Richard Thomas, the new information commissioner, hopes to use persuasion rather than prosecution to get organisations to comply with data protection legislation. He talks to Bill Goodwin on how he is going to overcome ignorance and complacency, and pick his way through contradictory legal requirements.
What will your main priorities be in your new post?

I have been in this job five weeks, so I am still the new boy. I am starting to work out what the overall priorities will be.

I put out a press release last week on the importance of respecting information and promoting openness in the public sector.

If you are the IT director of a public sector organisation, I am putting out a wake-up call (for) the Freedom of Information Act. Already every public body has to draw up a publication scheme, setting out how they are going to make more information available on a regular basis.

As from January 2005, only two years away now, they will have to have in place the infrastructure for dealing with requests from members of the public, journalists, pressure groups, commercial organisations and from a wide range of people putting in requests for information about their activities.
Do you expect that to have much of an impact on their IT systems?

It may. For both data protection and IT systems you would need to take into account the requirements of the law. I would hope that by now all IT directors are familiar with data protection. In the past there have been systems designed which were not adequately compliant with the Data Protection Act from the outset.

And my office, in the past, has taken action to get that put right. It is far more expensive in terms of time and money if you have to bolt it on later. And to write data protection safeguards and compliance systems into your data structure from the outset is absolutely essential.

That is one of my ambitions - to get these matters treated as a natural working discipline.
So people take on data protection as they design their systems rather than afterwards?

Complying with data protection principles is good for the organisation. Which organisation, public or private, wants to have information which is inaccurate, which is out of date, which has been improperly obtained, which leaks out of the organisation in inappropriate circumstances? All that is very bad for your reputation.
What is your reaction to the Inland Revenue case (where staff accessed and sold information from tax records)?

I am glad the Inland Revenue is taking this seriously. I hope that all organisations that are maintaining confidential information are aware of the risks involved here.

It is a very serious criminal offence to obtain or to disclose personal information without the consent of the person who is controlling the information, which would normally be the organisation. And if they come across hard evidence that this is happening - whether by people impersonating others to get access to the system, or because of some sort of corruption inside the system - if they have the evidence we will prosecute. It is an unlimited fine in the crown court.
People have said of the Office of the Information Commissioner that it has been a bit of a soft touch towards companies that breach the Data Protection Act. Do you have any plans to take a tougher line?

I don't think talking hard or soft is the right approach. I am concerned with achieving the objective - getting proper respect for data protection and compliance with the data protection principles. If we can achieve that by pointing to self-interest, by persuasion and by constructive engagement, that is the best way forward.

Equally, if I have to take enforcement action against those who are unwilling or unable to change their ways, I wouldn't hesitate to do so. It is speaking constructively with a big stick.
There has been concern that the sanctions and powers you have access to are not really adequate.

I am not a law maker. I use the law as I find it. I mentioned the criminal sanctions, which are unlimited fines. The enforcement procedure for changing behaviour seems the best way forward. Ours is not a regime of punishment. It is a regime for getting things right for the future.
How many prosecutions has the information commissioner brought?

I am not doing facts and figures today, I am afraid. Just general introductory stuff.

But it isn't very many - is it?

It is in the annual report. I am not looking for convictions or prosecutions or enforcements as a measure of success. I am looking for a compliant society where organisations do these things naturally.
There has been a lot of concern about the security of data held on websites. Over the past year we have reported in CW quite a number of sites where our readers have logged on and discovered they are able to view other people's confidential data. Will you be doing anything to tackle that?

I hope that any organisation that would be a target or victim of that sort of activity would put that right. If it requires my intervention then it's a pretty poor show. If I have to intervene, I will.
How would you answer the lobby groups who criticised you this week for not taking a tough enough line on the issue of entitlement cards?

We had expected there to be a great deal more public debate and controversy about entitlement cards. There hasn't been. We launched our own conference to help me, as the new commissioner, put together a response from the data protection perspective to the Home Office proposals.

It was very successful in airing a very wide range of views, the practicalities, the overseas experience and a very full analysis from a privacy perspective. A quite passionate analysis from a privacy perspective. A passionate argument both for and against the principle of ID cards. Plenty of food for thought.

Fundamentally, (the issue of ID cards is) a question of whether the benefits outweigh the costs and the risks to privacy and social values. At the very least it's going to be necessary to put in place a very robust safeguard to ensure compliance with data protection principles and I will be coming forward with my considered response in the next few weeks.
One of your main concerns is the idea of function creep.

I have a number of questions that I am asking and want to be confident that the quality of the information is going to be sufficiently accurate. These cards will have a spurious authority. They will have a very official standing. It is obviously important to safeguard against forgery and counterfeiting and fraudulent application and issue of these cards.

Equally there is the question of mistakes. So I have to ask searching questions of the quality of the data. I also ask questions about how we can put in place safeguards against function creep. The risk that we go down a slippery slope, where something may be innocuous at one level. If it then grows over the years and people are required to carry a card, that would be an example of function creep.

For example, the home secretary said yesterday, emphatically, that racial and religious and political information would not be held on the card. We need to ensure that remains the case.
A lot of our readers are very confused about the issue of monitoring communications at work and the code of conduct, which they view as long, complex and difficult to understand. Are you considering using a simpler, more understandable code?

That's not quite right. Part III of the code, dealing with monitoring at work, has survived through the months before I took office and was being completed before I arrived. I said I did not want to see dribs and drabs. I wanted to see the code as a whole before I formed my own views on that. That will be high on my agenda over the next week or so.

I have made it clear that whatever comes out of that process, there will need to be a version for small businesses. There needs to be a version of part III as well as, in due course, a small business version of the entire code.
Would the smaller code run alongside the longer version of the code, and which version would businesses follow?

You will have to wait and see how that comes out. But the objective at this stage is to provide a user-friendly version for small businesses.

When are we likely to see part III of the code coming out?

I can't say yet.
Another issue is the question of the Regulation of Investigatory Powers Act and the Terrorism Act, how the two mesh together and the concern that together they breach human rights. How do you see that being resolved?

Well, there is a complex set of issues there. The next stage would be for (the home secretary) to bring forward the proposals as to who might be able to access communications traffic information, for what purposes and in what situations. And, I think, until we see that, we can't go further.
There is also a lot of concern about private investigators and others obtaining information by deception.

I made it a high priority to make sure people were fully aware of what the Data Protection Act said. It's a very serious criminal matter. It is the one part of the act where there are unlimited fines in the crown court. I have an investigation team. If we come across evidence that information is being obtained by deception, or it leaks out by deception or on a corrupt basis, then we will play our part to crack down on this by prosecuting those concerned. I find it quite unacceptable.
Is there any other message you would like to give to our readers?

Be aware that the Freedom of Information Act is not very far away now. (Public sector organisations) are going to be legally obliged to deal with access requests for information as from January 2005. It is only two years away. I am not going to be tolerant of organisations that tell me they are not going to respond to requests because they have not had time to prepare.