To be published as HC 962-i

House of COMMONS



JUSTICE Committee

the work of the information commissioner’s office

tuesday 5 february 2013

christopher graham, david smith and graham smith

Evidence heard in Public Questions 1 - 41



This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.


Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.


Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.


Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.

Oral Evidence

Taken before the Justice Committee

on Tuesday 5 February 2013

Members present:

Sir Alan Beith (Chair)

Steve Brine

Rehman Chishti

Jeremy Corbyn

Mr Elfyn Llwyd

Andy McDonald

Graham Stringer


Examination of Witnesses

Witnesses: Christopher Graham, Information Commissioner, David Smith, Deputy Commissioner and Director of Data Protection, and Graham Smith, Deputy Commissioner and Director of Freedom of Information, gave evidence.

Chair: Welcome to the Information Commissioner and to the two Mr Smiths. We are very glad to have you with us this morning. We have a number of things to cover and I am going to ask Graham Stringer to open the questions.

Q1 Graham Stringer: Good morning. Lord Justice Leveson does not think that your structure is capable of dealing with largescale issues as it presently stands. I understand you disagree with that but have made some changes in the structure. Could you explain your reasoning and the changes you have made to the Committee, please?

Christopher Graham: Good morning, Chairman, and Mr Stringer. Lord Justice Leveson’s inquiry was examining, so far as the Information Commissioner’s Office was concerned, events that happened between 2003–2006 and subsequently. When I gave evidence, I was not questioned at all about the structure of the ICO. Lord Justice Leveson felt that the Commissioner sole model was-I do not think he used the phrase-what might be characterised as a bit of a oneman band, whereas we come before you as a trio to demonstrate the information rights in the round, responsibilities that we have for data protection and for freedom of information.

The Office has grown and changed considerably since the period that the judge was looking at. We now have 386 colleagues-that is, the equivalent of 363 full time-and the structures that support the Commissioner are considerably developed. The judge did not ask me about the management board that we have, with nonexecutive colleagues joining us, and he did not ask about the structure of the executive team, the leadership group and so on. So the evidence of what we did or did not do between 2003 and 2006 does not help us to decide what is the appropriate model for an ICO that is now charged with many and varied responsibilities, only one of which deals with privacy and the media. Of course, we will listen carefully to what the judge was saying and I hope very much there is going to be a wideranging debate and consultation about what the structure might be in the future, but, as for now, I would say, "If it ain’t broke, don’t fix it."

Q2 Graham Stringer: Two questions follow from that. Can you put some flesh on the bones in terms of numbers-how many people there are working for you now compared to the 2003–2006 period? Can you comment on Leveson’s observations that your predecessor did not involve himself enough in Operation Motorman?

Christopher Graham: I thought the criticism was that the Information Commissioner either then or now took too much personal responsibility and there was not enough collective discussion. That is a wrong description, both on how things were and how things are. We have expanded simply because of a number of changes that my predecessor introduced, which persuaded the Government to introduce a tiered notification fee, so our resources increased and held up very satisfactorily on the data protection side. Of course, there was also the introduction of the civil monetary penalty regime and our good practice audits and so on. That is really where the expansion has come. I am confident that it is well managed, well directed and that we have clear policies and strategies, but if Parliament wants it to be structured another way then let us have the debate.

Q3 Graham Stringer: Can you put some numbers on the change in the number of employees, the change in number of officials-an order of magnitude, not precise?

Graham Smith: In around 2003 there were about 120 employees. The organisation was primarily focused on data protection because the Freedom of Information Act had been passed, but the Government then decided not to bring it into full effect until 2005. So we took on additional staff when the Freedom of Information Act came fully into effect. The organisation then grew to about 200. As you have heard from Mr Graham, the organisation has now grown to about 360 and most of that growth has been on the data protection side. In terms of our resources, whereas around 2005–06 it was two parts data protection to one part freedom of information, it is now, today, four parts data protection to one part freedom of information.

Q4 Chair: Is there not a sense among the public-particularly those who have been affected after all that has gone on, not only in Leveson but in other things such as personal injury insurance-related issues and all of these things-that a completely cavalier attitude to data protection has remained quite widespread in public bodies, including the police, and that the Information Commissioner’s Office has not been either strong enough or capable enough to deal with it?

Christopher Graham: I am going to ask David to contribute on this in a moment, but I would refute that. We can show evidence of the action of the ICO, with the increased resources and increased powers that we have, really making people sit up and take notice, but I don’t know what you would say, David.

David Smith: That is right, Chairman. "Cavalier" would be going too far, particularly when talking about public bodies. There are undoubtedly cavalier operators in the area of the Privacy and Electronic Communications Regulations, spam texts and unsolicited calls. We have already taken some enforcement action and I have another monetary penalty notice with me against another organisation which I think you would fairly describe as cavalier. Public bodies have featured prominently in our monetary penalties. "Cavalier" goes a bit too far, but insufficient attention to getting privacy right and protecting personal data has not been high enough up their agenda. Our powers are driving that. I do not think we are before you today, Chairman, as we might have been a few years ago, arguing for very much increased powers. We do have-and I am sure the Commissioner will say a little more about that-still the question of section 55 and the custodial sentence.

Chair: We are going to ask him questions about that shortly.

David Smith: Also, there are our audit powers and whether we should be able to go in as of right to audit businesses rather than only be able to do so with consent.

Q5 Andy McDonald: This is probably a question for David Smith and it is the issue of blacklisting and the Consulting Association. I am talking about the Opposition Day debate we had last week. The GMB’s principal concerns were that there was distinct inaction in terms of steps taken against companies who had used the blacklisting service; some had been involved in public contracts, including the construction of this very building. Secondly, the concern was about the steps or lack of steps taken to inform people who had been on that blacklist. Specifically, can I ask you what steps you are taking to rectify the fact that, after three years, only 7% of those 3,213 individuals on the blacklist held by the Consulting Association know that they were on such a list in the first instance?

David Smith: You raise a number of points there. One was the criticism by GMB and others that we did not take appropriate action against the construction companies. I have to say, Chairman, that we refute that. Our powers at that time did not extend to monetary penalties. The only criminal action was that of Ian Kerr, who ran the Consulting Association, the holders of the blacklist, who was not notified or registered as a data controller. We did prosecute Kerr and, indeed, we got the case taken up to the Crown court rather than just the magistrates court, albeit that the fine was still only £5,000. The other organisations-those construction companies that supplied information to Kerr-breached the data protection principles but there was no punishment available to us at that time. The only power was to issue an enforcement notice that required those organisations to change their practice.

We did pursue some enforcement notices, but we did not go to the ends of the earth in issuing enforcement notices against all the businesses because, essentially, we were issuing them with an order to stop them conducting a practice that had ceased because the Consulting Association had closed down. We had the blacklist. It would not have served any useful purpose to have pursued that further.

