Members present:

Tony Wright, in the Chair
Annette Brooke
Kevin Brennan
Mr David Heyes
Mr Ian Liddell-Grainger
Mr John Lyons
Mr Gordon Prentice
Brian White


Examination of Witnesses

MRS ELIZABETH FRANCE CBE, Information Commissioner, MR GRAHAM SMITH, Deputy Commissioner, MR DAVID SMITH, Assistant Commissioner, Office of the Information Commissioner, examined


  1. Could I call the Committee to order and welcome our witnesses this morning. In particular, it is a pleasure to welcome Mrs France again. We have had some very constructive meetings with you over the years - not least when we were grappling with freedom of information issues. We were disappointed to learn that you are not going to be the Information Commissioner in the future, which I think everyone would have liked. However, we wish you well in your new pastures. Would you like to say anything by way of introduction?
  2. (Mrs France) First, let me welcome the opportunity you have provided to come and talk to you, particularly at this stage in the year when I have published my annual report. Perhaps I should introduce to you the two people who appear with me: Graham Smith is one of my Deputy Commissioners and takes the lead in my office on developing policy on freedom of information and David Smith is one of my Assistant Commissioners, who at the moment is specialising on Criminal Justice issues within my office but has a long history of dealing with all the data protection issues which my office deals with. Apart from that, I think that there is a broad range of issues that you might want to raise and I would not want to delay you further at this stage, and we will see, at the end of the questions you have, whether there is anything that we have not covered.

  3. Thank you for that. I know that one of the issues we have talked about with you before is the way in which there is not a routine Parliamentary occasion for you to come and talk about your data protection role, and that is a weakness on Parliament's side. I know that you would have valued that over the years, and we have just provided a paler substitute for that. However, because we are at the moment where you produce an annual report, I do notice (and it has been picked up in the report) that there has been this large increase in the caseload that you have been dealing with over this last year. Can you tell us how that is to be explained? Does it show that there are more problems out there? Or is it just that the nature of the beast is changing?
  4. (Mrs France) I do not think you can conclude that problems are greater elsewhere from those figures. You have to read them with the other big increase, which is the increase in awareness of rights. Awareness of rights hovered in the teens for all my early years in posts - it went up and down but it always stayed just under the 20 per cent level - but it went up to 27 per cent last year and to 42 per cent in the year on which we are just reporting. These are the answers to a standard question asked in a large tracking survey for us by those who do this year in, year out. So you have to add that understanding to your understanding of the increase in casework, because if 42 per cent of the population are now aware that they have rights to see their information (which is the question we asked them) but rights in relation to their information, then more people are going to be prepared to exercise their right to come to us to allege that they believe there has been a breach of the Data Protection Act. So the package, really, is that over the years our office, I hope, has contributed to people being much more aware of their rights. At the same time, the nature of processing of personal data has become more visible to people in their everyday lives, and they have become therefore much more aware of the potential risk. We know that if we were to run an advertising campaign saying "Come and complain to us about alleged breaches" we would be swamped. My predecessor did that in 1993, I think - perhaps a little earlier, I cannot remember the year - and it took a long time for the office to recover. We actually design our advertising to encourage people to go out and exercise their rights themselves and only to come to us when things go wrong. Of course, not everybody heeds that advice, but I think looking at our complaints workload as an indicator of problems in the wider world in relation to data protection dangers, it is more of a reflection of people's interface with processing and their awareness that they have rights.

  5. That is interesting. How do you explain the mismatch between that greater awareness on the data protection side, reflected in the casework that you do, and this dismal lack of awareness on the access to information side, the code, which the Ombudsman laments all the time?
  6. (Mrs France) I cannot easily explain that because I am only now beginning to look at how we raise awareness on freedom of information issues. We have done some baseline tracking research on that in the report as well, and you will find in the annual report - though not picked up because it is not a dramatic figure - that we have had last year and this year an awareness figure where the percentage of members of the public aware that there are rights in relation to freedom of information has gone up from 11 per cent to 12 per cent, and the awareness within public authorities has gone up from 14 per cent to 23 per cent - so nearly a quarter of them know that they have to comply with their obligations in the months ahead. We have begun that as baseline tracking information, so we will, over the years, be able to monitor whether we can increase that awareness. Perhaps our remit is rather different from that which the Ombudsman has had, in that I do have a statutory duty to raise awareness. So I think it will be interesting. It is too early for us at the moment to go out there raising awareness in a dramatic way about rights that do not come on stream until 2005, when we will begin to see an increase. What we have done this year, in consultation with the Ombudsman, is to change the fulfilment literature we provide in response to our advertising campaigns. We try to run an advertising campaign about rights each year and we are currently running a summer campaign in a number of magazines drawing people's attention to their right to see information about them. It is usually right that we are advertising what I call the gateway right, because if you know what is held about you you know whether there are other problems. In conducting that campaign this year the headline statements in the advertisement encourage you to send for the fulfilment leaflet. That leaflet, for the first time, includes not only an explanation of how to make an application under the Data Protection Act but, also, how to use your right under the code of practice. So we have begun to move into the area of encouraging people to use their rights.

