IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Privacy groups lambast ICO after BT decision

Privacy groups believe BT has been let off the hook by the ICO, which has come under heavy fire from certain corners.

BT

Privacy groups have poured scorn on the Information Commissioner's Office (ICO) after it ended an investigation into BT over sending customer information to the law firm ACS:Law.

BT reportedly sent details on 500 of its PlusNet customers to ACS:Law in plain text attached to an email.

The email was then leaked after the law firm was hacked.

ACS:Law has hit the headlines in the past few months for sending letters to people it believed had committed illegal filesharing.

The ICO indicated it had left the investigation in BT's hands.

"We have regular contact with a range of organisations regarding allegations of staff inappropriately accessing or disclosing personal information," an ICO spokesperson said.

"Where it is found that the data controller has adequate policies and safeguards already in place, the usual and most appropriate outcome in these cases is disciplinary action taken by the employer. However, where that employee is accessing records for personal gain, such as selling the data on to third parties, the ICO may open a criminal investigation."

Privacy International said it was an "incredibly dangerous decision" as it effectively dissolved "any pretence that a company is responsible for the actions of their employees at work."

"What makes this latest decision by the ICO worse than their usual incompetence, is that the ICO have decided BT Group PLC are not responsible for the breach of the Data Protection Act because it was one of their employees who sent the unencrypted data," the organisation's Alex Hanff said in a blog post.

"Christopher Graham has, in essence, now created a Data Protection regime where companies will not be held responsible for the actions of their staff."

Privacy International said it was going to push for a judicial review of the ICO's decision and seek a wider review of the watchdog as a whole.

The Big Brother Watch described the ruling as "puzzling."

"It appears to suggest that the information commissioner believes having a data protection policy in place is sufficient grounds to protect companies from prosecutions for breaking the law even when their employees disregard that said policy - and break the law," the body said in its own blog.

Responding to the criticisms, an ICO spokesperson said the watchdog was fully aware of its powers and was not afraid to use them.

"Enforcing and defending the rights of the UK public under the Data Protection Act has always been - and remains - central to the work of the ICO," the spokesperson said.

"Our workforce of data protection experts deal with thousands of complaints and complex investigations every year."

BT stated it had nothing to add outside of what the ICO said.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

BT workers claim rejected pay rise offer 'would have left them worse off'
Network & Internet

BT workers claim rejected pay rise offer 'would have left them worse off'

8 Apr 2022
MoJ faces £17.5m GDPR fine over subject access request backlog
data protection

MoJ faces £17.5m GDPR fine over subject access request backlog

20 Jan 2022
Cabinet Office fined £500,000 for New Year Honours data leak
data breaches

Cabinet Office fined £500,000 for New Year Honours data leak

3 Dec 2021
ICO publishes new data protection standards for the adtech industry
data protection

ICO publishes new data protection standards for the adtech industry

25 Nov 2021

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Google Russia files for bankruptcy, ends operations in the country
Business operations

Google Russia files for bankruptcy, ends operations in the country

19 May 2022