Examination of Witness (Question numbers
26 APRIL 2011
I call the Committee to order and refer everyone present to the
Register of Members' Interests, where the interests of all members
of this Committee are noted. I welcome the Information Commissioner
on his first appearance before this Committee. Welcome, Mr Graham.
Chair: This evidence session
is related to the Committee's inquiry into the unauthorised tapping
into or hacking of mobile communications, but in any event the
Committee like regularly to see the Information Commissioner to
find out what is going on in respect of his activities.
Do you have an interest to declare, Dr Huppert?
Dr Huppert: I do, if I
could, Chair. The Information Commissioner's sister lives in Cambridge
and is well known to me.
Excellent. Let us proceed to the first set of questions, Mr Graham.
The issue of resources, if I could just raise this at the start,
was originally raised with a predecessor committee. Are you happy
with the resources that you have at your disposal in the execution
of the duties that you have to perform?
Mr Chairman, the Office of the Information Commissioner is funded
by two streams of revenue. I have the proceeds from the notification
fee that data controllers pay to operate under the Data Protection
Act, and that raises about three-quarters of the income for the
office, about £15 million, but that is solely to be used
on data protection work. The problem arises on the freedom of
information side of the house, where I am funded by grant in aid
from the Ministry of Justice. Like all public authorities, we
are having to take our slice of the cuts. We are responding to
that constructively, trying to achieve better for less. But the
fact is that if we are asked to do more and more under the transparency
and accountability agenda, we will need the resources to do it.
In your evidence to this Committee you say that your office has
experience of cases relating to the processing of data that has
been obtained through interception. You made it very clear in
your evidence what you are responsible for and what you are not
responsible for. You are not responsible for RIPA but you are
for data protection breaches. What kinds of cases have come to
your attention in respect of interception?
The major issue that my office has been concerned about in relation
to the unauthorised disclosure of personal information relates
to what we call blagging rather than interception or hacking.
That is misrepresenting yourself over the phone, at the doctor's
surgery or to the DVLA or to TV licensing in order to piece together
information that you have no right to: where someone lives, what
their phone number is, what their friends and family numbers are.
That was the subject of a report by my predecessor What price
privacy? followed up six months later with What price privacy
now? But this is quite historic – this is 2006.
I think the concern about the behaviour of the press
is less of a worry to us, though clearly it is before the courts
at the moment in relation to hacking and interception that you
have been investigating. Where I think we come in of relevance
to your inquiry is where there may be unlawful and unfair processing
of personal information that is the result of hacking. It is very
difficult for us to know the origin of the material, but here
again there is a restraint, which we have to bear in mind, that
the Data Protection Act, insofar as it applies to this sort of
thing, has a very broad exemption within it for what is called
the special purposes, for literature, journalism and the arts.
My investigatory powers can be very easily stymied by somebody
telling me that what they are doing is for journalism, literature
and the arts. All my powers of requiring information – information
notices, investigation and the more dramatic stuff, kicking the
door down – I can't do if there is an exemption for the special
purposes. So my role in this area is, frankly, pretty limited.
In respect of what is in the public domain at the moment in terms
of the evidence the Committee has received from the DPP and the
Assistant Commissioner, you are not involved in any of those matters?
You are a watchful observer rather than someone who has been asked
to do anything in respect of unauthorised tapping?
We have, on occasion, been ordered by the court to provide material
from our so-called Motorman file – the material we secured
from a private investigator back in 2005. Celebrities who have
been pursuing the cases that we are aware of are very interested
to see whether information was being blagged about them. So it
is a different offence, but we sometimes come in there; and we
have certainly been involved in the case management conferences
with Mr Justice Vos.
You have complied with all the orders of the court?
We have complied with all the orders and certainly provided all
the information. But we are very interested bystanders because,
to the extent that there is a lack of clarity about how the law
stands, obviously one is concerned that that clarity should be
provided. After all, the Regulation of Investigatory Powers Act
is not legislation that I enforce, but it is an observable fact
that this was a law that was drawn up for another age and another
We will come on to that in a second. In respect of the orders
that you have been asked to comply with, how many people were
affected? How much information have you supplied? We don't need
to know the names, but is it a handful of people or tens of people?