  7. So it looks as though we are talking about a cultural change that will take some time to kick in, both in relation to the public and in relation to the organisations, but it seems, in your case, to have kicked in properly.
  8. (Mrs France) Yes, but it has taken time. The first Data Protection Act was passed in 1984, came fully into force in 1987 and I am really saying it took 15 years before we got above the 20 per cent mark in terms of awareness of rights. It is partly to do with how relevant the right is to people, and I do think the ubiquitous use of IT and awareness of processing has worked with our raising awareness, so that you have got a dual push.

  9. I know colleagues want to raise some of these issues with you, but just to continue for a moment, it is often said now that the fact that the Government has decided to postpone the introduction of access rights on the FOI side until 2005 when, as you know, it was promised that they would come in resolute and, therefore, there would be progressive learning and a culture change - is it your sense that this means that organisations will put this on the back burner again?
  10. (Mrs France) I think that some of them may believe they can. We shall certainly do our best to make sure that they do not do that because if they do they will store up problems for themselves in 2005. One of the key reasons the Government gave for pushing that date to 2005 was that procedures needed to be properly established and records management needed to be properly in place. That means there is a lot of work for public authorities to do by 2005, and of course we are pushing ahead now with publication schemes.

  11. I was going to ask you about those. Just on this initial point, though, when you read the latest Ombudsman reports and you see his cry of despair, really, about the failure of government departments to respond properly to his own work under access requests, does that lead you to think there is a real problem there?
  12. (Mrs France) Time will tell. If you recall, Chairman, when he and I appeared before you together and you asked us what the difference in the regimes would be and what the different effect would be, at that stage, the Ombudsman was able to say that his recommendations had always been heeded. I think, at that stage, there had been less use of the code provisions and, indeed, it is the publicity about freedom of information that seems to have led people to become aware and to begin to exercise their rights under the old government code. So that some more sensitive issues, perhaps, than had previously come to the Ombudsman have arrived on his desk and led to the difficulties that he has reported in his annual report. The only thing I can say about the difference in the regimes is that the FOI Act provides a formal enforcement framework so that it does not stop at a recommendation from the Commissioner. Indeed, it is not a recommendation at all. What the Act provides is the ability to make a decision. My successor will make a decision, if that decision is challenged by a government department then it will be appealed to an information tribunal. If the information tribunal decides the decision is the appropriate one then the government department will be in breach of notice if they do not act on it. So there is a different framework.

  13. In a way, if we wanted final confirmation of the need to move from code to act, it required, in a sense, an Ombudsman recommendation not to be accepted and information not to be released because, as you say, under the act it would happen through you and through proper enforcement.
  14. It is interesting that this refusal has come at the stage where the process will be changing and does, indeed, I think, assist us to appreciate the importance of the change in structure, but I would hope that before 2005 we will have achieved something of the culture change we all claim to be looking for so that these confrontations do not occur.
  15. Just tell us one thing, before I hand over, about publication schemes, because the one thing that has to happen now and is supposed to be happening is the production of these publication schemes by public bodies. I know the House of Commons has just produced its own publication scheme. Someone did tell me that it may be the first one. Is that right?
  16. (Mrs France) That is absolutely right.

  17. Is that not splendid!
  18. (Mrs France) We opened for business on 1 July. As I said, we have to have received publication schemes from all those who come under the auspices of the Ombudsman - Parliamentary Commissioner. That is the first tranche of public authorities, and they have to have those with us over the summer period. We had a handful in the first days. They were encouraging, I have to say. My staff tell me - and it is Graham Smith who has been looking after this - that the first batch are, perhaps predictably, those who are confident that they can deliver a scheme and they have come in early with their schemes. We were very pleased with the quality of the one from the House of Commons. We have yet to agree with them what the review period will be, but that apart we have approved the scheme and hope it will be the first of many that we are able to approve over the summer.

    Chairman: As I say, I am sure colleagues will pick up some of these points.

    Kevin Brennan

  19. You mentioned in your remarks the rapid growth now in the ubiquity of IT use in government departments and so on. I just wondered whether you had actually given any thought to some of the implications of the almost completely ubiquitous use of e-mail in government communications in your role?
  20. (Mrs France) Yes. We looked not just in government departments but at the use of e-mail generally. There are some big issues that, if we are talking about public authorities, the authorities have to look at, in terms of deciding whether an e-mail is actually part of a public record or whether it is ephemeral, so they have to look at their policies about how long they are retained and what they are going to do with the information. However, e-mails are not hugely different from any other sort of communication; you have to apply some sort of criteria, but the issues which arise are more issues of management, issues of not having thought through what your policy is in relation to e-mails, allowing some, perhaps, undisciplined use so that you are not as aware as you were with paper records about what the rules of the game are. I think some recent examples of e-mails that have come to light and people using their right to subject access under the Data Protection Act have been as good a lesson as any in telling government departments and others that they need to set policies within their organisations as quickly as they can. There are all sorts of other issues about "Have we really deleted e-mails?" I do not know whether you want to get into that, but there are issues around that.

