ICO drops investigation into BT data breach

The Information Commissioner's Office (ICO) has dropped an investigation into BT after the telco's Plusnet subsidiary sent unencrypted details of 500 of its customers to law firm ACS:Law.

The ICO will not be taking action as the incident concerned the failure of staff within BT to follow clear policies set out by the firm, making it an internal matter for BT.

"We have regular contact with a range of organisations regarding allegations of staff inappropriately accessing or disclosing personal information," said the ICO in a statement.

"Where it is found that the data controller has adequate policies and safeguards in place, the usual and most appropriate outcome is disciplinary action taken by the employer."

However, the statement warned that if an employee had accessed records for personal gain, such as selling it to a third party, the ICO could open a criminal investigation.

V3.co.uk contacted BT for comment but had received no reply at the time of publication.

Alexander Hanff, an advisor at Privacy International, said in a blog post that the decision further undermines the ICO's position and makes a mockery of the Data Protection Act.

"This is an incredibly dangerous decision for the ICO to have made as it effectively dissolves any pretence that a company is responsible for the actions of its employees at work," he said.

"Whereas we already had a very weak data protection regime due to lack of enforcement and regulatory capture, we now effectively have no data protection regime with regards to corporate breaches of the Data Protection Act."

Hanff added that Privacy International will call for a judicial review of the ICO's decision and of the organisation itself.

Jim Killock, executive director at the Open Rights Group, also rounded on the ICO, arguing that it had a responsibility to take action against BT and restore public confidence that its actions have consequences.

"BT's practices or policies regarding data transfer were clearly inadequate. Criminal intent is not the only question here: the public needs to know how BT will be changing its data transfer practices," he said.

However, Stewart Room, a lawyer at Field Fisher Waterhouse LLP, told V3.co.uk that the ICO's decision makes sense as it allows organisations to protect against sanctions if they have the correct policies in place.

"The ICO's reasoning for not taking action against BT confirms the existence of the regulatory presence for systems-based regulation; it seems that BT had the correct paperwork in place but the employees failed to comply," he said.

"It would be a perverse interpretation of the law if the ICO defaulted to sanctioning organisations when employees fall into error. The lesson here for data controllers is that, if you get your paperwork in order, you can escape regulatory action."