The functions, powers and resources of the Information Commissioner: Government Response to the Committee's Ninth Report of Session 2012-13 - Justice Committee Contents

Appendix: Government response

Letter dated 30 June 2013 from Rt Hon Lord McNally, Minister of State for Justice,
to the Chair of the Committee

I am writing in response to the Justice Committee's report of 12 March 2013, entitled, The functions, powers and resources of the Information Commissioner. My officials agreed with the Committee Clerk that the Government's response would take the form of a letter to the Committee, as opposed to a command paper. I am sorry it has taken me some time to respond to you. There appears to have been some confusion about whether a Government response was necessary following a single, oral evidence session with the Information Commissioner but I am pleased to be able to set out the Government's views on the Committee's recommendations.

I am delighted that the Committee has recognised the good reputation of the Information Commissioner's Office (ICO). My department enjoys a constructive relationship with the Commissioner and his staff and I engage regularly with Christopher Graham on a range of matters relevant to your Committee's report. The ICO we have today is considerably different to the one Mr Graham took over in 2009 and it faces a range of new challenges that could barely have been conceived when it was originally created, particularly with the rapid development of technology and the increasing importance of data. Your Committee has raised a number of issues in relation to the ICO's funding, structure and powers, and I welcome the opportunity to highlight the work we have been doing, and will continue to do to ensure the ICO has appropriate powers and resources to do its job effectively.

The ICO's finances, status and accountability to Parliament

I have had a number of conversations with the Information Commissioner over the last few months about the short and long-term funding pressures facing his office. I agree with the Committee that the ICO should be commended for improving both its efficiency and performance over the current spending period. However, it is clear that pressures on public spending will continue in the future. This, combined with recent and ongoing changes to the information rights landscape and possible changes to the ICO's funding and role as a result of the Leveson Inquiry and the EU Data Protection proposals, mean that it is essential that we take a fundamental look at the ICO's funding and operating model. We need to ensure that it is robust and flexible enough to withstand future international, financial and technological developments.

I would like to draw the Committee's attention to the steps we are taking in partnership with the ICO to move forward on this issue. In regard to the short-term pressures, my officials have been working with the ICO to explore the potential for greater flexibility in the way the ICO apportions shared costs between the Freedom of Information (FOI) and Data Protection (DP) funding streams, in line with the Committee's recommendation. Given the financial climate we are in, any proposed solutions to the ICO's short term funding issues will need to be found within the existing funding restraints, and will, of course require approval by HM Treasury and the National Audit Office.

We also intend to prioritise work on developing a future funding and operating model for the ICO that will take account of the issues I outline above. The ICO's current mixed system of funding based on grant in aid for FOI and notification fee income for DP dates back to a time when there was a clear demarcation between these two areas of work. However, the ICO's role as an enabler and upholder of information rights has grown in recent years and their responsibilities now include conducting audits under the Privacy and Electronic Communications Regulations 2003 and the Environmental Information Regulations 2004. In addition, as the Committee has recognised, notification is likely to be abolished under the proposed new EU data protection regime. Taken together, the current context provides an opportunity to develop a system that is responsive to changing future needs. The work we intend to undertake in partnership with the ICO will include drawing upon research commissioned by the ICO into future funding options, and analysis they have done into the effectiveness of the tiered notification fee system which has been in place since 2009. I would like to reassure the Committee that the Government is committed to ensuring that the Information Commissioner is appropriately resourced.

In respect of the Committee's recommendation that the Information Commissioner be directly responsible to and funded by Parliament, the Committee with be aware that the Commissioner is already accountable to Parliament in a number of ways. He is required to lay before Parliament his annual report and statement of accounts; he may be called before the Public Accounts Committee in relation to his management of the money available to him, and before other committees to give evidence on a range of other matters, including by the Justice Select Committee.

Whilst there are currently no plans for the Information Commissioner to be a Parliamentary body or to be funded by Parliament, the work we are taking forward on the ICO's long-term funding and operating model will consider the range of recommendations that have been made by your Committee and others, including Lord Justice Leveson in relation to the future powers, governance and accountability arrangements of the ICO. I look forward to updating the Committee in due course.

