[Mr Gary Streeter in the Chair]
Written evidence to be reported to the House
PF 24 Federation of Private Residents’ Associations
PF 25 The Northern Ireland Human Rights Commission
PF 26 The Association of Residential Managing Agents
PF 27 Sir Paul Kennedy, Interception of Communications Commissioner
PF 28 Home Office (Public Reading Stage Report)
PF 29 Royal College of Surgeons
PF 30 NSPCC
PF 31 Automobile Association
You are most welcome, and we are grateful to you for coming. We have a lot to get through in one hour, so I encourage colleagues to be succinct with their questions, and if you could be relatively succinct with your answers we will make a lot of progress.
Christopher Graham: As the Information Commissioner, I have responsibility for the data protection aspects of CCTV, but I suspect that there are more issues around it that we do not have responsibility for. The trick will be to get the two regimes to synch. It is notable that the proposals in the Bill concern only England and Wales; of course, we have responsibility for the UK enforcement of the Data Protection Act. The proposals also focus particularly on local government and the police, but there is a wider issue, many citizens would feel, about the use of CCTV cameras in the private sector, or by private contractors working for public authorities. We can do so much in enforcing the Data Protection Act in respect of the personal information captured on CCTV, but we do not claim to do the whole thing, so we need to work very closely with that new regime to make sure that it is effective.
Is there a risk that the new role of surveillance camera commissioner might overlap with your role or would you give a similar answer to that you have just given, which is that there are some differences?
Christopher Graham: Lots of things overlap. Data protection and freedom of information overlap. Information rights have a privacy dimension and a transparency dimension: the contrast between the individual’s rights and society’s rights. We obviously have to make the system work. What we really want is clarity in the proposals. I wish that we had had the opportunity of more detailed engagement with the Home Office in drawing up the CCTV proposals, because some of the things are not absolutely clear to us, but we will make things work as best we can. It is important for the various commissioners who are appointed under the Bill to work closely together, and to liaise and co-operate.
David Smith: There will be implications for us because the proposed surveillance camera commissioner does not have a complaints handling function or an enforcement function. Those who have complaints about the use of CCTV, particularly about personal information, will continue to complain to our office. Indeed, the existence of the code may generate more complaints to our office. Equally, if there are questions of enforcement, it is possible that the surveillance camera commissioner will turn to our office and ask us to use our powers to help enforce the provisions of the code that he or she will oversee. There are boundary issues that will have to be dealt with but, as we do with other regulators, we will work closely to ensure that things are as seamless as possible for the individuals who have complaints and problems.
Good morning. Mr Graham, can you expand on the point that you wished you had had more liaison and discussion with the Home Office before the provisions in the Bill were introduced? Some of us are very concerned about the overlap between the Information Commissioner and the new surveillance camera commissioner. Indeed, would it not be better for there to be an extension to your functions to include that point so that the problem of duplication can be avoided?
Christopher Graham: There are two parts to that question. First, I make no complaint; we have been closely engaged with the Home Office, but on a very broad front. The transparency and accountability agenda pops up with different Departments all over Whitehall, and I cannot say that we have been idle since the election. We have been involved on very, many fronts. I had a useful discussion with the Minister shortly after his appointment, and there is more detail to be worked through. I value this opportunity of talking to the Committee about it.
In terms of the overlap between commissioners, we need to be very clear that the Information Commissioner is established by Parliament with two primary pieces of legislation to enforce: the Data Protection Act and the Freedom of Information Act 2000. I know there are voices saying, “We need to have a privacy advocate or a privacy tsar.” My problem with that is that privacy is at one end of the spectrum while accountability and transparency is at the other end, and someone has to make the judgment. You can make that judgment if you are charged with upholding information rights in the public interest, but if you are specifically identified as Mr Privacy and expected to come down on the privacy side all the time, it is difficult to make judgments about the release of official information or the extent of granularity of crime mapping, or something like that. It has to be a balanced responsibility. I do not mind a number of specific commissioners dealing with specific approvals for different things, as long as we co-ordinate, as long as we talk and as long as we have memorandums of understanding and we all stick to our individual knitting, but make sure that the knitting does not get muddled up.
Good morning. Can you comment on your existing relationship with the interim CCTV regulator in that role? Presumably, you have ongoing discussions.
David Smith: Andrew Rennison is the current interim CCTV regulator. We have worked closely with him, both in his capacity as CCTV regulator and in his capacity as forensic science regulator, which I suppose is his full-time permanent role. We have seen with him a division of responsibilities, in that he is really interested in the standards of operation of CCTV systems, particularly things such as the quality of the images that are produced. At the end of the day, are they good enough to apprehend offenders if they come into the hands of the police? Our direction is more about protecting the privacy of the individuals whose images appear. Those are two different roles. We have developed a very good working relationship, and I am confident that if he was the surveillance camera commissioner, we would develop a good working relationship as well, but as the Information Commissioner says, we would need to develop memorandums of understanding. What is key is that it is clear not just to us but to individuals—to the public we are intending to protect.
I was shuffling papers when Scotland was mentioned and I am wondering exactly where you come in with regard to Scotland and data etc. Also, if you think that there is something missing from the Bill, what is it?
Christopher Graham: I am the UK Information Commissioner in respect of data protection. My very good friend the Scottish Information Commissioner is responsible for freedom of information for devolved bodies in Scotland, which is, frankly, most of the public authorities that come under the Freedom of Information Act. I have responsibility for northern lighthouses, which I am very proud about. I have not been asked to do anything about it, but when I am asked, I will. Everything else on the freedom of information side in Scotland is down to the Scottish Information Commissioner, Kevin Dunion. Again, we liaise and make sure we are in step with each other, but it is essentially a Scottish matter.
