ICO lets BT off the hook over data handling

Summary:The privacy watchdog will take no action against BT, which saw unencrypted customer details posted online, saying the company should not be held responsible for the actions of employees

The Information Commissioner's Office has dropped an investigation into inadequate data protection by BT, prompting campaigners to say the privacy watchdog will not pursue large corporations due to legal expenses.

BT escapes ICO fine

The Information Commissioner's Office has decided not to fine BT over a data breach that exposed customer information. Photo credit: ell brown on Flickr

The investigation, which was launched after the disclosure of BT customer details involved in an alleged file-sharing case, found that BT should not be held responsible for the actions of one of its employees.

"Where it is found that the data controller has adequate policies and safeguards already in place, the usual and most appropriate outcome in these cases is disciplinary action taken by the employer," said a spokeswoman for the Information Commissioner's Office (ICO) on Wednesday.

The ICO investigation focused on BT's broadband subsidiary PlusNet, which sent unencrypted customer details to solicitors ACS:Law as part of an alleged copyright case. The customer data was leaked onto the internet following a distributed denial-of-service attack on ACS:Law. The solicitor firm has since attempted to drop the cases, and the customer information is still available online.

'Dangerous' precedent

The decision will set a precedent that will have the effect of making large corporations immune from aspects of data-protection law, according to campaign group Privacy International.

"It's an incredibly dangerous precedent," said Privacy International campaigner Alex Hanff. "If companies aren't responsible for the actions of their employees, performed when working for their employers, where does that leave us on data-protection negligence?"

If companies aren't responsible for the actions of their employees, performed when working for their employers, where does that leave us on data-protection negligence?

– Alex Hanff, Privacy International

Hanff suggested that the ICO cannot afford to take large companies to court, which effectively puts corporations beyond its reach. He noted that the watchdog, which has the power to fine organisations up to £500,000, has not attempted to impose any penalty on BT for disclosing unencrypted customer details. In addition, it did not fine Google over its collection of unsecured Wi-Fi data.

Instead, the privacy watchdog has concentrated on fining smaller, public-sector organisations with more limited means to fight cases, said Hanff. "The ICO would seriously struggle to bring a large action to court, because of the legal fees," he said.

The ICO responded that it takes each case on its merits and will pursue large companies if the need arises.

"We have a full understanding of our powers and are not afraid to use them where action is justified," said the ICO spokeswoman. "Enforcing and defending the rights of the UK public under the Data Protection Act has always been — and remains — central to the work of the Information Commissioner's Office."

A BT spokeswoman declined to comment on the ICO investigation or any legal discussions, and declined to say whether disciplinary action against any BT employees had taken place as a result of the breach.

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.

Topics: Security


Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues.Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books.Tom eventually found tha... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.