  21. I think we are very interested in this, actually, because we have recently been doing an inquiry into Government information, communications and so on, particularly in relation to the DTLR affair recently and the role that e-mail played in that. That is not the major thrust of our inquiry but it has come along as an incidental element of that. It just occurred to me that Joseph Kennedy once said "Never write anything down you would not like to see on the front page of The New York Times", yet e-mail and the manner in which it is used, particularly if you like by a new generation of users, for whom it is almost a natural form of communication, like idle chat in the corridor, consists of all sorts of things. You used the word "ephemeral". Presumably that has got some technical meaning?
  22. (Mrs France) Just as you rightly say, I was brought up and trained in public service in the days when we were only talking about paper files and we were certainly always told only to write down things we were prepared to see published. If you had early experience, as I did, of having your files subject to judicial review, it teaches you at an early stage that that is very important. The trouble is it is this learning curve; we all knew that if we wrote a brief note on the front of a file, entirely meant simply to say something which was chat, it did not get recorded, it did not go on the file. We have another issue on freedom of information where people have been worried about notes of that kind disappearing that should not disappear, but you have to get the balance between what is part of the public record and what genuinely is of short-term interest and relevance and should not be kept. We have done some work not just in looking at public authorities but more generally. It has come up in a code of practice we are producing for employers as well, and David Smith has done quite a bit of work on that.

    (Mr David Smith) Yes, the only thing I would add is that when we do this work producing an employment code probably the hottest topic in that code about employers' access to work is e-mail.


  23. You are getting a bit of a battering, are you not?
  24. (Mr David Smith) Yes, we are. That is fair comment. I will come back to that, or perhaps Mrs France can deal with that. I think one of the problems we face with e-mail is that everyone says it is like the post in one way or it is like a telephone call in another way, and actually it is like nothing else; it is something different, it is a different medium of communication. Some aspects of e-mail have similarities to the post, some are much more akin to telephone calls, some are even more akin to just a private conversation, and it is when these things come together in one system that the issues come. We have been very much keen to say "Look, this is a new medium, you have got to approach it differently and not just say 'Oh, it is like the post that we have always dealt with in the past.'"

    Kevin Brennan

  25. I am still not clear in my mind what you are saying in terms of what one could write in an e-mail or not write in an e-mail and expect to be regarded as part of the public record. What is your message?
  26. (Mrs France) It has to be an issue for the management to establish how it wants to conduct its business. Just as public servants have always been disciplined, or should have been, as to what should be written on files that are going to be kept as part of the public record, they have to understand, when they are using those e-mails in the sense of something that is contributing to the decision-making process and to the public record, what they are doing is actually having the equivalent of a conversation that would have disappeared into the ether once it had been completed. However, you need the rules of the game, and you need policies within departments about retention periods for different types of records. I think what we fail to do is to address this new medium in the way we should have done. A lot of work has been done in the field of records management for the public sector on this, and that, again, will be picked up when we look at freedom of information and the records management code.

  27. Are you issuing guidance on this? Is that part of your statutory responsibility?
  28. (Mrs France) Part of our statutory responsibility is certainly to look at guidance on any of these areas because I have a general duty to offer best practice guidance in any of the areas covered by either of the acts. On records management and record keeping there is a code of practice which is a code of practice produced by the Lord Chancellor and owned by the Keeper of the Public Record. That is actually part of the formal structure of the Freedom of Information Act. I will enforce it, but in consultation with the Keeper of the Public Record.

  29. If I rather rashly sent you an e-mail which contained a remark in bad taste about September 11, for example, or something like that, should that be regarded as part of the public record?
  30. (Mrs France) That you cannot answer in that way because it depends on how you sent it to me and whether you sent it to me in a document that was also progressing policy in a way that required it to be recorded. You could be doing that simply because you wanted to send an e-mail about that which had no relevance to public business at all, or you could be sending me something which was designed to take forward a decision-making process, and if it is an element of the decision-making process it needs to be recorded.

  31. Perhaps the real answer is that people should not be sending the sorts of e-mails which are quite common in workplaces these days, which are really nothing to do with their work.
  32. (Mrs France) That is what I say is a management issue, and the FOI Act covers all recorded information and the Data Protection Act covers any information which is held in - and in structured manual files as well - any automated process. But, if you have a policy - not one retrofitted, but a clear policy - about which sorts of pieces of recorded information are retained and which sorts of pieces of recorded information could be deleted, then you will not be breaching either Act if that information is not available at the time that it is requested. However, you must not be retrofitting that policy; you have to think ahead. So what it requires is managers who take this seriously, and public authorities to decide what their policy is; whether they allow private e-mails and, if they do, where they are to be stored, where they are to be handled and whether they build in deletions for those. That is really in the hands of what we, in technical terms under the Data Protection Act, call the data controller.

  33. Can I take the opportunity of asking you one question on which, maybe, I will write to you if it is not the right time to ask you? In your view, if somebody had had a Benefits Agency medical service report on them and they gained access to that information but believed that the report was sub-standard and had not been conducted correctly, should they have access or be given access to the report on the report, if you like - the assessment of the doctor's report on them?
  34. (Mrs France) I would have to look at the particular case, but if the assessment of the doctor's report constitutes personal data about the individual and is maintained either in electronic format or in a structured manual file, then the starting point would be that they had access. There could be exemptions because, in relation to medical information, there may be a decision to withhold if it would be in the interests of the patient. So I would have to look at the individual case.