However, data protection is a UK responsibility. I have responsibility for data protection in England and Wales but also Scotland and Northern Ireland. That is why it is very important not to confuse that with the CCTV provisions in the Bill, which, as I understand it, apply simply to England and Wales.
Christopher Graham: It is a very complicated Bill, which has obviously involved a lot of engineering. I do not think it is for the Information Commissioner to say whether it should apply beyond England and Wales, but the regime that the Bill puts in place for CCTV applies, as I understand it, in England and Wales, and I have wider responsibilities than that.
Christopher Graham: The prime objective of CCTV regulation as far as the Information Commissioner is concerned is to make sure that there is no abuse of people’s rights to the protection of their personal information under the Data Protection Act. As David said, we are not directly involved in making sure that the CCTV cameras work and that the images are useful for the detection of crime. There are lots of other interests that people have in CCTV. But it is not what the Information Commissioner is there to do.
I hope that does not come across as an over-bureaucratic response. It is just that I am a commissioner appointed under statute to enforce a couple of pieces of legislation. If I stray beyond that and say it would be a jolly good thing if CCTV did this or that, I am going beyond what I have powers to enforce. It is much better if I stick to applying the Data Protection Act in the CCTV world, which is difficult enough given that CCTV is now very much involved not just in looking after public space on behalf of local authorities or central Government, but in parking control at Tesco. It is about automatic number plate recognition. It is about all sorts of other private activities, which technology is making us more and more able to deal with. The Information Commissioner will not be able to tackle every aspect of it, but looking at the data protection side of it, there is a lot we can do.
David Smith: To take it to an extreme position, if the cameras do not work, we are not concerned, because cameras that do not work cannot intrude on someone’s privacy and that is what our driver is. If they do not work very well, there may be an issue, because you identify the wrong person and that intrudes on privacy. But the police and law enforcement agencies and the wider private sector have a very clear interest in cameras that are efficient, can detect crime and can be used as evidence to bring people to court. That is not really the interest under the legislation that we are given to pursue. That is what we see as the difference between our job and the role of the current interim commissioner and the proposed new commissioner.
Mr Graham, we heard some highly entertaining evidence on Tuesday from the interception commissioner about the Regulation of Investigatory Powers Act 2000. His view was that there was not a problem with the Act, or at least if there was, it was that not enough local authorities were using the powers. Do you echo that view?
Christopher Graham: I do not really have a view on RIPA because it is not something that I am charged with enforcing. I think I have an opportunity coming up to meet some of the commissioners to take this forward. Perhaps there needs to be better co-ordination; certainly where there has been a lot of controversy lately about the behaviour of the press. We have been concerned with the activity known as blagging, where you get information from a database by pretending to be someone else, or by tricking staff at the call centre, bank or, unfortunately, the local doctors’ surgery. That definitely breaches the Data Protection Act, and we deal with it. But the whole row about phone hacking comes under the Regulation of Investigatory Powers Act, and we have to leave that to the police. So I do not have a view about RIPA.
David Smith: Maybe we should mention that we have powers under RIPA ourselves at the Information Commissioner’s Office, which we use. In some of our big cases, such as the construction industry database and the industry blacklist, we used our powers to obtain access to telephone records—not interception of the communications, but the traffic data—to track down who was running the illicit database. We recognise that there are wide concerns about RIPA powers and how they are used, but I suppose we would say, “Please don’t go too far”, because they are actually useful and valuable powers, which we need to prosecute offences that come under data protection.
Moving to private entities and their use of surveillance, you have expressed concerns about that. Should the Bill try to address those issues, and is it doing so?
Christopher Graham: Our major concern regards section 55 of the Data Protection Act, where there is unlawful release of private information, often without the knowledge of the data controller, by rogue members of staff. It is important that that is effectively enforced. The Minister of State at the Ministry of Justice, who was at our data protection officers’ conference in Manchester the week before last, was quite strong about the need for the courts to take effective action to enforce section 55. He talked about pursuing actions for the restitution of the profits of crime. Some of the scams and operations are extraordinarily profitable. We are waiting to hear the sentencing in one case where we were told that members of staff were making £70,000 a year over and above their basic salary by selling customer information to rival companies. It is very important that we see effective action by the courts. It is often seen as a victimless crime, but it is not. It is not pinching the office stationery or making long-distance phone calls from the office, but selling people’s personal information, very often in nasty circumstances.
Christopher Graham: Enforcement is the issue. There is legislation on the statute book. There is, in suspense, the power to introduce a custodial sentence. I am prepared to wait and see how the new drive works before I renew the ICO’s call for a custodial sentence to be imposed. I recognise that custodial sentences are somewhat out of fashion at the moment. Let us see how we go with this latest drive.
David Smith: It is a view we have always taken that there should be proper safeguards for RIPA powers, and a proper process of authorisation. We have in the past, certainly, said that we prefer the judicial route—that there should be judicial authorisation. That is our preferred route, from a human rights view, as well as being an independent approach.
There is a role for Government in balancing the proportionality—it is resource-intensive—and which types of RIPA-based activity are appropriate for judicial authorisation and which for more administrative authorisation. We ourselves have access to traffic data, essentially, and that is not a judicial authorisation process. We would be more than happy to go through a judicial authorisation process, but I wonder whether it is necessary. We are subject to supervision by the interception of communications commissioner, and we are inspected by another commissioner, so there is that sort of approach. From a purist view, yes, judicial supervision is the better way.
