Interview with Deputy Commissioner David Smith
Struan Robertson, Editor of OUT-LAW, interviewed David Smith
on 9th January 2006. Mr Smith assumed the role of Deputy
Commissioner with the Information Commissioner's Office on 16th
January 2006. Here is the transcript of that interview.
What are your short term and long term goals in your new
post?
There are two Deputy Commissioners here, one principally
responsible for Freedom of Information and one principally
responsible for Data Protection. Data Protection is my area and, in
terms of the priorities we are looking at, there is a particular
emphasis on providing clear, straightforward guidance to people on
how to deal with data protection issues.
There has been a lot of concern about Data Protection being sort of clouded
in mystery, being used as an excuse that people hide behind for not
co-operating. So we are taking forward our programme to get over
guidance which really helps people and addresses their
problems.
Is your plan to produce more guidance or is the focus to
make it clearer – or both?
It's to get it clearer. So, if you like, the volume of guidance
isn't what the drive is. Clearly there will be some additional
material available, but there is lots of it that we will also be
improving on, stuff that we published in the past, and indeed there
is some guidance which goes back to the old 1984 Act which we
haven't updated to take into account the current law.
But we are not just working through a list for the sake of it;
we want to be guided by what people are looking to us for help
on.
Now quite a lot of that we pick up through calls to our
information line, with the sorts of enquiries that come in. But if
organisations or trade bodies have areas in which there is
particular difficulty, with which they would like some guidance,
then we would be very pleased to hear from them. What's most
important to us is that it is relevant and useful for businesses
and members of the public.
You take up the post next Monday…
Well I have really taken it up now.
…So is there any guidance that you are working on at the
moment that you can tell us about?
Some examples include notes on data protection issues for
pension trustees; for those selling databases commercially;
professional opinions – such as those of doctors and social
workers; and the automatic renewal of credit cards.
What do you make of the way the Government is addressing
privacy concerns? Has it taken a responsible approach to issues
like the Children Act, ID Cards and Data Retention?
We certainly have some concerns about the number of different
initiatives that are taking place which have an impact on, or
intrude on, people's privacy.
With the children's database there is a real problem that needs
to be addressed. It has come out of all sorts of enquiries into the
harm that children have suffered and there clearly is a need for
services to work better together, much of which they can do within
the Data Protection Act as it stands. But we wonder whether setting
up a comprehensive children's database of all the children in the
UK, with all the privacy implications that has (because that could
follow you for the rest of your life), is a step too far.
So I think what we are saying to the Government is, firstly, we
want to work with you. Privacy and data protection are important
aspects of any project of this nature that should be sorted out at
the early stages. Whatever proposals are designed should be
designed both to achieve whatever aim it is – protection of
children, protection of vulnerable people – and also as far as
possible to protect privacy.
I think we have some doubts as to whether the protection of privacy
is always given the attention it deserves. It's sometimes an
afterthought, rather than a part of the initial planning. And,
indeed, that's one of the things that's going on my agenda,
certainly for the medium term, to try and work with Government to
get the concerns of privacy and data protection built in at the
early stages of any development of that nature.
Some of these concerns were made public by the
Commissioner's office; but the response from the Government doesn't
seem wholly satisfactory, does it?
I am not sure what particular areas you refer to.
I mean, for example, on ID cards: the Commissioner
expressed the view that there was a lack of safeguards for privacy
at the time that the bill was first published. It seems to me that
the Government hasn't really taken any notice of that. The
Government seems to be pressing on regardless. Is that something
that is a concern, or is that something that you just accept as the
Government's prerogative?
No, we still have some concerns about the ID cards project.
There is no doubt that some of them have been addressed, but not
all of them. I don't have at my fingertips the exact issues that
are outstanding but you are absolutely right, not all our concerns
have been addressed. A lot of them go towards not so much the card
itself but the database that sits behind the card. In particular
the footprint of your life which will be there – because when you
use your card, that will be recorded on the database. So there will
be a record of when and where you have used your card. It's how
that information would be used, access to that information, which
is of particular concern to us.
