Google set to change privacy policy in wake of ICO investigation

by Brian Sims
Google has been under the watchful eye of the Information Commissioner's Office

The Information Commissioner’s Office (ICO) has required Google to sign a formal undertaking that will improve the information it provides to individuals about how it collects personal data in the UK after concerns were raised around changes to the company’s privacy policy.

The ICO found that the search engine was “too vague” when describing how it uses personal data gathered from its web services and products.

Google introduced a new privacy policy in March 2012 combining around 70 existing policies for various services, but the ICO ruled that the new policy did not include sufficient information for service users as to how and why their personal data was being collected.

Google has now signed an undertaking committing it to make further changes to the privacy policy, to ensure that the policy meets the requirements of the Data Protection Act, and to take steps (including user testing) to make certain that future changes to its privacy policy comply.

While conducting its own investigation, the ICO has worked alongside other European Data Protection authorities as part of the Article 29 Working Party.

Steve Eckersley, head of enforcement at the ICO, said: “This undertaking marks a significant step forward following a long investigation and extensive dialogue. Google’s commitment to make these necessary changes will improve the information UK consumers receive when using their online services and products.”

Eckersley continued: “While our investigation concluded that this case hasn’t resulted in substantial damage and distress to consumers, it’s still important for organisations to properly understand the impact of their actions and the requirement to comply with the data protection laws. Ensuring that personal data is processed fairly and transparently is a key requirement of the Data Protection Act.”

According to Eckersley, this investigation has identified some important learning points not only for Google but also all those organisations operating online, particularly when they seek to combine and use data across numerous services.

“It’s vital,” urged Eckersley, “that there’s clear and effective information available such that users can understand the implications of their data being combined. The detailed agreement Google has signed setting out its commitments will ensure that’s the case.”

The ICO has already worked with Google to ensure a significant number of changes to the policy. The search engine must now make the agreed further alterations by 30 June 2015 and then take further steps across the next two years.

The ICO plans to update its Privacy Notices Code of Practice later in 2015 to give organisations further guidance on how to offer effective privacy information, particularly in the online and mobile environments.

ICO afforded new powers to audit NHS

Meanwhile, Information Commissioner Christopher Graham has welcomed a change in the law that will give his office the right to force NHS authorities to be audited for compliance with the Data Protection Act.

As of 1 February, the ICO is able to subject public sector healthcare organisations to a compulsory audit. Previously, these compulsory audits applied only to central Government departments.

Christopher Graham: the Information Commissioner

The audits review how the NHS handles patients’ personal information and can assess areas including the security of data, records management, staff training and data sharing.

For its part, the ICO will now be able to assess data protection by England’s NHS foundation trusts, GP surgeries, NHS Trusts and Community Healthcare Councils (and their equivalent bodies in Scotland, Wales and Northern Ireland) under Section 41A of the Data Protection Act. However, the new legislation will not apply to any private sector companies providing services within public healthcare.

Christopher Graham explained: “The National Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information the NHS is one of the worst performers. This is a major cause for concern. Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough.”

Graham concluded: “We fine these organisations when they make mistakes, but this new power to force our way into the worst performing parts of the health sector will really give us a chance to act before a breach can happen. It’s a reassuring step forward for NHS patients.”

To date, the ICO has issued fines totalling £1.3 million to NHS organisations.
