Surveillance: Citizens and the State - Constitution Committee Contents

CHAPTER 5: Regulators


220.  In this chapter we consider the roles played by the various commissioners who oversee surveillance and data use, and suggest how their oversight functions might be enhanced. Our focus is primarily on the Information Commissioner, who has by far the broadest remit, but we also look at the other commissioners who oversee the use of powers under the Regulation of Investigatory Powers Act 2000 (RIPA). The remit of the commissioners is set out in Box Two.


The Commissioners

The Information Commissioner: oversees and enforces the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations, as well as the Freedom of Information Act 2000 (FOIA).

The Chief Surveillance Commissioner: leads the Office of Surveillance Commissioners (OSC), which provides oversight of the conduct of covert surveillance and the use of covert human intelligence sources (CHIS) under the Regulation of Investigatory Powers Act 2000 (RIPA) and the Police Act 1997.

The Interception of Communications Commissioner: keeps under review the issue and operation of warrants permitting interceptions and the acquisition of communications data under RIPA.

The Intelligence Services Commissioner: reviews the issue by the relevant Secretary of State of warrants and authorisations for operations by the Security Agencies and Ministry of Defence (MOD) which fall under his oversight, namely warrants issued under the Intelligence Services Act 1994 and warrants and authorisations for surveillance and agents under RIPA.

The National Identity Scheme Commissioner: to be appointed in 2009. Will review the arrangements made by the Secretary of State and by designated authorities for the purposes of their functions under the Identity Card Act 2006 or its subordinate legislation; the arrangements made, by persons to whom information may be provided, for obtaining the information available to them and for recording and using it; and the uses to which ID cards are being put.

The Information Commissioner

221.  The Information Commissioner is responsible for promoting and enforcing the Data Protection Act 1998 (DPA) and the Freedom of Information Act 2000 (FOIA). He promotes the protection of personal information by increasing public awareness and by providing guidance to individuals and organisations, and he takes remedial action when the DPA is breached.

222.  The responsibilities of the Information Commissioner's Office (ICO) have been especially onerous since the advent of FOIA. In many other countries and jurisdictions where there is a statutory basis for data protection and freedom of information, these roles are divided between separate Commissioners, although views differ on whether or not they are best combined. This issue had been debated recently in Canada, where there are separate Commissioners at the federal level, but we learned that a merger had been rejected largely owing to the strong interest in privacy (especially in the light of 9/11), and also because the tension between the principles of privacy and access to information made it preferable to represent people's rights separately in each of these fields. Both Commissioners, it was said, should share a mandate to educate the public.[93]

223.  We were struck by the number of witnesses who called for an expansion in the role of the Commissioner and for his powers and resources to be increased. The Foundation for Information Policy Research (FIPR) suggested that "the Information Commissioner's Office was designed to be weak". (p 404) Yet the overwhelming impression we received was that, given the impressive work that is currently being done by the Commissioner's Office, there is a pressing need to strengthen his regulatory hand. Dr David Murakami Wood, Lecturer at the School of Architecture, Planning and Landscape, University of Newcastle upon Tyne, and representative of the Surveillance Studies Network, told us that:

    "We regard the current Information Commissioner as being an extremely active and effective regulator who has gone in some ways way beyond what he needed to do and has indeed sparked this whole debate in the first place. He is shackled in the sense that his powers are limited and indeed the powers of his office are limited." (Q 68)

224.  We also heard from a number of witnesses about the powers made available to other Commissioners in comparable European jurisdictions. While the Information Commissioner is by no means an especially weak regulator and has been provided with an array of powers, it was also apparent that other countries such as Germany have provided his counterpart with considerably more authority. (Professor Fedtke, Q 739)

225.  The Information Commissioner, Richard Thomas, made a strong case for a number of changes to the current regulatory regime, both in terms of the requirements that should be placed on organisations responsible for handling personal data, and the powers available to the Commissioner's Office to enforce the provisions of the DPA. Specifically, he suggested five key ways in which the current legal regime could be substantially strengthened and improved:

(1)  mandatory Privacy Impact Assessments (PIAs) by government departments;

(2)  requirements to have codes of practice in place for proactive information sharing in the public sector;

(3)  proper consultation with the Commissioner before significant new developments;

(4)  increased audit and inspection powers for the Commissioner; and

(5)  effective penalties for serious disregard for the requirements of the data protection principles. (p 6)


226.  The 2008 Data Sharing Review Report, by Richard Thomas, the Information Commissioner, and Mark Walport, Director of the Wellcome Trust (the Thomas-Walport Review), proposed that the Information Commissioner should have a statutory duty to produce and periodically update a data-sharing code of practice—to be laid before and approved by Parliament—and "to endorse context-specific guidance that elaborates the general code in a consistent way."[94] Although the Commissioner has already published a Framework Code of Practice for Sharing Personal Information, in October 2007, it has no statutory basis and is not subject to any parliamentary oversight. The proposed system, by contrast, "would provide greater clarity and introduce greater scrutiny."[95]

227.  The Code, as envisaged, would "establish standards setting out how organisations involved in sharing personal information should handle and protect the data under their control" and "apply to all those involved in data sharing, who should adhere to it as a matter of good practice and consider it as an authoritative interpretation of the relevant data protection principles." While breaches of the Code would not be against the law, it "should have suitable authority and be sanctionable in the sense that the Commissioner and the courts should be expressly entitled to take non-compliance with its provisions into account when deciding whether data controllers have complied with the data protection principles."[96]

228.  We are pleased that the Government have agreed that the Information Commissioner should be placed under a statutory duty to produce a data-sharing code of practice which would be approved by Parliament.[97] In our view, this should result in a Code that would be an authoritative guide to those involved in data sharing. The role of Parliament in approving this Code would bring greater transparency to the way in which data protection principles are interpreted.


229.  In Chapter 7 we consider whether the Information Commissioner should have a right to be consulted on any legislation that involves surveillance or data powers, in order that he can communicate any concerns to Parliament. We now consider his involvement in the formation of government policy. The Commissioner told us that his approach was "founded on the need to ensure that as relevant developments occur in future data protection and privacy interests are considered at the very earliest stage. It is imperative that these important considerations are taken into account, addressed and built in as developments progress and not ignored or 'bolted on' as an afterthought." (p 4) However, the ICO explained that it was often impossible for him to be involved in this way:

230.  The Commissioner suggested that the Government's failure to consult him at a sufficiently early stage was due partly to his independent status—a requirement of the European Union Data Protection Directive 95/46/EC—which meant he was "out of the Whitehall loop". (Q 14) Dr Chris Pounder, then of Pinsent Masons, went further and told us, "the Information Commissioner, when he raises privacy issues which need to be resolved, is seen by Government (and is often treated as such) as part of the opposition to the policy. The result is that privacy concerns form part of the political debate about the policy (i.e. whether personal data should be processed) and often are not fully addressed in the implementation of policy (i.e. how to process personal data)." (p 281)

231.  We regret that the Government have often failed to consult the Information Commissioner at an early stage of policy development with privacy implications. We recommend that the Government instruct departments to consult the Information Commissioner at the earliest stages of policy development and that the Government should set out in the explanatory notes to bills how and when they consulted the Information Commissioner, and with what result.


