The Minister for Media and Data
(Mr John Whittingdale)
I beg to move, That the Committee has considered the motion: That, from 1 November 2021—
(1) the Information Commissioner shall be paid a salary of £200,000 per annum and pension benefits in accordance with the standard award for the civil service pension scheme;
(2) all previous resolutions relating to the salary and pension of the Information Commissioner shall cease to have effect.
It is a pleasure to serve under your chairmanship, Mr Hosie. The Information Commissioner’s Office is now one of the most important regulators in the United Kingdom. It is responsible for supervising almost every organisation in the country. We want to invest in its future success and to sustain its world-leading reputation.
The Information Commissioner must play an active role to keep the ICO at the forefront of regulatory best practice, continuing to develop governance, key decision making and other processes to reflect the ICO’s evolving role. There is an opportunity for the UK’s ICO to take a lead internationally, at a time when the establishment and development of, typically, governance structures for data, artificial intelligence and other new technologies are critical. The Information Commissioner therefore has a key role to play to drive the responsible use of data across the economy, to build trust and confidence, and to communicate the wider benefits of data sharing for our society in competition, innovation and growth.
This Government’s ambition is to make the UK the data destination across the world, and to use data to drive growth and innovation and to deliver our levelling-up agenda. Our national data strategy, published recently, sets out that ambition for the UK’s pro-growth and trusted data regime. We want to help innovators and entrepreneurs to use data responsibly and securely, without undue regulatory uncertainty or risk, in order to drive growth across the economy. Data is a strategic asset, and its responsible use should be seen as a huge opportunity to embrace. Getting that right is critical to jobs and growth as the UK economy becomes increasingly digitised and data-enabled.
We want the public to be active agents in the thriving digital economy and to have confidence and trust in how data, including personal data, is used. That will mean maintaining high standards of data protection without creating unnecessary barriers to data use. The opportunity to create a new and independent data regime is one of the key benefits of the UK’s departure from the European Union. We have no intention of dismantling our high standards of data protection, but we are no longer required necessarily to follow every dot and comma of the General Data Protection Regulation. We will be looking to see how we may better utilise data and enable it to flow more freely, while at the same time maintaining those high standards.
We need to attract world-class individuals who have the skills necessary to balance protecting individual data rights while simultaneously ensuring that data enables digital growth and innovation. We also need to attract people who can represent the UK on the international data stage. The Information Commissioner’s responsibilities have increased since we left the European Union; they now include overseeing existing EU adequacy decisions by 2024, as well as strategic engagement with European and international competent authorities. The UK now has a huge opportunity to use data responsibly as a strategic asset that can drive growth.
One of the other opportunities arising from our no longer being a member state is the ability to apply the framework of transfer tools inherited from GDPR in a more flexible way. As the ICO has now left the European Data Protection Board, we are able to be more agile than was possible when we were within the EU. The ICO has a strong international reputation and an influential position in key global regulatory forums. It engages effectively with foreign partners and EU adequacy. Therefore, the next Information Commissioner will not only focus on privacy, but ensure in part that people can use data to achieve economic and social goals. The next commissioner will need to have a deep understanding of how businesses use data in a cutting-edge way.
Data has many societal benefits and, as we emerge from the covid pandemic, the UK has an opportunity to be at the forefront of global data-driven growth. The next Information Commissioner will play a critical role in delivering that agenda. We need to attract an outstanding individual to take the ICO forward. They will have a key role to play. They need to build trust and confidence in responsible data use, while also being able to communicate the wider benefits of data sharing.
Since 2018, the salary of the Information Commissioner has fallen below the market averages for comparative roles. Salaries of heads of data protection regulators internationally range up to £270,000. In Italy, the Data Protection Authority chairman and chief executive officer both receive €240,000. We have received some outstanding applicants for this role, but they would potentially need to take a cut of up to 50% of their current salaries if they were to accept even the £200,000 salary that we are debating. Without the motion, the salary of the Information Commissioner would remain at £164,000, and we would risk losing the outstanding candidates we so badly need.
The introduction of GDPR and the rapidly developing data protection landscape have vastly increased the responsibilities of the Information Commissioner. They have increased still further since our exit from the EU. The global position of the ICO, the increased workload after leaving the European Union and the rapidly increasing demands on the sector and the statutory requirements of the organisation mean that it has grown by two thirds to more than 850 employees since 2018.