That leads to the argument about the perception of the wider public, and there is wide concern. There is the concept of justice not just being done, but seeing to be done. If you have gone through that checks and balances route, you will then give the fair and proportionate way forward. Are we right in saying that?
Can you say something about the changing definitions of “publicly owned company”? What problems have there been with the current definition? How will the change to the definition included in the Bill help? What sort of things will be brought into your remit? Some examples would be helpful.
Christopher Graham: It is very encouraging that the Bill recognises the fact that more and more services are being delivered by alternative delivery mechanisms, and not only by public authorities, but by companies acting on behalf of public authorities. So it is welcome, for example, if a company owned by more than one local authority is brought within freedom of information, because at the moment a company owned by a single local authority falls under the Act, while a company owned by a number of them does not. The whole logic of back-office shared services is that a number of authorities will be using a particular vehicle.
I think I am right in saying that our local airport, Manchester airport—we are based in Wilmslow—is owned by a consortium of local authorities, and so is outside the Freedom of Information Act. If it was owned only by Manchester city council—was it ever owned only by the Greater Manchester council?
For my part, the change is welcome, in terms of what is included in the Bill, for the reasons you state.
I have a couple of other questions. Obviously, some changes in respect of the appointment and tenure of the Information Commissioner are included in the Bill. We can always argue, but why do you think that the Bill needs to include something that says the Information Commissioner will be appointed on merit?
I am not trying to be rude; I apologise. I am just making the obvious point that I do not understand why the Bill needs to include that the person appointed to the job will be the best person for the job.
Christopher Graham: The legislation needed to be updated because there is a lot of guidance now about public appointments, to make sure that things are done properly. To reassure you, I had to go through a public hearing with the Justice Committee before my appointment was confirmed.
The key thing is not just modernisation but also the independence of the Information Commissioner. The Information Commissioner must be in a position sometimes to tell truth to power—to say difficult things to very senior people. It is an independent position; it is an appointment under royal prerogative and I can be sacked on joint resolution of both Houses of Parliament, but at the moment there is nothing in the legislation to say what the crimes would be. There is a very clear understanding that if I or one of my successors should fall down on the job in a number of specific ways those would be grounds for that resolution.
Regarding the independence of the Information Commissioner, it is an important part of the back end of the Bill that I have reassurance that that independence is being strengthened. The independence arises from an appointment that is a one-shot; you do not have to spend your time worrying about whether you are going to be reappointed. The Minister has made it clear that the Justice Committee will effectively have a power of veto over the appointment. The appointment will be made in the normal way, with advertising, selection interviews and so on, but then the Committee of the House of Commons will have the final say.
Personally I think that the term of office, as specified in the Bill, could be put slightly differently. At the moment, it says five years. I think that no less than five and no more than seven would be a slightly better arrangement. It so happens that my three predecessors had seven years, because they had a five-year appointment and then an extension. I do not speak for myself. I know absolutely that it is a five-year appointment and that is fine. It suits me well. However, I think that the next commissioner in particular, who will come in at a time when the next data protection directive is being implemented, would probably benefit from having up to seven years, which might make it more attractive to some candidates. I think that my predecessor, Richard Thomas, has put in a submission to the Committee on that point. There might be some people who have a look at the job and say, “Oh, I’ll have to make myself very unpopular to very senior people over five years and that’s it. I tell you what—I won’t apply.” I think that it would be cleverer if what was on offer was up to seven years.
That is interesting. I will ask another question now, but I was going to ask a question about the term of office, because I agree with that comment. I think that seven years offers the flexibility that is needed.
You can charge for certain things at the moment, but as I understand it you have to get the agreement of the Secretary of State to do so. The Bill removes that requirement, and it allows you to charge for certain services and to employ the number of staff that you want. Again, that is trying to strengthen the role and the independence of the commissioner. Can you give us some indication of the sort of things that you might charge for that you currently do not charge for? Also, what sort of control will there be on that process? Will there be a market force control? Given that people have to comply with the law, what check will there be on the charges that you make or who you make them to?
Christopher Graham: The general point to make is that at the moment I am circumscribed by all sorts of controls and I have to ask permission of the Secretary of State for most things that I do. Luckily, that is being stripped away under the Bill. As far as charging is concerned, we are simply talking about cost recovery.
Christopher Graham: No. There is going to be a framework agreement and a financial memorandum, and I don’t expect the financial memorandum to allow me any more leeway than I get at the moment as an accounting officer working within a structure in which the permanent secretary is also an accounting officer. So it will not be “let it rip” time.
As far as charging is concerned, I propose that we ought to be able to recover the costs, for example, of attendance at some of our big conferences. We had 500 data protection officers attending a conference at the Manchester conference centre the week before last. That is a very expensive operation. It is a very good value day, but I think that a modest charge that recovered some of the costs would be a good idea and the delegates in their response packs said that they would be very willing to pay.
Some of our more expensively produced publications—such as “The Information Commissioner’s Office Guide to Data Protection,” which is a really useful, hard-copy, ring-bound reference publication—are available online for free and we will provide single copies for free. However, if a company says, “We’ll have 200 of those, please,” I think that it would be reasonable for a company to pay a fee that covered the cost of those. That is all it is about. It is an illustration of the way that the office was originally set up that you cannot move without asking permission from the Secretary of State. If you do get permission, you have to give all the money back to the Consolidated Fund at the end of the day, because you should not have had it in the first place. It is a more grown-up relationship, but it is not about the commercialisation of the ICO.
