on his first appearance before this Committee. Welcome, Mr Graham.

Christopher Graham: Thank you.

Chair: This evidence session is related to the Committee's inquiry into the unauthorised tapping into or hacking of mobile communications, but in any event the Committee like regularly to see the Information Commissioner to find out what is going on in respect of his activities.

  Do you have an interest to declare, Dr Huppert?

Dr Huppert: I do, if I could, Chair. The Information Commissioner's sister lives in Cambridge and is well known to me.

Q132   Chair: Excellent. Let us proceed to the first set of questions, Mr Graham. The issue of resources, if I could just raise this at the start, was originally raised with a predecessor committee. Are you happy with the resources that you have at your disposal in the execution of the duties that you have to perform?

Christopher Graham: Mr Chairman, the Office of the Information Commissioner is funded by two streams of revenue. I have the proceeds from the notification fee that data controllers pay to operate under the Data Protection Act, and that raises about three-quarters of the income for the office, about £15 million, but that is solely to be used on data protection work. The problem arises on the freedom of information side of the house, where I am funded by grant in aid from the Ministry of Justice. Like all public authorities, we are having to take our slice of the cuts. We are responding to that constructively, trying to achieve better for less. But the fact is that if we are asked to do more and more under the transparency and accountability agenda, we will need the resources to do it.

Q133   Chair: In your evidence to this Committee you say that your office has experience of cases relating to the processing of data that has been obtained through interception. You made it very clear in your evidence what you are responsible for and what you are not responsible for. You are not responsible for RIPA but you are for data protection breaches. What kinds of cases have come to your attention in respect of interception?

Christopher Graham: The major issue that my office has been concerned about in relation to the unauthorised disclosure of personal information relates to what we call blagging rather than interception or hacking. That is misrepresenting yourself over the phone, at the doctor's surgery or to the DVLA or to TV licensing in order to piece together information that you have no right to: where someone lives, what their phone number is, what their friends and family numbers are. That was the subject of a report by my predecessor What price privacy? followed up six months later with What price privacy now? But this is quite historic—this is 2006.

I think the concern about the behaviour of the press is less of a worry to us, though clearly it is before the courts at the moment in relation to hacking and interception that you have been investigating. Where I think we come in of relevance to your inquiry is where there may be unlawful and unfair processing of personal information that is the result of hacking. It is very difficult for us to know the origin of the material, but here again there is a restraint, which we have to bear in mind, that the Data Protection Act, insofar as it applies to this sort of thing, has a very broad exemption within it for what is called the special purposes, for literature, journalism and the arts. My investigatory powers can be very easily stymied by somebody telling me that what they are doing is for journalism, literature and the arts. All my powers of requiring information—information notices, investigation and the more dramatic stuff, kicking the door down—I can't do if there is an exemption for the special purposes. So my role in this area is, frankly, pretty limited.

Q134   Chair: In respect of what is in the public domain at the moment in terms of the evidence the Committee has received from the DPP and the Assistant Commissioner, you are not involved in any of those matters? You are a watchful observer rather than someone who has been asked to do anything in respect of unauthorised tapping?

Christopher Graham: We have, on occasion, been ordered by the court to provide material from our so-called Motorman file—the material we secured from a private investigator back in 2005. Celebrities who have been pursuing the cases that we are aware of are very interested to see whether information was being blagged about them. So it is a different offence, but we sometimes come in there; and we have certainly been involved in the case management conferences with Mr Justice Vos.

Q135   Chair: You have complied with all the orders of the court?

Christopher Graham: We have complied with all the orders and certainly provided all the information. But we are very interested bystanders because, to the extent that there is a lack of clarity about how the law stands, obviously one is concerned that that clarity should be provided. After all, the Regulation of Investigatory Powers Act is not legislation that I enforce, but it is an observable fact that this was a law that was drawn up for another age and another circumstance.

Q136   Chair: We will come on to that in a second. In respect of the orders that you have been asked to comply with, how many people were affected? How much information have you supplied? We don't need to know the names, but is it a handful of people or tens of people?

Christopher Graham: I would say tens of people. If the Committee wanted a precise number I would need to go back to the ranch and check.

Q137   Chair: Is it over 100?

Christopher Graham: In terms of court orders? No, less. Much fewer.