The ICO has had an increased enforcement role since the introduction of heavier fines and penalties. That is in addition to the commissioner’s increasing role in the regulation of the privacy and electronic communications regulations. In particular, the ICO continues to tackle nuisance telephone calls and texts, which I suspect every Member of this House knows can cause huge distress to the public. In the fourth quarter of 2020-21 alone, the ICO issued fines amounting to more than £1.1 million under PECR to companies that have been sending out nuisance calls and texts.
In summary, we believe that the proposed increase in the commissioner’s salary appropriately reflects the increased importance, challenge and responsibilities of the role. Finding the right candidate to fill that position will be a critical component of delivering our ambition to make the UK the most technologically innovative and growth-driven economy in the world.
(Newcastle upon Tyne Central) (Lab)
It is a great pleasure to serve under your chairship, Mr Hosie. I start by thanking Elizabeth Denham, who has served as Information Commissioner since 2016 and is now stepping down. The ICO is charged with the critical responsibility of upholding information rights in the public interest. Last year, it issued high-profile fines of £20 million and £18 million to British Airways and Marriott for data breaches that may have affected up to 339 million people across the world. Last week, I was pleased to see the ICO issue a fine of £10,000 to the Conservative party for breaching data laws during the 2019 general election campaign.
I thank the Minister for setting out what the motion will do. It brings the Information Commissioner’s remuneration up to £200,000 per year, an increase of up to £20,000 in this year of pandemic. That pay rise will see the commissioner’s total salary, including pension, rise above that of the CEOs of Ofqual and Ofgem, by £40,000 and £50,000 respectively. Furthermore, a 10% increase is significantly higher than the 1% pay rise that the Government have offered our frontline key workers in our NHS.
Changes to the commissioner’s remuneration come around only every few years and, as the Minister has set out, the salary has been frozen for more than three years now. The Opposition agree that a review is necessary to ensure that the salary is reflective of public service uprating protocols. However, we have some key questions that arise from a significant pay rise being gifted to any public servant, even in non-pandemic times.
First, we would like to know how much of the proposed increase is justifiably related to inflation, the cost of living and what the salary would have been uprated to had it been treated like any other public sector or public service job. We need to know what proportion of the pay rise is related to that and what is related directly to the additional responsibilities that the role is expected to see over the next few years, which the Minister summarised. Last time the commissioner’s pay was increased, it was because of the expansion of responsibilities introduced under GDPR.
The most recent job advert for the role of Information Commissioner shows that the successful candidate will play a key role in supporting the roll-out of the national data strategy. As the Minister emphasised, that strategy focuses on economic growth, rather than online safety or individual data rights. We still await details of the data strategy, but that highlights three new key responsibilities that the Information Commissioner will be taking on or assisting with.
We are not arguing against the need for those additional responsibilities. Indeed, the Opposition argue more that the Government have been slow to react to the changing digital landscape over the past decade, allowing our data to be used in nefarious ways, be that targeting vulnerable people with harmful messages or undermining democracy through misinformation and lies during election cycles. So little has been done and so much still needs to be done beyond the limited scope of the forthcoming Online Safety Bill—published only in draft form so far.
The Government must recognise that if we are to put people in control of their own data, the ICO must take greater action against those who act improperly with data. Existing law does not sufficiently cover the threats that people face, as the pandemic has emphasised, and new challenges are arising.
For example, at the start of this year I called for a review of data privacy protection to outlaw digital snooping after a YouGov survey found that 16% of companies installed remote tracking software in employees’ devices. The Government have since done nothing to address that and, in response my questions, they even appear to deny that it is an issue. The Information Commissioner, although appealed to, has yet to set out a regulatory framework on worker surveillance that will protect workers. Currently, the ICO offers limited guidance to employers.
We recognise the increase in responsibilities, but we are not sure that the Minister has fully set out the responsibilities as they need to be. In addition, he described the role as benefiting from Brexit, to ensure that our data regime evolves in a way that allows data to flow more easily, while not impacting on our highly prized and essential data adequacy requirements with the European Union. The next Information Commissioner will need to be something of a magician if they are to reflect both those requirements.
I must also ask specifically how the ICO as a whole will be resourced to reflect that increase in responsibilities, because increasing the pay of the commissioner will simply not address that. The Minister said that the ICO has 850 people, but my information from the Library is that it has 720 full-time members of staff. Ofcom has 937 and its CEO earns a salary of £315,000 per year. Ofgem has 920 staff and its CEO is paid £225,000 per year. Dividing total salary with pension by the number of staff, by my calculation—I will be happy to see the Minister’s—Ofcom’s CEO has pay per employee of £336, and for Ofgem the figure is £244. The Information Commissioner will have £365, which is significantly higher. Does the Minister feel that is proportionate? Will he assure us that the ICO will be resourced to protect us online? Will that involve taking on more staff, for example? Will he commit to bringing in robust and extensive regulations to protect us from evolving threats, such as artificial intelligence or surveillance?