In respect of ongoing negotiations on the future European Data Protection framework, I recently wrote to the Chairs of the Scrutiny Committees, European Union Committee and others, including the Justice Committee, to provide them with an update (letter to European Union Committee attached at Annex A[1]). The Government continues to be concerned about the financial implications that the proposed Regulation could have on the ICO. We agree with the Information Commissioner's view that the proposals, as drafted, 'cannot work' and is a regime which 'no-one will pay for'. The Government is negotiating to secure a more flexible and sensible instrument and for the obligations placed on data controllers and supervisory authorities to be proportionate.

Breaches of section 55 of the Data Protection Act 1998

I agree with the Committee that effective sentencing options need to be available to the Courts for the most serious breaches of the Data Protection Act 1998 (DPA). As the Committee will be aware, the previous Government consulted twice on whether to make an Order under section 77 of the Criminal Justice and Immigration Act 2008 (CJIA) introducing custodial penalties for breaches of s55 DPA and on whether to commence the enhanced public interest defence under section 78 (CJIA); but this was not followed through. Since then the Information Commissioner has further repeated his calls for custodial penalties to be introduced for breaches of s55 DPA and this has been echoed by the Home Affairs Committee, the Joint Committee on the Draft Communications Data Bill and your own Committee.

The Committee will recall that in 2011 the Government announced that it was to keep the matter of whether to introduce custodial penalties for breaches of s55 and the commencement of the journalistic defence under review, as it would be inappropriate to make a change to the data protection regulatory landscape governing the media, at a time when it was being examined by Lord Justice Leveson.

The Committee will have noted that in addition to recommending that the Government makes an Order under section 77 CJIA introducing custodial penalties for breaches of s55 of the DPA (and commences the enhanced public interest defence under section 78 (CJIA)), Lord Justice Leveson also made a range of other data protection related proposals which are potentially far reaching in their nature, and in particular on the conduct of responsible investigative journalism.

The issues raised in the data protection elements of Lord Justice Leveson's report were not subject to the same level of public scrutiny as other elements of the inquiry. It is therefore the Government's view that the recommendations require careful consideration by a wide audience. We therefore intend to conduct a public consultation on the full range of data protection proposals, including on whether to make an Order introducing custodial sentences under section 77 CJIA (a statutory requirement), which will seek views on their impact and how they might be approached.

It is of course arguable that the proposals to introduce custodial penalties for breaches of s55 have been subjected to more detailed scrutiny than Lord Justice Leveson's other data protection related proposals and therefore a case could be made to move forward with this issue more quickly. However, we think it is important that the public get the opportunity to consider the question of whether to introduce custodial penalties for breaches of s55 in the context of Lord Justice Leveson's wider proposals relating to the data protection framework.

Powers to compel audit

The Committee is right to highlight the concerns that exist about the secure handling of personal data across the NHS and local government. These are two of the largest data controllers in the UK and between them process a huge amount of personal data on a daily basis. The Government is committed to ensuring that all organisations that handle personal data do so in accordance with the DPA and continues to work closely with the Information Commissioner in considering all available options to ensure that he has appropriate powers and tools to regulate an effective data protection regime.

As the Committee will be aware, on 25th March 2013, the Government published a consultation paper proposing that the Secretary of State uses the order making power under section 41A(2)(b) of the DPA to extend the powers of the Information Commissioner to carry out compulsory assessments of NHS bodies' compliance with the data protection principles under the Act. The consultation closed on 17 May and the Ministry of Justice is now considering the responses with a view to setting out next steps in due course.

There are currently no plans to extend the Information Commissioner's powers of compulsory audit to local government but the Department for Communities and Local Government are taking a partnership approach to improving local government's compliance with data protection principles. These include a joint letter from the DCLG Permanent Secretary and the Information Commissioner to Local Authority Chief Executives urging them to follow existing data handling practices and a section in the revised Code of Recommended Practice for Local Authorities on Data Transparency reminding councils of the need to have good information governance in place. In addition, the Information Commissioner is working closely with the Department for Communities and Local Government and the Local Government Association to develop an effective sector-led approach in improving data protection standards and establishing better information governance practice within local government. I have asked the Information Commissioner to keep me informed as to whether this approach is achieving a notable improvement in local government's compliance with data protection legislation.

I will be happy to provide clarification to the Committee on any of these points, if required. I am grateful to the Committee for its insight and observations on the valuable work the ICO does and look forward to updating you in due course on our ongoing work in relation to the issues raised.

1   Not published Back

previous page contents

© Parliamentary copyright 2013
Prepared 11 July 2013