The Freedom of Information Act isn’t popular in Whitehall, but information commissioner Christopher Graham tells Joshua Chambers that the criticisms are misplaced: the real problem is poor info security and data losses
Arriving at the Information Commissioner’s Office (ICO), CSW finds that the photographer has already been commandeered by the interviewee, and taken most of the pictures. Information commissioner Christopher Graham clearly understands the importance of visual imagery; perhaps it’s his background as a former director general of the Advertising Standards Agency.
“I’m interested in the communications side of things, because it’s very important to get our message across,” he says. Indeed, a press officer has even erected a large advertising banner in the interview room itself, ensuring that the ICO logo appears in almost every picture.
Graham’s desire to get his message across is understandable: the ICO isn’t always popular in government. Its role is to uphold the Freedom of Information (FOI) Act, and enforce privacy and data protection rules. The first role often garners public criticism, both from FOI’s sceptics and advocates.
Tony Blair described FOI as “dangerous” and his “greatest mistake.” David Cameron said it furs up the arteries of government, while former cabinet secretary Lord O’Donnell has been equally critical of impact on decision-making processes. On the other side, journalists are often irritated when Graham doesn’t agree that information should be released. “It’s all about being the guy at the centre of the seesaw,” he says. “You’re balancing where you think the public interest lies.”
Graham is a vocal defender of the Freedom of Information Act, and of his organisation’s decisions. But he’s also keen to ensure greater privacy for citizens, especially when it comes to the big corporations and public sector agencies hoovering up – and sometimes misplacing – people’s personal data.
Freedom of Information rulings come to the ICO when someone appeals against a public body’s decision not to publish requested information. Graham’s team investigates, and then publishes its own verdict. If either side disagrees, they can appeal to the Information Tribunal.
Recently, the ICO had to decide whether to force the health department to publish its NHS risk register. “I think the Department of Health would now admit that, if they had their time over again, it would be much easier to publish the thing and say: ‘Tell you what, it’s a risk register, and it identifies that there are some risks and… we’re managing them and mitigating them’.” The risk register became a national news story because of “the fuss that was created by the [department],” he believes: “The story itself didn’t amount to very much, it was the fight for information that was so exciting.”
One of the issues that arose in that case was whether FOI has deprived policymakers of a “safe space” to debate policy risks. However, Graham claims that “we’re actually very good at respecting the space that enables policy makers to do their stuff,” and that “we’ve been doing it now for getting on ten years, so I’m a little bit despairing of the horror stories [about FOI], which I think are grossly overdone.”
In particular, there’s O’Donnell’s suggestion that FOI prevents policymakers from writing things down, for fear that their confidential advice will be published. “Comments like that are actually making the situation much more difficult, because more junior members of staff think: ‘Oh good heavens, I’m not supposed to write anything down because I might be outed under the Freedom of Information Act’,” Graham responds. “The ‘sky is falling’ talk encouraged a lot of bad behaviour. It drove people to write things down on little bits of paper, post-it notes, and not keep a proper record. The Cabinet Manual is quite clear that information must be properly recorded and retained to show the audit trail.”
Indeed, Graham thinks that “all this talk of how terrible the Freedom of Information Act is has simply driven people to do silly things, like using your Gmail accounts on government business.” This happened in the education department, where secretary of state Michael Gove was using a private account for some of his political correspondence. “I think everything has calmed down now,” Graham says.
Some also argue that FOI can be expensive, diverting valuable staff time from delivering policies to answering FOI requests. Is it worth the cost? “Gosh, isn’t it terrible, democracy is terribly expensive,” he says with heavy sarcasm. “And transparency and accountability are terribly expensive, and we’d save an awful lot of money if we closed it all down. Come on!” he responds. “Freedom of Information is actually saving billions of taxpayer pounds because it’s driving out bad practices. The ‘blush test’ is saving a lot of money and it’s also enabling policymakers, civil servants and citizens to get the best deal: it’s driving down costs. In records management it’s obviously quite costly, but I think the net effect is a saving.”