There is then the question of the victims. We were very clear at the time that we seized the Consulting Association database back in 2009 that there was a responsibility to victims, for them to be able to find out if they were on the database and to access the information. Once we had seized the database, we did make available what I would describe as a fasttrack access service whereby individuals could inquire of our Office as to whether they were on the database. If their identifying details matched up with those on the database, they would get a full copy of the information kept about them.

We had some 2,000 inquiries and about 200 hits in that time scale. That operated up until-it is continuing to operate-about the middle of last year. We heard nothing, no criticism and no suggestion that that was not a satisfactory mechanism, as I say, until the middle of last year, when we were approached by Liberty in conjunction with the GMB asking us to do more to proactively inform the victims. We have set up arrangements since then with the GMB and a number of other trade unions to help them contact their members where there is an apparent hit on the database. All that is going well. I can look up the figures, Chairman, but we had more inquiries and more hits as a result of that. I think there were something like 50 to 60 from the GMB, who now have the data.

The other step we are taking is to use a commercial service, operated by Equifax, so that where we have a name and address on the Consulting Association records-and some of these records are very old and not entirely reliable-we can check whether there is a good likelihood that that person is still living at the address there. Then we are going to write to those people. We signed the contract with Equifax yesterday and we will be starting that exercise this week. But we do have large numbers on the database with unreliable addresses. You have to appreciate the nature of the business these people were in. They were construction workers on building sites by and large, they moved around the country and some of this information is 20 or 30 years old. To write out to simply everybody and say "You may be on a blacklist" to addresses where we have reason to believe they are no longer at would be-

Q6 Andy McDonald: Can you check the electoral register to see if they are there?

David Smith: One of the services through Equifax will be a check against the electoral register.

Christopher Graham: As Commissioner, I think the ICO has been taking all reasonable steps since 2009 when we closed down the Consulting Association. I read in the debate in the House on 23 January the Opposition spokesman saying that, as a result of the blacklisting, "lives have been ruined, families have been torn apart and many have been forced out of the industry." I cannot help thinking that, after three years, where that has happened, the individuals concerned will have had a suspicion that something had gone wrong and they will be the ones who have been contacting the ICO.

I am very glad that we are now able to work with the trade unions and the credit reference agencies to track people down, but then there is a question of how much resource one should be putting into the proactive contacting of people whose names may be on that database but who may not have suffered detriment apart from the fact that they were on that database. How much is down to the ICO and how much is down to the trade unions? The resources we are piling into our information governance section to deal with the calls that have been generated by newspaper stories and so on is quite considerable. I do not say we should not be doing it, but if we do more in that area we are going to do less in another area. It is a question of proportionality.

Q7 Andy McDonald: But you are in the ideal position to come to a view about the damage that has been caused because you are going to have that information at your fingertips if this process continues. Would it be reasonable to ask you to come back to say the damage that has been caused to these individuals in this process?

Christopher Graham: I do not think I am in a position to say that. The individuals concerned know what damage has been caused to them. I am very glad to take up the invitation of the Secretary of State for Business to meet and discuss the issue more generally, but I do not really think it is for the ICO to be conducting some great public inquiry into the phenomenon of blacklisting. We are doing what we can now, but please remember that we did close down the construction industry database in the first place.

Q8 Chair: But the phenomenon, in principle, in your field is the abuse of data. That is a phenomenon which you, especially, are responsible for investigating and policing.

Christopher Graham: Yes; I absolutely accept that. Had we had the powers in 2009 that we have now, I am certain we would have done more than issue enforcement notices against 14 companies, but that is another country.

Q9 Mr Llwyd: I am a bit perturbed about something Mr Smith said. Apparently, because the Consulting Association was wound up, that was a justification for no further action against these large construction companies. I am afraid, if that were a general principle at law, there would be a lot of very guilty people laughing all the way to the bank each and every day. Many of those firms had Government contracts-which makes it possibly more serious, possibly not-but I cannot understand why they were just let off the hook completely.

David Smith: Let me come back, Chairman. I can only say that there was nothing we could do to punish them. Today, we would investigate them and almost certainly some of them would face fines-monetary penalties. But we did not have that power then. All we could do was order them to comply with the law in future in a formal enforcement notice, wit which non-compliance is a criminal offence that can be prosecuted. All these companies assured us that they were no longer involved with the Consulting Association and, indeed, we closed down the Consulting Association. It did wind up and we were entirely satisfied with that. All we would have done was issue them with a formal order which required them to stop doing what they had already stopped doing. It would not have served a useful purpose or been a good use of our time and effort. It would have achieved nothing further than was achieved anyway.

Christopher Graham: Subsequently, of course, the law was changed and blacklisting was specifically made illegal, but we are talking about what we might or might not have done in 2009 when it was not illegal to the extent that it is now and we did not have the civil monetary penalty power to enforce. We can’t rewrite history. We did what we could do at the time. We are now working effectively with the trade unions and the credit reference agencies. All the publicity that has been given to this means that, if anyone else is out there who suffered detriment as a result of being in a file somewhere, they can simply exercise their subject access request with the ICO and we can get them the information that enables them to seek a legal remedy.

David Smith: Chairman, if I may, it is worth putting on record here the same assurances that we have given to other committees and to the trade unions, that if we receive credible evidence that blacklisting is continuing-sufficient evidence on which to investigate some positive leads-then we will have no hesitation in investigating again and using the full ambit of our powers.

Q10 Andy McDonald: We acknowledge the success of closing down the Consulting Association, but some other organisation or individual may come along who is going to do the self-same thing in future years. You are saying that you did not have the tools then that you have now, but am I right in thinking that the tools you have now are limited to financial penalties imposed upon individuals who supply the information or who access such a database? Do you need any other tools beyond financial penalties on companies or individuals-learning the lessons from this process?

David Smith: Essentially, the tools we have at the moment are fines of up to £500,000, primarily against the businesses rather than individual directors. We have the same questions that a lot of regulators do about how you can pin responsibility on individuals within a company rather than the company itself. But the power-again, which we may come to-which would be welcome is that of compulsory audit, for us to simply be able to go up to some of those construction companies today, knock on their door and say, "We have a power to come in and check your HR systems to satisfy ourselves as far as we can that you are not still involved in that practice." That is a deficiency in our powers.

Q11 Jeremy Corbyn: Thank you for those answers and for what you do. When it comes to a question of credible evidence, where there is a big construction company involved, a union involved, and there are a number of responsible people around who can come up with evidence, I can see what you can do. But if it is a nonorganised sector, computers or something like that, and there is a suspicion of an informal network that is keeping certain people out of employment, are you able to investigate that sort of thing, and what is your threshold of evidence before you would seek to investigate them?

David Smith: It is really a question of having some leads to go on. If we just have one person who says, "I was turned down for all these jobs. I think there is a blacklist", that is not a sufficient basis for an investigation. If we see a particular pattern, then, yes, we would look further. I have to say that, with the Consulting Association, we were greatly helped by journalists-it was a journalist that dug deeply and gave us the leads-and by, essentially, a whistleblower from within the industry who told us this was going on, something to bite on that we could go and investigate. We have powers of access to our communications data, which we used in this investigation. That gave us the leads as to where the various calls were being made, to check people, and led us to Ian Kerr. There is a plea there, Chairman. Looking at the regulation of investigatory powers area in the draft Communications Data Bill, we see there is a suggestion that we may no longer have that power of access to communications data. That is very important to us in these sorts of investigations because so much is done over the telephone or the internet these days and that is what enables us to track these things down.

Q12 Jeremy Corbyn: Do you get many complaints that you do not follow up?

David Smith: It would be flippant to say no. Every complaint we get we look at and it gets a response, but we do not conduct a detailed investigation where we go to the business in every case. We have tens of thousands of cases a year. The trick for us is to spot among those complaints the ones which really do reveal serious wrongdoing and investigate those.

Christopher Graham: One should add that, as to the recent civil monetary penalty we imposed on two individuals who were running a spam text operation, the evidence came from information given to us by consumers using the ICO website and flagging their concerns about text messages and unsolicited phone calls. We could then put together a jigsaw and, working with the phone companies, one could pinpoint the warehouse where the payasyougo mobile phones and the unregistered SIM cards were firing off these nuisance text messages. We certainly use the evidence that comes to us. We have a very good enforcement team, led by a distinguished retired detective from the Greater Manchester Police, and they are very good at running these scams to ground. We are very proud of them.

Jeremy Corbyn: We should record that you did very well on that and I have not had one of those messages for nearly a month.

Chair: Were you going to move on to monetary penalties, Mr Corbyn?

Q13 Jeremy Corbyn: Yes, indeed. As an organisation you have been given powers to introduce monetary penalties and you have indeed increased the amount you have collected in monetary penalties. I can see how it works in the private sector, but I ask myself what is the point of a monetary penalty against a public sector organisation, the NHS or local government, because, in effect, it is one public sector organisation taking from another.

Christopher Graham: I would much prefer to have the power in local government, for example, of compulsory audit. We are pressing for that power to cover the NHS and local government. Many of our civil monetary penalties have been imposed on local government, on councils, for actions that would make your hair stand on end. I take no joy from visiting a civil monetary penalty on local authorities who are hard-pressed as it is, but they do very stupid things. The message seems to be getting through, but it would be much better if we could simply send in the good practice audit team to help them get things right. Until that happens-and I regret to say that the Department for Communities and Local Government remains to be convinced that this is a good idea-we have to continue down the civil monetary penalty road. David, you might like to expand on that.

David Smith: Yes. It is a difficult one because there is no doubt that, when we impose a penalty on a public body, it is essentially taking public funds from that body and giving them to the Treasury, because we do not keep the proceeds. There is a very strong argument that compliance by public bodies is just as important as-perhaps in some cases more important than-compliance by private sector bodies. There must be an effective punishment for public sector bodies that do not comply. There is, as we can see it and as the law sets out, no alternative available. A fine on a public body makes that public body account for the loss of funds. The body itself faces a fine, it hits the local newspapers and draws attention to the failings of the body, and that trust and confidence question, we think, drives compliance. It also drives accountability within the business. If it is my department that has incurred a £500,000 fine on behalf of the organisation I work for, I am going to be answerable for that and am quite likely to face disciplinary action or similar. So it is a driver, even though it is not necessarily a perfect mechanism. It is the same way other public sector regulators operate within the health service and so forth.

Q14 Jeremy Corbyn: The last point from me is this: you suggested, Mr Graham, that we have a compulsory audit of local government and health authorities. Please explain what that means, and do you have the resources to do it?

Christopher Graham: We have been expanding our good practice team. At the moment we have a system of consensual audits, and those councils and others who have invited in the ICO good practice team have been very pleased with the results. We get glowing opinions and very good customer satisfaction surveys. But, of course, the councils that really need the advice are the ones who do not ask for it and are sometimes quite resistant. There is the power, which can be exercised by order, for compulsory audit.

At the moment that just applies to Whitehall Departments. We made the case some time ago now for that to be extended to NHS bodies and to local councils. It does not have to be very onerous. It is simply the ICO coming in and asking, "How do you do things? You are going to be in trouble if you carry on doing that, so here is a list of things you need to do." You are only in serious trouble with the ICO if, having got the list, you do not do anything about it. It is the only free consultancy you are going to get, so why on earth would a council that had nothing to hide not want to cooperate with the ICO? I do hope that I can persuade the Secretary of State for Communities and Local Government that this is not an imposition, not a burden, but a help. It is a darn site more helpful than just being hit with a civil monetary penalty of £200,000.

Q15 Chair: You have made a business case to the MOJ for extending compulsory audit powers, haven’t you, but it depends, in the case of local government, on the Secretary of State-

Christopher Graham: Within Government they like to get agreement on these things. We can fairly say that the Health Department is very supportive but DCLG is strongly opposed. We continue to make the case. I think probably we will go ahead with the health service and come back to DCLG on another day, but, unfortunately, until local government gets the message, local council tax payers will continue to be hit with civil monetary penalties for really stupid basic errors. These involve sensitive personal information being sent to the wrong fax machine, being put in the wrong envelope, being dropped in the street, being left on unencrypted laptops and memory sticks. What else?

Q16 Chair: I think you have made the case very well indeed. There is also the issue of section 55 powers, which you referred to briefly earlier. Would you like to say a little bit more about that?

Christopher Graham: Yes. This is uncompleted business. Every Select Committee that has looked at this agrees that we need to move away from a fineonly regime for the offence of unlawful disclosure of personal information. It is section 55 of the Data Protection Act, where, typically, you go to the magistrates court and get a very modest fine because, of course, it is about ability to pay. Most of the cases that we see are family disputes, marital disputes, child-care battles and grudges-smalltime stuff.

Q17 Chair: But it is where information has been obtained by one of the parties to the dispute.

Christopher Graham: Yes. One of the parties who has access to a database, either at a bank or an NHS walkin centre, passes on that information because of a marital dispute or to a claims management company, who will follow up a broken arm with a call, "Would you like to sue your employer?"-that sort of thing. But the penalty is so modest. The going rate-and it keeps going down-is about £120. Years ago, in the Criminal Justice and Immigration Act 2008 there was a proposal, a proposition-

Chair: A provision.

Christopher Graham: -which is there in suspension, to be commenced, that there should be the potential of a custodial penalty for this sort of thing. But there it stayed. I worked very hard before Lord Justice Leveson’s inquiry got under way to try and separate out this section 55 issue from everything else in the hue and cry about the press, but I did not succeed; so nothing happened during the inquiry. At the end of the inquiry, Lord Justice Leveson agreed that it was a bad principle to have un-commenced legislation and that the Government ought to get on and commence section 77 of that Act and also section 78, which gives an enhanced public interest defence for journalists.

