Privacy Advisor

Regulator Chat

March 1, 2007

The Privacy Advisor Interviews Richard Thomas, the UK's Information Commissioner and a Keynote Speaker at the IAPP Privacy Summit 07, about his Priorities and Accomplishments

The Privacy Advisor (TPA): What are your responsibilities in the UK?

Thomas: As Information Commissioner my role is to promote people's access to official information and protect people's privacy.

On the privacy side my Office enforces the Data Protection Act and the Privacy and Electronic Communication Regulations. These implement for the United Kingdom two European Union Directives which provide a broadly harmonized approach across all 27 EU countries. The Data Protection Act safeguards the handling of personal information and provides important rights. In most situations, individuals can find out what information the state and other organizations hold about them and get it corrected if that information is wrong. Some 22,000 people contact my Office each year because they feel their privacy and other rights may have been infringed.

My Office also enforces the UK Freedom of Information Act. This is relatively new legislation, but we have already played a major role in ensuring more and more official information is in the public domain, from farm subsidies to travel expenses for Members of Parliament.

Your Office recently published a well-publicized report on a Surveillance Society. Can you describe the report?

In November I was delighted to host the 28th International Data Protection and Privacy Commissioners' Conference in London. I called for a public debate on the implications of living in a surveillance society and I gave a serious warning that we are waking up to a surveillance society. The theme struck a chord within the UK and worldwide.

To coincide with the conference, we published 'A Surveillance Society' - a detailed report on surveillance now and projections for what our society might be like in 2016. It describes a surveillance society as one where technology is extensively and routinely used to track and record our activities and movements. This includes systematic tracking and recording of travel and use of public services, automated use of CCTV, analysis of buying habits and financial transactions, and the workplace monitoring of telephone calls, email and Internet use. This can often be in ways which are invisible or not obvious to ordinary individuals as they are watched and monitored, and the report shows how pervasive surveillance looks set to accelerate in the years to come.

As ever-more information is collected, shared and used, it intrudes into our private space and leads to decisions which directly influence people's lives. Mistakes can also easily be made with serious consequences - false matches and other cases of mistaken identity, inaccurate facts or inferences, suspicions taken as reality, and breaches of security.

At the conference, Data Protection and Privacy Commissioners from around the world agreed on a communiqué that set out how we will ensure privacy is effectively protected in the surveillance society. My Office will shortly publish a follow-up report to identify the next steps we will take as a regulator in this important area.

One of your priorities has centered on 'pre-texting' or 'blagging.' Can you tell us more?

Yes - in the UK we use the term blagging. Personal information is usually obtained by making payments to staff or impersonating the target individual or another official. Some victims are in the public eye; others are entirely private citizens.

Last year, I urged the UK Government to amend the Data Protection Act and introduce a jail term for those convicted of obtaining and selling personal information.

We uncovered an existence of a widespread industry devoted to illegally buying and selling people's personal information. I issued a special report to the UK Parliament, 'What Price Privacy?' which explained how some individuals trade people's personal information, such as current addresses, details of car ownership, ex-directory telephone numbers or records of calls made, criminal records and bank account details. Private investigators, tracing agents and their operatives - often working loosely through several intermediaries - are the main suppliers.

The ultimate buyers of illegally obtained personal information include journalists, financial institutions and local authorities wishing to trace debtors; estranged spouses seeking details of their ex-partner's whereabouts or finances; and criminals intent on fraud or witness or juror intimidation.

The report arises from investigations carried out by my Office, sometimes using search warrant powers. Documents seized during one raid revealed evidence of a large scale market in the trading of personal information. However, the existing penalties are low and do not have a deterrent effect. One major case resulted in conditional discharges for the perpetrators.

To highlight the extent of this illegal trade, I also recently published a league table of media publications showing which are the most prolific buyers of unlawfully obtained personal information. The list is based on evidence found in just a single raid that my Office carried out at the premises of a private investigator.

Recently the government confirmed that it will amend the UK Data Protection Act. I am delighted the Government has now decided to adopt my proposals to introduce tougher penalties to deter people from engaging in the deliberate misuse of personal information.

