Examination of Witnesses (Questions 20-39)
MRS ELIZABETH FRANCE CBE, MR GRAHAM SMITH AND MR DAVID SMITH
THURSDAY 11 JULY 2002
20. Can I ask you about that, because you do say, in your report, that you are responding to consultations on the Regulation of Investigatory Powers Act. I have the draft statutory instrument before me here, which was withdrawn by the Home Secretary. Were you consulted specifically on this draft statutory instrument?
(Mrs France) We were not, as far as I know, consulted on the draft statutory instrument. We had been consulted and had put publicly our comments on the primary legislation which those instruments were following on from. I have to say that in my view we had argued loudly and clearly what our view was in relation to the primary legislation, and I had taken the view that these orders followed naturally from that primary legislation. I was not asked, but I did not choose to comment on that order. I think that the order is not where I would want to focus my attention.
21. It follows from the point that Kevin Brennan was asking you, because had these orders gone through it would have given government departments, local authorities and a whole range of agencies the right to find out which e-mail addresses individuals had sent e-mails to. If I have got this wrong you are going to tell me.
(Mrs France) It is not as straightforward as that, I have to say.
22. Things rarely are!
(Mrs France) This is very complex law.
23. I am just a simple politician.
(Mrs France) There really is very complex law here, and though I was delighted to see the public response because of the anxieties about breaches of privacy, you will notice that we did not, in fact, on this occasion, join in with that cry for change.
24. One of the bodies down here that had access to information was the Information Commissioner.
(Mrs France) That is not why we did not comment, but it is certainly why I do not have the same objection to the order as some of the people who have made comments.
Mr Prentice: Why was the order withdrawn then?
25. Let us hear Mrs France just tell us what she thinks is the central point.
(Mrs France) The central point, to start with, was the point we lost. Our arguments when RIPA was going through was that orders should be subject to judicial approval and not administrative approval, and that was our key point about the Regulation of Investigatory Powers Act. That was argued two years ago and we argued that publicly, we argued it loud and we putwith othersour comments everywhere we could think of putting them, but the Government went ahead and decided they should be administratively approved orders. The order you are talking about there lists a long list of bodies, but the point you have to bear in mind is these are bodies who have a regulatory role and, in that role, have always had to have this access. What it is doing is making this transparent, putting it on a statutory basis and allowing you to look at and criticise that list. From my point of view, the important part which has perhaps been missed in the criticism is that the access is subject to a RIPA code, on which we were consulted. So this is not something which I have the same concern about as some other areas where I am very concerned still in this whole areafor example, where we are looking at the emergency powers legislation provisions to allow information to be obtained (and we have got a narrow definition of being obtained for national security purposes) but where we are concerned about what might be done with it after it has been obtained for national security purposes. Those things are far more worrying to me and far more important to me than a list of bodies who have a regulatory function and who can only exercise the ability to use the RIPA powers subject to a code of practice on which I have been consulted.
26. I understand that. Can I just very briefly return to this issue of the high level commitment to work with the Information Commissioner. Is that high level in the civil service or ministerial commitment or what?
(Mrs France) We have had high level commitment from ministers on many occasions and repeated on many occasions. In the past there have been Parliamentary questions where that has been repeated. We see the Prime Minister's commitmentin issuing, for example, the PIU privacy and data sharing reportto privacy as well as to data sharing as a joint objectives of Government and saying we will be consulted. We have seen all sorts of areas where we have been consulted early on. I think that a good example of that is the guidance we provided to the health sector where we have been working very closely with the health sector in the work they have been doing. So there is a commitment. When you ask any minister or you ask any senior civil servant they will accept that where their policies impact on the processing of personal data they will consult us early. In practice it does not always work.
27. Which brings me on neatly to the issue of the moment, which is entitlement cards, or ID cards. I am assuming that you were closely involved with the Home Office in discussing these entitlement cards.
(Mrs France) It would be a bit difficult for me to claim to have been involved when the consultation process has only just been launched. I would not necessarily expect to be closely involved prior to a consultation exercise. However, my staff have had meetings with Home Office officials in the drawing up of the consultation documents, so we have had some discussions with officials but I would not have considered that to be consultation at this stage. The Home Secretary has now opened a six-month period of consultation and we will play our part in trying to make sure that there is wide-ranging debate. We hope to put forward a very powerful response. It will be the task of my successor, towards the end of the consultation period, as we have done on previous occasions, when these issues have been raised.
28. I am not springing this on you, even though the consultation document has only been with us for a few days, because you would have thought about those issues. What are the main benefits of the ID scheme proposed by the Government and what are the drawbacks?
(Mrs France) I would not go so far as to say they are yet proposing a scheme; they have put forward issues for us to look at. You will find that we do already have, being very far-sighted, a paper on our website which sets out the points for and against any form of identity cards. Our main issue now, and in the past, has been that Government should be absolutely clear on "purpose". That is what has been lacking in all proposals we have seen to date. We have to look carefully. I am not pre-judging the current consultation exercise, but if you are not clear on purpose you cannot decide what information should be held, who should have access to it and whether it is fit for purpose. So that is one of the key questions.
29. I am thinking aloud here, but maybe the Government could have avoided all these problems by consulting you in great detail before issuing the consultation document, even though there was contact between your office and the Home Office beforehand.
(Mrs France) They might have been able to but we need to see proposals and to involve others, wider audiences, in consultation. We are not opposedlet me be quite clear about thisto a form of identity document of some kind. I have to be careful what I say there, document is perhaps the wrong word.
30. Entitlement card.
(Mrs France) For data protection purposes if there is to be more on-line business done between the citizen and Government, as individuals we need to be confident that only our data is being accessed by us and that we can do business with confidence with Government. Some form of token, which would allow authentication and validation, is going to be vital if e.Government is to go forward. The issue is whether that is what this is for. If that is what this is for it need say very little about the individual, it can simply be a token. It does not need to have things on the face of it that can be used by other people. It does not need to contain information which can allow what I would call purpose creep. It can simply be a token which validates a transaction with Government. That would be a genuine entitlement token, something that is facilitator for the citizen.
31. Is it possible, given the state of technology that we have today, to have one definitive record of a person's identity because that is what the Government says in its consultation document, one definitive record. There must be criminals out there who are just salivating at the thought of being able to break through and access one record, one entitlement card, let us call it, which would allow them to go anywhere within the system because that would be seen by Government Departments and banks and everybody else as the definitive statement of a person's identity.
(Mrs France) There are all sorts of technical problems involved but the bigger problem than the technical problem is the problem of the quality of historic records. There is an enormous task for Government if it seriously believes that it can now put on to the front end of its processes anything which identifies you or me and gives us access to records which are already held. This is where I talk about quality of record keeping, quality of historic records, because it would be very difficult for them to be sure that the records they hold already are records which relate to you or me. There is a recent example, if you want an example, of my concern relating to the issue of criminal records. Criminal record certificates are now being issued. An enormous amount of work has been done by those setting up that office to make sure that at the modern, front end of the process they are taking every possible step to make sure you are the Gordon Prentice who is making the request to see whether there is a criminal record. The problem is that the records stored by PNC over a generation were not kept with that in mind. Therefore, the standard of record keeping will make it difficult to assign the right bits of record to the right files even though we know we have got the right person at the end of the chain. If you follow what I am saying that is magnified then many times if you are suggesting that existing historic records held by the Department of Health, DWP, Immigration & Nationality Department, have been kept to a standard which would allow that interface. That is one issue. The other issue is that if you are going to do it properly it is going to require, in my view, enrolment afresh by all of us and not reliance, for similar reasons, on any existing database of citizens. These are early thoughts and I want to look properly, I do not want to pre-empt the consultation period. One of the key things I should say is that we would expect something as serious as this to be set out on a statutory basis and that statute should make clear what the permitted uses are. One of the things we worry about enormously is whether there will bealthough the Home Secretary has said it will not be something he has in minda creep towards a duty to identify yourself. Unless the statute prohibits that it would become an informal use. People will say "You need to show your card".
32. Just to pull that together so that we are clear for the record. When you look at this document and the areas where lights might flash for you, listening to you I got the sense that it was the confusion of purpose issue which is the central one, is that right?
(Mrs France) Yes. I would not want to suggest that the Home Secretary on this occasion is confused as to purpose because I want to look at the consultation paper properly. In any previous proposals we have seen there is a confusion of purpose because we lose sight of one narrow purpose and begin to suggest this will solve all sorts of peripheral problems. Once you do that you lose any ability to decide what appropriate access should be, who should decide what information goes on the card, all sorts of other issues come into play. There is that. There is the ability for the card to be used for more purposes than originally intended. There is the problem of existing historic databases and worries about the quality of any existing foundation database of citizens. I do not think there is one which we could rely on as being, if you like, the source document for a new scheme.
Chairman: That is very, very helpful. Thank you very much indeed.
33. In your review of the year you talk about the Article 29 Data Protection Working Party in Europe, and it is adopting recommendations related to the employers' application of law, model contracts for international transfers of personal data. Where has that got to and what effect has the European Union and the European Commission had, which has approved the whole contract now? Has that moved on?
(Mrs France) Yes, it has moved on and there are now model contract clauses available for us. Perhaps I could ask David Smith to add something to that.
(Mr Smith) Yes. Model contract clauses have been developed and approved by the Commission and they are available for organisations to essentially take off the shelf, fill in the gaps and use themselves. There is quite a lot of business resistance to the use of those contract clauses because many businesses feel they are essentially over the top because they are overly demanding. I know the Commission is open to business organisations developing their own models and bringing those to the Commission with a view to having them approved. That avenue is still being explored. Indeed, in the UK it is still open to businesses to develop their own clauses, not simply to rely on the model, and provided those deliver proper protection businesses can use them. What they do not get though is the absolute guarantee that they get if they pick the Commission's model.
34. The Commission itself is directing this country to try and use a model which is not within the country?
(Mrs France) I think "directing" is the wrong word.
(Mrs France) It is an item on the menu from which companies can pick in order to satisfy the requirements of the Directive.
36. What is your relationship with the European Commission? You went out and spoke to the Council of Europe on data protection, was that part of an ongoing programme?
(Mrs France) Yes, we do that. The Council of Europe is rather different. I think what I should say to start with is to make clear, which I know you do understand, we are independent of Government, do not represent Government when we go to these meetings. The meetings of the Article 29 are meetings of experts. When we meet in the Article 29 Committee we are meeting with fellow independent commissioners to advise the Commission. So we are there as expert advisers and in that role we have been looking at various aspects of the Directive. We spent an enormous amount of the time we have had looking at trans border data flows but we are moving on now to other issues. We are looking at European Codes of Practice, for example. Direct marketers have been one of the first to produce one, FEDMA is the European Direct Marketing Organisation. We have been looking atinterestinglyemployment issues and whether there should be a common employment code across Europe. There are all sorts of other areas in which we have joined together but we are acting as experts, making recommendations to the Commission. It is then a matter for another group, imaginatively named the Article 31 as opposed to the Article 29 group. That comprises Government Members where the Lord Chancellor's Department is represented. They take the decisions on the issues of that kind.
37. Bringing you closer to home, you have opened offices now in Edinburgh, Cardiff and Belfast.
(Mrs France) We have not yet done so.
38. You have not yet done so. Right. Is one of the reasons that you are doing thatand I am thinking more about Cardiff and Edinburgh as opposed to Belfastto be able to keep a weather eye on the Assembly and the Parliament?
(Mrs France) I would not call it "keep a weather eye" I would say have a productive dialogue. We do feel that as a response to devolution we should make sure that we are visible in the devolved areas and have an opportunitygoing back to earlier questionsto be seen and to be there, to be involved in policy discussions where that is appropriate. We have decided that we need a representational role in all these areas and we have taken a policy decision that we will appoint Assistant Commissioners in each of those areas. What we are discussing in-house is what other work will be done. Clearly they will have that representational role but we are trying to decide what other work from our office could be conducted in those areas. We have put on our website now a statement to allow people to express interest in these roles. In fact, we are working towards taking this further. In Scotland there is another reason for doing it, of course, in that my FOI role is rather different in Scotland. In Scotland my office is responsible for freedom of information issues as they relate to UK bodies operating in Scotland. Therefore, we need to be there I think to have a close personal relationship with the Scottish Information Commissioner in the interests of the citizen so that if there are any concerns about who should be dealing with a problem we can solve it without bouncing the citizen between our offices.
39. The question I was going to ask was is the Scottish law situation slightly different and of course it is. That is one of the main reasons you are doing this. I noticed actually the amount of people coming to you now is from 8,000 to 12,000 in a year. Is this because more people are beginning to, shall we say, fall foul of data protection?
(Mrs France) I think it is the fact that there has been an increase in people's awareness of the issues, an increase in the awareness of their rights and a willingness to take people to task where they think that is appropriate. We have tried to set out clearly on our website what our procedures are and to try to manage expectations so that people know what we can do. We are a rather odd body, we are not an ombudsman and our enforcement powers are more those of a regulator. Although 12,500 people have come to us with individual requests for assessment, we can assess whether there is likely to have been a breach of the Data Protection Act. We can try to make sure that the individual things are put right but our powers are designed to deal with systemic breaches, to get organisations to put their procedures right rather than to provide compensation for the individual who the Data Protection Act requires still to go to the courts if that is what they are seeking.