Information Commissioner’s foreword
Information rights matter
There has been a sea-change. Information rights have never been taken
more seriously – by politicians and the public sector, by business leaders, by
the media and, crucially, by private individuals. The two strands of our work
have repeatedly set the news agenda over the last year and featured heavily
in Parliament and in public discussion. Data protection and freedom of
information impact on almost every aspect of life. Both involve delicate balancing acts. Both make
a real difference in shaping the nature of society.
Data protection protects people – providing essential safeguards for private life and for the integrity of personal information. Freedom of information brings the transparency and accountability which any democracy demands – reminding everyone that government serves the people, not the other way round.
At the ICO, we are proud of a very successful year. We have handled unprecedented caseloads. We have exceeded our targets, with some dramatic improvements in performance. Although the current level of funding means that some cases are taking longer than we want, we have issued a steady stream of well-respected freedom of information decision notices and resolved many thousands of cases informally. Information on a huge variety of topics has come into the public domain. We have shown our regulatory teeth with successful prosecutions and enforcement action. Our hard hitting reports on the pernicious illegal trade in personal information are producing tangible results. We have started a national debate about surveillance issues and this has inspired two select committee inquiries. We hosted the two main international conferences for privacy and for freedom of information commissioners. We have launched a brand new and well-received website and created a new intranet. Individuals’ awareness of data protection rights has risen to 82% (from 76% last year) and their awareness of freedom of information rights has reached 73% - astonishingly high for a new law.
We aim to be robust and responsible in ensuring that the law is doing what it was set up to do: protecting privacy and promoting openness. It is not easy to promote openness of public bodies while respecting the privacy of individuals. There are real tensions between securing greater transparency and preserving the private space needed for good policy-making. Public security and safety demand greater access to information about our private activities. Both sets of law are based on a strong foundation of information rights. Both promote good information-handling. Both depend upon high standards of records management. Both cry out for clear rules for countless situations, often requiring difficult balancing acts. And, as the daily demands of our work demonstrate, both are now an essential part of the modern world.
Introducing freedom of information, and parallel access to environmental information, has involved a steep learning curve for all concerned. A constitutional reform of such magnitude, calling for cultural change at the heart of public administration, was bound to involve some initial discomfort. But – as in other countries - this will subside as the benefits of open government become ever more apparent. The surprise is why so much was previously kept secret. After two years, it is remarkable how much progress has been made. Over 200,000 requests for information from public authorities – most of them successful - have demonstrated the appetite for openness. With members of the public as the biggest group of users, information has been requested on topics as broad as toxic waste, speed cameras, the performance of surgeons, MPs’ travel expenses, local authority pension investments, prostitution zones and ministerial advice on angling.
Every complaint about a refused request throws up new, and often highly complex, factual and legal issues. At the ICO we have to apply the law to many different types of case, setting the boundaries for public sector transparency. Each case involves considering the competing arguments of the public authority and of the requester and (in numerous cases) identifying and weighing the competing public interest considerations. Cases where publication is ordered hit the headlines, but decisions upholding non-disclosure are just as important. With so many high profile cases, it is a source of pride that – despite the ease of going to the Tribunal – three-quarters of our decisions are accepted by both sides without appeal.
As freedom of information settles down, its cousin, data protection, has never been more necessary nor faced greater tests.
Personal information is now used in previously unimaginable ways. In the world of cheap and almost limitless processing and storage capacity, commercial and political pressures to escalate the use of the electronic footprints we leave many times a day become almost irresistible. The benefits of using personal information are undeniable. But so are the risks for individuals and society where use goes beyond reasonable expectations or where things go wrong. The purposeful, routine and systematic recording of everyone’s movements, activities and transactions in public and private spaces – a surveillance society – is fast becoming a reality. The dangers are graver still as one system is linked to another. The risks – such as mistaken identity, inaccurate or out of date information, judgmental profiling – magnify as information is shared ever-wider.
Only data protection and self-interest stand in the way. Although many of the detailed rules are too bureaucratic, the underlying principles of data protection have successfully stood the test of time. They provide a sound framework to minimise the risks and promote acceptable and beneficial handling of personal information. But legal regulation is insufficient by itself. The consequences of getting it wrong can now be seen instantly – domestically and across the globe - causing great short-term damage to political and commercial reputations and long-term damage to society. It is ministers, permanent secretaries, chairs and chief executives who must ensure their organisations guarantee safeguards and exercise the necessary self-restraint. This is simple self-interest which must come from the top.
Recent security breaches – permitting the wrong people to access confidential information - provide a powerful illustration of the need to ensure that safeguards are achieved in practice. The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying. How can laptops holding details of customer accounts be used away from the office without strong encryption? How can millions of store card transactions fall into the wrong hands? How can online recruitment allow applicants to see each others’ forms? How can any chief executive of a bank face customers and shareholders and admit that loan rejections, health insurance applications, credit cards and bank statements can be found, unsecured, in non-confidential waste bags?
Security breaches are just one example. Customer, employee, stock market and voter expectations are high for all aspects of data protection. My office is committed to making it easier for those organisations who seek to handle personal information well - and tougher for those who do not. My message to those at the top of organisations is to respect the privacy of individuals and the integrity of the information held about them, to embrace data protection positively and to be sure you are not the business or political leader who failed to take information rights seriously.
To sum up, freedom of information and data protection are now inescapable features of the landscape. Secret government is unhealthy government - freedom of information brings official information into the open and gives power to the people. Equally, too much private information held by the state or by commercial organisations can be unhealthy, and is dangerous if organisations do not handle it with the utmost care.
A thriving democracy needs both freedom of information and data protection. Our intention is to ensure that the public and private sectors take them ever more seriously.
Richard Thomas, Information Commissioner