My worry now is that there is going to be another lull while there is a major consultation on all things Leveson, including changes to the Data Protection Act and its treatment of the media, including the constitution of the Information Commissioner’s Office and so on, and that section 55 is going to be part of that general consultation. That will be the third consultation on this proposal.

There is another problem in getting rid of the fineonly regime because it involves the dreaded word "custodial". I cannot imagine anyone is going to go to prison, but it does access all the other fines-the community penalties, for example-which the magistrates and the Crown courts cannot impose for this offence; it is only fines at the moment. So, all the very important debates about the balance between a free press and privacy in that general consultation will be muddied by the suggestion of prison. I can see the Daily Mail was at it on day one following Leveson, "Journalists will go to jail under Leveson proposals." The clever thing to do is to get on and do the section 55 business first and then have your wideranging consultation about all things Leveson. I would really press that very strongly.

We cannot afford further delay. I have been banging on about this for the three and a half years that I have been Information Commissioner. Despite the fact that I persuaded this Committee, the Home Affairs Committee, the Joint Committee on the Draft Communications Data Bill and Lord Justice Leveson himself, we are still no further forward, and I see this going off into a black hole of Leveson consultation with presumably nothing done this side of a general election.

Q18 Chair: This is an issue on which the Committee has given a firm opinion. I think we might have reason to repeat that opinion to Ministers.

Mr Smith, you have raised concerns that the European Commission is seeking to confine the application of data protection regulation to the private sector using the directive format for the public sector. Why do you think that is a problem?

David Smith: This is primarily about having clear law which works primarily for citizens, for individuals, because that is what data protection law is there to protect, but is also understandable by businesses. The more we have divergent legal instruments, so one legal instrument applies to the public sector and something different applies to the private sector-

Q19 Chair: Can I stop you there for a moment to underline that there is a difference between what we are talking about here? In the public sector there is a particular concern, for example, that police forces not sharing information that will lead to the safeguarding of children from paedophile attacks, and all of this sort of thing, is a failing of the system as well and that that brings a dimension to the public sector cases which is normally absent from the private sector cases.

David Smith: The argument is strongest with the police and justice area. The Commission’s proposals at the moment are a regulation for, basically, all areas, public and private sector, apart from police and justice, where there is a directive. When we gave evidence before, we discussed that area. Our view is that we prefer one instrument. You can give flexibility to the police and justice area within one instrument. What we see now as the risk is a proposal that is being driven-and we understand most strongly by Germany-to have not just a directive for the police and justice but to have a directive for the public sector as a whole and a regulation for private sector businesses. There are so many examples these days of contracting-out of services and partnership working, public services that are delivered in the private sector and local councils having commercial activities as well as straight delivery of public services. They will be faced by two different regimes. There are no matters of principle here, Chairman, other than keep it simple and consistent and, the more it is all in one instrument, the easier that will be.

Q20 Chair: On a related point, which is something you have mentioned, of work going into the private sector that has traditionally been done in the public sector, the approach this Committee has taken so far to how you handle freedom of information in that area is that the public commissioning body retains the responsibility to provide the information and the contracting mechanism is the method by which it ensures that it has that information, rather than creating a situation in which private companies are directly subject to FOI in some of their activities and not in others. Are you satisfied that that can work or do you have any doubts about it?

Graham Smith: It remains to be seen whether it can work properly. That is the conclusion that this Committee and the Ministry of Justice have come to. Where we have tackled those sorts of issues in the context of the Environmental Information Regulations, where the definition of a public authority is looser, there have been genuine legal problems with identifying organisations that hold environmental information and discharge the functions of a public authority.

It should not, it seems to me, be impossible for legislators to have a go at putting together a definition along the lines of the sort of thing that applies at the moment with freedom of information. For example, health practitioners are covered by the Freedom of Information Act to the extent that they are providing NHS services but not to the extent that they are providing private health services. There is that kind of comparison, but the difficulty comes when you apply the facts of a situation of a private company providing a range of different services and a range of contracts for a range of different purposes-some public sector and some private sector-and just identifying then what is subject to the Freedom of Information Act and what is not.

One area that can be explored further, and it arises sometimes in cases-and there was an important tribunal judgment a week or so ago involving the London Borough of Southwark and a privatised leisure centre-is the issue as to whether in fact you can say that the contractor holds information on behalf of the commissioning public authority. That issue arises. It can present some real practical difficulties and you can have a situation where, in law, on the balance of probabilities, it is found that the contracting organisation does hold the information on the public authority and the public authority might say that it does not actually have any right of access to it. That is where the contractual provisions will come in.

Q21 Chair: The contract needs to be clear in that respect.

Graham Smith: Exactly. There is some provision under the existing code of practice because this was anticipated, to an extent, when the Freedom of Information Act first came in. The current section 45 code makes some provisions about transparency clauses and contracts, but I think we need to take that a lot further because the stakes are a lot higher given the climate now of more privatisation.

Q22 Chair: It is not a new problem in the health service where, in general practice, doctors’ practices have always enjoyed exemption because they are private businesses. But things are proceeding apace in probation, for example. We cannot hang about. We have to make sure we have got this right.

Graham Smith: Yes.

Christopher Graham: Yes. Where you get reorganisation of services, even if it does not involve contracting, we are seeing the phenomenon of the FOI territory contracting. For example, the Serious Organised Crime Agency or various parts of the ACPO world are being merged into the National Crime Agency. The National Crime Agency, as I understand it, is not going to be designated under the Freedom of Information Act, but various functions that were previously within the realm of FOI are no longer.

Q23 Chair: We only just got FOI into ACPO within the last year.

Christopher Graham: Yes, but there are various functions that are transferring to the National Crime Agency. I know this has been debated and there are pros and cons, but we have to be ever vigilant. It seems bizarre that all the talk about openness and transparency on the one hand and the restructuring of the delivery of public services on the other may be leading to less accountability rather than more. Transparency and openness cannot just be a oneway street. It cannot be what those who are running these organisations think it would be good for the citizen to know. It is also for the citizen to have the right to ask the awkward questions, which very often elicits important information.

Q24 Chair: Just going back to the question of the European directive and regulation, we quoted your fairly cataclysmic prophesies about the potential cost of it as it then stood. Are you gearing up to implementing something like it at some point or are you sceptical about whether we will ever get there?

Christopher Graham: We must be, as they say in the Boy Scouts, prepared, but we have also at this moment to wait and see because the process of legislating within the European Union is certainly interesting. Over the next year or so we will have to see how it all ends up. I suspect there will be some pretty significant compromises at the last minute if this thing is going to get on to the statute book, but one thing is clear from the proposals as they stand. The principle of notification for all processing of personal data is out of the window, and that is a bit of a problem for the ICO because our data protection work is funded by notification fees. As Graham said earlier, 80% of our income comes from notification fees. So we are undertaking a lot of scenario planning and options considerations for what life would be like for the ICO, not just under the new regulation but given the various responsibilities that Parliament wants us to undertake as apparently the sort of goto regulator at the moment.