    Kevin Brennan: I may write to you about that.


  35. Just before we leave you on that, lest we miss the moment, you seem to be talking about different categories of e-mails. I do not want to pin you down about this, but is it not just a common-sense case that the Jo Moore e-mail would sit in one of those categories - that is, that it falls directly into some kind of policy position about what the department might do - as opposed to what you might call a Dan Corry e-mail, which simply says "Who are these people?" Are these not different kinds of species?
  36. (Mrs France) One always has to look at the context very carefully and I would not want to comment on these particular e-mails. I think my point is that if something is part of the decision-making process which, in traditional form, we would have expected to find on the file when we looked back to see how a decision was arrived at, then regardless of whether it was written with a fountain pen on a piece of paper or written in an e-mail it should find its way into the record of the development of policy. If it is something which in the past we would have expected, as I say, to have been part of a conversation that did not need recording, then we would still not expect to see it recorded. In neither of those cases, though, does that decide what the limit on retaining should be, and even where something contributes to policy there will be decisions about which policy papers are kept forever, which are kept for only a brief period and which are kept for the medium term. That, again, applies to all forms of public records. We do not keep everything forever. Talking to the Keeper of the Public Record, he is very anxious to make sure that we get new guidance on records management, to make sure that we are discriminating in what we keep for the purpose of the long-term public record.

    Mr Prentice

  37. Mrs France, I am interested in how well you get on with government departments. I have been reading your annual report and in your foreword you say that your objective as Information Commissioner has been "to ensure that policy makers consider data protection and freedom of information compliance issues at an early stage". Then, later in that paragraph, you say "...there remain cases where there is a reluctance to consult on legislative proposals at an early stage, despite a high level commitment to work closely with us." When you wrote that, what did you have in mind?
  38. (Mrs France) There are a variety of responses we get from different departments at different times, and I accept that sometimes their drivers for policy change lead them to forget that there are personal data implications and they may not come to us as soon as they can. However, there are occasions where we have been involved very early on in discussing the sorts of issues that departments are considering. I am trying to think of examples now, and I cannot recall which ones we put in the report, so I will come back in a moment, perhaps, and ask David Smith to add to this. Generally speaking, however, we have been involved at early stages and we can then contribute to the way the legislation is drafted or the way codes of practice are drafted instead of coming in late and having to object to what is being proposed and asking people to re-think. If I can give you an example of where we, perhaps, had an early opportunity to comment, it was on the Social Administration Fraud Act (?) - the last one - where we were involved with officials from a very early stage and where we still, in the end, had to go in, but were welcome to go in, and talk to ministers and did get an amendment to the legislation as it went through. At the other extreme and for understandable political reasons, the emergency legislation which the Home Secretary introduced post-September 11 was one where there was little time for consultation - and I entirely accept that - but where there was no opportunity for us to express views on differences in drafting which might, in our view, have made all the difference to the balance of rights. However, late in the process of the Bill it was agreed there would be a code of practice which my office will contribute to the department on. I would have preferred, had it been possible, for that to have been agreed at the drafting stage and for it to be done in a slightly different way.

  39. Can I ask you about that, because you do say, in your report, that you are responding to consultations on the Regulation of Investigatory Powers Act. I have the draft statutory instrument before me here, which was withdrawn by the Home Secretary. Were you consulted specifically on this draft statutory instrument?
  40. (Mrs France) We were not, as far as I know, consulted on the draft statutory instrument. We had been consulted and had put publicly our comments on the primary legislation which those instruments were following on from. I have to say that in my view we had argued loudly and clearly what our view was in relation to the primary legislation, and I had taken the view that these orders followed naturally from that primary legislation. I was not asked, but I did not choose to comment on that order. I think that the order is not where I would want to focus my attention.

  41. It follows from the point that Kevin Brennan was asking you, because had these orders gone through it would have given government departments, local authorities and a whole range of agencies the right to find out which e-mail addresses individuals had sent e-mails to. If I have got this wrong you are going to tell me.
  42. (Mrs France) It is not as straightforward as that, I have to say.


  43. Things rarely are!
  44. (Mrs France) This is very complex law.

    Mr Prentice

  45. I am just a simple politician.
  46. (Mrs France) There really is very complex law here, and though I was delighted to see the public response because of the anxieties about breaches of privacy, you will notice that we did not, in fact, on this occasion, join in with that cry for change.

  47. One of the bodies down here that had access to information was the Information Commissioner.
  48. (Mrs France) That is not why we did not comment, but it is certainly why I do not have the same objection to the order as some of the people who have made comments.

    Mr Prentice: Why was the order withdrawn then?