Tony Blair wrote in his autobiography that FOI is used primarily as a weapon by critics of the government to cause difficulties, rather than by genuinely interested citizens who want to find out more about public service delivery. “It’s almost as if he’s simply writing about the relationship between government and journalists. And no doubt, when you’re in the hot seat, that’s what it feels like, but actually the important relationship is between government and citizen, and that’s what [FOI’s] there for. Of course it’s a nuisance – the ICO’s a public authority too, and very often I get caught out with requests for information which I’d like to think I don’t have to make public. But hey-ho, I’ll get on and do it and the sky doesn’t fall.”
Public sector officials claims that small campaign groups can bombard organisations with speculative FOI requests, but Graham isn’t impressed: “It was a small campaigning group that abolished slavery and got votes for women. I have very little patience with this sort of attitude, which I do hear sometimes in the higher ranks of the senior civil service, and sometimes with some of our leading politicians, that all this is trivial and we shouldn’t possibly tolerate it. ‘We’re getting on with the serious business of government and all these people are snapping at our heels’ – I think that just displays a dismissive approach towards the democratic process. I don’t have any time for it.”
Graham also doesn’t agree with the suggestion that people should be charged for putting in FOIs, to prevent obsessives from repeatedly asking very similar questions. He notes that “you can deal with obsessives under Section 14 of the Act and declare their request to be vexatious. We don’t think people use that nearly enough, and we’ve published guidance to make it clear that you can refuse a request if it’s manifestly vexatious.”
Private sector perils
Graham is concerned that, as private sector contractors increasingly take responsibility for public service delivery, the scope of FOI will not keep up: currently few private companies delivering public services are required to meet all of the Act’s requirements. “I think it can probably be dealt with through good contracts, but the contracts should make it clear that a contractor has obligations, even if it’s just an obligation to assist the department,” he explains.
Contractors might argue that assisting with FOI is an unnecessary burden, especially for smaller businesses, but Graham responds: “I don’t notice them not queuing up for the work. All these companies are desperate for a slice of the public service action. I don’t think they’re going to be deterred by having some obligations to account for the public pound. I think that accountability should follow public money.” Further, the smaller companies – he argues – are less likely to be of interest to people than the big suppliers, just as parish councils receive fewer requests than government departments.
If departments don’t comply, the ICO does have some sanctions at its disposal. It monitors the performance of organisations that fail to answer enough requests within 20 days – the Home Office is currently being monitored for a three month period – and if they fail to turn their performance around, the ICO can issue an enforcement notice ordering an organisation to follow specific instructions. In his four years as commissioner, Graham has never issued one, he says, because he understands that the public sector is going through “very lean times” and so wants to gently win them over rather than overburden them with regulation and penalties.
That said, Graham does want more powers to prevent people from destroying information. Currently, this can only be tried in a magistrates court, “which means I’ve got to have investigated the whole thing within six months,” he complains. The Ministry of Justice has agreed to make it a criminal offence, but the provision needs to be incorporated into an upcoming criminal justice bill.
Graham also wants to see the ICO’s data protection powers beefed-up. Currently, if an individual commits a crime under the Data Protection Act they can taken to a magistrates court and there’ll be a fine of £150. “That just doesn’t send out the message that this matters. It feels like a victimless crime,” he says, “it isn’t even a recordable offence on the Police National Computer.”
In the week before this interview, the ICO had taken a probation officer to court for passing information to an alleged domestic abuser, showing the whereabouts of his alleged victim. “It’s the sort of thing that arises because of the lack of perceived seriousness of keeping information secure, and we’re seeing this again and again in local government and the health service, where there’s a carelessness over personal information.”
If an organisation commits a serious breach of the Data Protection Act or Privacy and Electronic Communications Regulations, the ICO can issue a ‘civil monetary penalty’ – a fine of up to £500,000. Over the past two years it has issued 46 penalties to public sector organisations. “The most recent one was against the National Health Service in Surrey, who had been flogging off old computer equipment, selling the hard drives still with all the medical records on them, so we hit them for £200,000.” The money goes back to the Treasury, not the ICO, but Graham thinks the damage to reputation is the bigger threat.
