1.1 As part of an inquiry into the culture, practices and ethics of the press, the Terms of Reference extend to a consideration of the extent to which the current policy and regulatory framework has failed, including in relation to data protection. It also requires a review of the extent to which there was a failure to act on previous warnings of media misconduct which undeniably includes the performance of the data protection regime. Data protection, with its origins in European and international law, is currently contained in the Data Protection Act 1998 (DPA) and is summarised elsewhere in the Report.1
1.2 The UK data protection regime suffers from an unenviable reputation, perhaps not wholly merited, but nevertheless important to understand at the outset. To say that it is little known or understood by the public, regarded as a regulatory inconvenience in the business world, and viewed as marginal and technical among legal practitioners (including by our higher courts), might be regarded as a little unfair by the more well-informed, but is perhaps not so far from the truth. And yet the subject-matter of the data protection regime, how personal information about individuals is acquired, used and traded for business purposes, could hardly be more fundamental to issues of personal integrity, particularly in a world of ever- accelerating information technology capability, nor, on the face of it, more central to the concerns of this Inquiry.
1.3 It has the following features:
- The law identifies broad principles requiring businesses acquiring and using personal information to do so lawfully, fairly, accurately, for specific purposes and to the limited extent necessary for those purposes; the information must be kept safely and individuals have legally enforceable rights to know what information is held about them, to see it, and to ensure that it is accurate.
- There are a number of specific exceptions to those rights and principles, including exemptions designed to balance those rights with other individual rights, such as freedom of expression, and other public interests such as crime prevention.
- The regime (along with the regime for freedom of information) is the responsibility of the Information Commissioner who has statutory power to investigate and rule on breaches, and enforce compliance (including by court action and prosecution). The Commissioner also has a wide-ranging function to promote awareness, compliance, and good practice over and above the basic legal requirements, including by education, guidance, publications and reporting to Parliament.
1.4 Successive Information Commissioners have worked hard and tirelessly to raise the profile of data protection within businesses, and to support public awareness, including by tackling ‘myths’ and unnecessarily risk-averse behaviour, and promoting straightforward and common-sense business practices.
1.5 The Information Commissioner operates through an office (the ICO) and it was in the execution of these responsibilities that the ICO became involved in Operation Motorman. The public facing narrative is described as part of the history2 in this Report but the way in which the ICO considered it appropriate to discharge its functions is far more complex than that narrative reveals. Having uncovered what appeared to be extensive unlawful or unethical practices of the press in the acquisition and subsequent use of private personal information from corrupt officials and private sector employees and through the medium of unscrupulous third-party ‘blaggers’, a regulatory response was essential. How these challenges were approached, the political campaign that has followed and the extent to which insights can be learnt for the future is at the heart of this Chapter.
1.6 Also looking to the future, it is appropriate to move from a consideration of the specific to consider the way in which the ICO operates in relation to the press and, in particular, to review the relevant parts of the legal framework along with its powers and governance.
1.7 Different parts of this Report have dealt with single systems. In relation to the activities of the press, the focus has been on the operation of the criminal law and the approach of the Press Complaints Commission (PCC) to press conduct. The relationship between the press and the police has been examined through the operational decisions of the police and their interaction with the press. For politicians, the issue has been the different dynamics of the way in which they react with the press and the extent of any impact on public life. For the ICO, all these different elements are engaged. This part of the Report deals with the criminal law, the regulatory regime of the ICO and the way in which it sought to engage the PCC, other regulatory options open to the ICO, and the political sphere (in relation to the amendment to the DPA). It is thus somewhat more complex and, given the wide ranging recommendations about the operation of this statutory regulator with an extensive remit, has required a greater degree of analysis than other aspects of the Report: to that extent it is also different in approach.