One of the recent Good Practice Notes that came out was on
employment references (2-page / 28KB PDF). Do you think there
is a case for saying that all employee records should become
subject to the Data Protection Act? It seems to me that we have an
artificial distinction, particularly in light of Durant, between
highly-structured manual filing systems and other types of filing
system. That seems like a loophole there to be exploited by
unscrupulous employers wanting to keep certain information away
from employees: just keep anything that might be regarded as dodgy
material in an unstructured manual file, in a way that's never
going to come to light.
Yes, I mean that's certainly got to be a possibility. There is
also the question of our desire, if you like, to make life as
simple as possible for businesses.
And a simple rule that either the information is covered by the
Data Protection Act or it's not is certainly simpler... There
are arguments for clarifying the law in this area, yes. But whether
the Government is likely to be moved in that direction I would have
some doubts at the moment, given that the emphasis is not on
further regulation but on the reduction in regulation or
simplification of regulation. If anything, bringing more records
within the scope of the Act could only be termed as further
regulation.
But would that not be of greater protection to the
employee's privacy?
Yes, there can be no doubt that it would improve the protection
for individuals. If any employment records were covered by data
protection provisions, that's right.
The Good Practice Note that came out says that if you
hold the reference in a way that is covered by the Act, you must
consider a request for a copy under the normal rules of access.
Well that suggests that if I am going to write a reference about an
employee, it is in my interests to send that by letter rather than
by email because it makes it less likely that it gets covered by
the Act. Would that be right?
I would say that would be right, yes.
It seems a slightly artificial distinction. So do you
think there is a need to change that, even if we didn't go so far
as to say that all employee records were covered by the
Act?
What would be needed would be a change in the law. Now, if there
are to be changes in the law, there are a number of areas where the
Act could be improved or made simpler, or both, and that area is
certainly one of them.
What I am a bit reluctant to do is base our approach in the
short and medium term on there being changes in the law. I don't
know that it is very likely that there will be significant changes
in the law and those are in the hands of the Government. In our
hands [is the task of] clarifying the requirements. So long as we
can [provide] simple guidance explaining what the current law
is.
But presumably you are in a good position to lobby the
Government? You would have the Government's ear if you were wanting
to make the point that the current position is needing
amending.
There is no doubt that we have the Government's ear; but they
are aware of a number of areas where not only ourselves but the
Government as well would like to see some improvements in the law.
But the parliamentary timetable, as you know, is very busy.
I am not trying to put you off and say we are not interested. I
am just trying to say, if we set our stall out on the basis of
changing the law, it's going to be some time if ever before we make
real progress. We are concentrating our efforts on working with
what we've got but at the same time bearing in mind that, yes,
there could be improvements, and whenever the opportunities arise,
to promote that by pushing those forward.
Can I give you a practical example of a question we were
asked by somebody?
Yes…
…An employee suspected he had been subjected to covert
monitoring by private investigators who were being instructed by
his employers. He sought access to the records of the surveillance
and this was denied on the grounds that it's not personal data to
which the Act is applying. Presumably if there was monitoring going
on, the information was not being held in a format to which the Act
applied.
Do you find that there are a large number of cases where
you receive complaints and you simply have to say that you can't
help because this was an unstructured manual file or is that a rare
thing?
No, it's not rare and, again, I wouldn't have the exact numbers
to hand, but that happens. We receive complaints about information
which it turns out is in paper records which are not covered by the
Act – that's right. I mean, I can only agree with you that
additional protection will be provided for individuals,
particularly in the employment area were all records to be covered.
And don't interpret me as saying in any way we would be against
that, but what I am saying is that just sort of lobbying Government
to achieve that is not number one on our list of current
issues.
Obviously we are trying to get the existing law to work well
first before we look at extending it.
So I guess in the short term we shouldn't be expecting
to see any further guidance on that kind of point, is that fair to
say?
No, I mean one of the areas we are looking to provide further
guidance on is what is covered by the Act. I mean, [our recent
guidance] deals with references, but you are aware of the Durant
judgment, and it is a question of what is personal data and what
isn't; and we produce and still have available guidance on the
implications of the Durant judgment. But what we are going to
produce is, if you like, new guidance on what is covered by the
Act. The Durant judgment was more about what is not covered, if you
see what I mean, so [we're] starting not from a court judgment but
from simple guides on what's in and what's out on the basis of the
Act.
We do have some concerns that in some quarters, people seem to
have interpreted the Durant judgment more restrictively than we
think it should be – although that is more on the question of what
is personal data rather than the relevant filing system question,
if that makes sense to you.
You published guidance after Durant (11-page / 98KB PDF). Perhaps you could
confirm: did the European Commission threaten proceedings for
non-compliance with the Data Protection Directive if the
Commissioner doesn't change that guidance?
No, I mean that's not quite the position. The European
Commission has threatened action against the UK Government for
non-compliance in implementing the Directive. They've focused on a
number of areas and that is one of them, the question of what is
personal data, that's right. I understand discussions are still
going on between the Government and the Commission on that.
A colleague of mine made a FOIA request for letters from
the Commission in relation to that and the request was refused by
your predecessor, Francis Aldhouse. Is that position going to
change?
No, I can't see that that position will change and I think our
position on letters has largely been that this is correspondence
essentially between the European Commission and the UK Government
which we have been copied in on. So the place to seek access to it
from is either the Government or from the Commission.
Have you any opinion on whether the UK Act is properly
implemented?
We have some doubts ourselves which we have expressed to the
Government and particularly in some of the areas concerning our
powers. As you may know, we don't at the moment have a statutory
audit power, a power to go into a business and check their
compliance. Now that's a power that most, if not all, our European
equivalents have – and we have expressed doubts as to whether the
way in which the UK has implemented the Directive in that area does
comply with the requirements of the Directive.
I would not say that in any areas we've said categorically 'no,
we don't think the UK has implemented the Directive' – but there
are some areas where we have doubts as to whether the UK law fully
complies.
Regarding the new powers you want…
One of them is the ability to go in and look, to make checks…
the other is use of what they term the Stop Now powers, which we
have some powers of at the moment and which we are actively trying
to use – but there are restrictions. We have been in discussion
with the Government about producing more effective powers to bring
about compliance with the Act.
I think our powers are fine where you are dealing with a
reputable business… We can take action against the business as
necessary. They can appeal, a tribunal can hear the case, and
ultimately they will comply with the decision.
It doesn't work so well with those who are deliberately trying
to avoid their responsibilities. They can drag the process out over
quite a long time scale, a lot of which is outside our control when
you get into tribunal hearings and the like, and then sometimes
they can just shut the business down, if the action is successful.
Shut the business down and re-open it under a different name.
And what you would like is an equivalent power to that
enjoyed by the likes of the OFT?
That's right. And we do have it in some areas, but the OFT
powers are related to people in a consumer relationship… and of
course a lot of the people we deal with are not consumers.
If you had that kind of power – like the OFT's Stop Now
orders – would we be more likely to see action against
spammers?
Yes, that would be right.
Did you come across the personal victory of Nigel
Roberts, who sued a marketing company called Media
Logistics?
I did. I saw it over Christmas and was interested in it. I don't
know any more than was in the media reports and would be very
interested to know the basis on which he got compensation.
Well, in the end the compensation was an out of court
settlement and in fact he won his ruling because it was a small
claim and it was undefended. So the merits of his case were never
argued, and although he had prepared extensive documents to argue
why he should be entitled to compensation, he never had to make
these arguments before a court. I think he would have struggled to
show that the damage he had suffered as a result of one email
really did entitle him to any sort of compensation had it gone to a
contested damages hearing.
Yes that's right. Those were my thoughts when I read it: where's
the damage? And I suppose, if you're in business and you've got to
spend your time deleting spam messages, you can argue that there is
some damage.
The difficulty is attributing the act to one
spammer…
Yes, that's right.
…And I think he knew fine well that, were it ever
challenged, he would be on shaky ground. But I felt that what was
nice about it was that he was just standing up and having a go at
it.
Yes, that's absolutely right.
Would you be happy to see more people taking actions
like that?
Yes, we would. We are happy to see people taking more action. I
only hesitate because I wouldn't want to be seen to be encouraging
people to take action which might cost them money and not get them
the results. I mean, we talked about how if it had actually gone to
a proper hearing, and so on, he might not have got what he was
seeking.