I would say tens of people. If the Committee wanted a precise
number I would need to go back to the ranch and check.
Is it over 100?
In terms of court orders? No, less. Much fewer.
Less. But in terms of names of people who you have supplied information
I would say, from memory, there would have been fewer than a dozen
cases where celebrities who were seeking redress against newspapers
had got a court order to get information from the Information
Commissioner about what we had in relation to blagging.
Q139 Alun Michael:
Just on the point that you said there were a number of exemptions
that would prevent you investigating a case, who decides that
the exemption applies? Presumably somebody can't just claim the
exemption and that stops. You would have to be satisfied that
the particular issue fell genuinely under one of the exemptions,
It is a bit of a catch-22, because I would be working entirely
in the dark. In other situations, if I issue an information notice
to a data controller or a public authority I would expect compliance
and if I didn't get compliance it would be a pretty straightforward
application to the courts to get it. But if I don't know whether
a story that a journalist is working on, for example, is or isn't
in the public interest or, indeed, whether somebody blogging is
or is not a journalist – where does journalism start and stop
in the internet age?
Q140 Alun Michael:
Clearly that is a matter of judgment, but wouldn't they have to
provide you with the evidence that they are pursuing that activity
in order to satisfy you? Essentially, don't you have to make a
judgement and doesn't the person that claims the exemption have
to show evidence that the exemption does genuinely apply?
But it would purely be a fishing expedition on my part if I didn't
Q141 Alun Michael: But
you wouldn't be asking the question in the first place unless
you thought there was a question that should be answered.
But I am not sure I could make an information notice stick under
these circumstances. As the Chairman has pointed out, there are
issues of resources and like any good regulator following better
regulation principles, your intervention has to be well directed
All I am saying is that in relation to that tiny
part of the universe relating to your inquiry that falls to me,
which is section 55 offences under the Data Protection Act where
people are blagging information from databases, the special purposes
exemption, which is there for a very good reason, makes life a
little difficult for me.
Q142 Alun Michael:
Sorry, I will pursue this just one point further. The purpose
of Parliament, in agreeing that exemption, is to exempt genuine
cases; it is not to provide an excuse that makes it impossible
for you to pursue cases. Surely you must have the authority to
say, "Show me that this exemption is soundly based,"
rather than having to accept it just because somebody claims it?
I would have to make a judgment on whether it was a good use of
Alun Michael: That is
a different point.
Well, it is a very material point because I have limited resources
and a range of responsibilities given me by Parliament.
Q143 Alun Michael:
But it is for the person who is claiming the exemption to show – it
is they who have to do the work in order to satisfy you. You have
got to the point of saying, "There is something I think I
ought to pursue."
But I still have to enforce the information notice in court, I
have to brief counsel, go to court and so on. All I am saying
is I would be operating in the dark, but really this is a sideshow:
the main issue surely is that we have a law and a regime around
hacking, blagging, interception that is very, very unclear, very,
very uneven. I am trying to
Q144 Alun Michael:
But essentially you are saying to us, and you are saying to the
wider public, "Well, claim the exemption because I won't
challenge it." That can't be right, surely.
I am implementing the law that Parliament has given me.
But you are worried about the lack of clarity that exists at the
moment? This is something that other witnesses have talked about.
Mr Michael has an important point in that you are put under a
huge amount of pressure, and you are responding to say you really
can't do everything because you don't have the resources to do
it, but at the end of the day this comes from Parliament's lack
of clarity as far as RIPA is concerned.
I am only a small part of the solution. I am saying that perhaps
the issue that the Committee will want to think about when they
come to report is the fact that there is a mosaic of regulation
covering an area that is now very current, but perhaps in 2000
was not. RIPA was drafted for the wiretap age. We are now talking
about the internet, we are now talking about deep packet inspection,
we are now talking about online behavioural advertising, and yet
there are a series of commissioners working away in different
parts of the wood
Yes, just remind the Committee, how many different commissioners
and authorities are involved in this process? There is yourself
I think four would be of relevance.
Who are the four?
The Information Commissioner. There is the Interception of Communications
Commissioner, there is the Surveillance Commissioner and there
is the Interim Closed Circuit Television Commissioner – who
is about to morph into something else – and we are all operating
different bits of legislation. It is very important that we operate
in a joined-up way and I recently took an initiative to write
to my colleagues and say we need to liaise very closely to make
sure that business doesn't fall through the gaps.
Until you did that, was there any mechanism by which the four
commissioners perhaps met for lunch once a month or had a meeting
once a month to discuss this? Before you wrote and did this, was
there a process, is there a process that allows this to happen,
other than your initiative when you brought them together?
My staff were working very closely with the staff of the Interim
CCTV Commissioner and from time to time we had dealings with the
Interception of Communications Commissioner's staff, and the Surveillance
Yes, we understand that, but did the four of you meet together?
No, the four of us have never met together in the same room at
the same time. But over the next
I have only been in post since July 2009 so I am not perhaps
Chair: So in the last
two years there has been no meeting between the four commissioners?
Met individually but not the four of us. By the end of June we
will have done that.
Chair: Thank you.
Q150 Dr Huppert:
You seem to have made a strong case for perhaps unifying commissioners
into some sort of structure. Can I ask about the difference between
having a formal role in something and having a looser more advisory
role, giving advice to people involved? Let me give you an example
of what I mean. I recently contacted the National Policing Improvement
Agency, who have a covert advice team that provides advice to
police forces in terms of how to use interception, and asked them
what advice they had given to police forces. They gave a detailed
response, which I will circulate to members of the Committee and
make sure is in the report, saying that they have been providing
essentially the same advice from 2003 to 2010, which says inter
alia that voicemail messages stored on the servers would still
remain in the course of transmission irrespective of whether the
message had already been read or listened to by the intended recipient,
so we know that the police were being advised professionally by
the NPIA about how to interpret this. That is not the same as
the DPP who we have explored separately.
I think this is something we should explore separately
with the Met Police, but have you been asked to give advice in
that sort of way? Do you have a track record of people contacting
you asking for your opinion on things, even if they are not directly
We can't give advice on legislation that we have no responsibility
for, and the Regulation of Investigatory Powers Act, which is
what you are referring to, is just not our piece of legislation.
What is interesting, I think, is where you have RIPA and also
the Computer Misuse Act, where the penalty for a breach is
very serious, up to two years in prison, and it is a very high
hurdle – to take a case and to establish it is in the public
interest is quite a rare event – but there is nothing below
that very high hurdle of the sort of activity of a regulator,
which is absolutely standard for the Data Protection Act. Most
of my job, and my staff's job, is about giving advice to data
controllers and to members of the public and sorting out individual
problems. The prosecutions under section 55 of the Data Protection
Act are pretty rare. It is not the main thing of what we do.
What is interesting about this patchwork regime for
hacking and blagging and interception is that there is no equivalent
of the Information Commissioner giving very practical advice to
Government agencies, to commercial organisations. You either get
into serious trouble and are locked away for two years or nothing
happens so far as I can see. There must be something in between.
Q151 Dr Huppert:
Are you aware of any interception cases where section 55 of the
Data Protection Act has been used?
I am not aware, and I am not surprised that I am not aware, because
if the police after investigation have concluded that a prosecution
isn't in the public interest, it is very difficult for me to follow
on behind and see whether I can make a lesser charge stick. Remember
the maximum penalty for blagging under section 55 of the Data
Protection Act is a fine of up to £5,000 in the magistrates
court, unless it is prosecuted in the Crown Court, in which case
it gets a bit more serious.
Very recently Government has woken up to the fact
that this is a modern scourge – and it is not about newspapers,
it is about dodgy private investigators and child custody battles
and nasty matrimonial disputes – and the lack of a serious
penalty is a real problem. The Ministry of Justice is exploring
the restitution of the profits of crime, they are talking to the
Sentencing Advisory Council about making clear that section 55
offences are not just the equivalent of pinching the office stationery,
a crime against the boss; these are crimes against citizens that
need to be properly prosecuted with a real deterrent penalty.
We have found that very limited fines in the magistrates court
doesn't do the trick.
Q152 Dr Huppert:
So you would like to see higher penalties for that sort of offence,
or you would like to see – for instance, you implied that
if the police have already looked at a case and decided that it
is not sufficiently serious for them to want to do anything, you
would feel debarred from taking any action?