1.8 Having been directed by the Terms of Reference to consider the press and the data protection regime together, I have been conscious that the Report would be addressing matters relatively little noticed or debated in the public discussion of the Inquiry.3 I am also conscious that this subject matter has had relatively little scrutiny more generally. In this respect, as with many independent public inquiries, the task is to shine a light on an unfamiliar landscape. It is worth emphasising because so much of the rest of the material considered in this Report has been extremely fully ventilated, including editorially, as the Inquiry has gone along. The extent to which the relevance of data protection is and has been minimised is part of the background to this Part of the Report, as is the question of some of the reasons and motivations for it. I am also conscious that the discussion of this relatively unfamiliar territory throws aspects of it into relief in a way which may be a matter of surprise even to those more familiar with it. A fresh and independent perspective, by definition, is an opportunity for a different way of looking at things and perhaps of questioning some assumptions.
2. The ICO: structure, governance and approach
2.1 The Information Commissioner is a ‘corporation sole’ appointed by Her Majesty The Queen and independent of Government who (like the senior judiciary) can only be dismissed pursuant to an Address from both Houses of Parliament. He is funded by fees and grant-in-aid voted by Parliament and supported through the Lord Chancellor and Ministry of Justice. Operationally independent, the full functions of the Office are exercised personally though the office holder who appoints staff who work by direct delegation from him. Between 2002 and 2009, the Commissioner was Richard Thomas, a solicitor by training. He was based in offices in Wilmslow and had two deputies and the office now has over 300 staff (including lawyers and investigators). The operational investigations department reported to him via one of the Deputies. Francis Aldhouse, also a solicitor, fulfilled this Deputy role from 1984 (in the precursor organisations) until his retirement in 2006.
- As an overview, his role was “partly a regulator, partly an ombudsman, partly an educator and partly a policy adviser” the cornerstone being the duty to promote good practice including, but not limited to, compliance with the minimum legal obligations under the regime.5
- The ICO was “primarily not a prosecuting authority. That was almost on the side”.6 The main formal power in the event of non-compliance was the ‘enforcement notice’, which could specify and require compliance action subject to the back-up sanctions of court enforcement, although this was not frequently used.
- The principal power of investigation was the ability to serve an ‘information notice’ on an organisation to ascertain whether it was complying with the regime. This also was ‘very, very rarely’ used because, in most cases, asking a business to co-operate and supply information usually sufficed.
- Prosecution powers were limited to s55 of the DPA and did not extend, for example, to other offences such as phone hacking (although this might also technically involve a s55 DPA breach).
- Mr Thomas linked the application of the statutory ‘public interest’ defence provided by s55 to the core function of the ICO in freedom of information, in virtually every difficult case, in balancing public interest considerations for and against disclosure (on which it had published a great deal of guidance).7
2.3 Mr Thomas did not regard the ICO as “a regulator of the press as such” although the data protection regime applied to each media organisation which, therefore, was regulated and fee paying. He considered the exemption contained in s32 DPA (covering personal information being used for the ‘special purposes’ of journalism, literature or art) as severely circumscribing and limiting the powers of the ICO in relation to the press, disapplying most of its enforcement powers where data is used for journalistic purposes while at the same time being ‘incredibly complicated’. He had rarely had to engage with the issue (because it ‘didn’t arise’) and did not consider it particularly relevant to the Inquiry.8 He considered that any journalist seeking to rely on the ‘public interest’ provision to disapply s55 would be expected to be very scrupulous about checking and recording the aspects of the public interest on which he or she was proposing to rely, in order to be able to take any available advantage of that provision.
2.4 From this short summary, it appeared that the ICO relied, in the main, on an informal means of doing business. That is usual regulatory practice. The ‘cornerstone’ function of promoting good practice was largely discharged through co-operation with and encouragement of businesses; although little touched on in evidence, it appears that this was also the case with the ICO’s complaint resolution or ombudsman function. It was not an organisation by its own account which regularly used its principal legal powers; prosecutions, in particular, were not its main business, but neither, it would appear, was direct regulatory enforcement. The main concern was prevention of poor practice and promotion of good practice. The Inquiry explored the extent to which the ICO was familiar with the press as an industry dealing in personal information, and with the specific aspects of the data protection regime applying to the press, and how it saw its role in relation to commercial journalism.