  49. Let us hear Mrs France just tell us what she thinks is the central point.
  50. (Mrs France) The central point, to start with, was the point we lost. Our arguments when RIPA was going through was that orders should be subject to judicial approval and not administrative approval, and that was our key point about the Regulation of Investigatory Powers Act. That was argued two years ago and we argued that publicly, we argued it loud and we put - with others - our comments everywhere we could think of putting them, but the Government went ahead and decided they should be administratively approved orders. The order you are talking about there lists a long list of bodies, but the point you have to bear in mind is these are bodies who have a regulatory role and, in that role, have always had to have this access. What it is doing is making this transparent, putting it on a statutory basis and allowing you to look at and criticise that list. From my point of view, the important part which has perhaps been missed in the criticism is that the access is subject to a RIPA code, on which we were consulted. So this is not something which I have the same concern about as some other areas where I am very concerned still in this whole area - for example, where we are looking at the Emergency Powers Act provisions to allow information to be obtained (and we have got a narrow definition of being for national security purposes) but where we are concerned about what might be done with it after it has been obtained for national security purposes. Those things are far more worrying to me and far more important to me than a list of bodies who have a regulatory function and who can only exercise the ability to use the RIPA powers subject to a code of practice on which I have been consulted.

  51. I understand that. Can I just very briefly return to this issue of the high level commitment to work with the Information Commissioner. Is that high level in the civil service or ministerial commitment or what?
  52. (Mrs France) We have had high level commitment from ministers on many occasions and repeated on many occasions. In the past there have been Parliamentary questions where that has been repeated. We see the Prime Minister's commitment - in issuing, for example, the PIU privacy and data sharing report - to privacy as well as to data sharing as a joint obligation on Government and saying we will be consulted. We have seen all sorts of areas where we have been consulted early on. I think that a good example of that is the guidance we provided to the health sector where we have been working very closely with the health sector in the work they have been doing. So there is a commitment. When you ask any minister or you ask any senior civil servant they will accept that where their policies impact on the processing of personal data they will consult us early. In practice it does not always work.

  53. Which brings me on neatly to the issue of the moment, which is entitlement cards, or ID cards. I am assuming that you were closely involved with the Home Office in discussing these entitlement cards.
  54. (Mrs France) It would be a bit difficult for me to claim to have been involved when the consultation process has only just been launched. I would not necessarily expect to be closely involved prior to a consultation exercise. However, my staff have had meetings with Home Office officials in the drawing up of the consultation documents, so we have had some discussions with officials but I would not have considered that to be consultation at this stage. The Home Secretary has now opened a six-month period of consultation and we will play our part in trying to make sure that there is wide-ranging debate. We hope to put forward a very powerful response. It will be the task of my successor, towards the end of the consultation period, as we have done on previous occasions, when these issues have been raised.

  55. I am not springing this on you, even though the consultation document has only been with us for a few days, because you would have thought about those issues. What are the main benefits of the ID scheme proposed by the Government and what are the drawbacks?
  56. (Mrs France) I would not go so far as to say they are yet proposing a scheme; they have put forward issues for us to look at. You will find that we do already have, being very far-sighted, a paper on our website which sets out the points for and against any form of identity cards. Our main issue now, and in the past, have been that Government should be absolutely clear on purpose. That is what has been lacking in all proposals we have seen to date. We have to look carefully. I am not pre-judging the current consultation exercise, but if you are not clear on purpose you cannot decide what information should be held, who should have access to it and whether it is fit for purpose. So that is one of the key questions.

  57. I am thinking aloud here, but maybe the Government could have avoided all these problems by consulting you in great detail before issuing the consultation document, even though there was contact between your office and the Home Office beforehand.
  58. (Ms France) They might have been able to but we need to see proposals and to involve others, wider audiences, in consultation. We are not opposed - let me be quite clear about this - to a form of identity document of some kind. I have to be careful what I say there, document is perhaps the wrong word.

  59. Entitlement card.
  60. (Ms France) For data protection purposes if there is to be more on-line business done between the citizen and Government, as individuals we need to be confident that only our data is being accessed by us and that we can do business with confidence with Government. Some form of token, which would allow authentication and validation, is going to be vital if e.Government is to go forward. The issue is whether that is what this is for. If that is what this is for it need say very little about the individual, it can simply be a token. It does not need to have things on the face of it that can be used by other people. It does not need to contain information which can allow what I would call purpose creep. It can simply be a token which validates a transaction with Government. That would be a genuine entitlement token, something that is facilitator for the citizen.

  61. Is it possible, given the state of technology that we have today, to have one definitive record of a person's identity because that is what the Government says in its consultation document, one definitive record. There must be criminals out there who are just salivating at the thought of being able to break through and access one record, one entitlement card, let us call it, which would allow them to go anywhere within the system because that would be seen by Government Departments and banks and everybody else as the definitive statement of a person's identity.
  62. (Ms France) There are all sorts of technical problems involved but the bigger problem and the technical problem is the problem of the quality of historic records. There is an enormous task for Government if it seriously believes that it can now put on to the front end of its processes anything which identifies you or me and gives us access to records which are already held. This is where I talk about quality of record keeping, quality of historic records, because it would be very difficult for them to be sure that the records they hold already are records which relate to you or me. This is in written information, if you want an example of my concern about the issue of criminal records. Criminal record certificates are now being issued. An enormous amount of work has been done by those setting up that office to make sure that at the modern, front end of the process they are taking every possible step to make sure you are the Gordon Prentice who is making the request to see whether there is a criminal record. The problem is that the records stored by PNC over a generation were not kept with that in mind. Therefore, the standard of record keeping will make it difficult to assign the right bits of record to the right files even though we know we have got the right person at the end of the chain. If you follow what I am saying that is magnified then many times if you are suggesting that existing historic records held by the Department of Health, DWP, Immigration & Nationality Department, have been kept to a standard which would allow that interface. That is one issue. The other issue is that if you are going to do it properly it is going to require, in my view, enrolment afresh by all of us and not reliance, for similar reasons, on any existing database of citizens. These are early thoughts and I want to look properly, I do not want to pre-empt the consultation period. One of the key things I should say is that we would expect something as serious as this to be set out on a statutory basis and that statute should make clear what the permitted uses are. One of the things we worry about enormously is whether there will be - although the Home Secretary has said it will not be something he has in mind - a creep towards a duty to identify yourself. Unless the statute prohibits that it would become an informal use that people will say "You need to show your card".