Q138   Chair: Less. But in terms of names of people who you have supplied information on?

Christopher Graham: I would say, from memory, there would have been fewer than a dozen cases where celebrities who were seeking redress against newspapers had got a court order to get information from the Information Commissioner about what we had in relation to blagging.

Q139   Alun Michael: Just on the point that you said there were a number of exemptions that would prevent you investigating a case, who decides that the exemption applies? Presumably somebody can't just claim the exemption and that stops. You would have to be satisfied that the particular issue fell genuinely under one of the exemptions, wouldn't you?

Christopher Graham: It is a bit of a catch-22, because I would be working entirely in the dark. In other situations, if I issue an information notice to a data controller or a public authority I would expect compliance and if I didn't get compliance it would be a pretty straightforward application to the courts to get it. But if I don't know whether a story that a journalist is working on, for example, is or isn't in the public interest or, indeed, whether somebody blogging is or is not a journalist—where does journalism start and stop in the internet age?

Q140   Alun Michael: Clearly that is a matter of judgment, but wouldn't they have to provide you with the evidence that they are pursuing that activity in order to satisfy you? Essentially, don't you have to make a judgement and doesn't the person that claims the exemption have to show evidence that the exemption does genuinely apply?

Christopher Graham: But it would purely be a fishing expedition on my part if I didn't have—

Q141   Alun Michael: But you wouldn't be asking the question in the first place unless you thought there was a question that should be answered.

Christopher Graham: But I am not sure I could make an information notice stick under these circumstances. As the Chairman has pointed out, there are issues of resources and like any good regulator following better regulation principles, your intervention has to be well directed and proportionate.

All I am saying is that in relation to that tiny part of the universe relating to your inquiry that falls to me, which is section 55 offences under the Data Protection Act where people are blagging information from databases, the special purposes exemption, which is there for a very good reason, makes life a little difficult for me.

Q142   Alun Michael: Sorry, I will pursue this just one point further. The purpose of Parliament, in agreeing that exemption, is to exempt genuine cases; it is not to provide an excuse that makes it impossible for you to pursue cases. Surely you must have the authority to say, "Show me that this exemption is soundly based," rather than having to accept it just because somebody claims it?

Christopher Graham: I would have to make a judgment on whether it was a good use of my resources—

Alun Michael: That is a different point.

Christopher Graham: Well, it is a very material point because I have limited resources and a range of responsibilities given me by Parliament.

Q143   Alun Michael: But it is for the person who is claiming the exemption to show—it is they who have to do the work in order to satisfy you. You have got to the point of saying, "There is something I think I ought to pursue."

Christopher Graham: But I still have to enforce the information notice in court, I have to brief counsel, go to court and so on. All I am saying is I would be operating in the dark, but really this is a sideshow: the main issue surely is that we have a law and a regime around hacking, blagging, interception that is very, very unclear, very, very uneven. I am trying to—

Q144   Alun Michael: But essentially you are saying to us, and you are saying to the wider public, "Well, claim the exemption because I won't challenge it." That can't be right, surely.

Christopher Graham: I am implementing the law that Parliament has given me.

Q145   Chair: But you are worried about the lack of clarity that exists at the moment? This is something that other witnesses have talked about. Mr Michael has an important point in that you are put under a huge amount of pressure, and you are responding to say you really can't do everything because you don't have the resources to do it, but at the end of the day this comes from Parliament's lack of clarity as far as RIPA is concerned.

Christopher Graham: I am only a small part of the solution. I am saying that perhaps the issue that the Committee will want to think about when they come to report is the fact that there is a mosaic of regulation covering an area that is now very current, but perhaps in 2000 was not. RIPA was drafted for the wiretap age. We are now talking about the internet, we are now talking about deep packet inspection, we are now talking about online behavioural advertising, and yet there are a series of commissioners working away in different parts of the wood—

Q146   Chair: Yes, just remind the Committee, how many different commissioners and authorities are involved in this process? There is yourself—

Christopher Graham: I think four would be of relevance.

Q147   Chair: Who are the four?

Christopher Graham: The Information Commissioner. There is the Interception of Communications Commissioner, there is the Surveillance Commissioner and there is the Interim Closed Circuit Television Commissioner—who is about to morph into something else—and we are all operating different bits of legislation. It is very important that we operate in a joined-up way and I recently took an initiative to write to my colleagues and say we need to liaise very closely to make sure that business doesn't fall through the gaps.