Christopher Graham: There will be post-legislative scrutiny of the experience of the Freedom of Information Act conducted by the Ministry of Justice. There are a whole range of issues that we will want to discuss with the MOJ. I suspect that there will be further freedom of information legislation coming down the track after this Bill.
Christopher Graham: I have only experienced the ministerial veto once in my time. I was agin it, and I said I was agin it. I made a report to the Justice Committee saying that I thought the decision of Jack Straw to impose the veto before the matter had even been considered by the Information Tribunal, and without the exceptional circumstances that the legislation demanded or any exceptional circumstances that I could see, was a mistake. If the view is that Cabinet Committee material can never be made public because that is an affront to Cabinet collective responsibility, that is what the legislation ought to say. But the legislation does not say that; it says that it is a matter for the judgment of the Information Commissioner and the Information Tribunal.
Christopher Graham: It is more proportionate than the current regime. I will ask my colleague David Smith to comment on some of the detail. But a very important point that we would like to get across to the Committee is that deleting the DNA is one thing, but you also need to delete the associated name record on the police national computer at the same time. That is not specifically in the Bill, and we think it is an important safeguard. Proportionality is the name of the game. We like the direction of travel. I do not know whether David has particular comments to make about the proposals.
David Smith: I can only endorse that comment: that we welcome the direction of travel. The indefinite retention of DNA on people who have been arrested but not proceeded with, or charged but not convicted, is contrary to the data protection principles and good data protection practice. Protection in legislation places limits on retention, so information should only be retained as long as it has a value—not just some value, but a value that overrides the privacy intrusion that goes with lengthy retention. The indefinite retention that we have seen and that was taken up in the S and Marper case has always offended us and we have been unhappy with that.
We very much welcome the move to much shorter retention periods. We welcome the previous proposals as going in the right direction, which were 12-year periods and six-year periods. We were unhappy with those because we thought they were too long and not supported by the evidence of reoffending and the use of the information. If we have any concerns about the present arrangements, it is not that they are too long. They make sense and the value in drawing them from the Scottish model is that they appear to indicate more of an intuitive approach than an evidence-based approach. When you are talking about intruding into people’s privacy, we like that to be based on the evidence—how useful is this information in detecting crime and how does that usefulness fall away after time? We are very happy to go with the periods in the Bill, but that should not be the end of the story. There should be an ongoing process of gathering evidence about how useful this information is and a regular review of those retention periods.
I know there are issues about devolved legislation and so on, but what we suggest in the Bill is based on the Scottish model. In your experience, how effective is the regime in Scotland?
David Smith: We have not come across any repercussions from the system in Scotland. In some ways, it is difficult to comment. If you do not have the DNA, you do not know who you might have caught had you had it. We are concerned with the idea that this is all about catching criminals and there is no balance in terms of privacy. Actually, there are two public interests. There is a strong public interest in catching criminals, but there is also a public interest in protecting the privacy of individuals. Up to now it has all been on one side, and we welcome the balance. It always existed in the Scottish model. There is no doubt that any reduction in the retention periods will reduce—perhaps only marginally—our ability to catch someone. The way to have the maximum ability is to keep the DNA of everybody in the land. It is about the balance between the two, and we think that this system is better.
Christopher Graham: This is an example where the expertise of the Information Commissioner’s office is at the disposal of the Committee. We have submitted a detailed memorandum that includes 15 paragraphs on DNA alone. There are all sorts of issues that we will not have time to go into now. For example, it is not clear to us how the citizen asserts his or her right to have DNA material deleted. The whole thing seems to have been written from the point of view of the authorities who want to be sure that the advisory body referred to in the Bill is wider than just the law enforcement community. There are practical questions. Where DNA is being processed in bulk or in sets, what is the mechanism for deleting individual DNA records when they may be part of a set? There is a lot of detail to work through.
My first question is not the one that I was going to ask, but you have just said that there is evidence to support three years and the Scottish arrangements. I do not expect you to go through that evidence now because we do not have time, but could you send it to me? I cannot find it.
We are dealing with the Crime and Security Act 2010 that will introduce six years, although it has not yet come into force, and the Bill before us. Do you say that the evidence supports the Bill or the 2010 Act?
Mr Graham, may I clarify a point with you? You said that the police national computer records should be amended if DNA profiles are removed from the DNA database. Is that in relation only to people who are unlawfully arrested or mistakenly arrested as in clause 1, or does it involve anybody who has been arrested in relation to a crime but not charged or convicted?
Christopher Graham: If the DNA trace is deleted, we should also delete the entry on the name database. It is absolutely routine and understandable for the police to access the police national computer to see who they are dealing with. We do not want a situation where the DNA has been deleted but there is something on the name database, so the policeman or woman immediately treats the individual concerned, who is innocent of the previous offence, as “probably” or “likely to have.” It is that sort of thing. If it is logical to get rid of the DNA trace, it is also logical to amend the main database. You do not have to then get rid of a lot of intelligence information surrounding it; it is just that routine entry on the computer, which is what the police officer consults at the point of questioning or detaining.
That is what I want to clarify. My understanding of the current practice—setting aside DNA—is that an arrest would be recorded by the police, so if the same person were arrested on a future occasion, that would be on the database. If no action was taken against them on that previous arrest, are you suggesting that that information should not be there?