  63. Just to pull that together so that we are clear for the record. When you look at this document and the areas where lights might flash for you, listening to you I got the sense that it was the confusion of purpose issue which is the central one, is that right?
  64. (Ms France) Yes. I would not want to suggest that the Home Secretary on this occasion is confused as to purpose because I want to look at the consultation paper properly. In any previous proposals we have seen there is a confusion of purpose because we lose sight of one narrow purpose and begin to suggest this will solve all sorts of peripheral problems. Once you do that you lose any ability to decide what appropriate access should be, who should decide what information goes on the card, all sorts of other issues come into play. There is that. There is the ability for the card to be used for more purposes because it is designed with that intended. There is the problem of existing historic databases and worries about the quality of any existing foundation database of citizens. I do not think there is one which we could rely on as being, if you like, the source document for a new scheme.

    Chairman: That is very, very helpful. Thank you very much indeed.

    Mr Liddell-Grainger

  65. In your review of the year you talk about the Article 29 Data Protection Working Party in Europe, and it is adopting recommendations related to the employers' application of law, model contracts for international transfers of personal data. Where has that got to and what effect has the European Union and the European Commission had, which has approved the whole contract now? Has that moved on?
  66. (Ms France) Yes, it has moved on and there are now model contract clauses available for us. Perhaps I could ask David Smith to add something to that.

    (Mr Smith) Yes. Model contract clauses have been developed and approved by the Commission and they are available for organisations to essentially take off the shelf, fill in the gaps and use themselves. There is quite a lot of business resistance to the use of those contract clauses because many businesses feel they are essentially over the top because they are overly demanding. I know the Commission is open to business organisations developing their own models and bringing those to the Commission with a view to having them approved. That avenue is still being explored. Indeed, in the UK it is still open to businesses to develop their own clauses, not simply to rely on the model, and provided those deliver proper protection businesses can use them. What they do not get though is the absolute guarantee that they get if they pick the Commission's model.

  67. The Commission itself is directing this country to try and use a model which is not within the country?
  68. (Ms France) I think "directing" is the wrong word.

  69. Suggesting.
  70. (Ms France) It is an item on the menu from which companies can pick in order to satisfy the requirements of the Directive.

  71. What is your relationship with the European Commission? You went out and spoke to the Council of Europe on data protection, was that part of an ongoing programme?
  72. (Ms France) Yes, we do that. The Council of Europe is rather different. I think what I should say to start with is to make clear, which I know you do understand, we are independent of Government, do not represent Government when we go to these meetings. The meetings of the Article 29 are meetings of experts. When we meet in the Article 29 Committee we are meeting with fellow independent commissioners to advise the Commission. So we are there as expert advisers and in that role we have been looking at various aspects of the Directive. We spent an enormous amount of the time we have had looking at transport data flows but we are moving on now to other issues. We are looking at European Codes of Practice. For example, direct marketers have been one of the first to produce one, FEDMA is the European Direct Marketing Organisation. We have been looking at - interestingly - employment issues and whether there should be a common employment code across Europe. There are all sorts of other areas in which we have joined together but we are acting as experts, making recommendations to the Commission. It is then a matter for another group, imaginatively named the Article 31 as opposed to the Article 29 group. That comprises Government Members where the Lord Chancellor's Department is represented. They take the decisions on the issues of that kind.

  73. Bringing you closer to home, you have opened offices now in Edinburgh, Cardiff and Belfast.
  74. (Ms France) We have not yet done so.

  75. You have not yet done so. Right. Is one of the reasons that you are doing that - and I am thinking more about Cardiff and Edinburgh as opposed to Belfast - to be able to keep a weather eye on the Assembly and the Parliament?
  76. (Ms France) I would not call it "keep a weather eye" I would say have a productive dialogue. We do feel that as a response to devolution we should make sure that we are visible in the devolved areas and have an opportunity - going back to earlier questions - to be seen and to be there, to be involved in policy discussions where that is appropriate. We have decided that we need a representational role in all these areas and we have taken a policy decision that we will appoint Assistant Commissioners in each of those areas. What we are discussing in-house is what other work will be done. Clearly they will have that representational role but we are trying to decide what other work from our office could be conducted in those areas. We have put on our website now a statement to allow people to express interest in these roles. In fact, we are working towards taking this further. In Scotland there is another reason for doing it, of course, in that my FOI role is rather different in Scotland. In Scotland my office is responsible for freedom of information issues as they relate to UK bodies based in Scotland. Therefore, we need to be there I think to have a close personal relationship with the Scottish Information Commissioner in the interests of the citizen so that if there are any concerns about who should be dealing with a problem we can solve it without bouncing the citizen between our offices.