We are concerned that policymakers in the Ministry of Justice turn their minds to the funding of the ICO so that we can maintain the independence of the Information Commissioner but have adequate resources to do our job. The regulation as it is currently formulated would be very expensive to run because it is very much defined by process rather than outcome. We can see it will be a very expensive regime, but we can also see that our source of income for data protection goes. We have to come up with something else, and we have to have partners in the Ministry of Justice who are able to turn their minds to what that alternative system might be, whether it is an information rights fee that everybody pays and organisations pay, covering both data protection and freedom of information, or whether we are able to raise some more of our money through commercial activities or whatever. But, if you want the ICO to do an effective job of patrolling information rights in the 21st century, we are going to have to have the resources to do it.

Chair: Mr Llwyd, I have temporarily distracted you.

Q25 Mr Llwyd: Can I ask you about the use of ministerial vetoes, which is again a very important point? In your report, Mr Graham, on 3 September last you said: "For the Statement of Policy, ‘exceptional’ does not mean rare or unusual. Rather, it means a case where an exception should be made and disclosure blocked. In that sense, the ‘exceptional’ could occur very frequently." You go on to say that in the future "use of the veto should be ‘genuinely exceptional’". I think that is a view which most people would agree with. Could you expand on the concerns that you have expressed in that report? I am thinking about the veto on the minutes relating to the discussions on Iraq, in particular on the question of whether this was "exceptional". Is it the case in fact that the Government do not seem to be following their own statement of policy or that that statement of policy is actually wrong?

Christopher Graham: I reported to this Committee on 3 September about the ministerial veto activated by the AttorneyGeneral on 31 July in relation to the Iraq minutes. I did that because my predecessor established a very good discipline, which I follow, that each time the veto is used I report that fact to this Committee and we discuss it. I welcome the opportunity of exploring that further. Being a simple soul, I would assume that "exceptional" meant not very often, but I realised, looking more deeply at the guidelines, that it was simply civil service-speak for those occasions when an exception ought to be made. I have come to the conclusion that it might happen very frequently.

I was very struck by the AttorneyGeneral scattering the "E" word around-there were a lot of instances of "exception" and "exceptionally" in the notice supporting the certificate. That seems to me to conflict with what was said in Parliament at the time that the law was passed, which was: "The Government considers that the veto should only be used in exceptional circumstances and only following a collective decision of the Cabinet. This policy is in line with the commitment made by the previous administration during the passage of the Freedom of Information Bill that the veto power would only be used in exceptional circumstances, and only then following collective Cabinet agreement."

Jack Straw-the then Secretary of State for the Home Department-said in Hansard on 4 April 2000: "I do not believe that there will be many occasions when a Cabinet Minister-with or without the backing of his colleagues-will have to explain to the House or publicly, as necessary, why he decided to require information to be held back which the commissioner said should be made available."

The first part I quoted is from a statement of policy. The second part is from Mr Straw’s statement in the House. I understood that the veto would be invoked very rarely and I do not think that the Commissioner or the tribunal is suddenly scattering unacceptable decision notices around.

The problem that we have here is that there is a conflict between the Bill as debated, the Act as passed, and its implementation. I am now in a very difficult position. I absolutely heard what the Committee said in the report on postlegislative scrutiny about the importance of the safe space. The safe space is something that the Commissioner and the tribunal have upheld in countless decisions, but, ultimately, I have to take a decision where there is a public interest balance to be taken. The one thing I cannot take into account legally is whether I think a Cabinet Minister might subsequently decide to impose a veto. So I am between a rock and a hard place. We have to go through the whole business of the public authority considering a request, and no doubt an internal view, the Information Commissioner considering an appeal, possibly the tribunal getting in on the act, and then, at the last minute, the Cabinet Minister says, "That is one we are going to veto." There seems to be very little guidance in the statement of policy about what should or will happen. It is a most unsatisfactory state of affairs but perhaps something I have to live with. I do not know whether Graham would like to expand on that.

Graham Smith: Not really. The position is perhaps further complicated by the fact that, on at least two of the aspects of information on which the veto has been exercised, the requests have come around a second time. As to the report we have just been talking about in terms of the Cabinet minutes on Iraq, that request has gone through the cycle twice, and likewise the minutes on devolution. It just seems that, when we are all recognising that there are legitimate concerns about the burden that FOI places on public authorities, that is an aspect of the system which one feels perhaps could be improved upon to avoid those sorts of wasteful repeat experiences.

Q26 Mr Llwyd: Following on from that point, my understanding is that the Government will now be reviewing and revising their policy on the veto, including in fact its application in cases which do not involve Cabinetrelated information. First, how do you think it should be revised? Secondly, will you be in a position to inform that particular discussion?

Graham Smith: Perhaps that initial reaction suggests that we are not involved at the moment in that particular discussion. There is no legal requirement on the Government to have a veto policy here. They decided themselves that they would have a policy on the exercise of the veto, and I think now they are trying to extricate themselves from having their hands tied by the policy that they came up with, which, as I think you say, was in the context of Cabinet material being envisaged as what would most likely be the subject of the veto. I should say that it was the previous Government we are talking about there.

We have now had two cases-one involving the NHS risk register on the proposed reforms there, and the other one more recently on the Prince of Wales’ correspondence-which do not involve Cabinet discussion. My understanding is that the Government are looking for a policy which can be applied in a wider set of circumstances than perhaps had been originally envisaged. But there is no obligation on them to have a policy and there is no obligation on them to consult the Commissioner about that policy. When a veto is issued, we are given advance notice of it and offered the opportunity to comment on the statement before it is released. We do not have any experience of seeing things changed as a result of that. We recognise that the veto is an aspect of the statutory scheme as it stands at the moment. We have considered and, on occasions, taken advice as to whether the exercise of the veto was susceptible to judicial review, but on the occasions when we have sought that advice we have been told no, and so, for us, the matter has stopped there.

Christopher Graham: Perhaps I could add that I absolutely accept that the veto is part of the legislation. It is an important part of the legislation and it ought to provide reassurance within the public service that the most significant matters will not be left to the Information Commissioner or even to the tribunal. There is a long-stop, so we should not have all this nonsense from civil servants saying, "I can’t possibly write anything down. I can’t give you my best advice because, because, because". I absolutely accept that the veto is there, but the Commissioner has a responsibility to this Committee and to Parliament to analyse those instances where the veto is imposed and to say whether the reasoning is very convincing.

