Information commissioner: Speaking constructively, carrying a big stick

Richard Thomas, the new information commissioner, hopes to use persuasion rather than prosecution to get organisations to comply with data protection legislation. He talks to Bill Goodwin about how he is going to overcome ignorance and complacency, and pick his way through contradictory legal requirements.

What will your main priorities be in your new post?
I have been in this job five weeks, so I am still the new boy. I am starting to work out what the overall priorities will be.

I put out a press release last week on the importance of respecting information and promoting openness in the public sector.

If you are the IT director of a public sector organisation, I am putting out a wake-up call (for) the Freedom of Information Act. Already every public body has to draw up a publication scheme, setting out how they are going to make more information available on a regular basis.

As from January 2005, only two years away now, they will have to have in place the infrastructure for dealing with requests from members of the public, journalists, pressure groups, commercial organisations and from a wide range of people putting in requests for information about their activities.

Do you expect that to have much of an impact on their IT systems?
It may. For both data protection and IT systems, you would need to take into account the requirements of the law. I would hope that by now all IT directors are familiar with data protection. In the past there have been systems designed which were not adequately compliant with the Data Protection Act from the outset.

And my office, in the past, has taken action to get that put right. It is far more expensive in terms of time and money if you have to bolt it on later. And to write data protection safeguards and compliance systems into your data structure from the outset is absolutely essential.

That is one of my ambitions - to get these matters treated as a natural working discipline.

So people take on data protection as they design their systems rather than afterwards?
Complying with data protection principles is good for the organisation. Which organisation, public or private, wants to have information which is inaccurate, which is out of date, which has been improperly obtained, which leaks out of the organisation in inappropriate circumstances? All that is very bad for your reputation.

What is your reaction to the Inland Revenue case (where staff accessed and sold information from tax records)?
I am glad the Inland Revenue is taking this seriously. I hope that all organisations that are maintaining confidential information are aware of the risks involved here.

It is a very serious criminal offence to obtain or to disclose personal information without the consent of the person who is controlling the information, which would normally be the organisation. And if they come across hard evidence that this is happening - whether by people impersonating others to get access to the system, or because of some sort of corruption inside the system - if they have the evidence we will prosecute. It is an unlimited fine in the crown court.

People have said of the Office of the Information Commissioner that it has been a bit of a soft touch towards companies that breach the Data Protection Act. Do you have any plans to take a tougher line?
I don't think talking hard or soft is the right approach. I am concerned with achieving the objective - getting proper respect for data protection and compliance with the data protection principles. If we can achieve that by pointing to self-interest, by persuasion and by constructive engagement, that is the best way forward.

Equally, if I have to take enforcement action against those who are unwilling or unable to change their ways, I wouldn't hesitate to do so. It is speaking constructively with a big stick.

There has been concern that the sanctions and powers you have access to are not really adequate.
I am not a law maker. I use the law as I find it. I mentioned the criminal sanctions, which are unlimited fines. The enforcement procedure for changing behaviour seems the best way forward. Ours is not a regime of punishment. It is a regime for getting things right for the future.

How many prosecutions has the information commissioner brought?
I am not doing facts and figures today I am afraid. Just general introductory stuff.

But it isn't very many - is it?
It is in the annual report. I am not looking for convictions or prosecutions or enforcements as a measure of success. I am looking for a compliant society where organisations do these things naturally.

There has been a lot of concern about the security of data held on websites. Over the past year we have reported in CW quite a number of sites where our readers have logged on and discovered they are able to view other people's confidential data. Will you be doing anything to tackle that?
I hope that any organisation that would be the target or victim of that sort of activity would put that right. If it requires my intervention then it's a pretty poor show. If I have to intervene, I will.

How would you answer the lobby groups who criticised you this week for not taking a tough enough line on the issue of entitlement cards?
We had expected there to be a great deal more public debate and controversy about entitlement cards. There hasn't been. We launched our own conference to help me, as the new commissioner, put together a response from the data protection perspective to the Home Office proposals.

It was very successful in airing a very wide range of views, the practicalities, the overseas experience and a very full analysis from a privacy perspective. A quite passionate analysis from a privacy perspective. A passionate argument both for and against the principle of ID cards. Plenty of food for thought.

Fundamentally, (the issue of ID cards is) a question of whether the benefits outweigh the costs and the risks to privacy and social values. At the very least it's going to be necessary to put in place a very robust safeguard to ensure compliance with data protection principles and I will be coming forward with my considered response in the next few weeks.

One of your main concerns is the idea of function creep.
I have a number of questions that I am asking and want to be confident that the quality of the information is going to be sufficiently accurate. These cards will have a spurious authority. They will have a very official standing. It is obviously important to safeguard against forgery and counterfeiting and fraudulent application and issue of these cards.

Equally there is the question of mistakes. So I have to ask searching questions of the quality of the data. I also ask questions about how we can put in place safeguards against function creep. The risk that we go down a slippery slope, where something may be innocuous at one level. If it then grows over the years and people are required to carry a card, that would be an example of function creep.

For example, the home secretary said yesterday, emphatically, that racial and religious and political information would not be held on the card. We need to ensure that remains the case.

A lot of our readers are very confused about the issue of monitoring communications at work and the code of conduct, which they view as long, complex and difficult to understand. Are you considering using a simpler, more understandable code?
That's not quite right. Part III of the code, dealing with monitoring at work, has survived through the months before I took office and was being completed before I arrived. I said I did not want to see dribs and drabs. I wanted to see the code as a whole before I formed my own views on that. That will be high on my agenda over the next week or so.

I have made it clear that whatever comes out of that process, there will need to be a version for small businesses. There needs to be a version of part III as well as, in due course, a small business version of the entire code.

Would the smaller code run alongside the longer version of the code, and which version would businesses follow?
You will have to wait and see how that comes out. But the objective at this stage is to provide a user-friendly version for small businesses.

When are we likely to see part III of the code coming out?
I can't say yet.

Another issue is the question of the Regulation of Investigatory Powers Act and the Terrorism Act, how the two mesh together and the concern that together they breach human rights. How do you see that being resolved?
Well, there is a complex set of issues there. The next stage would be for (the home secretary) to bring forward the proposals as to who might be able to access communications traffic information, for what purposes and in what situations. And, I think, until we see that, we can't go further.

There is also a lot of concern about private investigators and others obtaining information by deception.
I made it a high priority to make sure people were fully aware of what the Data Protection Act said. It's a very serious criminal matter. It is the one part of the act where there are unlimited fines in the crown court. I have an investigation team. If we come across evidence that information is being obtained by deception, or it leaks out by deception or on a corrupt basis, then we will play our part to crack down on this by prosecuting those concerned. I find it quite unacceptable.

Is there any other message you would like to give to our readers?
Be aware that the Freedom of Information Act is not very far away now. (Public sector organisations) are going to be legally obliged to deal with access requests for information as from January 2005. It is only two years away. I am not going to be tolerant of organisations that tell me they are not going to respond to requests because they have not had time to prepare.
