Examination of Witnesses (Questions 40-51)
MRS ELIZABETH FRANCE CBE, MR GRAHAM SMITH AND MR DAVID SMITH
THURSDAY 11 JULY 2002
40. Out of the 12,500 how many had genuine grievances?
(Mrs France) Well, genuine grievances
41. Did you feel had genuine grievances.
(Mrs France) I do not think I can answer whether they had genuine grievances but I can say what proportion we decide on the papers rather than investigating. Now that does not mean they were not genuine grievances but sometimes we can simply explain to people what the situation is. Of the cases that we looked at we simply gave advice in about 60 per cent of the cases. We refused to look at just seven per cent but that will be because they really were not areas within our competence. Then we break down what we did in other ways in our annual report. The split is usually about that, advice given in two thirds of the cases.
42. Was there any one body that you felt compelled to go and talk to and say "Now there is obviously a fundamental problem ..." just pluck figures out of the air "... 600 people have come to us to complain about you"? Have you been in touch with an organisation to say "Look, come on, you have got to improve"?
(Mrs France) We are in touch with organisations all the time.
43. Is there one that you think
(Mrs France) My staff are in constant dialogue with a range of data controllers. The difficulty I suppose in picking companies is it depends on the nature of their business. Year after year since 1987 I have to tell you that credit reference agencies would come top of the list but that is because they are dealing with credit information coming from all lenders. There are only three credit reference agencies in the United Kingdom holding that information. I would want to say to you there that we have had a very, very constructive year in our discussions with the credit industry, with the credit reference agencies and lenders, in changing their approach to how they keep information. That has been something that I really think we should trumpet because it is an example of our working with industry and achieving a change in process which they have put in place and we have not had to go to the stage of full enforcement. This is an issue you will be aware of I am sure. It is an issue that takes us back a very long time when in my predecessor's day credit reference information was filed by name or address and where he took enforcement action. So since the early 1990s credit reference agencies have filed by same name, same address but not by address only. Even that was causing problems, it was not what my predecessor had looked for and the problems have got worse and worse because we get more and more complaints, particularly when you have adult children living at home, where there is an assumption of a financial connection but no financial connection exists. Now to get them to change their procedures was going to be a massive investment for them. They have had to change the way they approach the filing of information. But, taking it constructively with them, giving a reasonable amount of time for change, engaging parts of the industry and working with them, they have now agreed that filing will be, to put it at its simplest, it is more complicated than this, only bringing together names where there is evidence of a financial connection. They are working towards that. I think that is a very good example of where we have always had most of our complaints, if I can call it that, but where industry has now responded and responded positively to the need to recognise the environment in which they operate.
44. The data protection issue, you said in your annual report that a major project for you has been the Employment Practices, Data Protection Code. The Committee has been lobbied by the Chartered Institute of Personnel and Development, the CIPD, an authoritative and respected organisation. You say in your annual report that your purpose in putting the code of practice together was to seek to provide the clear practical advice for which there is clearly a need. The CIPD, if I try to capture their thoughts in a sentence, say "I wonder whether the Commissioner has considered whether or not the code is a proportionate response to the issue it is designed to address". That has a feel of another organisation which, in Mr Smith's words, think that you may have gone over the top. Why have you thought it necessary to go over the top?
(Mrs France) We have thought very carefully about whether it is a proportionate response. I have to say I am surprised the CIPD have come to you because I had understood that the CIPDI do not know when they lobbied you...?
45. I can tell you, 3 July.
(Mrs France) They had been constructively involved in our restructuring of the advice and I had hoped we had met any concerns that they had expressed. Indeed, we have been having very positive feedback from a number of lawyers and those involved within large corporations with compliance issues on those parts of the code we have now published on our website. Let me start from the beginning very briefly.
Chairman: It will have to be very brief. We are going to be interrupted shortly by some bells. We had hoped to finish before the bells but we may have to go through the bells. There will be two lots of bells.
46. Can I try to help Chairman. I am particularly interested really in how you make the decisions as an organisation between the need to be thorough and comprehensive and fall into a trap of being over-prescriptive, that is the purpose of my question.
(Mrs France) We had for the first time in the1998 Act the ability to create codes of practice ourselves rather than agree other people's codes of practice. The first one we issued was on CCTV. The reason we looked at the employment code next was because we were getting very, very many questions from human resources departments, human resources staff, managers of companies asking us what the Data Protection Act meant for them. Instead of dealing with those piecemeal we decided the easiest thing for them and for us was to set it all down in a code of practice.