David Smith: That is right, but what we are saying is to put the clock back to where it was before we had indefinite retention of DNA. The only reason the arrest record is kept indefinitely is because it is the link to the DNA on the national DNA database. The principle should be that, once the DNA is not kept, the information on the police national computer should go as well. It is not immediate. We are talking about prescribed offences and there is a three-year period with a two-year extension, but the same basic principle applies to arrest records on the police national computer. If I was arrested 25 years ago for shoplifting but it was never proceeded against, come on, that should not still be on the police national computer 25 years later.
I have one very brief question. What is your understanding of the process that police follow if they want to extend the length of time that they retain someone’s DNA? I am talking about someone who is not charged but arrested for a violent or sexual crime, whose DNA is retained and, at the end of the three years, the police want to keep it. This is an innocent person whose DNA the police want to keep for an extra two years. What is your understanding of the process that they have to go through then, and do you have any concerns about it?
I want to develop one of the themes that you were both addressing in relation to the deletion of records. Will you comment on the discussions with the Association of Chief Police Officers, to which we were referred during Tuesday’s evidence session? Are you currently engaged in those discussions as part of a practical way of addressing some of the issues that have been highlighted?
Christopher Graham: We have very good relations with ACPO and meet them frequently. I attend the ACPO conference, which is an example of the effective liaison between different agencies. We do not always agree, but I am sure that, within the context of the Bill, if it becomes an Act, we will sort out whatever needs to be done.
Taking you back to the previous comments that were made in relation to the Crime and Security Act, I remember that, at the time, the Information Commissioner’s Office expressed concern that those provisions on six-year retention—as it was then—were not proportionate and did not go far enough. Presumably, from what you have said this morning, that is still your view. Will you expand on why the approach in the current Bill is more appropriate and proportionate than what existed in the previous one?
David Smith: I am trying to cast my mind back to the evidence that we talked about. The evidence showed a graph of reoffending tailing off quite quickly after an initial arrest, at least for most areas of crime. Although the period for the previous legislation was six years, we thought that the graph had tailed off, to the point where the balance was right, at three years. You have gone for three years, with an extension to two years, which seems to us to be about right and to fit in with the evidence. I emphasis, however, that the evidence continues to be developed, so let this be reviewable and not wedded in stone, as we get more evidence to base our decision making on.
Coming back briefly to the issue of DNA deletion, I wanted to be certain on what you require to have happened from a data protection point of view. Under data protection, if someone asks for something to be deleted, you want it to be deleted in its entirety. Or do you? The process starts with a sample, which may involve more than one person’s DNA. If, for instance, you do some sort of analysis and arrive at one sample at the end, which is computerised and easy to delete, and you can delete the reference on the police national computer at the same time, how far back upstream do you want the deletion to go, in terms of getting rid of anything that is held?
Christopher Graham: I suppose, if the point we were making about deleting the name and association with the incident on the police national computer is followed through, it would have to be all the DNA that related to that. This is getting into the level of detail that we would need to discuss with ACPO over the coming weeks and months to get a better fix on the mechanics of the thing. We want to be clear that it is a question of having a proportionate response. A wholly disproportionate response would be to have an Orwellian nightmare of everyone’s DNA being on the computer. Through that, you would always be able to identify who has done the crime, if you have any DNA from the crime scene, because, hey, we would all be on the computer. No one is suggesting that, thankfully.
We have to get that balance between the rights of the individual and the rights of society. We feel that the Bill, by moving that little bit further, is acting in the interests of the individual citizen and is setting the line at about the right place. There is, however, a lot of detail to work through, which I suspect will not be specified in the Bill. There may be orders to be made under it and codes to be produced and so on, but if you set the principle where you are suggesting that you will, we think that that is going in the right direction, and we would then discuss with colleagues how it ought to be implemented.
You keep mentioning the Scottish way of doing things, but Scottish law is not the same as that in England and Wales. Have you taken into consideration that we have a third verdict available in our cases? One of the reasons I have been given that the extensions have not been asked for in Scotland is simply that the process that has been put in place for the extension is too cumbersome and lengthy and, in effect, you are tipping off the person that you are trying to investigate.
But it is not evidence-based in relation to the verdicts that are given. You keep talking about the need for evidence, but that is an English way of looking at things. There is a certain amount of perception in Scottish law.
Christopher Graham: Evidence-based regulations are what we are talking about. There is evidence in a court of law and there is evidence that a regulator takes into account when deciding whether an action is proportionate. Our feeling is that the Scots have got it about right. The Bill is putting things more in the direction of where Scots practice is at the moment, and we think that is a good judgment.
Moving away from evidence, I have a couple of practical points to make. There will be a new commissioner, although the commissioner for the retention of the material will, as I understand it, work on the grounds of national security. I suppose not, but do you expect there to be any relationship between that commissioner and yourself? Secondly, a DNA strategy board will be set up to oversee what is going on. Do you see a role for yourselves, in terms of the relationship you have with that new board?
Christopher Graham: It is absolutely essential that the various officials charged with implementing different aspects of the Bill talk to each other and co-ordinate. It is also essential that the legislation itself is clear about the different regimes that are being proposed. A lot of work can be done in the Committee to tidy up grey areas, or areas of confusion. Once the Act has been passed, however, it will be up to the commissioners—and I am very happy to take the lead in getting this together—to liaise closely, have good working relationships, clear understanding, memorandums of understanding and so on. We are not all doing the same thing, but we need to synchronise our swimming, and I am sure that we will.