232.  Some witnesses argued that the Commissioner needed more powers to carry out unannounced inspections of organisations to assess their compliance with the DPA. Although the Commissioner has the power to carry out audits under the Act, these audits can only be undertaken with the permission of the data controller for the organisation in question, with the result that it is difficult for the Commissioner's Office to work proactively or act as an effective deterrent against bad practice. Professor Martyn Thomas, independent consultant and representative of the UK Computing Research Committee (UKCRC), argued:

233.  Dr Daniel Neyland, then Senior Research Fellow at the Saïd Business School, University of Oxford, called for "selective, random, unannounced inspections of state funded data management systems" by the Information Commissioner. (p 424) In addition, Dr Murakami Wood suggested that he should also be empowered to inspect private sector organisations because "these vast new conglomerates of information … need to be subject to inspection as much as the state". (Q 68) Dr Eric Metcalfe, Human Rights Policy Director for JUSTICE, told us that it was a "basic anomaly" that the Commissioner could audit a private company but did not have the power to compel an audit. (Q 276)

234.  The Commissioner was clear in his desire to have his current auditing powers increased (Q 8), telling us that the requirement to have the consent of the data controller before conducting an inspection "limits proactive oversight and the deterrent effect of possible inspection in areas where there may be real risks to compliance." (pp 5-6) Deputy Information Commissioner David Smith put the situation into a broader context by suggesting that "we are, as far as we can see, almost unique as a regulator in having a set of responsibilities to oversee and not then having a power to inspect that they are being put into practice." (Q 19) The Commissioner argued that a power to carry out proactive inspections would, by contrast, "send a strong signal that compliance with the law is not just for the virtuous but needs to be taken seriously by all." (p 6) The House of Commons Home Affairs Committee reached a similar conclusion, calling for an extension of the Commissioner's inspection and audit powers.[98]

235.  The Thomas-Walport Review considered this issue. It referred to the Republic of Ireland's Data Protection Act, which grants strong inspection powers, and to the concern that without such powers the UK might not be compliant with the European Data Protection Directive. It concluded that the Information Commissioner should have "a statutory power to gain entry to relevant premises to carry out an inspection, with a corresponding duty on the organisation to co-operate and supply any necessary information" and that "where entry or co-operation is refused, the Commissioner should be required to seek a court order", although not a search warrant.[99] The report also suggested that the right to carry out spot checks of public sector organisations should be placed on a statutory footing.[100]

236.  In the wake of the data loss by Her Majesty's Revenue and Customs (HMRC), the Prime Minister authorised the Information Commissioner to spot check government departments.[101] The Government told us that the subsequent interim report of their review into Data Handling Procedures in Government "committed on extending the spot checks to the entire public sector". (p 324) The Government have now indicated that legislation for this is intended, giving the Commissioner inspection powers over public sector data controllers without consent.[102] This provision has been included in the Coroners and Justice Bill in the 2008-09 parliamentary session, but this does not extend the power to cover the private sector in circumstances where there is no reason to suspect non-compliance or a breach of data protection principles.[103]

237.  In responding to the Ministry of Justice's announcement about the ICO's new public sector inspection power, David Smith stated that "we would have preferred to have this power to undertake audits extended to private sector organisations as well."[104] The Commissioner will still have to obtain the private sector data controller's consent or, if he has reasonable grounds for suspecting a contravention of the data protection principles or a breach of the DPA, a time-limited judicial warrant giving search and seizure powers.

238.  We welcome the Government's decision to provide a statutory basis for the Information Commissioner to carry out inspections without consent of public sector organisations which process personal information systems, but regret the decision not to legislate for a comparable power with respect to private sector organisations. We recommend that the Government reconsider this matter. Organisations which refuse to allow the Commissioner to carry out inspections are likely to be those with something to hide. In addition, the protection of citizens' data may in the absence of legislation be vitiated given the growing exchange of personal data between the public and private sectors.


239.  The Information Commissioner lacks the power to punish individuals or organisations for breaching the provisions of the DPA. Instead, his power is limited to issuing enforcement notices in the event of non-compliance. Dr Pounder told us that:

240.  The ICO told us:

    "There are also limitations to the sanctions that may be imposed where data protection principles are breached. Whilst the Commissioner has the power to issue enforcement notices, these are remedial in effect and do not impose any element of punishment for wrong doing. Such an approach may be appropriate for isolated contraventions of the law or where there is a genuine misunderstanding but a more effective sanction is needed where there are flagrant far reaching breaches of the law. This is particularly true where significant security breaches occur because of the negligence or recklessness of the data controller." (p 6)

241.  Similarly, Toby Stevens, Director of the Enterprise Privacy Group, warned us that "the majority of organisations in the private sector, if they were to choose to do so, could disregard most of [the DPA's] requirements, knowing that the outcome will probably be cheaper than the cost of compliance." However, Mike Bradford, Experian's Director of Regulatory and Consumer Affairs, did remind us that "while the cost of non compliance in terms of censure may be potentially minimal, for a commercial organisation, especially a plc, to end up with a headline that says 'There has been a data breach at Company X' is a phenomenal cost to the business … the deterrent is in the breach which will potentially be reported." In respect of the public sector, Toby Stevens said, there were often no penalties "where there is little point in transferring taxpayers' funds from one body to another in the form of a fine." (Q 329)

242.  Since we received this evidence, the Commissioner's concerns have been addressed in the Criminal Justice and Immigration Act 2008. The Act empowers the Commissioner to impose monetary penalties on data controllers (in the public or private sector) for breaching the data protection principles knowingly or recklessly in ways that are serious and likely to cause substantial damage or distress; the penalty may be appealed to the Information Tribunal (section 144). However, the Commissioner's new power has not yet been brought into force, and the Secretary of State has not set the maximum penalty level. The Thomas-Walport Review called for the power to be brought into force by 8 November 2008[105] and for the penalties to "mirror the existing sanctions available to the Financial Services Authority" with "high, but proportionate" fines related to turnover.[106]

243.  We welcome the new powers for the Information Commissioner to levy fines on data controllers for deliberately or recklessly breaching the data protection principles, and we recommend that the Government bring these powers into force as soon as possible. The maximum level of penalties should mirror that available to comparable regulators, and should not be disproportionate. This must be subject to an appropriate appeals procedure.


244.  The new powers proposed above will have resource implications for the ICO. The ICO's data protection activities are funded by the £35 notification fee paid by data controllers, whilst its Freedom of Information activities are funded by the Ministry of Justice. Several witnesses felt that the ICO was under-funded. Toby Stevens told us that the ICO "is not adequately resourced to keep up with the legislative burden being placed upon it" and that it therefore has to remain focused on "promoting data protection awareness rather than enforcing data protection because that requires such a great resource intensiveness". (Q 329) The Information Commissioner confirmed that "our resources are very limited". (Q 15)

245.  Although Dr Pounder acknowledged that the introduction of new powers would require the resources of the ICO to be substantially increased, he was of the view that this was not an unreasonable demand:

246.  The House of Commons Justice Committee highlighted "the anomaly that the same basic registration fee of £35 is paid by individuals, small businesses, large companies and large government departments or agencies" and suggested that "a graduated rate would be more appropriate, more likely to reflect actual costs, and more suited to providing an adequate income for the policing of data protection."[107] Echoing this recommendation, the Thomas-Walport Review concluded that "changes should be made to the notification fee through the introduction of a multi-tiered system to ensure that the regulator receives a significantly higher level of funding to carry out his statutory data-protection duties."[108] We are pleased that the Government have accepted this proposal.[109]

The RIPA commissioners


247.  There are three commissioners with oversight duties under RIPA: the Chief Surveillance Commissioner, the Interception of Communications Commissioner and the Intelligence Services Commissioner.[110] The Association of Chief Police Officers (ACPO) did not believe that this regulatory structure is effective and appropriate, telling us that the commissioners "adopt different methodologies, have different styles and do not co-ordinate their inspection activities" and that the current arrangements are "inefficient, cause duplication and are anachronistic." (p 43) Assistant Chief Constable Nick Gargan, the former Chair of the Covert Investigation (Legislation and Guidance) Peer Review Group within ACPO, argued that the duplication had a "bureaucratic cost" because of the resources needed to prepare for inspections that often resulted in conflicting advice which confused staff. He said that the structure was "an irritation rather than a substantial problem" but that a combined inspectorate would be "an opportunity both for lessening the burden on police forces but also for improving the quality of regulation." (Q 132)

