ICO under fire for dropping BT data breach probe
Privacy campaigners say the move means the UK 'effectively has no data protection regime'
The Information Commissioner's Office (ICO) is experiencing a backlash from privacy groups who say that its decision to drop an investigation into a BT data breach is "incredibly dangerous".
In September last year an employee of BT's Plusnet subsidiary emailed details of more than 500 of its customers to ACS:Law as unencrypted data. The data contained names, addresses and telephone numbers.
This information was later leaked onto the internet after ACS was attacked by online activists, prompting the investigation by the ICO.
The ICO said it will not be taking action as the incident concerned the failure of staff within BT to follow clear policies set out by the firm, making it an internal matter for BT.
Alex Hanff, who is affiliated with the rights group Privacy International, accused the ICO in a blog of being incompetent.
"It is not unusual for the ICO not to exercise its enforcement powers, in fact it is an issue which has been raised in the past by advocates and politicians.
"This is a dangerous decision for the ICO to have made as it effectively says that a company is not responsible for the actions of their employees at work. The ICO has, in essence, created a Data Protection regime in which companies will not be held responsible for the actions of their staff," he said.
Hanff said the decision not to press ahead with the investigation meant "we've gone from a weak data protection regime due to lack of enforcement and regulatory capture, to effectively no data protection regime with regards to corporate breaches of the Data Protection Act."
The ICO said it stands by its decision, arguing that legal action is not necessary.
"We have regular contact with a range of organisations regarding allegations of staff inappropriately accessing or disclosing personal information," said an ICO spokersperson.
"Where it is found that the data controller has adequate policies and safeguards already in place, the usual and most appropriate outcome in these cases is disciplinary action taken by the employer.
"However, where that employee is accessing records for personal gain, such as selling the data on to third parties, the ICO may open a criminal investigation."