David Smith: We have observer status on the present strategy board. We declined an offer to be a member of it, because we thought that being a member of that body would compromise our independence. However, we would very much welcome the opportunity for that observer status to continue, and for our views to be put to it.
Could I ask you about the safeguards in the Bill, relating to the need for both parents to give written consent to the use of biometric data? I am particularly interested in the child’s ability to override parental consent. I wonder about the practicalities, especially when you are dealing with very young children—a five-year-old, for example. Obviously, the definition of child in the Bill goes up to the age of 18, so there is a wide age range. How would that work?
Christopher Graham: We very much welcome the greater clarity that the Bill offers. We got a lot of stick in our interpretation—although it was a pretty obvious interpretation—of the Data Protection Act, in relation to how things stood before. People wanted the law to say something different to what it actually did. Now, Parliament is catching up, and it is passing a specific law on this issue.
It is not easy. There may be circumstances where both parents are not together or are not available. With an older child, you may get a situation where an older child is perfectly happy to be fingerprinted but the parent does not agree, or vice versa. It is tricky, but it will be better than the current situation. What would be even better would be absolute clarity about the school’s policy, because very often, the withholding of consent is based on misunderstanding, upset and suspicion. We want schools to be absolutely clear and to make it clear, we would say, in their privacy statements what their policy is. That would be a freedom of information requirement in the school’s privacy statement, saying what they are doing about fingerprinting as a security measure in school.
By the way, it would be very welcome if the Bill would also mandate public authorities to put their privacy statements online. That would get around the point that was raised in an earlier sitting of the Committee, which was that every school that is fingerprinting children should notify the Information Commissioner—I could do without that. Let us have it as the privacy statement on the website, and then everybody will be clear.
Do you think that the area of fingerprinting children is one where we have allowed ourselves to be too dazzled by the possibilities of technology? It seems to me that we risk depersonalising children from a very young age by subjecting them to technology. Do you agree, and do you think that that has profound risks?
David Smith: There is no doubt that when fingerprinting in schools first came out, it was a difficult issue for us. There was very much the feeling that using fingerprints in schools stigmatises children, that it is a police system, and that children would get used to giving their fingerprints away in schools. Does that somehow make children more willing to give their fingerprints away all over the place, as well as making them susceptible to surveillance and less questioning of policing and society? When you come down to a hard data protection analysis of rights under the Act, it is very hard to build that in. I think that is one of the reasons why our approach has come in for some criticism, so we very much welcome the measures in the Bill. It impacts on family rights as well, and it is right that Ministers and Parliament make the decisions.
Our approach drives you towards protection of the data subject. It is the child’s fingerprints that are kept, not the parent’s. That is why we say that it is the child’s right, and the parent steps in only when the child is not capable or needs help to make a reasoned decision. But there are wider considerations. We can see that they come into play. There is a balance between bringing parents into the decision making and remembering that it is still primarily the child’s choice, and the child’s information.
Christopher Graham: Technology is advancing, and a lot of the functionality that we value is driven by harvesting our personal information. The key is that we get the information to understand what is going on, and to express choices and say, “I’m opting out of that because I don’t want that service on those terms.” That is where the whole online world has to grow up and recognise that we have got beyond the wow factor, and that we are not just kids in a sweet shop who are delighted by everything we see and saying, “Let’s have more of it.” We are starting to ask questions, both as citizens and consumers, and the online providers have to factor that in, because we are going to start picking and choosing between services based on who respects our privacy and who respects us as citizens and consumers, as opposed to just factors in some digital game.
Can I return to the child having the right to override the parent? The Bill as it is currently drafted, unless I have read it wrongly, allows a five-year-old child to object. The Bill specifies up to 18. I just want clarity from the Information Commissioner’s office. Although we might say it could happen at 16 and 17, and perhaps at 15 or 14, presumably you would not expect an infant to be able to override a parent, would you?
Christopher Graham: With the way the Bill is written at the moment, yes, that could happen. The trouble is that you get some adolescents who behave very young for their age, and then some younger children who are very sophisticated for their age. It is difficult to draw a hard and fast line. The key thing is that if schools were more open about what this is all about, they would have the willing co-operation of parents and children. It would just be understood that this is the way we do things to make the school run properly and so on. I am not here to make the case for five-year-olds withholding their consent.
On criminal records, having read your written submission, would I be right in saying that you broadly support the principle whereby the individual is given access to their criminal records and information against them before they are provided to the employer?
Christopher Graham: Yes, although we are worried that unless the Bill is strengthened, the employer will find an alternative route for getting what it might not get through Criminal Records Bureau checks, which is what we call enforced subject access requests, by saying, “Do you want this job? I can’t get the information that I want. Tell you what—you exercise your subject access request and then show me what you’ve got or you don’t get the job.” There are provisions under part 5 of the Police Act 1997 that remain to be commenced. If the Bill goes through as currently drafted, it is absolutely essential that the opportunity is taken to commence those provisions to make it a criminal offence for an employer to force a prospective employee to collect their own information and share it.
I welcome the opportunity to get your views about the overall arrangements for the vetting and barring scheme, and the criminal records regime. Are they more proportionate? Is it your view that the totality of the vetting and barring scheme, and the Criminal Records Bureau regime, will improve matters?