  77. The question I was going to ask was is the Scottish law situation slightly different and of course it is. That is one of the main reasons you are doing this. I noticed actually the amount of people coming to you now is from 8,000 to 12,000 in a year. Is this because more people are beginning to, shall we say, fall foul of data protection?
  78. (Ms France) I think it is the fact that there has been an increase in people's awareness of the issues, an increase in the awareness of their rights and a willingness to take people to task where they think that is appropriate. We have tried to set out clearly on our website what our procedures are and to try to manage expectations so that people know what we can do. We are a rather odd body, we are not an ombudsman and our enforcement powers are more those of a regulator. Although 12,500 people have come to us with individual requests for assessment, we can assess whether there is likely to have been a breach of the Data Protection Act. We can try to make sure that the individual things are put right but our powers are designed to deal with systemic breaches, to get organisations to put their procedures right rather than to provide compensation for the individual who the Data Protection Act requires still to go to the courts if that is what they are seeking.

  79. Out of the 12,500 how many had genuine grievances?
  80. (Ms France) Well, genuine grievances ----

  81. Did you feel had genuine grievances.
  82. (Ms France) I do not think I can answer whether they had genuine grievances but I can say what proportion we decide on the papers rather than investigating. Now that does not mean they were not genuine grievances but sometimes we can simply explain to people what the situation is. Of the cases that we looked at we simply gave advice in about 60 per cent of the cases. We refused to look at just seven per cent but that will be because they really were not areas within our competence. Then we break down what we did in other ways in our annual report. The split is usually about that, advice given in two thirds of the cases.

  83. Was there any one body that you felt compelled to go and talk to and say "Now there is obviously a fundamental problem ..." just pluck figures out of the air "... 600 people have come to us to complain about you"? Have you been in touch with an organisation to say "Look, come on, you have got to improve"?
  84. (Ms France) We are in touch with organisations all the time.

  85. Is there one that you think ----
  86. (Ms France) My staff are in constant dialogue with a range of data controllers. The difficulty I suppose in picking companies is it depends on the nature of their business. Year after year since 1987 I have to tell you that credit reference agencies would come top of the list but that is because they are dealing with credit information coming from all lenders. There are only three credit reference agencies in the United Kingdom funding that information. I would want to say to you there that we have had a very, very constructive year in our discussions with the credit industry, with the credit reference agencies and lenders, in changing their approach to how they keep information. That has been something that I really think we should trumpet because it is an example of our working with industry and achieving a change in process which they have put in place and we have not had to go to the stage of full enforcement. This is an issue you will be aware of I am sure. It is an issue that takes us back a very long time when in my predecessor's day credit reference information was filed by name or address and where he took enforcement action. So since the early 1990s credit reference agencies have filed by same name, same address but not by address only. Even that was causing problems, it was not what my predecessor had looked for and the problems have got worse and worse because we get more and more complaints, particularly when you have adult children living at home, where there is an assumption of a financial connection but no financial connection exists. Now to get them to change their procedures was going to be a massive investment for them. They have had to change the way they approach the filing of information. But, taking it constructively with them, giving a reasonable amount of time for change, engaging parts of the industry and working with them, they have now agreed that filing will be, to put it at its simplest, it is more complicated than this, only bringing together names where there is evidence of a financial connection. They are working towards that. I think that is a very good example of where we have always had most of our complaints, if I can call it that, but where industry has now responded and responded positively to the need to recognise the environment in which they operate.

    Mr Heyes

  87. The data protection issue, you said in your annual report that a major project for you has been the Employment Practices, Data Protection Code. The Committee has been lobbied by the Chartered Institute of Personnel and Development, the CIPD, an authoritative and respected organisation. You say in your annual report that your purpose in putting the code of practice together was to seek to provide the clear practical advice for which there is clearly a need. The CIPD, if I try to capture their thoughts in a sentence, say "I wonder whether the Commissioner has considered whether or not the code is a proportionate response to the issue it is designed to address". That has a feel of another organisation which, in Mr Smith's words, think that you may have gone over the top. Why have you thought it necessary to go over the top?
  88. (Ms France) We have thought very carefully about whether it is a proportionate response. I have to say I am surprised the CIPD have come to you because I had understood the CIPD ---- I do not know when they lobbied you...?

  89. I can tell you, 3 July.
  90. (Ms France) They had been constructively involved in our restructuring of the advice and I had hoped we had met any concerns that they had expressed. Indeed, we have been having very positive feedback from a number of lawyers and those involved within large corporations with compliance issues on those parts of the code we have now published on our website. Let me start from the beginning very briefly.

    Chairman: It will have to be very brief. We are going to be interrupted shortly by some bells. We had hoped to finish before the bells but we may have to go through the bells. There will be two lots of bells.