The use of the word "exceptional" provides too great an opportunity for the Commissioner to say, "Not really very convincing." I hope they can come up with a better policy, and I hope that politicians will never use the veto because there is something that is just "rather embarrassing". It has to be a pretty nuclear situation for the veto to be imposed. I could point to countless decisions of the Commissioner and the tribunal where the safe space has been respected and information that a request is wanted has not been forthcoming because we are responsible people and we are applying the Act as Parliament intended. But what I cannot do, in carrying out my duties and fulfilling the law, is second-guess what a politician might decide to do further down the track. Just to emphasise this, there is an awful lot of public money potentially to be wasted in this merrygoround. It might be better to have greater clarity about what is truly off limits and what is merely rather embarrassing.

Q27 Chair: You will recall that this Committee took the view that it was preferable to have the long-stop of the veto than to yield to the pressure to create some wide general exemption, which was the alternative approach being suggested by senior excivil servants, in order to protect the safe space, which of course is under threat probably rather more from public inquiries such as Leveson and Chilcot than it is from the Freedom of Information Act. We felt it was dangerous to be going along the road of a general exemption, and the lesser evil was the use of the veto from time to time, which provided some reassurance.

Graham Smith: We welcome that as an outcome but it does take us to this inevitable place of going through a process. Perhaps, if one wanted to, one could take a fairly inspired guess that the veto would be exercised, but we have to consider and weigh up the public interest, as does the tribunal, conscientiously on the facts, the arguments and the subject matter of the information that is put before us. We can say, with the statutory scheme as it is drafted, that is an inevitable consequence and it is something we all have to live with. It is just slightly galling when there are so many other things that we feel we could usefully spend our time and resources on.

Christopher Graham: This Committee pointed out in the postlegislative scrutiny report on the Freedom of Information Act on this very point that there is a political price to be paid for imposing the veto. All I am saying is that the Commissioner will always respond with an analysis to this Committee and sometimes it does not make very comfortable reading for politicians.

Q28 Mr Llwyd: Heaven forfend that politicians should wish to hide any embarrassing material. I cannot for one minute believe that to be true. Gentlemen, in light of the fact that you are asked to comment on each use of the veto, can you give the Committee a rough idea of the annual rates at which vetoes are imposed?

Graham Smith: We have had six instances of the exercise of the veto so far. I think four of those have been in the last 12 to 18 months-the repeat vetoes in relation to the Iraq Cabinet minutes, the devolution subcommittee minutes, and then the Prince of Wales correspondence and the NHS risk register. I should point out that the Prince of Wales correspondence veto is slightly unusual and you have not had a report from us on that one. That was a case where the Commissioner upheld the Government’s withholding of the information, but our decision was overturned by the upper tribunal and so the veto has been exercised in relation to the upper tribunal. But in fact the requester in that case, The Guardian newspaper, has applied for leave to judicially review the exercise of the veto in that case. So the legal process is not yet complete.

Q29 Rehman Chishti: I have a few questions in relation to costs of compliance. First, what is your view of the Government’s proposals, in their response to our report on postlegislative scrutiny of the Freedom of Information Act, to reduce the costs to public authorities of compliance with freedom of information legislation?

Graham Smith: We are talking here about the proposals for the cost limit, which threatens to remove from the ambit of the Freedom of Information Act considerable numbers of requests, irrespective of their public interest merit. That is very concerning. The Committee, I think, rightly recognising that there were genuine issues of burden, suggested that it might be appropriate to reduce the cost limit marginally, and I think you suggested two hours of search and retrieval time. But the Government’s response said that that is so marginal that it would not have any significant effect. They are also looking at including in the activities that can be taken into account when calculating the cost limit the consideration of the information against the exemptions in the Freedom of Information Act. That is the thing that I think threatens to remove a lot of requests from the ambit of freedom of information.

If the cost limit was both reduced in terms of the actual amount that we are talking about and the amount of time that we are talking about, and these additional activities could be taken into account when calculating the cost limit, then we really would be talking about a significant number of cases being potentially removed from the ambit of freedom of information. But we do not have detail of the Government’s proposals yet. We have not seen any. We have not been asked to comment on or discuss any potential formulae that they might come up with. So at the moment we are just feeling somewhat trepidatious about the situation.

Q30 Rehman Chishti: You will be delighted to hear that on 24 January this year the Minister, Helen Grant, said that there will be a detailed consideration and consultation of this.

Graham Smith: Yes.

Q31 Rehman Chishti: As to the information that you have just given now, will there be that consultation with yourselves on this as well?

Graham Smith: I would certainly expect there to be. We believe that the proposals that the Government are coming up with could be dealt with through secondary legislation rather than primary legislation, so, yes, we would expect to be consulted on that. I should say that our experience, both before the Act was brought into force and since, is that we have had full opportunity to comment on proposals from the Ministry of Justice on such things as the fees regime. It just has not happened yet on this occasion.

Christopher Graham: I did not find that terribly reassuring from the Minister. Talking about cost limits, she thought that the Committee had not gone far enough, and said, "The Justice Committee recognised that issue in recommending a small reduction in the cost limit beyond which requests need not be complied with. We believe that would result in only the most minimal reduction of costs, so we will consider whether to go further."

I appreciate the opportunity for consultation, but the direction of travel seems to be rather in tightening up the regime with the specific aim of deterring requests. What we have said in our memorandum to you for this session is that it does not follow that the most burdensome requests are those of least merit. We will be looking at the Government’s proposals very carefully, but I think it is the responsibility of the Commissioner to point out where measures to address the administrative burden might act to frustrate the aim of the legislation. We will judge where the proposed changes are addressing a real as opposed to a perceived problem and whether they are appropriate in the light of their likely effect. So we wait to see.

Q32 Rehman Chishti: I am grateful for that because you obviously have more information at your fingertips than I have over here. If I may move on to my supplementary, do you accept that there is a phenomenon of "industrial" use of the Act, which is proving overly burdensome to public authorities-perhaps local authorities in particular?

Graham Smith: We recognise that there are some users of the Act who use the rights on a large scale. On occasions, that can be regarded as abuse. We discussed the provisions under the Act for vexatious requests at some length in the postlegislative scrutiny sessions before this Committee. There has just been a very useful and important upper tribunal decision on vexatiousness in this context, which again was released last week, and that will help public authorities and the Commissioner in the application of those provisions.

Where I would disagree with the impression I was getting from some of the Committee’s deliberation is that this "industrial" use is, if you like, ascribed to some journalists, who, in my experience, are on the whole using the Act very effectively. It has to be said that it is through journalists that a number of very important pieces of information in the public interest have been disclosed under the FOI Act which otherwise would have been kept secret, and we have been talking about some of them today in the course of the discussions.

One area about which concern has been expressed is the use of the Act by companies for commercial gain. I should preface my comments with the fact that we see things only when they have gone wrong on FOI. We get the complaints when people are not happy with the responses that they have received. We do not get that many complaints from companies that they are disappointed with the outcome and they want to challenge the refusal of a request. We get some. We get companies that are seeking information about successful tenderers where they have been unsuccessful, and we get them from companies seeking information about existing contracts with a view to putting themselves into a better position when they anticipate that contract or a similar contract might come up in the future.

