Google, the ICO and why nobody cares about your personal data
You've got to wonder why the Information Commissioner's Office (ICO) bothers. Despite being responsible for the enforcement of the Data Protection Act, it seemingly does nothing to dissuade companies from pissing our personal information up the wall.
In July, the ICO investigated Google when it was revealed that their Street View Cars had captured data from unsecure WiFi networks. The ICO's conclusion?
"...we are satisfied so far that it is unlikely that Google will have captured significant amounts of personal data. There is also no evidence - as yet - that the data captured by Google has caused or could cause any individual detriment."
Skip forward just three months, and it appears that either Google were very selective about what they showed to the ICO, or the ICO weren't really paying attention, or Google's Street Cars only recorded unsecure data in all those other countries, because on Friday evening, a blog post by a senior Google VP contradicted the findings of the ICO:
"...a number of external regulators have inspected the data as part of their investigations (seven of which have now been concluded).
It’s clear from those inspections that while most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords."
So "entire emails and passwords" were recorded by the Street View cars and noticed by "a number of external regulators" - and the ICO saw nothing that "could cause any individual detriment"? Because of Google's admission, the ICO is now to re-examine its initial findings. It's possible that Google were referring to data captured in countries other than the UK, and we'll have to see whether that was the case.
In the meantime, the ICO can continue reprimanding those organisations that continue to abuse personal data, an- what's that?
In late September, avid Bitterwallet reader Adam Button made a Freedom of Information (FOI) request about the ICO (which itself is responsible for the FOI). Specifically, Adam asked about "the number of fines imposed to both Local and Central Government Authorities for data breaches under the Data Protection Act 1998 in total for 2009 and 2010 thus far".
The answer? Can you guess?
"The Information Commissioner’s Office was, in April 2010, given the power to fine organisations it finds in breach of the Data Protection Act 1998, when appropriate. To date, no fines have been issued and therefore we do not hold any recorded information which would enable us to answer your request."
The ICO was granted the powers (detailed here) to act "as both a sanction and a deterrent against non-compliance with the statutory requirements", and can impose fines of up to £500,000 on a company that either knowingly contravened the Data Protection Act or "ought to have known that there was a risk". Clearly there have been no serious breaches of the Data Protection Act in recent months. We can't think of one. Nope, not one. Not a single one. None at all.
Despite a wealth of companies and government bodies breaching the act through negligence, not a single fine has been issued by the body that polices the system.