The Minister talked about how the ICO handled nuisance call. I have to say that that seems a significant overestimate. When I raised the issue of online scams and fraud with the commissioner, she told me that the ICO “are working closely with our partners, like Trading Standards and law enforcement, to continue to protect people, raise awareness and stop criminals during this challenging period.” By no means is it taking on sole responsibility for online scams and fraud, and very few people believe that enough is being done. Which?, the Money and Mental Health Policy Institute, UK Finance and the Carnegie Trust have all called on the Government to do more to prevent online scams and the data leaks that contribute to them. When my parliamentary account was targeted with sexually explicit spam emails, I contacted the ICO directly, but again there seemed to be confusion over where responsibility lay. There is also confusion about how to respond to scams, nuisance emails and calls. Will the Minister say in one sentence what a citizen who is so targeted should do? He is nodding at me, so I hope that means we will get the clarity that I have been looking for.
Over the past decade—I should declare an interest, as I previously worked for Ofcom—Ofcom has taken on significant new responsibilities: the BBC, the Post Office, national security for the entire telecoms network, and now the confused and contradictory online safety duties. I am concerned that new responsibilities plus the absence of a joined-up approach by Government to data breaches, data rights and scams might lead to the Information Commissioner being similarly overburdened. Apart from the salary increase, what plans does the Minister have to address that challenge? Furthermore, will he tell me whether he plans to raise the already extremely high salary of £315,000 per year for Ofcom’s CEO in line with its continued expansion of duties?
The Minister mentioned the job advert, and we agree that we want to attract the brightest and the best. In 2018, when the commissioner’s renumeration was last re-evaluated, the Government were clear that the wage rise was in part designed to increase competitiveness in the market and to attract world-class candidates. He said that it had fallen behind comparable roles. However, as he is well aware, that depends what roles we compare it with. For example, Canada’s information commissioner is paid £182,000 per year, and Ireland’s is paid £177,000 per year, as research by the House of Commons Library has indicated to me. I would expect that the Minister has access to comparable research, so can he give a bit more detail on what assessment has been done of the current jobs market for this role?
The advert closed on 28 March, and the Minister said that they had an excellent candidate. Can he tell us when we can expect an announcement of a successful candidate? I will also raise the point that in 2018 the Government cited an increase in freedom of information requests as another justification for the increase in salary. We recognised that as a valid concern back in 2018. However, the Government’s figures show that freedom of information requests across all monitored bodies have since fallen by 10%. Has the Minister taken that into account when considering the pay rise?
The ICO and its commissioner work to uphold information rights. We have seen the significant impact that the pandemic has had on our working lives and social lives over the past 15 months, and the role that our personal data plays in everything from global trade to local service provision is only going to increase. Personal data drives the business models of the digital economy and, increasingly, the artificial intelligence algorithms that take important decisions about how we live, study and work. We need to put people back in control of their data, and I hope the Minister would agree with that.
Finally, I will just note that we must be careful and take stock when discussing very high rates of pay in the public sector. Many of our constituents are angry at the way the Government have treated the NHS and public sector key workers throughout the pandemic, compounded by a decade of cuts to public services and real-terms salary cuts to frontline staff. These are difficult times for families across the country, many of whom do not know whether they are going to have a job to return to once pandemic support is withdrawn.
However, we appreciate that the commissioner’s renumeration has been increased only once since 2008 and, as the Minister has stated, that it is vitally important that we attract the best candidate to the role. As such, I will not be asking my hon. Friends to vote against this increase, but I will be very interested to hear the Minister’s answers to the questions I have asked, and I hope that the Government will meet the calls for a pay rise for frontline public sector key workers with the same enthusiasm they have demonstrated today.
I thank the hon. Member for Newcastle upon Tyne Central for the helpful way in which she has raised some perfectly valid questions, which I will do my best to address. I will begin by joining her in thanking the outgoing Information Commissioner, Elizabeth Denham, who I think I appointed in my previous capacity a few years ago.
It is worth reminding the Committee, which I did not do in my opening address, that Elizabeth Denham’s salary is £180,000, which was a single supplement at the time of her appointment. Without today’s motion, the salary of the incoming commissioner would fall back from £180,000 to £164,000. The hon. Lady’s questions about how it compares with the rate of inflation and with the pay of public sector workers are valid, but we need to set this in context. The proposed increase would take the current salary from £180,000 to £200,000, but without the motion it would come back down again.
