Privacy groups lambast ICO after BT decision


Privacy groups have poured scorn on the Information Commissioner's Office (ICO) after it ended an investigation into BT over sending customer information to the law firm ACS:Law.

BT reportedly sent details on 500 of its PlusNet customers to ACS:Law in plain text attached to an email.

The email was then leaked after the law firm was hacked.

ACS:Law has hit the headlines in the past few months for sending letters to people it believed had committed illegal filesharing.

The ICO indicated it had left the investigation in BT's hands.

"We have regular contact with a range of organisations regarding allegations of staff inappropriately accessing or disclosing personal information," an ICO spokesperson said.

"Where it is found that the data controller has adequate policies and safeguards already in place, the usual and most appropriate outcome in these cases is disciplinary action taken by the employer. However, where that employee is accessing records for personal gain, such as selling the data on to third parties, the ICO may open a criminal investigation."

Privacy International said it was an "incredibly dangerous decision" as it effectively dissolved "any pretence that a company is responsible for the actions of their employees at work."

"What makes this latest decision by the ICO worse than their usual incompetence, is that the ICO have decided BT Group PLC are not responsible for the breach of the Data Protection Act because it was one of their employees who sent the unencrypted data," the organisation's Alex Hanff said in a blog post.

"Christopher Graham has, in essence, now created a Data Protection regime where companies will not be held responsible for the actions of their staff."

Privacy International said it was going to push for a judicial review of the ICO's decision and seek a wider review of the watchdog as a whole.

The Big Brother Watch described the ruling as "puzzling."

"It appears to suggest that the information commissioner believes having a data protection policy in place is sufficient grounds to protect companies from prosecutions for breaking the law even when their employees disregard that said policy - and break the law," the body said in its own blog.

Responding to the criticisms, an ICO spokesperson said the watchdog was fully aware of its powers and was not afraid to use them.

"Enforcing and defending the rights of the UK public under the Data Protection Act has always been - and remains - central to the work of the ICO," the spokesperson said.

"Our workforce of data protection experts deal with thousands of complaints and complex investigations every year."

BT stated it had nothing to add outside of what the ICO said.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.