What attracted you to this job?
I think it's one of the most challenging jobs in the country. I think both freedom of information (FOI) and data protection are fundamentally important issues and I think the recent reorganisation with the new Department of Constitutional Affairs which has policy responsibility for both FOI and data protection confirms that they're both very firmly on the map as part of the constitutional transformation which this country is going through. I think they're both intellectually challenging, very important to the lives of ordinary people and, in terms of job satisfaction, hard to beat.
What would you consider to be your short-term goals?
One of my central challenges really is to transform this organisation from what I see as a mature data protection authority to a fully engaged information regulator balancing freedom of information and data protection responsibilities. Inevitably that means giving a higher priority to freedom of information—making sure that both we as the enforcing organisation and the whole of the public sector are going to be fully prepared when the Freedom of Information Act comes fully into force in 2005.
Do you expect many data controllers to flout the rules?
I've been surprised actually at how seriously the vast majority of data controllers take compliance responsibilities. I'm not saying that everybody's 100% compliant, but what I have been surprised at is how much effort is going into making sure they are broadly compliant and taking data protection principles really quite seriously.
I see my job primarily as being one of promoting and ensuring good practice and a message I've been putting out at conferences and in things I've written is that both data protection and FOI are and largely should be seen as matters of enlightened self interest and I think that this has coincided with my experience that most reputable organisations are saying that they don't, for example, want to have out of date mailing lists, they don't want to have inaccurate information about their customers or their staff or their suppliers. They don't want to be accused of not holding data with proper regard to confidentiality.
You told the Select Committee on privacy and media intrusion you were not advocating the creation of a statutory right of privacy. What did you mean?
What I was saying was in the context of that particular enquiry I was not advocating regulation of the media; and I was not advocating that there should be legislation to regulate the media on privacy issues. I was saying that, if the Government and the Parliament so decided then I would be happy to take on that responsibility. I was putting down a clear marker against creating a separate privacy ombudsman as was being canvassed back at the early part of the year, but I was expressing neutrality on privacy legislation.
Do you have a firm view on the need for a right of privacy being written into statute?
No, we're quite a long way there already, with Article 8 and the Data Protection Act, but I accept it's not a full blown right of privacy. But I'm not expressing a view on that one way or the other at the moment.
Do you have any opinion about the comments made in the Michael Douglas, Catherine Zeta-Jones case that the courts were moving towards a privacy right?
Well, I picked up on that point and indeed I reproduced that very sentence in my evidence to the Select Committee and said that I think this is a matter of inevitability. The exact shape of that and the boundary between that and the laws of confidentiality and indeed data protection are to be properly delineated. But I think that the courts are moving towards recognition of a common law right.
What feedback have you had to your recent Code on monitoring employees?
I think we've probably got it right, actually, in terms of the substance of the code, in terms of the messages we're delivering that seems to have been very well received. The CBI put out a very mildly critical press release but I actually take issue with them on what they were saying. They say that we failed to define monitoring but that was quite deliberate because I think that if you ended up with a definition you'd have legal gobbledygook and I was much keener to put in examples of monitoring so that it actually meant something to most employers in the marketplace.
If an employer was intercepting private emails between staff, where the content of the emails was unsavoury but not criminal, and the interception was technically unlawful, would you intervene?
Any employer who has a need to monitor, whether it's internet or email traffic or to and fro from the outside world, should inform staff of what they're doing. So if staff know that their employer is liable to review the emails then that should be spelt out. Now, on top of that, I'm saying that covert monitoring—monitoring without knowledge—should only be done as a matter of exception where there is a suspicion of criminal activity or equivalent malpractice. You may say it [the Code] goes slightly further than the Act itself, but I believe it's right that the employer should be able in certain situations which may not amount to criminal activity to undertake covert monitoring. I give examples of racial or sexual harassment in the workplace, forms of bullying which don't amount to criminal activity, some aspects of financial regulation and the example you gave may be one of those. Now, in the context one has to adopt a bit of a case by case constructively and only use the stick when it needs to be used, but at the same time making sure that everyone knows that it's there.
There has been much talk about the Government's proposals for retention of and access to communications data. Do you feel that the proposals strike the right balance between the needs of authorities to access communications data and the rights of individuals?
Well, it's hard to talk in general terms. I think what I would say is that the balance is broadly acceptable—although I think it's very important that where information is retained for a longer period than is needed for commercial reasons—or where it is accessed for law enforcement purposes—then it is confined very much to the situations for which the authority is given.
So I don't want to see a slippery slope here. If there are suspicions of terrorism or serious criminal activity then, of course, I have no problems. But if it goes into lesser matters and not properly authorised by the parliamentary measures, then I may step in and take action. approach. If people were passing on details of paedophile sites then I think the employer would be wholly justified—if he had suspicions that someone was doing that—in monitoring to find out what was going on.
But supposing it's simply unsavoury?
If it's what I'd call perhaps undesirable, not criminal, then normally I would expect the employer to make sure that the employees knew what was going on so that, if you like, they were doing it at their own risk.
If the employer were not following best practice on this, is that somewhere that you'd take a pragmatic view and look at the case?
I would normally—if a case came to our attention—take it up with the employer. In 9 out of 10 cases, I think we'd find that the employer would see the error of their ways and put it right on a voluntary basis without formal action being taken. So I see formal enforcement action really as a very last resort where somebody either who is very misguided or very recalcitrant or where there's some point of principle that needs to be tested.
Is the enforcement action generally where there's a lack of cooperation from the employer?
Well, I can't imagine—unless we took it as a test case, if you like—that we would take enforcement action in this environment unless we're faced with an uncooperative employer. But I've been a regulator in the past. I was almost seven years with the Office of Fair Trading and the approach I took then I'm taking now, which is that everyone should be aware that I've got a big stick—and the stick is in the cupboard. I prefer to negotiate and talk constructively and only use stick when it needs to be used, but at the same time making sure that everyone knows that it's there.
There has been much talk about the Government's proposals for retention of and access to communications data. Do you feel that the proposals strike the right balance between the need of authorities to access communications data and the rights of individuals?
Well. it's hard to talk in general terms. I think what I would say is that the balance is broadly acceptable—although I think it's very important that where information is retained for a longer period of time than is needed for commercial reasons—or where it is accessed for law enforcement purposes—then it is confined very much to the situations for which the authority is given.
So I don't want to see a slippery slope here. If there are suspicions of terrorism or serious criminal activity then, of course, I have no problems. But if it goes into lesser matters and not properly authorised by the parliamentary measures, then I may step in and take action.
See: Information Commissioner's Office
Contact: Struan Robertson/ 0141 249 5422