248.  Gareth Crossman, the then Director of Policy at Liberty, also favoured creating a combined inspectorate to replace the three RIPA commissioners, arguing that the tripartite system was a pointless historical anomaly. He concluded that "we should get rid of the whole lot and have a single Commissioner responsible for the oversight of intrusive surveillance currently covered by RIPA." (Q 279)

249.  The analysis of the current system given by Nick Gargan was disputed by the Interception of Communications Commissioner, Sir Paul Kennedy. Sir Paul contested the point about duplication on the grounds that "the activities being considered by the representatives of the Office of Surveillance Commissioners … and those being considered by the Inspectors from my office are different." He also disputed Nick Gargan's claims about clashing inspection visits and conflicting advice from different offices. (pp 62-63)

250.  Nick Gargan explained that his comments on duplication reflect "a strongly held and often repeated viewpoint of many senior practitioners" and reiterated his view that a merged body could rationalise the inspection process. He repeated the point about conflicting advice and gave an example where Sir Paul Kennedy's office had given advice that contradicted guidance from the Office of Surveillance Commissioners (OSC). (pp 64-66) Subsequently, Assistant Chief Constable Suzette Davenport, his successor as Chair of the Peer Review Group, wrote to us on behalf of ACPO to underline the point that "there is much overlap between inspection regimes", and to assert that "greater clarity around the remit of each inspection regime can only be of benefit both in terms of efficiency and in avoiding any misunderstandings around role, function and remit." (pp 66-67)

251.  The Chief Surveillance Commissioner, Sir Christopher Rose, argued against a merged inspectorate:

    "The answer to that is no, because the job has to be done. The areas which Sir Paul covers are entirely different from mine, and those processes have to be inspected by somebody, so if you had a single Commissioner responsible for everything, there would still have to be the same inspection carried out of the public authority or the law enforcement agency in relation to that particular sphere of activity. I would have thought, particularly in an area which is, partly as a result of the legislation and partly for practical reasons, quite technical and difficult, the more specialism you have among those who are keeping an eye on what goes on, the better the public interest is served." (Q 643)

252.  We are concerned that three different offices overseeing the operation of the Regulation of Investigatory Powers Act 2000 (RIPA) may result in inefficiencies and disjointed inspection. We recommend that the Government examine the feasibility of rationalising the inspection system and the activities of the three RIPA Commissioners.


253.  Sir Christopher Rose told us that law enforcement agencies were inspected every year by his Office while public authorities were inspected only "every two years or every three years". The inspection process consisted of "a dip sample of the paperwork" which led to a report which he then had to approve and, in the case of law enforcement agencies, a follow-up meeting with the Chief Constable. (Q 648) Sir Christopher accepted that this system had its limitations:

254.  Sir Paul Kennedy, as Interception of Communications Commissioner, operates by inspecting interception warrants issued by the Home Secretary and random samples of applications for communications data within law enforcement agencies and public authorities. He told us that such inspections needed to continue indefinitely but that compliant institutions would be inspected less frequently than non-compliant ones. (QQ 684, 706, 724)

255.  This regime of inspections seems to be a proportionate and cost-effective way of examining the use of RIPA powers, and to be leading to a general improvement in the level of compliance.[111] However, the system does not provide any scope for targeted inspections in response to alleged abuses that may have caused public concern. For example, when it emerged that Poole Borough Council had used covert surveillance powers under RIPA to monitor a family to establish whether they lived in a particular school catchment area,[112] and later to monitor fishermen,[113] there was substantial public concern. The OSC, however, took no action and did not examine the use of the powers in these cases. The ICO did investigate, but the OSC only assessed the Council's conduct as part of its two-yearly inspection process.