On the whole, we find that public authorities tend to be overly cautious in their use of the commercial interest exemptions and we tend to come down in favour of disclosure of information in those circumstances, partly through a point of public accountability for the service that has been provided and the money being spent on it, and partly also because we think that, the more that is understood about the way that contracts are delivered, that drives up performance and improves competition when you come to the next round of bidding. We see the public interest factors there very much strongly in favour. So I think one has to be a bit careful about using a very generic term such as "industrial use" and break it down. That is what I have just tried do in that reply.

Christopher Graham: That is an illustration of the contribution that freedom of information makes to shining the torch into the dark corners of public spending. We hear so much about burdens, but there must be a massive net saving in public expenditure by organisations abandoning practices which do not pass the blush test, by greater competition in the award of public contracts and so on. Much more can be delivered simply through the transparency and open data approach, which is very welcome but is insufficient. The aggravation of freedom of information is a price we pay for more effective delivery of services because there is a constant prod to do things more effectively and more efficiently because you cannot do things behind closed doors any more. I make absolutely no apology for that. That is what we are here for.

Q33 Rehman Chishti: Sure. I have a final supplementary, if I may. Should fees be charged to requesters who take cases to information tribunals?

Graham Smith: That is very difficult. It would very much change the scheme as it has been introduced. I believe that this is being looked at in the context of the idea of fees for applications tribunals generally and not singled out for information. We floated in our written submission in the postlegislative scrutiny the question whether in fact the right of appeal should be restricted to points of law, as it is in Scotland, but we were not particularly advocating that. We just raised it as an interesting issue that might be addressed, but neither the Committee nor any of the other witnesses picked up on it. Where you do have an appeal to the tribunal, to impose a gateway fee would significantly restrict the number of appeals that go forward.

What is relevant is that we have seen, in the last couple of years in particular, much more efficient use by the tribunal of its case management powers so that cases that have no reasonable prospect of success can be the subject of a strikeout application, and we make those applications. The tribunal judges are much more willing to consider those cases very seriously. Whereas in the previous business year we saw about 15% of tribunal appeals being struck out right at the very early stage, so far this year that is running at about 20%. So I think the tribunals themselves are aware of the need to be more efficient and more costeffective. My own view is that a gateway fee is perhaps a rather blunt instrument in those circumstances, although I can see the attraction in pure cost-saving terms because it would no doubt reduce the number of appeals. Again, it would be arbitrary because it does not necessarily mean that the appeals that are deterred are those without merit, whereas the current strikeout arrangement does address that issue. We spend quite a lot of money on appeals and the cost of legal fees taking them, so it would reduce that.

Q34 Graham Stringer: Can you give us a broadbrush view of the problems, as you perceive them, of getting public bodies to comply with the freedom of information, both in the spirit of the Act and the detail of the Act?

Christopher Graham: We have had considerable success as the Act has settled down in recent years by being quite aggressive about those local authorities that do not comply in a timely way. We have a programme of monitoring. At the moment, we have just four public authorities who are being watched over the first quarter of the year. One of them is the Department for Education. In recent years the list has been much longer than that. As the ICO itself has speeded up its consideration of appeals, that, as we intended, has had a salutary effect on the rest of the public service, and other people have got on with it because they realise that the Information Commissioner will not take years to get on to their case. The whole thing has speeded up very satisfactorily.

I do notice the stresses and strains within the public service. We all have fewer resources to devote to information governance, and the ICO is no exception on the freedom of information side, certainly; so it is more difficult. We have had to become much more productive and we have succeeded in dealing with an increased demand for our services while reducing the time taken to deal with things. That is a model for other organisations to follow. But there is no hiding place on this, and those organisations who understand what their obligations are, both under the Data Protection Act and the Freedom of Information Act, usually demonstrate that, in managing information rights, they are pretty good at managing other problems as well. The organisations that cannot manage information rights do not seem to be very good at managing social services, housing or whatever. Things are getting better, but it is not easy.

Q35 Graham Stringer: Would it be fair to say, going back to your previous answer, that things are improving, but they would improve more quickly if you were able to audit public bodies?

Christopher Graham: Certainly, because we would concentrate our efforts on those organisations. Wirral borough council is on the watch list at the moment. I would really like to send in a good practice squad to Wirral borough council, but I do not have the powers do that. I am not picking on Wirral; it is just an example that comes to mind.

Q36 Graham Stringer: The Liverpool Echo might think you are. As to section 45, there are two ways of dealing with that-as a code of practice or setting extra time limits. What is your view of that?

Graham Smith: We came forward with a proposal that, if there were statutory time limits, that would put in more of a kind of framework and help to prevent some of the undesirable practices that we see on some occasions, when either the response to a request is spun out on public interest grounds-they take too long under a public interest test extension-or, without a statutory time limit on an internal review, those can take months and months. There is no obligation to give reasons for exercising a public interest test extension or for how long it takes for an internal review. Again, we can do something about it if the complainant comes to us, but, quite often, they do not come until they ultimately get their response and then we find that it has taken six months. Then we can do something about it by way of a practice recommendation.

Certainly for some public authorities, who do not come to the table with a willingness to comply either with freedom of information requests generally or with specific freedom of information requests which they find, say, politically inconvenient or unhelpful, it gives them the opportunity to kick them into the long grass. We do see evidence of that. Our powers to do something about it are limited, and I think the Act would be stronger if there were statutory time limits. A code of practice is fine, but, by definition, it is a code of practice. While we can take action by way of a practice recommendation for frequent breaches of a code of practice that we have evidence of, it is not the same as an enforcement notice power or a decision notice power where there has been a clear infraction of the Act itself.

Christopher Graham: I noticed in the Westminster Hall debate the other day that the suggestion was made that it takes one to two years or more to get a response. I was not clear whether that was referring to internal reviews, but certainly it does not refer to the Information Commissioner’s Office. Whatever may have happened a long time ago, we are now turning round appeals under the Freedom of Information Act very quickly. I have a couple of troublesome cases that have been with us for months and months, but in 90% of the cases requests are dealt with very promptly.

We do not have a backlog, but I will, if I may, take the opportunity to tell the Committee that the squeeze on grantinaid money for freedom of information has been relentless. I said in my memorandum-when I came before you four years ago for approbation or otherwise-that I had resisted the temptation from one of the members of the Committee to say I would only take the job if there were adequate resources for freedom of information. I said, "No, I want to go and have a look." We have made considerable changes and we have speeded up, but we are now getting to the point where the squeeze on the grantinaid is such that I have to hold posts open and am just beginning to see the threat of a backlog returning if we are not careful. We are determined to manage things to make sure that that does not happen, but we are beginning to run out of road because I can only spend grantinaid money on freedom of information. I cannot subsidise freedom of information work from the data protection side of the house. It is a very funny way to run a £20 millionorganisation. I am cash rich on the data protection side but very cash poor on the freedom of information side.

