Google Data Protection Audit Report Published

Have you ever seen the ICO auditors? If your company were to receive a call from them, how well do you think you would fare?

This week the UK Information Commissioner’s Office (ICO) has published an Executive Summary of its Data Protection Audit Report on Google, following the revelation that Google were inadvertently collecting wi-fi signals while mapping the country. According to its website, the ICO carries out consensual audits with data controllers to assess their processing of personal information.

Last year the ICO became aware that Google Street View vehicles, which had been adapted to collect publicly available wi-fi radio signals, had mistakenly collected a limited amount of payload data, likely to include a very limited quantity of emails, URLs and passwords. Google agreed to facilitate a consensual audit by the ICO.

The framework that was included in the audit scope is as follows:

Framework: Google will conduct an internal assessment and provide a confidential written report (“Privacy Report”) to the Commissioner. This Privacy Report will analyze Google’s implementation of the privacy process changes it outlined on October 22, 2010 as it applies to Google’s UK operations. The Information Commissioner’s Office may then validate the Privacy Report’s accuracy and findings via an in-person meeting to review the Privacy Report at Google’s U.S. headquarters or at the offices of Google’s UK subsidiary. Google shall provide the Privacy Report to the Commissioner before such meeting.

Google has responded to the ICO report, citing that the findings provided “reasonable assurance that Google have implemented the privacy process changes outlined in the Undertaking.” This was posted on the European Public Policy Blog by Alma Whitten, Director of Privacy, Product and Engineering, whose appointment was announced on 22 October 2010.

While there are a few areas for improvement noted in the executive summary, none of them would warrant the description of earth-shattering proportions. We would consider that any company that had been subject to a consensual audit by the Information Commissioner’s Office would be quite satisfied with the report. Knowing how good Google are at marketing, they will probably want to make capital out of it too.

Before we leap to judge Google, it is worth pointing out that in the UK, the Data Protection Act 1998 requires every data controller who is processing personal information in an automated form to notify the ICO, unless they are exempt. Failure to notify is a criminal offence, and entries have to be renewed annually. If you are required to notify but don’t renew your registration, you are committing a criminal offence. Do you need to register?

If your company were to receive a visit from the Information Commissioner’s auditors, even with nine months’ notice like Google, how well do you think you would fare? How many pieces of personal data has your company inadvertently collected over the years, and is still retaining for no legitimate purpose? Perhaps it would be worth a visit to the ICO website to find out if you need to do something now.

For more on the story: