The ICO found that the search engine was “too vague” when describing how it uses personal data gathered from its web services and products.
While conducting its own investigation, the ICO has worked alongside other European Data Protection authorities as part of the Article 29 Working Party.
Steve Eckersley, head of enforcement at the ICO, said: “This undertaking marks a significant step forward following a long investigation and extensive dialogue. Google’s commitment to make these necessary changes will improve the information UK consumers receive when using their online services and products.”
Eckersley continued: “While our investigation concluded that this case hasn’t resulted in substantial damage and distress to consumers, it’s still important for organisations to properly understand the impact of their actions and the requirement to comply with the data protection laws. Ensuring that personal data is processed fairly and transparently is a key requirement of the Data Protection Act.”
According to Eckersley, this investigation has identified some important learning points not only for Google but also all those organisations operating online, particularly when they seek to combine and use data across numerous services.
“It’s vital,” urged Eckersley, “that there’s clear and effective information available such that users can understand the implications of their data being combined. The detailed agreement Google has signed setting out its commitments will ensure that’s the case.”
The ICO has already worked with Google to secure a significant number of changes to the policy. The search engine must now make the agreed further alterations by 30 June 2015 and then take further steps over the next two years.
The ICO plans to update its Privacy Notices Code of Practice later in 2015 to give organisations further guidance on how to offer effective privacy information, particularly in the online and mobile environments.
ICO afforded new powers to audit NHS
Meanwhile, Information Commissioner Christopher Graham has welcomed a change in the law that will give his office the right to force NHS authorities to be audited for compliance with the Data Protection Act.
From 1 February, the ICO is able to subject public sector healthcare organisations to a compulsory audit. Previously, compulsory audits had applied only to central Government departments.
The audits review how the NHS handles patients’ personal information and can assess areas including the security of data, records management, staff training and data sharing.
For its part, the ICO will now be able to assess data protection by England’s NHS foundation trusts, GP surgeries, NHS Trusts and Community Healthcare Councils (and their equivalent bodies in Scotland, Wales and Northern Ireland) under Section 41A of the Data Protection Act. However, the new legislation will not apply to any private sector companies providing services within public healthcare.
Christopher Graham explained: “The National Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information the NHS is one of the worst performers. This is a major cause for concern. Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough.”
Graham concluded: “We fine these organisations when they make mistakes, but this new power to force our way into the worst performing parts of the health sector will really give us a chance to act before a breach can happen. It’s a reassuring step forward for NHS patients.”
To date, the ICO has issued fines totalling £1.3 million to NHS organisations.