Currently, though, Graham doesn’t think that general public sector “management has yet clocked that personal information is a potential risk”. However, he warns that technology “drives a situation where we’re generating data all the time – everything that we do – at work, in our relationships, with our bank, with our employer”. Further, “there are too many people handling our information that don’t see that it matters. I think that organisations have to learn through hefty civil monetary penalties, and screaming headlines in the local paper.”
The ICO doesn’t get reports for all breaches of the Data Protection Act – only some public sector bodies have to report them. This puts the ICO in a position where it’s got to make a few assumptions about the overall level of data loss in the public sector. While Graham doesn’t want to generalise, he does think there’s a problem in local councils. What’s more, they often hold the most sensitive data, including that from social services, housing, and now public health.
The communities department argues that the principles of deregulation and localism preclude giving the ICO the ability to audit all local authorities, to get a better picture of the situation. Graham is sceptical: “It’s all ... ‘down with the bureaucrats’. The trouble is that, without the assistance of the bureaucrats, local government is making a complete pigs’ ear of data protection.” Graham does have the power to audit NHS trusts, however, and is currently considering how much of those audits to make public. Why not just publish all of them? “I’m more interested in getting alongside practitioners and addressing the issues, rather than shouting everything from the rooftops,” he says.
The Department of Health is looking to make more patient data available, both to different NHS agencies, and also to private companies for research purposes. The latter information is anonymised, and the ICO has been working closely with the NHS on this because “the message I am constantly giving to health service people is that: ‘If you get this wrong, you will so spook the public, you won’t be able to do anything on data, and the rest of the government won’t be able to do anything either’,” he says.
That said, “the one message I would like to get across in this interview is that the ICO isn’t just about saying ‘no’ all the time. You can do a lot more under the Data Protection Act than most people think.” As an example, he points to the analysis of ‘big data’ to improve prescriptions.
What’s more, while departments may not think that they’re able to share data across government to perform big data analysis, the ICO wants to work with the Cabinet Office to shape the rules on this and give departments more confidence. “We’ll be watching like a hawk, because this is a very sensitive area, but I don’t approach it from the traditional folded-arm bureaucrat [perspective] saying ‘You can’t do that here,’ because there’s quite a lot you can and should be doing.”
The Home Affairs Committee recently questioned whether the public realise how much personal data they have shared with government and the private sector. Graham disagrees: “I think that people are getting pretty savvy now. Perhaps four years ago that might have been true, but I think… the penny’s beginning to drop.” Indeed, companies that treat personal data with respect are likely to be found more appealing by consumers, he thinks.
The ICO has the power to impose a civil monetary penalty, but “I don’t think that half a million pounds would take Google very long to earn,” he says. They do also have enforcement powers, though, and he thinks that the damage to Google’s reputation would be a significant penalty in itself.
Over the next couple of months, Graham will be dealing with another tricky problem: whether people seconded from Prince Charles’s staff to the civil service should be exempt from the Freedom of Information Act. The Royal Family is exempt from the Act, but the ICO had to decide whether Prince Charles’s letters to ministers should be published. Graham ruled that it wasn’t in the public interest to publish the letters, but this was overruled by the Information Tribunal, forcing the attorney general to step in and block publication – a decision now being challenged in the courts.
“The simple test is whether these letters change anything. Find me the smoking gun where the intervention from Clarence House has changed a planning application, or something like that; there weren’t any.”
Graham is coy on the issue of royal secondments, but he does give an indication of the considerations he’ll have to make. There is a precedent on publishing the names of officials, and the decision is “usually about their seniority. We have debates about whether the names of civil servants should be made public, whether their pay should be made public, and it’s usually about their level within the organisation.” What level does someone have to be before their name can be made public? “It’s when they’re significant decision-makers,” he says, refusing to comment further.
Graham has a tendency towards caution on some of these more thorny ongoing issues: his communications-savvy antennae intervene to sidestep comments that could generate unhelpful headlines. But he has been strong about his desire for greater enforcement powers, and in challenging opponents of Freedom of Information.
Quiet and polite, Graham isn’t a man who you’d think would naturally court controversy. But as information commissioner, he’s in charge of two vital issues: ensuring continued Freedom of Information, and balancing that with the right to privacy. To make sure that balance is in the right place, he’s clearly ready to stand up and speak his mind.