I think it's one of the most challenging jobs in the country. I think both freedom of information (FOI) and data protection are fundamentally important issues and I think the recent reorganisation with the new Department of Constitutional Affairs which has policy responsibility for both FOI and data protection confirms that they're both very firmly on the map as part of the constitutional transformation which this country is going through. I think they're both intellectually challenging, very important to the lives of ordinary people and, in terms of job satisfaction, hard to beat.
One of my central challenges really is to transform this organisation from what I see as a mature data protection authority to a fully engaged information regulator balancing freedom of information and data protection responsibilities. Inevitably that means giving a higher priority to freedom of information—making sure that both we as the enforcing organisation and the whole of the public sector are going to be fully prepared when the Freedom of Information Act comes fully into force in 2005.
I've been surprised actually at how seriously the vast majority of data controllers take compliance responsibilities. I'm not saying that everybody's 100% compliant, but what I have been surprised at is how much effort is going into making sure they are broadly compliant and taking data protection principles really quite seriously.
I see my job primarily as being one of promoting and ensuring good practice and a message I've been putting out at conferences and in things I've written is that both data protection and FOI are and largely should be seen as matters of enlightened self interest and I think that this has coincided with my experience that most reputable organisations are saying that they don't, for example, want to have out of date mailing lists, they don't want to have inaccurate information about their customers or their staff or their suppliers. They don't want to be accused of not holding data with proper regard to confidentiality.
What I was saying was in the context of that particular enquiry I was not advocating regulation of the media; and I was not advocating that there should be legislation to regulate the media on privacy issues. I was saying that, if the Government and the Parliament so decided then I would be happy to take on that responsibility. I was putting down a clear marker against creating a separate privacy ombudsman as was being canvassed back at the early part of the year, but I was expressing neutrality on privacy legislation.
No, we're quite a long way there already, with Article 8 and the Data Protection Act, but I accept it's not a full blown right of privacy. But I'm not expressing a view on that one way or the other at the moment.
Well, I picked up on that point and indeed I reproduced that very sentence in my evidence to the Select Committee and said that I think this is a matter of inevitability. The exact shape of that and the boundary between that and the laws of confidentiality and indeed data protection are to be properly delineated. But I think that the courts are moving towards recognition of a common law right.
I think we've probably got it right, actually, in terms of the substance of the code, in terms of the messages we're delivering that seems to have been very well received. The CBI put out a very mildly critical press release but I actually take issue with them on what they were saying. They say that we failed to define monitoring but that was quite deliberate because I think that if you ended up with a definition you'd have legal gobbledygook and I was much keener to put in examples of monitoring so that it actually meant something to most employers in the marketplace.
Any employer who has a need to monitor, whether it's internet or email traffic or to and fro from the outside world, should inform staff of what they're doing. So if staff know that their employer is liable to review the emails then that should be spelt out. Now, on top of that, I'm saying that covert monitoring—monitoring without knowledge—should only be done as a matter of exception where there is a suspicion of criminal activity or equivalent malpractice. You may say it [the Code] goes slightly further than the Act itself, but I believe it's right that the employer should be able in certain situations which may not amount to criminal activity to undertake covert monitoring. I give examples of racial or sexual harassment in the workplace, forms of bullying which don't amount to criminal activity, some aspects of financial regulation and the example you gave may be one of those. Now, in the context one has to adopt a bit of a case by case approach. If people were passing on details of paedophile sites then I think the employer would be wholly justified—if he had suspicions that someone was doing that—in monitoring to find out what was going on.
If it's what I'd call perhaps undesirable, not criminal, then normally I would expect the employer to make sure that the employees knew what was going on so that, if you like, they were doing it at their own risk.
I would normally—if a case came to our attention—take it up with the employer. In 9 out of 10 cases, I think we'd find that the employer would see the error of their ways and put it right on a voluntary basis without formal action being taken. So I see formal enforcement action really as a very last resort where somebody either who is very misguided or very recalcitrant or where there's some point of principle that needs to be tested.
Well, I can't imagine—unless we took it as a test case, if you like—that we would take enforcement action in this environment unless we're faced with an uncooperative employer. But I've been a regulator in the past. I was almost seven years with the Office of Fair Trading and the approach I took then I'm taking now, which is that everyone should be aware that I've got a big stick—and the stick is in the cupboard. I prefer to negotiate and talk constructively and only use the stick when it needs to be used, but at the same time making sure that everyone knows that it's there.
Well, it's hard to talk in general terms. I think what I would say is that the balance is broadly acceptable—although I think it's very important that where information is retained for a longer period of time than is needed for commercial reasons—or where it is accessed for law enforcement purposes—then it is confined very much to the situations for which the authority is given.
So I don't want to see a slippery slope here. If there are suspicions of terrorism or serious criminal activity then, of course, I have no problems. But if it goes into lesser matters and not properly authorised by the parliamentary measures, then I may step in and take action.
See: Information Commissioner's Office
Contact: Struan Robertson/ 0141 249 5422