I have just read the uncorrected transcript of the Information Commissioner’s (IC) evidence to MPs last week. There are several other important points which have been largely unreported; hence this blog.
As well as the custodial section 55 offence (see last week’s blog), the IC wants a strengthened offence in the Freedom of Information Act (FOIA). He also has serious doubts as to whether the changes in the Freedoms Bill (e.g. to CCTV, DNA, criminal record disclosure) will actually deliver enhanced privacy benefits. Finally, the ICO wants more independence and a more flexible approach to the funding his office.
The IC would like to see attention given to section 77 offence in FOIA. This section creates an offence if anyone tampers with information that is subject to a request under the Act (or obstructs that request). The section also extends the offence to include tampering with personal data that has been requested via subject access procedures. (Note: this offence only applies to data controllers that are also public authorities).
The problem is that the s.77 offence is triable only in the Magistrate's Court. However, under section 127(1) of the Magistrates Court Act 1980, proceedings for all such offences must be brought within 6 months of the offence occurring. Given that before the Commissioner considers the offence, there has to be a request to a public authority, a refusal and an internal review, then by the time the ICO looks at the matter in detail, the six-month deadline is often well passed.
In practice therefore, this offence is not an offence. That is why the IC told MPs: “instead of being an offence that is prosecuted in the Magistrate’s Court, it ought to be an offence that is prosecutable either way in the Magistrate’s Court or the Crown Court”.
Criminalising those who deliberately set out to evade FOI responsibilities and ignore FOI requests will get nowhere; especially if the idea is mooted with emailing Ministers such as Mr. Gove, Secretary of State for Education.
In relation to the Protection of Freedoms Bill, the IC points out that the initial enthusiasm of Government to curb the intrusion into privacy has faltered somewhat. He says:
• “We have concerns over the DNA regime where it relates to innocent people or people who are no longer of interest to the police, where it is proving very difficult to get a solution that ensures that the record on the police national computer also gets deleted.”
• “I have concerns around CCTV and automatic number plate recognition, where the consistency and comprehensiveness of the approach are concerns. I don’t see how it runs alongside the Information Commissioner’s code for CCTV. It is a regime that will apply not to every sector in England and Wales and so on”.
• “I am concerned that the proposals on criminal records disclosure don’t really seem to be taking into account the recommendations of the expert adviser who produced the report “A Balanced Approach”. The approach seems to be anything but balanced.”
The IC added that he was “still hoping that we will get a better solution for filtering out old and minor convictions from employer vetting checks” and that “it was absolutely vital that we get progress on what we call enforced subject access”. This latter offence in the Police Act 1997 has been available to be commenced by Home Secretaries for over a decade.
The IC is also concerned about “spamming texts” when they say something like “Our records show that you are in line for a compensation payment of £4,750 for that accident you had. Text CLAIM or STOP". The problem is, the IC said, was that “if you text either, you are confirming that you are there and providing a marketing lead, because these are randomly generated texts”.
The IC added that “We are working very hard with OFCOM and the telecom companies to try to get to the source of these spam texts, but it is a bit like looking for the launch sites of V2 bombers in the Second World War”. I don’t buy this explanation at all: telecom companies that do not know who is using their network. Come off it – they charge for texts don't they?
The IC stated that the illegal trade in personal data was a practice “that could apply to insurance companies, garages, car hire companies and towing companies” because “all appear to be sources of information, usually paid for by the claims management companies who collect the information”.
Then the IC ironically added that “We are trying to find out from the Association of British Insurers what they have to say about that, and frankly they are not being very helpful at the moment”. In addition “We have invited a number of insurance companies to undergo voluntary auditing and, surprise, surprise, they are not interested”. My take on this is as follows: if the IC cannot “invite” data controllers in the insurance sector to discuss this issue, the only option open will be to enforce the Act as soon as there are any reasonable grounds of suspicion. So don't be surprised if that happens.
The IC wants more independence from Government. He said that “my problem, if it is a problem, is, if I am not seen as an officer of Parliament, reporting directly to Parliament, I have to negotiate my way through with many other Departments of State. ... I have to get a tick on anything I propose to do”. The Government is expected to publish a document about the independence of the IC in the very near future.
The IC also highlighted “the unsatisfactory nature of the hybrid funding that funds the IC with three quarters of the money coming from notification fees for data protection and a quarter coming from grant in aid for freedom of information”. He complained that his office “spending far too much of my time trying to work out apportionment of costs between FOI and DPA in order to keep the National Audit Office happy” and he “cannot treat information rights as the seamless project that it is”.
Another way of seeing this is that he wants private sector data controllers fund his role as a public sector FOI regulator. I can’t see this happening. However, having a separate and larger registration fee for public authorities (i.e. above the current £500 maximum) could work.
Finally, the IC was asked:”what was at the top of his wish list”. The IC responded that it was “implementation of sections 77 and 78 of the 2008 Criminal Justice and Immigration Act” and the custodial section 55 offences. That was discussed in spades in the last week’s blog.
References
Read the ICO’s evidence (uncorrected): http://www.publications.parliament.uk/pa/cm201012/cmselect/cmjust/uc1473-i/uc147301.htm
Update and courses
This autumn, we have data protection courses in Leeds, London and Edinburgh. full details on the Amberhawk website
Next Update is October 17th 2011 in London. The guest speaker is Kuan Ho: "Every Cloud has a Data Protection Lining"; Rosemary Jay, from Hunton and Williams will be analysing the data protection fallout of the hacking affair. Sue Cullen and myself will be delivering updates on the usual "what's new" matters (e.g. enforcement, undertakings, FOI/DP interface and news roundup). £195+VAT per place: full details on the Amberhawk website (www.amberhawk.com).
In that Select Committee session, the IC mentioned the new Framework Agreement with MOJ. He thought it might ease some of the problems to do with advertising spend etc. It may be useful to note in the comments that the new FA has just been published:
http://www.parliament.uk/deposits/depositedpapers/2011/DEP2011-1486.pdf
It would seem the FA allows the IC just to "have regard to" such government programmes. But the FA isn't providing as much freedom as the recent FA signed between MOJ and the new HMCTS:
http://www.official-documents.gov.uk/document/cm80/8043/8043.pdf
Also, the Home Office also stamps on the idea of a combined commissioner dealing with surveillance, interception, data protection in its recent response to HASC:
http://www.official-documents.gov.uk/document/cm81/8182/8182.asp
Posted by: Bob Wyllie | 23/09/2011 at 12:00 PM