Q148   Chair: Until you did that, was there any mechanism by which the four commissioners perhaps met for lunch once a month or had a meeting once a month to discuss this? Before you wrote and did this, was there a process, is there a process that allows this to happen, other than your initiative when you brought them together?

Christopher Graham: My staff were working very closely with the staff of the Interim CCTV Commissioner and from time to time we had dealings with the Interception of Communications Commissioner's staff, and the Surveillance Commissioner—

Q149   Chair: Yes, we understand that, but did the four of you meet together?

Christopher Graham: No, the four of us have never met together in the same room at the same time. But over the next—

Chair: Ever?

Christopher Graham: I have only been in post since July 2009 so I am not perhaps—

Chair: So in the last two years there has been no meeting between the four commissioners?

Christopher Graham: Met individually but not the four of us. By the end of June we will have done that.

Chair: Thank you.

Q150   Dr Huppert: You seem to have made a strong case for perhaps unifying commissioners into some sort of structure. Can I ask about the difference between having a formal role in something and having a looser more advisory role, giving advice to people involved? Let me give you an example of what I mean. I recently contacted the National Policing Improvement Agency, who have a covert advice team that provides advice to police forces in terms of how to use interception, and asked them what advice they had given to police forces. They gave a detailed response, which I will circulate to members of the Committee and make sure is in the report, saying that they have been providing essentially the same advice from 2003 to 2010, which says inter alia that voicemail messages stored on the servers would still remain in the course of transmission irrespective of whether the message had already been read or listened to by the intended recipient, so we know that the police were being advised professionally by the NPIA about how to interpret this. That is not the same as the DPP who we have explored separately.

I think this is something we should explore separately with the Met Police, but have you been asked to give advice in that sort of way? Do you have a track record of people contacting you asking for your opinion on things, even if they are not directly your responsibility?

Christopher Graham: We can't give advice on legislation that we have no responsibility for, and the Regulation of Investigatory Powers Act, which is what you are referring to, is just not our piece of legislation. What is interesting, I think, is where you have RIPA and also the of Computer Misuse Act, where the penalty for a breach is very serious, up to two years in prison, and it is a very high hurdle—to take a case and to establish it is in the public interest is quite a rare event—but there is nothing below that very high hurdle of the sort of activity of a regulator, which is absolutely standard for the Data Protection Act. Most of my job, and my staff's job, is about giving advice to data controllers and to members of the public and sorting out individual problems. The prosecutions under section 55 of the Data Protection Act are pretty rare. It is not the main thing of what we do.

What is interesting about this patchwork regime for hacking and blagging and interception is that there is no equivalent of the Information Commissioner giving very practical advice to Government agencies, to commercial organisations. You either get into serious trouble and are locked away for two years or nothing happens so far as I can see. There must be something in between.

Q151   Dr Huppert: Are you aware of any interception cases where section 55 of the Data Protection Act has been used?

Christopher Graham: I am not aware, and I am not surprised that I am not aware, because if the police after investigation have concluded that a prosecution isn't in the public interest, it is very difficult for me to follow on behind and see whether I can make a lesser charge stick. Remember the maximum penalty for blagging under section 55 of the Data Protection Act is a fine of up to £5,000 in the magistrates court, unless it is prosecuted in the Crown Court, in which case it gets a bit more serious.

Very recently Government has woken up to the fact that this is a modern scourge—and it is not about newspapers, it is about dodgy private investigators and child custody battles and nasty matrimonial disputes—and the lack of a serious penalty is a real problem. The Ministry of Justice is exploring the restitution of the profits of crime, they are talking to the Sentencing Advisory Council about making clear that section 55 offences are not just the equivalent of pinching the office stationery, a crime against the boss; these are crimes against citizens that need to be properly prosecuted with a real deterrent penalty. We have found that very limited fines in the magistrates court doesn't do the trick.

Q152   Dr Huppert: So you would like to see higher penalties for that sort of offence, or you would like to see—for instance, you implied that if the police have already looked at a case and decided that it is not sufficiently serious for them to want to do anything, you would feel debarred from taking any action?