David Smith: We are, yes. We would like to see some of the other aspects of Sunita Mason’s review of criminality taken forward as well. She has come up with a lot of recommendations and they are not all in here. We hope that is not the end of the story but, very much as the commissioner says, this is the right direction of travel.
Can I follow up that point about Mrs Mason’s recommendations? Would one of those that you would like to see implemented be the sector-specific criminal records check? Is that one of the recommendations?
When she gave evidence earlier this week, she talked about the criminal records check for employment in the children’s sector being specific to that sector, and thus involving any information that was held to do with working in the children’s sector. If you worked in the vulnerable adults sector, the information would be specific to that sector, rather than it being just a general criminal records check.
Christopher Graham: Yes, we would support that position.
May I draw the Committee’s attention very briefly to one other aspect of this? Regarding the proposal in chapter 3 of part 5 of the Bill to disregard certain convictions for offences that were illegal at the time but are not illegal now, there is a bit of misunderstanding here. We are very strongly in favour of the police disregarding and deleting references on the police national computer to those offences that would not be illegal today. It is a matter of great concern that individuals’ lives had been blighted for something that they did pre-1967, or subsequently, that then dogs their future employment prospects and so on. We are not suggesting that the deletion of those records and the Criminal Records Bureau check not showing that up means that you somehow rewrite history. This is not the Ministry of Truth and it is not attacking the National Archives, but it is stopping people’s lives from being wrecked many years after for actions that would now not be illegal.
When Mrs Mason gave evidence, she was not sure about the answer to this point. I asked her about group applications for CRB checks, which happen quite a lot when certain areas are brought into the system, such as airports. In the case of airports, there was a big rush and there were lots of complaints in the press about it. The airport authorities were paying for these checks. Where does it lie with what you were saying about the individual not needing to disclose what they have got when it is a company that is meeting the agreements in law? Why should the company not get it? It is paying for it.
David Smith: When there is a legal obligation for a check to take place, as is the case for people who work with children and in certain areas such as airports, where there is security, there is not a problem. Employers should have access, and employers should pay for it. The problem is with employers who do not have a legal right simply saying to the individual who comes to them for a job, “I want you to go and use your subject access right under the Data Protection Act to get a copy of your criminal record, and then show it to me before I offer you a job.” That is what we want outlawed.
Mr Frankel, a warm welcome to you, and thank you very much for being with us. May I remind everyone that we have to conclude at 10.25 am, so I ask for concise questions and answers?
Maurice Frankel: Yes. I think the measures on data sets—to require that they be released in a reusable form and not subject to copyright restrictions—should be extended more widely. Because of the way in which this policy has come forward—it is from the Government concentrating on measures to encourage the release and reuse of data sets—the problem that they have identified is not specific to data sets. It is that authorities release information and then assert that their copyright in it remains, and that the user must apply to them for written permission to publish the information they have received. That means, for example, that if I apply for information in order to incorporate it in my evidence to you, before I am allowed to do so, I must go back to the authority, having got the information out of it, and ask for its permission to circulate the information to Members of Parliament.
Maurice Frankel: I think the Government already have that in mind for data sets. I understand that the intention is that the existing open government licence, which was introduced in September or October last year—or a slight variant of it—will be used for these data sets. I think that is a very positive step. I am suggesting that the same approach should be used for policy documents released under the Freedom of Information Act, and information about performance statistics.
When you look at the releases, there are quite extraordinary cases of innocuous information that the authority will not allow to be released into the public domain. The authority instead insists that the information is for the requester’s personal use only, unless they get copyright permission. I am talking about an NHS trust that released information about the number of cases of chemotherapy in a year, but attached a copyright statement and warned of the risk of legal action against anyone who did not follow it. Child abuse policy is being disclosed in that way. We get information about the number of staff employed exclusively to enforce the smoking ban. The answer is zero, but then there is a copyright statement.
Official statistics are not included with the raw data, are they? Can you say a little more about the form in which you think data should be released? In terms of freedom of information, is the real issue not releasing data in such a way that people can use them, and then be able to cross-match? The easiest way to do that is if it is electronic, but there is no requirement for that.
Maurice Frankel: They express a preference, and the authority is required to comply with that so long as it is reasonably practicable to do so. There may be cases in which there is a vast amount of paper data and putting that into electronic form would be a disproportionate amount of work that the requester could just as well do themselves. I think I am in favour of wider changes to the way in which requesters can ask to have the information supplied to them. They can ask for it to be supplied electronically and in hard copy, but at they moment they cannot ask to be supplied with a photocopy of the original document in which the information was contained.
Is the implication of that, Mr Frankel, that the original documentation could be one thing, but some things could be missed out when you get the electronic version?
Would your suggestion be that the Bill could be improved by requiring somebody to ask for the original documentation on which the raw data that they were going to be given appeared?
Maurice Frankel: By permitting them to specify that they want to see copies of the original. For data sets, we are talking about information that the authority has put into a form that allows it to see a trend or to compare data from different areas. The assumption is that it already holds the information in that form, and when disclosing the data, it must make them reusable and not impose copyright restrictions on them—that is all fine. I am suggesting that a change should be made to the preference that the requester is allowed to express when asking for the information so that they can say, “I want it in that form.” There is at least one other necessary preference that is missing from the legislation at the moment, which is for someone to be able to say, “I want to see the policy documents or the internal correspondence in the form in which they existed. If something has to be blacked out because it is exempt, fine, but I want to see the document, rather than having it printed out again on a blank sheet of paper with no indication of where anything has been left out.”
