Privacy groups lambast ICO after BT decision
Privacy groups believe BT has been let off the hook by the ICO, which has come under heavy fire from certain corners.
Privacy groups have poured scorn on the Information Commissioner's Office (ICO) after it ended an investigation into BT over sending customer information to the law firm ACS:Law.
BT reportedly sent details on 500 of its PlusNet customers to ACS:Law in plain text attached to an email.
The email was then leaked after the law firm was hacked.
ACS:Law has hit the headlines in the past few months for sending letters to people it believed had committed illegal filesharing.
The ICO indicated it had left the investigation in BT's hands.
"We have regular contact with a range of organisations regarding allegations of staff inappropriately accessing or disclosing personal information," an ICO spokesperson said.
"Where it is found that the data controller has adequate policies and safeguards already in place, the usual and most appropriate outcome in these cases is disciplinary action taken by the employer. However, where that employee is accessing records for personal gain, such as selling the data on to third parties, the ICO may open a criminal investigation."
Privacy International said it was an "incredibly dangerous decision" as it effectively dissolved "any pretence that a company is responsible for the actions of their employees at work."
"What makes this latest decision by the ICO worse than their usual incompetence, is that the ICO have decided BT Group PLC are not responsible for the breach of the Data Protection Act because it was one of their employees who sent the unencrypted data," the organisation's Alex Hanff said in a blog post.
"Christopher Graham has, in essence, now created a Data Protection regime where companies will not be held responsible for the actions of their staff."
Privacy International said it was going to push for a judicial review of the ICO's decision and seek a wider review of the watchdog as a whole.
The Big Brother Watch described the ruling as "puzzling."
"It appears to suggest that the information commissioner believes having a data protection policy in place is sufficient grounds to protect companies from prosecutions for breaking the law even when their employees disregard that said policy - and break the law," the body said in its own blog.
Responding to the criticisms, an ICO spokesperson said the watchdog was fully aware of its powers and was not afraid to use them.
"Enforcing and defending the rights of the UK public under the Data Protection Act has always been - and remains - central to the work of the ICO," the spokesperson said.
"Our workforce of data protection experts deal with thousands of complaints and complex investigations every year."
BT stated it had nothing to add outside of what the ICO said.
Four strategies for building a hybrid workplace that works
All indications are that the future of work is hybrid, if it's not here alreadyFree webinar
The digital marketer’s guide to contextual insights and trends
How to use contextual intelligence to uncover new insights and inform strategiesFree Download
Ransomware and Microsoft 365 for business
What you need to know about reducing ransomware riskFree Download
Building a modern strategy for analytics and machine learning success
Turning into business valueFree Download