Of course, we all understand that these are difficult times for many people. A lot of our constituents will look at these huge salaries and say, “That’s more than I could ever dream of getting; surely £164,000 is an awful lot of money.” But the truth is that we are operating in an incredibly globally competitive area, where the skills we need are in short supply, and where people who possess those skills can command huge salaries. We have had some very good applicants, and I suspect that whichever of them ends up getting the job will be getting a pay cut from what they are currently earning.
The hon. Lady made a number of comparisons. It is difficult to equate different regulators or international regimes, but the Italian Data Protection Authority pays its head €240,000, while the Office of the Australian Information Commissioner commands a salary of £272,000, so the amount we are paying is by no means at the top of the scale. The hon. Lady mentioned Ofcom, which pays about £330,000. Executives on the Financial Conduct Authority get between £380,000 and £550,000, and Network Rail’s chair gets £310,000. Although I fully recognise that we are asking the taxpayer to meet a considerable salary, it is by no means the highest, if we look at other regulators. It reflects the critical importance of data for our economic growth.
The hon. Lady referred to the national data strategy. We published the results of a consultation on the national data strategy at the same time the ICO published its data sharing code. We will be going on to consider what additional changes might be made to try to remove some of the barriers that I have spoken about. The ICO will play a critical part in this area. There are new responsibilities that, as I said, did not exist before Britain ceased to be a member of the European Union. The hon. Lady rightly referred to the importance of data adequacy. I hope we will very shortly reach the final agreement that the UK will maintain data adequacy with the European Union. One of the new opportunities is to look at potentially signing new data adequacy agreements with third countries. That is something that, at the moment, the EU does, but very slowly. As a third country, we now have that ability. In the consideration of whether we can reach an agreement, the ICO will play an absolutely critical role.
The hon. Lady referred to nuisance calls. One needs to differentiate to some extent between what are termed nuisance calls—people ringing somebody up and trying to persuade them to make claims or whatever that they do not need—and scams that try to persuade people to put something on their computer that will allow some criminal to access all their personal financial information. The two are obviously closely related, but one is very firmly within the remit of the ICO and the other is, to some extent, within the remit of law enforcement and the Home Office. Obviously, they all need to work together very closely, and that is happening. At the moment, scams and fraud are probably causing more distress and anxiety, whereas a few years ago it was mortgage protection policy claims and other types of nuisance calls that we all experience. As I say, they are working together very closely on that. The Home Office, which leads on that, intends to say more about that very shortly.
I thank the Minister for his comments. I just want it to be clear that although he is right to say that it is possible, and indeed important, to distinguish between nuisance calls and scams, they both share the characteristic that somebody has got hold of a person’s data, phone number and something about them, so a nuisance call can lead to a scam, depending on how much personal data they have. All the mobile networks, for example, have one text number that people can text if they get a nuisance call. There is also Action Fraud. The ICO has a relevant page on one of its websites. I want to emphasise to the Minister the point that this is very complex and individual citizens do not know what to do in response to nuisance calls—there is not a sufficiently shared understanding of that—so to say that the ICO is addressing either of these is actually an overstatement.
I completely agree that more needs to be done, and I think action is being taken now. The hon. Lady is right that there is a lot of confusion about where to go to report receipt of a nuisance or scam call—I have done that myself. Although Ofcom monitors, it does not deal with individuals. The ICO has a reporting mechanism, but an individual does not necessarily know whether anything ever happens if they do report. Action Fraud is where they should go if it is a claim of fraud.
All I will say to the hon. Lady is that I am very aware that there is a lack of public confidence and that it needs to be addressed. As I have said, discussions are going on between the ICO, the Department for Culture, Media and Sport, the Home Office and, as the hon. Lady rightly identifies, the telecoms companies. I think that there is almost certainly more that can be done there, and I believe that we will be saying more about that very shortly. This is another reason why the ICO plays a critically important role, both in supporting economic growth and technical innovation in our economy and in providing protection for citizens against the abuse of their data or, as in this case, what we recognise are highly distressing calls—either nuisance calls or, worse, scams.
I will end by repeating that the ICO is a very important office, and it is going to get more important over time. That means we need to have an outstanding person at the head of it. The hon. Lady asked when we will announce the person’s identity. I can say that we are very far advanced. I hope that we will be in a position to make that announcement very shortly. Of course, once we do, it will need to be confirmed by the relevant Select Committee. That process will already be in train. I am sure that the new Information Commissioner will also be delighted to discuss these things with the hon. Lady once he or she is in place.