47. Two hundred pages.
(Mrs France) It has been a mammoth task because employment law and data protection law and where they interface is a complex issue. Now it is, I think, somewhat shooting the messenger to accuse us of making things over-complex. What we are trying to do is explain what is a complex set of law. The number of pages you have just mentioned, I think you will find our approach now is rather different from when we started out. We have had a lot of people asking for more. We have had a lot of people write in and say "You have not covered this" or "You have not covered that" and "Why can you not say more about this" and we have others saying there is too much and it is too complex. What we have tried to do is set out some guidance with a set of checklists at the back. We have changed the structure completely. We have sent it out to technical writers to try and make it more accessible and we are inviting the Small Businesses Council to write for us a version for small businesses so it is simpler. This is not meant for small businesses, it is meant for organisations which have a human resources department and have in-house compliance advice. Clearly we have to get the balance right. I would like people to take time to look at how useful this turns out to be. The response we are getting currently from practitioners now that we have got several parts on our websitewe have actually got two parts out there, two parts of a four part code available on our website for them to look atthe feedback that we are getting is that the checklists are particularly helpful. Now although the checklist adds to the number of pages in terms of density of script they are meant to be easy to use. It is much easier to navigate than our initial drafts. We have been delighted with the response from people like CIPD and we have tried to take account of their comments. I hope they agree that it is a far better document than the document we set out with. All I can say is that as a regulator I will be obliged to look at allegations of breach of the data protection law in relation to employment issues. Employment issues are ones which are going to come up time and time again. Trades unions are very interested in employee rights. Is it not better for me as a regulator to set out, in anticipation of those, my interpretation of the Data Protection Act as it interfaces with employment law rather than to announce what my interpretation of the high principles set out in the Data Protection Act are at the point at which I am faced with a particular decision to take? My intention is to be a modern regulator and to be out there giving you my interpretation of high level law in advance of decisions. We will listen to criticism. This is not set in concrete because it is guidance. It is there on our website. It will clearly be amended in the light of individual cases. At the end of the day it is up to individuals to decide how far they want to use this guidance within their organisation. They have three choices. They can pay heed to the guidance. They can lobby for changes in the law. Thirdly they can decide that this is simply the Commissioner's guidance and interpretation and take a risk management approach to how much notice they want to take of it, but not then cry should I have to take enforcement action in the light for example, of an individual case.
48. There is not a lot of mileage in pursuing this specific case. The CIPD do say their ". . . employers will regard compliance with the code as necessary to follow the law . . . the Commissioner's aim is to promote good practice, rather than simply legal compliance . . . It would be of interest to know whether or not she has considered issuing a guide on employee data, rather than code of practice"?
(Mrs France) We have considered it. We have looked at the whole remit of our responsibilities. We are satisfied that we have not added any gold plating in the code. It is our view that indeed people need to comply with the code to comply with the law. If they want to lobby for a change in the law that is a different matter.
49. Is this then an example, which I recognise happens, of business organisations, employers, trying to squirm out of necessary controls by pleading they are over-prescriptive and lobbying about wishing to be free from regulations? Is there an example of that here?
(Mrs France) I repeat, I am confident, and unless anybody would like to show me examples where I am wrong, that I am not adding to the regulatory burden, I am not adding to the law, I am explaining it. It is not for me to make or change the law. I am, however, under a statutory duty to raise awareness of the legal issues in this area and to enforce if breaches are brought to my attention. If what is actually being said is that the regulatory framework is burdensome then the proper place for lobbying is Parliament and not my office.
50. Thank you for that. I think that brings us probably to the end. All I would ask you, we are not going to see you again, I wonder if you have any parting shot for Parliament as you finish this period?
(Mrs France) I think the interest of this Committee in our work has been helpful. Helpful to us and I hope helpful in making what we do more visible and transparent, and I welcome that. I am sure my successor would want to keep a relationship with this Committee which I would see as one which is developing at the moment. I think that this whole area of work is one that has become more centre stage and will become even more centre stage because information in the hands not just of Government but of businesses everywhere is one of the key assets and is increasingly one which will create difficult situations and will perhaps sometimes be one where we are bound to point out to people what their obligations are in a way which they might not feel is comfortable and where it is valuable to have the opportunity to explain why we have done it. So your continuing interest will be welcome.
51. Thank you for that. You have been a most distinguished Data Protection Commissioner and a most distinguished Information Commissioner. I think we are all in your debt for that. I think there is genuine regretas I said at the beginningthat you are not going to be seeing the new statutory information regime into operation. I think we would feel more confident and secure if you were going to be. We thank you for the past and we wish you well for the future.
(Mrs France) Thank you. I would just like to say that I am confident that there is a strong team in the office who will carry things forward. I am sure once we know who my successor is you will have confidence in that situation.
Mr Heyes: Probably called Smith.
Chairman: Thank you very much.