So where people have a genuine case, we are very keen that they
should take action – and, indeed, if people want compensation, they
want money, they want some sort of sanction, then it has come
through them taking their own court cases. We can't get
compensation in that sort of way. Our powers are to do with
stopping the action taking place at all. I think the other word of
caution has to be so much of [spam] comes from outside the UK, and
in particular from outside Europe, and then it becomes extremely
difficult to pin down who is responsible and take any action.
Are you receiving many complaints about
spam?
We certainly get some. I would have to do a bit of checking to
get you any exact sort of figures.
But I presume it is not, given the limited powers, a
priority for action?
Not the odd spam, no, but if we got an indication, repeated
complaints about a UK business, then that's the sort of thing we
would look into. Where we could take action, where there are a lot
of people affected, where it is clear that you knowingly were
breaching the law, then yes, that's the sort of thing which would
fall within our priorities of action. I mean, in terms of taking
action, we look at a whole range of things now; but it's a risk
essentially to individuals – so, as I say, if there are a lot of
people affected, if there is a business which is clearly breaking
the law and should know better, then that's something we look to
take action over.
Is there any particular area where we might expect to
see more enforcement action in future?
I am not sure that I can pinpoint any one area… It's also
slightly false to say ‘more enforcement action’. What any business
should find now is that if they are not complying with the law and
there is a significant problem then we get more serious more
quickly. Now, very often when we get to the stage of getting
serious, businesses will concede and take the actions as necessary
– when they see that we really are likely to take enforcement
action...
So a lot of cases get resolved at that sort of stage. We regard
those as successes, in some ways even more successful than having
to go through the formal process of issuing an enforcement notice
and, if necessary, a tribunal hearing. But of course they don't
attract the same level of attention or publicity.
But having said that, because there are more cases going
through, we are taking more cases more seriously. I think there
will be more enforcement cases coming through – but … we haven’t
got any one area in our sights.
We are now also stepping up our audit work. We voluntarily go
out and make checks on organisations. The first area we are
targeting there is NHS Trusts. For fairly obvious reasons there
have been concerns about the use of patient information which is an
area which features significantly in our complaints as they move to
a new electronic health record.
So we are looking to go out to a sample of organisations,
essentially to see what lessons can be learned; in some ways to
lead to some formal sanctions against those organisations; but it
is part of our enforcement process.
One thing that used to get published as part of the
Commissioner's Annual Report were case studies illustrating the
application of the Act to various practical situations. There seem
to be fewer now. Is there a reason for that?
No, there is no deliberate reason. I thought we had some in our
last Annual Report. One of our plans in this regulatory action area
is actually to produce, from time-to-time, a bulletin with some
illustrations of cases in it. The sort of things on which we
don't necessarily take enforcement action, but where we got tough
with the business and they've taken steps to comply. So, yes,
that's one of the things you can say is on my agenda to achieve:
some better information for everybody about the sort of cases we
deal with and the sorts of results which they could use, not just
to show what we are doing and that what we are doing is effective,
but I think people can actually learn lessons from how the Act
applies.
The two areas of confusion that I come across most often
from my perspective of getting queries to OUT-LAW.COM are email
marketing – the whole confusion about opt-in and opt-out, and
website data protection notices – i.e. the need for a mandatory
screen presentation as opposed to an optional link to a privacy
policy. Can we expect any more guidance on either of these
things?
Well, I will certainly take on board your comments there.
There is a difference between mandatory on-screen information
and a link to a privacy policy in that, if [a website] simply says
“to find out what we do, see our privacy policy” then that can be
remote and distant – but equally you don't need to give a full
explanation on screen at the time. I mean, some indication that,
yes, “we may pass your information on to other organisations and
click here to find out more,” – I mean, that's the sort of approach
we encourage. Again, that's one of the priorities: to move away
from, if you like, legalistic compliance – compliance for the sake
of it – to achieve compliance which is really meaningful for
individuals.
So, yes, there is an argument that if I come to your website and
you’re going to sell on my email address to other organisations,
that shouldn't be tucked away in a privacy policy; that should be
up-front.