Christopher Graham: It is not a question of being debarred, it is simply that the police have all the resources to make a charge stick. I am labouring under some difficulty with the special purposes in relation to some of the activities of the press. I am on the record as saying that I think section 55 offences under the Data Protection Act should be on a par with section 1 of RIPA and the Computer Misuse Act, and there should be the availability of a custodial penalty of up to two years. That would put everything on all fours. I am very ready to see whether the Ministry of Justice has any luck with persuading the courts to impose more realistic fines and to go after the profits of what is a very profitable business. The trade in unlawful personal information is hugely profitable.

Q153   Chair: Do you have an estimate as to how much it is?

Christopher Graham: Well, if I tell you that one case before the courts, which is awaiting sentencing and an order, I hope, under the recovery of the proceeds of crime procedure, involved the employees of a company who were selling customer information to rival companies. Those individuals, we are told, were making £70,000 a year over and above their basic, so it is very, very profitable.

Q154   Chair: So this would run to millions of pounds a year?

Christopher Graham: Yes.

Q155   Mark Reckless: Mr Graham, you say the police have all the information, but to take this issue of phone hacking, surely it is the mobile operator that has a lot of this information and, although you say that RIPA isn't your field, you do say that it is your role to give advice to data controllers. I wonder what advice you would give to a data controller were they to come to you and say, "We have evidence that a mobile phone perhaps has been improperly accessed and one of our clients would like the information as to who or what telephone numbers have tried to access that information." Would you advise them to give their client that information?

Christopher Graham: Again, any advice that I give under RIPA is purely going to be out of the goodness of my heart. It is not official advice and it is not something that anyone should rely on. You have to be very clear the Information Commissioner has no status in relation to RIPA or the Computer Misuse Act.

Q156   Mark Reckless: But you have status with respect to data controllers, and the mobile phone company is a data controller and they are holding this data on what telephone numbers have attempted to access one of their clients' accounts. Should they be prepared to give that data to that client?

Christopher Graham: Under the new Privacy and Electronic Communications Regulations that are coming into force on 25 May, there is provision for compulsory breach notification. So that if a data controller is aware of a breach of data security, they have to tell not only me as the Information Commissioner but also the affected customers, so that might well be one solution.

Q157   Mark Reckless: That would certainly help, but in the meantime, under existing legislation, would you be able to answer my question as to what advice you would give to that data controller?

Chair: Unlimited or not?

Mark Reckless: Or otherwise.

Christopher Graham: The reason I am making the point about whether it would be official advice or merely helpful big society citizen advice is that there is a real problem here of the division of responsibility and legislation that doesn't reflect the modern world. I can help out—I will do my boy scout act for you if you like—but that is not really the point. Parliament has to focus on the fact that legislation that was passed in 2000 to deal with wire tapping is now facing much more contemporary problems, and we need a contemporary solution to that because the issues that are concerning people are about online behavioural advertising or deep packet inspection of emails rather than the circumstances that RIPA was designed for, which is basically making sure that the official community stick to the rules.

Q158   Alun Michael: You said a few moments ago that you have no role, if I understood you correctly, in relation to the Computer Misuse Act. You talked primarily about section 5 but do you have no role at all in relation to the Act as a whole, is that what you meant? And you have no role in relation to section 1 of the Act?

Christopher Graham: Of RIPA?

Alun Michael: Of the Computer Misuse Act.

Christopher Graham: I am not the prosecuting authority is the point I am making. So if there is anything to be done under RIPA or the Computer Misuse Act it has to be taken forward by the police or the Director of Public Prosecutions. If Parliament wants to do it a different way, fine. I am not here pitching for a different mandate. I carry out statutory duties given to me by Parliament. All I am saying is there is a complicated situation and the legislation, the regulation, doesn't quite match the need.

Q159   Alun Michael: Yes, I understand what you have been saying up until now. I am trying to ask you specifically about the Computer Misuse Act. Are you saying that you have no role in relation to the Computer Misuse Act? I wouldn't want to misinterpret it; I thought that was what you said.

Christopher Graham: The advice that I have had as the Information Commissioner since I came in in July 2009 is that, because we are not the prosecuting authority for the Computer Misuse Act, we are never going to get anywhere down that route.

Q160   Alun Michael: Does that mean that you are not able to provide advice formally, other than as a former member of the scouts, and that nobody else is either?