That has a bad effect. Despite the heroic efforts of my staff, it is beginning to get very difficult, and yet the demand for our services is increasing all the time. The increase in the FOI appeals caseload is 5% up this year to date, in January, it is up in data protection by 7.3%, and it is up on PECR, which is the nuisance text messages, nearly 9%. So we are very busy, but we have this crazy funding system where to save £1 of freedom of information money, which the Ministry of Justice wants me to do, I also have to save £4 of data protection money because of the gearing, when I could well do with spending that.

Q37 Graham Stringer: That is a point well made. I first came across the problems with section 77 when we were looking, on another Committee, at the allegation that the University of East Anglia had deleted emails. It seemed to be your view that there was a serious case there, but there was no prosecution possible because of section 127 of the Magistrates’ Courts Act, which puts a sixmonth limit on it. The Government are making proposals on that. Are you satisfied with the schedule the Government are proposing and with the proposals they are making?

Graham Smith: We have not seen the detail. We have seen, as you have, the statement that they are prepared to vary the six months’ time limit to run from when we become aware of an offence. We had asked for the offence to be made triable either way, and the Committee supported that suggestion in its report. We can understand issues of courts policy or administration of justice policy as to why they would not want to do that. In terms of increased sentencing, because we have not been able to bring prosecutions, we cannot bring any evidence to say the sentencing is adequate as we have never got that far. We think that the proposal that has been put forward will help, and it should enable us to avoid cases where we have suspected that offences may have been committed in the past but we have simply not had the time to investigate and to bring a prosecution, so it would be pointless to resource such an investigation. We welcome the proposal and we think we can make it work. We need to see if it does work in practice before we can say that it would not be adequate.

Q38 Graham Stringer: I may have misunderstood what you just said, but are you surmising that the proposals would be retrospective and enable you to go-

Graham Smith: No.

Graham Stringer: I thought I might have misunderstood.

Graham Smith: I am sorry if I gave that impression, but, no, I am not expecting that. I was comparing what we might do in the future with what we have not been able do in the past.

Q39 Graham Stringer: Do you have an estimate of how many of these cases there have been where it is likely that things have been destroyed or deleted and you have been unable to take action? How big has that problem been?

Christopher Graham: I do not think we should speculate. I do not think we can speculate because we simply have not done the investigation where we knew that we could not get it done in the time to bring the case to court within six months. So it is a very hypothetical question which I would prefer not to answer.

Q40 Graham Stringer: It is a hypothetical question, but in the case of the University of East Anglia, which I know most about, you did say fairly strongly that you thought there had been some misdemeanours there. I wondered if there were many other cases like that.

Graham Smith: I do not think we have had a case that has been as high profile as that one, although we have had others where evidence has been pursued much more strongly because there was clear evidence there, and we have run out of time with the investigation. But it is certainly not hundreds of cases a year. I would doubt whether it would be more than 10 to 20, but that is very much a guess. It is fairly wild speculation. We get the allegation made quite often that people feel they are denied information because they cannot believe that an organisation does not have it, or they believe that they knew that they had it once so they must have destroyed it to frustrate their freedom of information request. But, remember, we are not talking about information that has been reasonably destroyed in the proper course of business in accordance with the records management policy; it is only where it has been destroyed specifically to frustrate a request when it has come in, and we have not seen that much evidence of that.

Chair: Finally, Mr Llwyd.

Q41 Mr Llwyd: Yes, "finally", gentlemen, you will be pleased to hear. You will know that your counterpart in Scotland is an Officer of the Scottish Parliament, and for some time this Committee has advocated that you should likewise become an Officer of this House. The Government argue, of course, that your independence from them is assured and that your functions are not primarily parliamentary in nature. Do you consider that your status and independence from Government are now sufficiently safeguarded under statute and by other means?

Christopher Graham: My good friend Rosemary Agnew, the Scottish Information Commissioner, indeed reports to the Scottish Parliament, and I know that this Committee has taken the view that the UK Information Commissioner should benefit from a similar status in relation to Westminster. There certainly have been some safeguards put in place to protect the independence of the Commissioner. We have a framework agreement with our sponsor Department, the Ministry of Justice, which allows us greater independence and autonomy. There were some changes in the Protection of Freedoms Act 2012 that were very welcome.

We have been able to secure exemptions from some of the more troubling and inappropriate Government initiatives-for example, the single Government website and uniform branding, and I made the case that that should not apply to the Information Commissioner. Also, we have not been unduly troubled by some of the more irksome Cabinet Office Efficiency and Reform Group controls, so I am a bit more relaxed about some of this than I was. But we may be moving into a different territory.

Lord Justice Leveson has recommended that the ICO should be reconstituted and that we should not have a commissioner but a commission with commissioners. That is one thing that needs to be looked at. I can see the great advantages that the status of an Officer of Parliament would have in relation to the funding problems to which I have alluded. This is particularly true as Government look to the ICO for taking on different pieces of work, whether it is the Home Office and the Communications Data Bill, the Department for Business, Innovation and Skills with their "midata" initiative, or the Department for Culture, Media and Sport when they are asking us to patrol PECR in a more energetic way.

The grantinaid that comes from the Ministry of Justice is purely for freedom of information, and I am constantly saying to my friends in Whitehall, "If you want us to do this task, where is the money going to come from?" Other organisations are funded by a Treasury grant. The Parliamentary and Health Service Ombudsman, for example, has a Treasury grant. As to my friends in Ofcom, to the extent that they receive public funds, money comes from a Treasury grant. That might be a way of dealing with the problem to which I have alluded-the question of apportionment between different streams of work and the fact that we cannot vire between different activities.

I would certainly welcome a debate about the future constitution of the ICO. If it turns out that being an Officer of Parliament is the best way forward I am not theological about this, but I would certainly welcome it for those very practical reasons. To repeat, we have a shortterm problem in that the Ministry of Justice is looking for a further reduction of 5% in the next financial year on top of the plans we had for a decrease in grantinaid; we have a mediumterm problem over apportionment, in virement and not virement; and we have a longterm problem over the notification fee and its abolition.

I hope very much that the Ministry of Justice will look at this overall question in the round. What do we want from the Information Commissioner’s Office? We have become, as I say, the goto regulator, but, if you will the ends, you must will the means. We are up for all this. Give us the tools and we will finish the job. It is about powers, resources and constitution. Whether you are looking for a commission, a commissioner or an Officer of Parliament, okay, bring it on and let us have that debate. I cannot, in leading the ICO, be in a policy vacuum where I have possible responsibilities under Leveson, the Communications Data Bill and "midata", a possibly reconstructed data protection regime, a possible changed Freedom of Information Act, and a possible abolition of 80% of my income, but, "Hey, we will get round to this problem in a few months’ time or is it years?" We need to focus on these questions now, decide what we want from the ICO, fund it properly and guarantee its independence.

Chair: That seems a stimulating note on which to end. Thank you very much indeed.

Prepared 12th February 2013