Back in 2001, I think it was 2001, Elizabeth France published some
guidance on the basic messages that need to be given on a website
(11-page / 46KB PDF) and I think that still applies and ties in with what you
are saying. But among those things, you would have to say who you
are. That seems obvious; obviously, our brand is OUT-LAW.COM, but
we are really Pinsent Masons, and so we feel we need to make that
absolutely clear, not let people find that out in a link. You would
agree with that I presume?
Well, yes, if people are giving information to you on the
website, they ought to know up-front who they are giving it to.
And basic marketing messages? Presumably you have to be
upfront: “by clicking this link you will be receiving email
marketing from us”?
Yes.
And the catch-all: anything else required to make
processing fair… But I think there is an inconsistency in the way
that businesses interpret these minimum requirements. So often what
we see is a bigger problem: giving none of that information and
simply having a link accessible from every page to a privacy
policy. Presumably that is still too little information – you need
to give at least certain minimum pieces of information on any
website before you take the person's personal data?
I think it depends what the site is doing. If the site is doing
no more than someone might reasonably expect, then a link to the
privacy policy would generally be okay. If I came to your site and
it was clear who you are – Pinsent Masons – and I'm subscribing to
a newsletter or something, and I give you my details, and all you
are going to do is use it to send me the newsletter and maybe the
odd other communication of the sort of the thing I might expect –
but you are not going to pass my details onto anybody else, then I
think simply a link to your privacy policy probably is good
enough.
Even if we include, for example, third party marketing
in that newsletter?
I think if primarily what you are doing is sending out a
newsletter, just as any newsletter may have some marketing messages
in it, then I don't think that's a problem, no.
I think you come back to this question with some honesty. You
know if you can honestly, hand-on-heart say to me, ‘it’s our
newsletter, of course we put a bit of advertising in it, just as we
might have done on a paper newsletter – add a couple of column
inches of advertising or whatever – but it is primarily our message
to people’, then I don't think that's a problem. If actually it's
just a marketing bulletin and there's nothing about you and you are
just selling space to other people and really it’s a money-making
opportunity based on third-party marketing, we take a different
view.
It comes down to what would a reasonable person expect.
I just had one more question – and it’s a slightly silly
one, based on the CCTV Good Practice Note (2-page / 37KB PDF) that came out. One
of my colleagues has interpreted that as effectively saying that if
some dodgy storekeeper put a CCTV camera in the changing rooms of
his shop, and only viewed that footage from home, he would fall
under the Domestic Purpose Exemption – and therefore be doing so
perfectly legitimately and outwith the Data Protection Act. Is that
right?
I can see the line of argument, but that's clearly the sort of
case where there is a significant privacy invasion in a business
context and that's something we would look at very carefully to see
if there was any way under the Data Protection Act that we could
take action to prevent that. My inclination would be that there
would be. It is a business use, it's in a business context that the
information is being collected, it's not just a personal and
domestic use because it's taking place in the course of business.
So, again, what I would come back to is we would be driven to take
that seriously and to look into it with a view to taking action
because it is a clear intrusion on privacy and is at least
arguable, strongly arguable, that it falls within the scope of the
Data Protection Act.
What we are less bothered about is, if you like, the nitpicking
– even if it is clearly within the law. It's the stuff that matters
to people's privacy that we are concerned about.
[Incidentally, the Sexual Offences Act 2003 made such
voyeurism activities illegal.]
One other thing: are you getting enough feedback from
industry? Do you get the information you need in order to do
your job?
I think we would like more information – but I would hesitate to
be critical of industry about that. Again, one of the things that
we are looking at is setting up better links with industry and with
our stakeholders as a whole, to make sure that we are getting
feedback from them.
It depends on sections of industry. I mean, we traditionally had
very strong relations with areas like the financial services
industry, but less strongly in some other areas. So, yes, it is
something we are looking to develop.
As I said, if there are particular areas where they think
guidance is needed or will be helpful, get in touch and let us
know. I would also say to them, don't just look to us to produce
guidance, we're equally keen – if not more keen – to work with you
to produce guidance, because the best people for producing guidance
for businesses are business organisations. They know the real
problems that their members face – so we are keen to work with
them. Feel free to get in touch.
See also:
Don’t email job references, OUT-LAW News, 16/01/2006
Interview with Information Commissioner Richard Thomas, 24 June 2003