It is not a question of being debarred, it is simply that the
police have all the resources to make a charge stick. I am labouring
under some difficulty with the special purposes in relation to
some of the activities of the press. I am on the record as saying
that I think section 55 offences under the Data Protection Act
should be on a par with section 1 of RIPA and the Computer Misuse
Act, and there should be the availability of a custodial penalty
of up to two years. That would put everything on all fours. I
am very ready to see whether the Ministry of Justice has any luck
with persuading the courts to impose more realistic fines and
to go after the profits of what is a very profitable business.
The trade in unlawful personal information is hugely profitable.
Do you have an estimate as to how much it is?
Well, if I tell you that one case before the courts, which is
awaiting sentencing and an order, I hope, under the recovery of
the proceeds of crime procedure, involved the employees of a company
who were selling customer information to rival companies. Those
individuals, we are told, were making £70,000 a year over
and above their basic, so it is very, very profitable.
So this would run to millions of pounds a year?
Q155 Mark Reckless:
Mr Graham, you say the police have all the information, but to
take this issue of phone hacking, surely it is the mobile operator
that has a lot of this information and, although you say that
RIPA isn't your field, you do say that it is your role to give
advice to data controllers. I wonder what advice you would give
to a data controller were they to come to you and say, "We
have evidence that a mobile phone perhaps has been improperly
accessed and one of our clients would like the information as
to who or what telephone numbers have tried to access that information."
Would you advise them to give their client that information?
Again, any advice that I give under RIPA is purely going to be
out of the goodness of my heart. It is not official advice and
it is not something that anyone should rely on. You have to be
very clear the Information Commissioner has no status in relation
to RIPA or the Computer Misuse Act.
Q156 Mark Reckless:
But you have status with respect to data controllers, and the
mobile phone company is a data controller and they are holding
this data on what telephone numbers have attempted to access one
of their clients' accounts. Should they be prepared to give that
data to that client?
Under the new Privacy and Electronic Communications Regulations
that are coming into force on 25 May, there is provision for compulsory
breach notification. So that if a data controller is aware of
a breach of data security, they have to tell not only me as the
Information Commissioner but also the affected customers, so that
might well be one solution.
Q157 Mark Reckless:
That would certainly help, but in the meantime, under existing
legislation, would you be able to answer my question as to what
advice you would give to that data controller?
Chair: Unlimited or not?
Mark Reckless: Or otherwise.
The reason I am making the point about whether it would be official
advice or merely helpful big society citizen advice is that there
is a real problem here of the division of responsibility and legislation
that doesn't reflect the modern world. I can help out – I
will do my boy scout act for you if you like – but that is
not really the point. Parliament has to focus on the fact that
legislation that was passed in 2000 to deal with wire tapping
is now facing much more contemporary problems, and we need a contemporary
solution to that because the issues that are concerning people
are about online behavioural advertising or deep packet inspection
of emails rather than the circumstances that RIPA was designed
for, which is basically making sure that the official community
stick to the rules.
Q158 Alun Michael:
You said a few moments ago that you have no role, if I understood
you correctly, in relation to the Computer Misuse Act. You talked
primarily about section 5 but do you have no role at all in relation
to the Act as a whole, is that what you meant? And you have no
role in relation to section 1 of the Act?
Alun Michael: Of the Computer
I am not the prosecuting authority is the point I am making. So
if there is anything to be done under RIPA or the Computer Misuse
Act it has to be taken forward by the police or the Director of
Public Prosecutions. If Parliament wants to do it a different
way, fine. I am not here pitching for a different mandate. I carry
out statutory duties given to me by Parliament. All I am saying
is there is a complicated situation and the legislation, the regulation,
doesn't quite match the need.
Q159 Alun Michael:
Yes, I understand what you have been saying up until now. I am
trying to ask you specifically about the Computer Misuse Act.
Are you saying that you have no role in relation to the Computer
Misuse Act? I wouldn't want to misinterpret it; I thought that
was what you said.
The advice that I have had as the Information Commissioner since
I came in in July 2009 is that, because we are not the prosecuting
authority for the Computer Misuse Act, we are never going to get
anywhere down that route.
