Richard Thomas took up the position of Information Commissioner in December. He is now responsible for enforcing and overseeing the Data Protection Act and the Freedom of Information Act.
Previously Thomas was director of public policy at law firm Clifford Chance. He has also worked at the National Consumer Council and served as a director of consumer affairs at the Office of Fair Trading.
Just weeks into his new role, Thomas spoke to Computing about his plans for the future and his attitudes to data.
What are your main priorities as Information Commissioner?
Having been here for five weeks, I've had the opportunity to see that we have a wide range of issues to deal with. We have a mature data protection body, and a brand new freedom of information role to deal with. I think that should keep me busy!
My early priorities are getting the message across about the importance of openness for the public, and the respect needed when dealing with personal information.
How will your appointment change the Information Commission?
At times in the past we have been too reactive. I'd like to see us as a more proactive organisation. Part of this has to do with getting our message across. We've often got good stories to tell, but sometimes we tend to bury them in our annual reports.
I also want to promote good practice in data protection and freedom of information. And this is about taking a common sense approach. There are good business reasons why this is in everybody's interest. Take, say, the banking world. If you're sloppy with personal data, you're going to lose out in the marketplace. I'm keen to make sure that people understand why there is a need for data protection.
What do you see as the biggest data protection problems?
Firstly, let me say that I don't believe that the legislation is one of them. We have good data protection legislation. I recognise that some people see the Data Protection Act as bureaucratic. If need be, we will try to make it simpler. There are always ways of tightening things up, but the Act is fundamentally sound.
Some of the problems I see are about information sharing. Quite a lot of public bodies are not good at granting access to information they hold. But there are also issues about who the data is shared with. The NHS has a huge amount of patient information, and they are generally very good at respecting patient confidentiality. Issues arise when it comes to sharing the information between hospitals, GPs and external bodies.
Direct marketing and credit reference agencies are a concern. I'd like to end the practice of sending out unsolicited faxes, under the guise of quizzes or opinion polls, with the purpose of getting people to fax back on a premium line. The reputable businesses have been working hard at getting themselves compliant, but there are problems to iron out.
Where I have a real worry is over information theft. This is where people are using deception to get someone else's personal information. They get maybe a National Insurance number, then use that to get bank records. This is a serious criminal matter, and I will crack down hard on it.
I like to see my approach as one of talking constructively, but with a stick in my hand. If I can persuade people I will. I'll keep the full range of sanctions available to me to deal with those that are ill intentioned from the outset.
What is your view of the government's ID card proposals?
We've recently had a conference about the proposals with David Blunkett. In a nutshell, it is a question of whether the benefits outweigh the risks to privacy and to human rights. As much as I hate to use the term, it needs some sort of cost-benefit analysis.
Let's be clear, I understand the rationale behind it, but we have to see whether that justifies the costs. It will be one of the largest IT projects ever undertaken. And I also understand why a monolithic database containing iris scans causes some people alarm. Whether the demand is there, when the costs are examined, we will have to see.
Whatever political decisions are taken about the cards, it will have to be compliant with the Data Protection Act.
So I have two questions I need answers on. What levels of data quality are regarded as acceptable? How do you ensure that people cannot forge cards, or that cards do not have mistakes? The idea of using the driving licence database on the basis of the information would make me anxious, because the data is not of the same quality as that of the passport database.
Secondly, what safeguards will be introduced to prevent function creep? We would not want to see the cards gradually start to include information on race or political views, nor powers given to the police to arrest those without a card.
But these are points that we will be making to the Home Office as part of the on-going consultations about the cards. I intend to make sure we play an active role in those negotiations.
When can we expect the guidelines on workplace email monitoring?
I don't want to say too much on this at present. I am working on this, and hope to be in a position to make further comments soon.
The final version arrived on my desk in the middle of January. There didn't seem to be any point reviewing it until I could see the final version. I intend to review this fully, and don't want to comment too much before I have read the finished version.
One thing is clear to me: we will need to have a small business version, one tailored for small and medium-sized enterprises. They won't welcome having 50 to 60 pages to wade through.