What are you doing to help the British people look after their personal information?
Thomas: New figures we released in January revealed Britons are leaving themselves vulnerable to identity theft by not taking enough care to protect their personal information. In fact, a fifth believe they have been a victim of identity crime. We conducted a nationwide survey uncovering how easy Britons make it for criminals to steal their identity. A third of those surveyed admitted to throwing away personal documents such as bank statements and receipts without shredding or destroying them, a quarter of people do not routinely check bank statements for unfamiliar transactions and almost half of those surveyed use the same PIN and password across different accounts.

The research was published to coincide with the launch of a personal information toolkit, aimed at helping individuals protect their personal information more easily. We are encouraging people to use the personal information toolkit which provides individuals with advice and tips on protecting their information.

TPA: And what is the UK government doing?

Privacy issues are now high on the news agenda in the UK. I used my annual report last year to highlight that data protection provides a valuable framework for sharing personal information across the public sector, and should not be seen as a barrier. This issue is now central to many high profile UK government initiatives, such as identity management, health and education.

There are clear benefits to sharing more information - safeguarding the public, improving services and reducing costs. However, I have stressed that government and other public bodies must retain public trust and confidence, and will only achieve this if they share personal information in a secure, lawful and responsible way. I do not want data protection to be wrongly blamed for preventing sensible information sharing, for example to detect crime, protect children at risk or prevent fraud. Electronic government initiatives which improve public services, such as online car tax renewal, show that information can be shared in entirely acceptable ways.

But as more and more information is passed from one database to another, it is important to get the basics right. Trust and confidence will be lost if information is inaccurate or out of date, if there are mistakes of identification, if information is not kept securely or if reasonable expectations of privacy are not met. There must be clarity of purpose - not just sharing because technology allows it. And people must be told how their information is being shared and given choices wherever possible.

Data protection should be seen as part of the solution, not as the problem. The eight core principles that underpin the Data Protection Act provide a widely supported framework to make sure personal information is collected in ways which are necessary, justified and proportionate. Getting it right - at both design and operational levels - is vital to ensure the public trust and confidence which is needed to deliver the benefits of information sharing.

My Office intends to contribute constructively to government thinking and feed in data protection expertise. It is our job to promote good practice and we will be exploring ways - for example through information-sharing guidelines and promoting statutory codes of practice - to bring greater certainty and clarity to help government achieve the right balance.

TPA: And what about Freedom of Information - is it working?

Since I have been Commissioner, we have seen the introduction of the Freedom of Information Act. The public has a right to know what is done in their name with their taxes. This is a hugely important piece of legislation and is opening up more and more information to public scrutiny.

My Office has published some powerful rulings on a wide range of issues including the cost of identity cards, Legionnaires disease, academic standards and salaries of senior officials. It is extremely encouraging to see the positive impact the Freedom of Information act is having on individuals. A great deal of information has been released since the introduction of the act, which would not otherwise have been in the public domain. I was delighted that Parliament's Constitutional Affairs Select Committee concluded that freedom of information was proving to be a significant success.

Since the Act came into force, the ICO has received some 5,000 complaints and closed around three quarters of these cases.

What are some of the privacy issues on the horizon from your perspective?

There is no doubt that privacy issues continue to rise fast up the agenda - politically and commercially - in the United States and worldwide. People want their privacy and personal information properly respected. Businesses and governments want to get it right. Computing power gets ever-stronger. There can be very difficult balances to draw, especially where there may be tensions with the battles against terrorism and serious crime.

My Office's overall approach is to take a practical and down-to-earth approach - simplifying and making it easier for the majority of organizations that seek to handle personal information well, but tougher for the minority who do not.

One of the major hot topics is the current lack of synergy between privacy laws around the world. As pressures build for a clearer legal framework within the U.S., I want to remind everyone of the benefits of maximum global harmonization. Equally, I recognize that the EU Data Protection Directive is widely seen as excessively bureaucratic and prescriptive, not always concentrating on the priority real risks to individuals. There are current initiatives in Europe to make data protection more effective and better communicated in practice. We may not yet meet in the middle, but how much scope is there to move closer?