Q160 Alun Michael:
Does that mean that you are not able to provide advice formally,
other than as a former member of the scouts, and that nobody else
Nobody else is.
Alun Michael: So nobody
has the role of advising people under the
That is the point I am making, that most
Q161 Alun Michael:
Yes, we have that point. What I would ask you, though, is what
your experience is of proceedings under section 1 of the Computer
Misuse Act, and do you think there is a gap in the regulatory
regime, other than the point of where do you go for advice, on
which you have made it very clear that there is a gap?
Because we are not the people who can do anything about it, people
don't really consult us about the Computer Misuse Act, so I can't
really say anything very useful there. What I will say is that
the regulatory regime is a thing of shreds and patches and the
Committee will no doubt want to address that.
Alun Michael: No, no,
we have that point.
Q162 Mr Winnick:
In all this controversy, Mr Graham, about phone hacking and the
rest of it, the question has been touched on of the companies
concerned, the mobile companies. Do you feel they should take
more responsibility for misuse such as hacking?
I wish they were a bit noisier about advising their customers
on how they can keep their information secure. It is a general
point, I think. There are responsibilities on communication service
providers and internet service providers, and there are also things
that individual consumers and citizens can do, but you kind of
have to be told about them to know what it is you can do. We recently
did some survey work and found that a very high proportion of
people had no idea whether their home wi-fi was passworded or
not. That is a pretty basic step. I wonder how many of us are
very, very careful to password protect our mobile phones, not
just the voicemail mailbox but also the machine itself, the device
itself. I would like the mobile phone operators to be much louder
in their advice to customers saying, "Look, your Smartphone,
your iPhone, it's a wonderful thing, you can do fantastic things
on it but there's a downside. Be careful, make sure you've set
appropriate permissions, make sure you've set appropriate passwords."
That should not be in the small print of some agreement written
in lawyer-speak that nobody can understand; it should be up front,
I have found that the mobile phone companies are
getting much better at this. I have been invited to give presentations
to global privacy conferences by two of our leading mobile providers
recently. They really are interested. The reason they are interested
is, I think, they have got that we are now beyond the stage of
kiddies in the sweet shop bowled over by the wonders of what we
can see; we are a bit more questioning.
Chair: We will be taking
evidence from them.
There is a commercial reason for treating customers with respect.
Q163 Mr Winnick:
I assume that no one would want to hack into your phone but presumably
when you bought your own mobile – I take it you have one – such
security advice was not given in your own individual case?
I can't remember anyone making a great fuss when I bought a personal
mobile. Any piece of equipment that is issued to me by the Information
Commissioner's Office is passworded to the nth degree. I can't
move for passwords.
Q164 Mr Winnick:
Accepting that, of course, as I expected, you say you are meeting
with some of the mobile companies. Have you written to these companies
along the lines that you have just been telling us – that
this should not be advice given in small print and the rest of
it but very much otherwise, letting people know what needs to
be done to safeguard their communications?
It is a very constant theme. Also, in our recent code of practice
on personal information online, we made that point both to companies
and to consumers, because the consumers need to take some initiatives
themselves to make sure that they act responsibly about their
Q165 Mr Winnick:
How can they do that then? How can the consumers do that unless
They go to the ICO website and download the very useful consumer's
guide on personal information online. We are providing all sorts
of help and guidance for those bits of legislation that we are
responsible for. What we can't do is to second-guess what the
advice should be in relation to the Computer Misuse Act or the
Regulation of Investigatory Powers Act, because I don't know that
the regulators of those two pieces of legislation would take the
Q166 Mr Winnick:
In essence what you are saying, as I understand it, is it is up
to the mobile companies to do much more than they have done up
until now and to give every sort of advice about security?
I think there is a lot more they could do, a lot more they should
do, and the clever ones realise that you maintain
Mr Winnick: And you are
telling them that?
Yes, I am telling them that and they also realise they maintain
the confidence of their customers by treating them like grown-ups
and helping them to keep safe online.