Christopher Graham: Nobody else is.

Alun Michael: So nobody has the role of advising people under the—

Christopher Graham: That is the point I am making, that most—

Q161   Alun Michael: Yes, we have that point. What I would ask you, though, is what your experience is of proceedings under section 1 of the Computer Misuse Act, and do you think there is a gap in the regulatory regime, other than the point of where do you go for advice, on which you have made it very clear that there is a gap?

Christopher Graham: Because we are not the people who can do anything about it, people don't really consult us about the Computer Misuse Act, so I can't really say anything very useful there. What I will say is that the regulatory regime is a thing of shreds and patches and the Committee will no doubt want to address that.

Alun Michael: No, no, we have that point.

Q162   Mr Winnick: In all this controversy, Mr Graham, about phone hacking and the rest of it, the question has been touched on of the companies concerned, the mobile companies. Do you feel they should take more responsibility for misuse such as hacking?

Christopher Graham: I wish they were a bit noisier about advising their customers on how they can keep their information secure. It is a general point, I think. There are responsibilities on communication service providers and internet service providers, and there are also things that individual consumers and citizens can do, but you kind of have to be told about them to know what it is you can do. We recently did some survey work and found that a very high proportion of people had no idea whether their home wi-fi was passworded or not. That is a pretty basic step. I wonder how many of us are very, very careful to password protect our mobile phones, not just the voicemail mailbox but also the machine itself, the device itself. I would like the mobile phone operators to be much louder in their advice to customers saying, "Look, your Smartphone, your iPhone, it's a wonderful thing, you can do fantastic things on it but there's a downside. Be careful, make sure you've set appropriate permissions, make sure you've set appropriate passwords." That should not be in the small print of some agreement written in lawyer-speak that nobody can understand; it should up front, user-friendly advice.

I have found that the mobile phone companies are getting much better at this. I have been invited to give presentations to global privacy conferences by two of our leading mobile providers recently. They really are interested. The reason they are interested is, I think, they have got that we are now beyond the stage of kiddies in the sweet shop bowled over by the wonders of what we can see; we are a bit more questioning.

Chair: We will be taking evidence from them.

Christopher Graham: There is a commercial reason for treating customers with respect.

Q163   Mr Winnick: I assume that no one would want to hack into your phone but presumably when you bought your own mobile—I take it you have one—such security advice was not given in your own individual case?

Christopher Graham: I can't remember anyone making a great fuss when I bought a personal mobile. Any piece of equipment that is issued to me by the Information Commissioner's Office is passworded to the nth degree. I can't move for passwords.

Q164   Mr Winnick: Accepting that, of course, as I expected, you say you are meeting with some of the mobile companies. Have you written to these companies along the lines that you have just been telling us—that this should not be advice given in small print and the rest of it but very much otherwise, letting people know what needs to be done to safeguard their communications?

Christopher Graham: It is a very constant theme. Also, in our recent code of practice on personal information online, we made that point both to companies and to consumers, because the consumers need to take some initiatives themselves to make sure that they act responsibly about their personal information.

Q165   Mr Winnick: How can they do that then? How can the consumers do that unless—

Christopher Graham: They go to the ICO website and download the very useful consumer's guide on personal information online. We are providing all sorts of help and guidance for those bits of legislation that we are responsible for. What we can't do is to second-guess what the advice should be in relation to the Computer Misuse Act or the Regulation of Investigatory Powers Act, because I don't know that the regulators of those two pieces of legislation would take the same view.

Q166   Mr Winnick: In essence what you are saying, as I understand it, is it is up to the mobile companies to do much more than they have done up until now and to give every sort of advice about security?

Christopher Graham: I think there is a lot more they could do, a lot more they should do, and the clever ones realise that you maintain—

Mr Winnick: And you are telling them that?

Christopher Graham: Yes, I am telling them that and they also realise they maintain the confidence of their customers by treating them like grown-ups and helping them to keep safe online.

Q167   Chair: In the Mulcaire and Goodman case, are you satisfied that the mobile companies involved have now informed all the victims that their phones had been hacked? Since you are giving them constant advice, since you are addressing their conferences, since it is a constant theme, you would have noted the fact that some of the mobile companies have not informed people, their customers, that they had been hacked. Are you now satisfied that all the people have been informed?