    Mr Heyes

  91. Can I try to help Chairman. I am particularly interested really in how you make the decisions as an organisation between the need to be thorough and comprehensive and fall into a trap of being over-prescriptive, that is the purpose of my question.
  92. (Ms France) We had for the first time in the1998 Act the ability to create codes of practice ourselves rather than agree other people's codes of practice. The first one we issued was on CCTV. The reason we looked at the employment code next was because we were getting very, very many questions from human resources departments, human resources staff, managers of companies asking us what the Data Protection Act meant for them. Instead of dealing with those piecemeal we decided the easiest thing for them and for us was to set it all down in a code of practice.


  93. Two hundred pages.
  94. (Ms France) It has been a mammoth task because employment law and data protection law and where they interface is a complex issue. Now it is, I think, somewhat shooting the messenger to accuse us of making things over-complex. What we are trying to do is explain what is a complex set of law. The number of pages you have just mentioned, I think you will find our approach now is rather different from when we started out. We have had a lot of people asking for more. We have had a lot of people write in and say "You have not covered this" or "You have not covered that" and "Why can you not say more about this" and we have others saying there is too much and it is too complex. What we have tried to do is set out some guidance with a set of checklists at the back. We have changed the structure completely. We have sent it out to technical writers to try and make it more accessible and we are inviting the Small Businesses Council to write for us a version for small businesses so it is simpler. This is not meant for small businesses, it is meant for organisations which have a human resources department and have in-house compliance advice. Clearly we have to get the balance right. I would like people to take time to look at how useful this turns out to be. The response we are getting currently from practitioners now that we have got several parts on our website - we have actually got three parts out there, three parts of a four part code available on our website for them to look at - the feedback that we are getting is that the checklists are particularly helpful. Now although the checklist adds to the number of pages in terms of density of script they are meant to be easy to use. It is much easier to navigate than our initial drafts. We have been delighted with the response from people like CIPD and we have tried to take account of their comments. I hope they agree that it is far better document than the document we set out with. All I can say is that as a regulator I will be obliged to look at allegations of breach of the data protection law in relation to employment issues. Employment issues are ones which are going to come up time and time again. Trades unions are very interested in employee rights. Is it not better for me as a regulator to set out in anticipation of those my interpretation of the Data Protection Act as it interfaces with employment law rather than to announce what my interpretation of the high principles set out in the Data Protection Act are at the point at which I am faced with a particular decision to take? My intention is to be a model regulator and to be out there giving you my interpretation of high level law in advance of decisions. We will listen to criticism. This is not set in concrete because it is guidance. It is there on our website. It will clearly be amended in the light of individual cases. At the end of the day it is up to individuals to decide how far they want to use this guidance within their organisation. They have three choices. They can pay heed to the guidance. They can lobby for changes in the law. Thirdly they can decide that this is simply the Commissioner's guidance and interpretation and take a risk management approach to how much notice they want to take of it but not then cry should I have to take enforcement action in the light of the individual case.

  95. There is not a lot of mileage in pursuing this specific case. The CIPD do say their "...employers will regard compliance with the code as necessary to follow the law .... the Commissioner's aim is to promote good practice, rather than simply legal compliance... It would be of interest to know whether or not she has considered issuing a guide on employee data, rather than code of practice"?
  96. (Ms France) We have considered it. We have looked at the whole remit of our responsibilities. We are satisfied that we have not added any gold plating in the code. It is our view that indeed people need to comply with the code to comply with the law. If they want to lobby for a change in the law that is a different matter.

  97. Is this then an example, which I recognise happens, of business organisations, employers, trying to squirm out of necessary controls by pleading they are over-prescriptive and lobbying about wishing to be free from regulations? Is there an example of that here?
  98. (Ms France) I repeat, I am confident, and unless anybody would like to show me examples where I am wrong, that I am not adding to the regulatory burden, I am not adding to the law, I am explaining it. It is not for me to make or change the law. I am, however, under a statutory duty to raise awareness of the legal issues in this area and to enforce if breaches are brought to my attention. If what is actually being said is that the regulatory framework is burdensome then the proper place for lobbying is Parliament and not my office.


  99. Thank you for that. I think that brings us probably to the end. All I would ask you, we are not going to see you again, I wonder if you have any parting shot for Parliament as you finish this period?
  100. (Ms France) I think the interest of this Committee in our work has been helpful. Helpful to us and I hope helpful in making what we do more visible and transparent, and I welcome that. I am sure my successor would want to keep a relationship with this Committee which I would see as one which is developing at the moment. I think that this whole area of work is one that has become more centre stage and will become even more centre stage because information in the hands not just of Government but of businesses everywhere is one of the key assets and is increasingly one which will create difficult situations and will perhaps sometimes be one where we are bound to point out to people what their obligations are in a way they might not feel comfortable and where it is valuable to have the opportunity to explain why we have done it. So your continuing interest will be welcome.

  101. Thank you for that. You have been a most distinguished Data Protection Commissioner and a most distinguished Information Commissioner. I think we are all in your debt for that. I think there is genuine regret - as I said at the beginning - that you are not going to be seeing the new statutory information regime into operation. I think we would feel more confident and secure if you were going to be. We thank you for the past and we wish you well for the future.

(Ms France) Thank you. I would just like to say that I am confident that there is a strong team in the office who will carry things forward. I am sure once we know who my successor is you will have confidence in that situation.

Mr Heyes: Probably called Smith.

Chairman: Thank you very much.