In the Mulcaire and Goodman case, are you satisfied that the mobile
companies involved have now informed all the victims that their
phones had been hacked? Since you are giving them constant advice,
since you are addressing their conferences, since it is a constant
theme, you would have noted the fact that some of the mobile companies
have not informed people, their customers, that they had been
hacked. Are you now satisfied that all the people have been informed?
No, and I am sorry if I am boring the Committee
No, you are not satisfied or, no, they have not been informed?
It is not an issue that I have raised. I have raised the general
point about you have to give your customers better security information
and, of course, as we implement the Privacy and Electronic Communications
Regulations mark 2, where we are talking to the companies about
statutory breach notification
So you do not know in this specific case whether the victims of
phone hacking have been informed? You have given good advice,
it is a constant theme, you are meeting them, you are attending
their conferences, but in this particular circumstance you don't
know whether the victims have been informed?
I don't know, but as you will have gathered from my evidence I
am not responsible for the Regulation of Investigatory Powers
We understand. Who would need to tell them that then? If you are
not responsible, which of the other commissioners?
At the moment you have a vacuum because there is no equivalent
of the Information Commissioner acting as a regulator giving advice
The Committee has just written to them, so hopefully they will
provide that information to us. The Committee wrote to you on
7 April – I don't know whether you have had a chance to have
a look at that letter – relating to a number of immigration
matters concerned with third parties. Did you get a copy of that
I did get a copy of it and I replied to it on 19 April. I have
a copy here.
Excellent, that is very helpful because I have not received that.
It is probably in the office due to the recess. You understand
the point that we were making? These are people who enter the
United Kingdom as the spouse of a British citizen. When the British
citizen spouse writes to the Home Office to ask for information
on whether or not the person has been removed, the Home Office
writes back and says you are preventing them – you meaning
the Information Commissioner, the data protection legislation – from
giving that information out, even though it is the spouse that
has brought those people into the country. This is a constant
bugbear for the Committee over a number of years and this is the
response that many Members of Parliament get – that there
is no way in which this information can be forthcoming to the
spouse. What is the situation on that?
In the two-page letter that I have sent to the Committee
Chair: Maybe you can summarise.
To summarise, it is certainly true that data protection is very
often given as a reason for not doing things that are perfectly
reasonable. In this case, very often the matter in hand may be
about the legitimacy of the marriage or issues relating to a divorce,
and it is very important that information is shared in appropriate
circumstances but appropriate circumstances only. I would expect
the UK Border Agency to be pretty careful about establishing the
identity of who they were speaking to and what their interest
Of course, absolutely. Once they have done that and identified
that the person they are speaking to is the very person who brought
the person into the country and maybe wanting to report a fraud
that has been committed. It may be a forced marriage. It may be
someone who is subjected to domestic abuse. Once they have established
that identity – I accept that establishment of the identity
is pretty important – is that information protected?
It is horses for courses. You would have to look at individual
circumstances. You mentioned forced marriages: particularly in
the case of forced marriages, I would expect the UK Border Agency
not to give out information particularly over the phone to somebody
No, we understand all that. There is no question of giving out
information over the phone. This is a request from the spouse
of a person who is the subject of domestic abuse or a forced marriage
as to whether or not the person they had married is still in the
country or not.
But there might be very good reasons for not giving that information
to a spouse. I think the Committee will appreciate that, if you
are talking about domestic abuse or a forced marriage, the authorities
have to be very careful and look at the circumstances. But there
is a two-page letter that I sent on 19 April. If the Committee
would like it photocopied and passed around
Q175 Chair: No,
it is all right. We have photocopying facilities. We don't need
to impinge on your resources, but thank you very much for offering.
Mr Graham, your evidence has been extremely helpful.
To summarise it: you find the law at the moment fragmented; you
feel that RIPA was enacted at a time of a different age, things
have changed since then; and you feel that greater clarity is
required, not just in respect of RIPA but also as between the
various commissioners. Is that your view?
Yes, it is certainly my view, but I do stress the fact that I
have taken an initiative to get my colleagues together in order
to make sure that we synchronise our swimming. This is not a land
grab. I have quite enough to do, thank you very much.
Chair: We are quite sure
that you are not trying to build your empire. We are extremely
grateful. I am sorry it has taken you two years to get before
us but we hope to see you again in the not too distant future.
Thank you very much for giving evidence.