On 21st March 2013 the House of Commons Justice Committee published a report (HC 962) on the functions, powers and resources of the Information Commissioner. It is essential reading for anyone interested in understanding the current role and future prospects of the Information Commissioner’s Office (ICO).
The Committee monitors the Ministry of Justice’s associated public bodies, and as part of this remit it maintains a close interest in the ICO. On 5th February 2013 the Committee held an oral evidence session with the Commissioner and his two deputies; it also received written evidence and supplementary information from the ICO. The report reflects this oral and written evidence.
The report begins by looking at the finances of the ICO in an era of public sector austerity. The ICO performs two separate areas of work, differently funded. Freedom of information (FOI) work is paid for by grant-in-aid from the Ministry of Justice, while data protection work is financed by the notification fee payable by data controllers under the Data Protection Act 1998 (DPA). The Commissioner is restricted in terms of “virement” – i.e. in general he cannot use DPA resources to fund FOI work, or vice versa.
As one would expect, freedom of information funding has been affected by the general pressures on public expenditure: the income for this work has been cut from £5.5 million in 2011-12 to £4.25 million in 2012-13, with the ICO planning for further cuts in 2013-14. Despite these cuts, the ICO has increased the amount of FOI casework completed, and reduced its backlog in this area. The Committee is impressed by the ICO’s success in this regard, while warning that further budget cuts would risk adversely affecting performance. The Committee suggests that the rules about virement should be relaxed.
The suggestion that DPA income might be used to subsidise FOI work seems a sensible one. There is considerable overlap – FOI cases about personal data are a very important source of DPA case law. However, it is disappointing that the Committee did not tackle more directly the question of whether FOI budget cuts make sense. An effective FOI regime is a weapon against waste and fraud, and can help keep public expenditure under control. The sums involved are modest, in the overall expenditure context – even the 2011-12 figure represents less than 10p per head of UK population. It is, at the very least, worth considering whether cutting FOI funding is a false economy.
At first sight the funding position for DPA work seems significantly better. The notification fee generates an annual income of some £15 million, over three times the FOI grant-in-aid. The problem is that the EU’s proposed Data Protection Regulation would abolish the notification fee, while at the same time imposing a wide range of additional functions on the ICO. The Committee suggests that the combined effect of these proposals would leave the ICO with a DPA funding shortfall of over £42 million. The position is made yet more difficult by the recommendations in the Leveson Report as to the future role of the ICO in relation to the press, which are a further source of potential demands on the ICO’s budget. The Committee suggests that the Government needs to find a way of retaining a fee-based self-financing system for ICO work, despite the current EU proposals.
Turning to the structure of the ICO, the Committee discusses the suggestion in the Leveson report that there should be an Information Commission led by a Board of Commissioners, rather than a single Information Commissioner. The Committee disagrees: it prefers the current model, with a single Commissioner taking personal accountability for the ICO’s work. The Committee also addresses the independence of the ICO. It recommends that the ICO should become directly responsible to and funded by Parliament, so as to guarantee its independence from the Executive. However, the Committee does not suggest that the ICO’s independence has in fact been compromised in the past by its institutional relationship with the Ministry of Justice.
As to the ICO’s statutory powers under the DPA, the Committee makes recommendations in two areas.
In relation to the criminal offence under DPA section 55, the Committee suggests that this should be made recordable – that is, convictions should be recorded on the Police National Computer and hence included in any future checks relating to the individual’s criminal record. The Committee also calls on the Government to bring into force section 77 of the Criminal Justice and Immigration Act 2008, so as to allow custodial sentences to be imposed for breach of DPA section 55. The Committee sets out – at §43 of its report – a list of other offences carrying custodial penalties for which those who breach DPA section 55 might be convicted: for instance, there is the offence of unauthorised access to computer material, under the Computer Misuse Act 1990. The Committee does not, however, regard the existence of these other offences as an adequate substitute for custodial penalties under DPA section 55.
In relation to the Commissioner’s audit powers, the Committee considers that as a general rule public sector organisations should accept an offer of a free DPA audit from the Commissioner. It recommends that the Commissioner’s power of compulsory audit under DPA section 41A should be extended to NHS Trusts and local authorities.
Timothy Pitt-Payne QC