Google set to change privacy policy in wake of ICO investigation

Google has been under the watchful eye of the Information Commissioner's Office


The Information Commissioner’s Office (ICO) has required Google to sign a formal undertaking that will improve the information it provides to individuals about how it collects personal data in the UK after concerns were raised around changes to the company’s privacy policy.

The ICO found that the search engine was “too vague” when describing how it uses personal data gathered from its web services and products.

Google introduced a new privacy policy in March 2012 combining around 70 existing policies for various services, but the ICO ruled that the new policy did not include sufficient information for service users as to how and why their personal data was being collected.

Google has now signed an undertaking committing it to make further changes to the privacy policy, to ensure that the policy meets the requirements of the Data Protection Act, and to take steps (including user testing) to make certain that future changes to its privacy policy comply.

While conducting its own investigation, the ICO has worked alongside other European Data Protection authorities as part of the Article 29 Working Party.

Steve Eckersley, head of enforcement at the ICO, said: “This undertaking marks a significant step forward following a long investigation and extensive dialogue. Google’s commitment to make these necessary changes will improve the information UK consumers receive when using their online services and products.”

Eckersley continued: “While our investigation concluded that this case hasn’t resulted in substantial damage and distress to consumers, it’s still important for organisations to properly understand the impact of their actions and the requirement to comply with the data protection laws. Ensuring that personal data is processed fairly and transparently is a key requirement of the Data Protection Act.”

According to Eckersley, this investigation has identified some important learning points not only for Google but also for all organisations operating online, particularly when they seek to combine and use data across numerous services.

“It’s vital,” urged Eckersley, “that there’s clear and effective information available such that users can understand the implications of their data being combined. The detailed agreement Google has signed setting out its commitments will ensure that’s the case.”

The ICO has already worked with Google to ensure a significant number of changes to the policy. The search engine must now make the agreed further alterations by 30 June 2015 and then take further steps across the next two years.

The ICO plans to update its Privacy Notices Code of Practice later in 2015 to provide organisations with further guidance about how to offer effective privacy information, particularly in the online and mobile environments.

ICO afforded new powers to audit NHS

Meanwhile, Information Commissioner Christopher Graham has welcomed a change in the law that will give his office the right to force NHS authorities to be audited for compliance with the Data Protection Act.

From 1 February, the ICO is able to subject public sector healthcare organisations to a compulsory audit. Previously, these compulsory audits applied only to central Government departments.

Christopher Graham: the Information Commissioner


The audits review how the NHS handles patients’ personal information and can assess areas including the security of data, records management, staff training and data sharing.

For its part, the ICO will now be able to assess data protection by England’s NHS foundation trusts, GP surgeries, NHS Trusts and Community Healthcare Councils (and their equivalent bodies in Scotland, Wales and Northern Ireland) under Section 41A of the Data Protection Act. However, the new legislation will not apply to any private sector companies providing services within public healthcare.

Christopher Graham explained: “The National Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information the NHS is one of the worst performers. This is a major cause for concern. Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough.”

Graham concluded: “We fine these organisations when they make mistakes, but this new power to force our way into the worst performing parts of the health sector will really give us a chance to act before a breach can happen. It’s a reassuring step forward for NHS patients.”

To date, the ICO has issued fines totalling £1.3 million to NHS organisations.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