Christopher Graham: No, and I am sorry if I am boring the Committee—

Q168   Chair: No, you are not satisfied or, no, they have not been informed?

Christopher Graham: It is not an issue that I have raised. I have raised the general point about you have to give your customers better security information and, of course, as we implement the Privacy and Electronic Communications Regulations mark 2, where we are talking to the companies about statutory breach notification—

Q169   Chair: So you do not know in this specific case whether the victims of phone hacking have been informed? You have given good advice, it is a constant theme, you are meeting them, you are attending their conferences, but in this particular circumstance you don't know whether the victims have been informed?

Christopher Graham: I don't know, but as you will have gathered from my evidence I am not responsible for the Regulation of Investigatory Powers Act.

Q170   Chair: We understand. Who would need to tell them that then? If you are not responsible, which of the other commissioners?

Christopher Graham: At the moment you have a vacuum because there is no equivalent of the Information Commissioner acting as a regulator giving advice and guidance.

Q171   Chair: The Committee has just written to them, so hopefully they will provide that information to us. The Committee wrote to you on 7 April—I don't know whether you have had a chance to have a look at that letter—relating to a number of immigration matters concerned with third parties. Did you get a copy of that letter?

Christopher Graham: I did get a copy of it and I replied to it on 19 April. I have a copy here.

Q172   Chair: Excellent, that is very helpful because I have not received that. It is probably in the office due to the recess. You understand the point that we were making? These are people who enter the United Kingdom as the spouse of a British citizen. When the British citizen spouse writes to the Home Office to ask for information on whether or not the person has been removed, the Home Office writes back and says you are preventing them—you meaning the Information Commissioner, the data protection legislation—from giving that information out, even though it is the spouse that has brought those people into the country. This is a constant bugbear for the Committee over a number of years and this is the response that many Members of Parliament get—that there is no way in which this information can be forthcoming to the spouse. What is the situation on that?

Christopher Graham: In the two-page letter that I have sent to the Committee—

Chair: Maybe you can summarise.

Christopher Graham: To summarise, it is certainly true that data protection is very often given as a reason for not doing things that are perfectly reasonable. In this case, very often the matter in hand may be about the legitimacy of the marriage or issues relating to a divorce, and it is very important that information is shared in appropriate circumstances but appropriate circumstances only. I would expect the UK Border Agency to be pretty careful about establishing the identity of who they were speaking to and what their interest was.

Q173   Chair: Of course, absolutely. Once they have done that and identified that the person they are speaking to is the very person who brought the person into the country and maybe wanting to report a fraud that has been committed. It may be a forced marriage. It may be someone who is subjected to domestic abuse. Once they have established that identity—I accept that establishment of the identity is pretty important—is that information protected?

Christopher Graham: It is horses for courses. You would have to look at individual circumstances. You mentioned forced marriages: particularly in the case of forced marriages, I would expect the UK Border Agency not to give out information particularly over the phone to somebody—

Q174   Chair: No, we understand all that. There is no question of giving out information over the phone. This is a request from the spouse of a person who is the subject of domestic abuse or a forced marriage as to whether or not the person they had married is still in the country or not.

Christopher Graham: But there might be very good reasons for not giving that information to a spouse. I think the Committee will appreciate that, if you are talking about domestic abuse or a forced marriage, the authorities have to be very careful and look at the circumstances. But there is a two-page letter that I sent on 19 April. If the Committee would like it photocopied and passed around—

Q175   Chair: No, it is all right. We have photocopying facilities. We don't need to impinge on your resources, but thank you very much for offering.

Mr Graham, your evidence has been extremely helpful. To summarise it: you find the law at the moment fragmented; you feel that RIPA was enacted at a time of a different age, things have changed since then; and you feel that greater clarity is required, not just in respect of RIPA but also as between the various commissioners. Is that your view?

Christopher Graham: Yes, it is certainly my view, but I do stress the fact that I have taken an initiative to get my colleagues together in order to make sure that we synchronise our swimming. This is not a land grab. I have quite enough to do, thank you very much.

Chair: We are quite sure that you are not trying to build your empire. We are extremely grateful. I am sorry it has taken you two years to get before us but we hope to see you again in the not too distant future. Thank you very much for giving evidence.

Christopher Graham: Thank you.