256.  When we asked Sir Christopher if he would consider investigating specific cases reported by the press such as those in Poole, he answered as follows:

    "Certainly not. It would be totally impossible to do that. As I say, there are a very large number of authorities which we inspect, we have a carefully designed programme. I mean, I am not ruling it out absolutely, if there was a well documented manifest abuse of power by a local authority, well then, of course we would try and do something about it, but I am afraid responding to press reports is not always a fruitful activity when you only have a small amount of resources at your disposal." (Q 653)

257.  This answer is unsatisfactory. Whilst we understand that resources are constrained, it is essential that the regulators overseeing the use of RIPA powers should maintain public confidence in the regime. We recommend that the Chief Surveillance Commissioner and the Interception of Communications Commissioner should introduce more flexibility to their inspection regimes, so that they can promptly investigate cases where there is widespread concern that powers under the Regulation of Investigatory Powers Act 2000 have been used disproportionately or unnecessarily, and that they seek appropriate advice from the Information Commissioner.


258.  The Investigatory Powers Tribunal (IPT) is charged with investigating complaints against organisations, including the intelligence services, over their use of powers regulated by RIPA. The IPT also has jurisdiction over complaints brought by an individual concerning the acquisition, storage and use of information by the intelligence services of his or her entry in the National Identity Register established under the Identity Cards Act 2006. We note the concern expressed by Nick Gargan that "very few people" know about the IPT and that this represents a "missed opportunity" to demonstrate the transparency of the RIPA regime and to provide a visible means of redress for those who feel they have been wrongly treated. (Q 142) He told us that "the tribunal ought to be encouraged to be a more publicly visible facility both in terms of encouraging people to use it and, where meaningful claims have been made, to actually publicise those findings so as to reassure the community that they are being protected and we are using our powers responsibly." (Q 144)

259.  We recommend that the Investigatory Powers Tribunal publicise its role, and make its existence and powers more widely known to the general public.

93   Appendix 4, para 28. Back

94   Data Sharing Review Report, op. cit., Recommendations 7(a) and 7(b), paras 8.30-8.31, 8.34. Back

95   ibid., para 8.34. Back

96   ibid., paras 8.35, 8.38. Back

97   Response to the Data Sharing Review Report, op. cit., pp 14-16. Back

98   A Surveillance Society?, op. cit., para 195. Back

99   Data Sharing Review Report, op. cit., paras 8.61-8.65. Back

100   ibid., para 7.9. Back

101   HC Deb 21 Nov 2007 col 1179. Back

102   Ministry of Justice, The Information Commissioner's Inspection Powers and Funding Arrangements under the Data Protection Act 1998: Summary of Responses, November 2008, p 6. Back

103   ibid., pp 16-17. Back

104   ICO, Statement, 24 November 2008.  Back

105   That is, six months after the Act received Royal Assent. Back

106   Data Sharing Review Report, op. cit., paras 8.52-8.53 Back

107   Protection of Private Data, op. cit., para 26. Back

108   Data Sharing Review Report, op. cit., Recommendation 13, p 4. See also para 8.67. Back

109   The Information Commissioner's Inspection Powers: Summary of Responses, op. cit., pp 19-20. Back

110   There is also an Investigatory Powers Commissioner for Northern Ireland. See Box Two above for a description of the commissioners' responsibilities.  Back

111   See for example the Annual Report of the Chief Surveillance Commissioner to the Prime Minister and to Scottish Ministers for 2007-2008, July 2008 (HC 659); and the Report of the Interception of Communications Commissioner for 2007, July 2008 (HC 947).  Back

112   Poole Borough Council "admitted using laws designed to track serious criminals to spy on a family for nearly three weeks to find out if they were lying about living in a school catchment area." Schlesinger F, "Council uses criminal law to spy on school place applicants", The Guardian, 11 April 2008. Back

113   See for example Morris S, "Council used terror law to spy on fishermen", The Guardian, 14 May 2008. Back

previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2009