Mr Frankel, do you have any examples of the way in which the original definition of a publicly owned company was, in your view, getting in the way of getting information out into the public domain?
Maurice Frankel: The fact that a publicly owned company had to be 100% owned by a single public authority was always problematic. The previous witnesses gave evidence about the Manchester airport company, which is a good example. We believe that it could be extended beyond companies wholly owned by several public authorities to companies that are wholly owned by one or more public authorities together with a private partner. There is an increasing trend towards setting up companies in such a way.
Whether for educational partnerships, regeneration partnerships, and so on, a number of local authorities plus a commercial partner may set up a company effectively to carry out a public function, or sometimes a public authority’s function. Because a private partner is involved, the body will not be subject to freedom of information, even under the extended definition that is being introduced by the Bill.
Maurice Frankel: The legislation on the royal family was changed just before the election to remove the public interest test in relation to an existing exemption. The public interest test was removed for information relating to the monarch and the next two in line to the throne. I regret that, because, although to date very little has been disclosed under that public interest test, the fact that it is there opens the door to the possibility in an appropriate case that the information would be disclosed. That possibility has been removed.
This is a general question. What do you think about the Bill’s changes to the appointment and tenure of the Information Commissioner? Do you think it will strengthen the independence of the role? Do you think it is a good step forward?
Maurice Frankel: Removing the temptation for a commissioner to apply for a second term, and removing the Government’s power to allow or withhold that extension, is a good thing. I agree with what Chris Graham and David Smith said before: five years then becomes a short period of time. You may have a period of up to a year before a new commissioner is reasonably on top of the subject matter. If the commissioner goes at the end of five years, you probably have at least six months at the end of the tenure when he or she is seen to be winding down. With a five-year fixed period, you lose a reasonably large chunk of time in which an effective commissioner is in place.
So that I am not misrepresenting you, at the moment the Bill says it is a five-year term, and your view is that there should be the possibility of a further one or two years.
Maurice Frankel: I would prefer it normally to be at least an extra year to allow for the time in which the commissioner is learning the ropes. When Chris Graham took office 18-months ago, he said that for the first six months he would not be talking to people outside or doing much by way of public appearances, but would be learning the ropes. I think that that was a perfectly reasonable thing to say. He was acknowledging that there are a lot of complex issues and he needs time before he is on top of them.
The Bill takes away quite a number of the powers of the Secretary of State with respect to the Information Commissioner. What powers do you think the Secretary of State should retain? For example, we can make somebody completely independent and almost say, “There you are”. What powers, if any, should the Secretary of State have vis-à-vis the Information Commissioner?
Maurice Frankel: I am not particularly in favour of the Secretary of State having significant powers once they have appointed the commissioner. His use of funds is subject to scrutiny and audit anyway, and his use of the powers is subject to judicial review and other controls. I hope that there is not much of a role for the Secretary of State in relation to endorsing what the commissioner does with his existing powers.
What about the charging regime? I do not know whether you were here when we talked about the ability of the commissioner now to charge for more of the functions and services that they supply. To be fair to Mr Graham, we have already said that we are not talking about commercialisation. This might not be true with him, but supposing we go down the road, and in three or five years somebody can start to make money and says, “If I make money on that, I can invest in a better computer”.
Maurice Frankel: I do not object to going to a commercial conference, sending a team and asking them to pay some of the costs, but once it becomes an income-generating arrangement, it is probably overstepping the mark. The commissioner already receives quite a lot of money in terms of data protection notifications.
What about the idea that we are starting to see a multiplicity of commissioners? In the Bill, there is a commissioner for biometric material—we will clarify this, because it is perhaps just for national security—a surveillance camera commissioner and so on. What do you think the information will be with respect to the Information Commissioner and those others?
Maurice Frankel: The commissioner has a dual role—two important roles—at the moment, which is freedom of information and data protection. It is helpful for him to combine those roles, because the area of freedom of information that has been very problematic is its overlap with the Data Protection Act and requests to see people’s names. For example, the issue of officials’ names is hotly contested. It has been helpful to have a commissioner responsible for both sides.
Maurice Frankel: Five or six additional sets of functions would not necessarily improve my area of work—freedom of information. There is a danger. What we have seen with data protection over the past two years is that as Government Departments have been found to have lost a lot of data, the commissioner’s office has devoted more and more attention to those issues. That is perfectly fair, but, possibly, sometimes those resources come from freedom of information.
Are you disappointed that the Bill does not get rid of the ministerial veto, or do you think that there are circumstances in which Ministers should be able to exercise a veto?
Maurice Frankel: I would rather not have a ministerial veto. We have been opposed to it from the outset. If there is a complaint to the Information Commissioner, and the Government do not like the commissioner’s decision, they can go to the tribunal. Thereafter, they can go to the Court of Appeal and the Supreme Court. I wonder what the role of a ministerial veto is in those circumstances, particularly as it appears that not only technically might Ministers be able to veto a decision of a tribunal, but it is an open question as to whether Ministers might be able veto a decision of the Court, which would be constitutionally extraordinary. Given how the Bill is written, a decision on public interest grounds can be vetoed by Ministers.
Maurice Frankel: Yes. There are a lot of things on freedom of information that we would like to see improved. A critical thing at the moment is measures to speed up the handling of the whole process so that the delays that sometimes happen at the hands of public authorities are removed. The commissioner has been responsible in the past for delays himself. He has done quite a lot to remove that problem, but we want to see that process encouraged and not affected by the financial constraints that the commissioner, like everyone else, is coming under.