Back in 2010 the Information Commissioner’s Office (ICO) ruled that Google was in breach of the Data Protection Act. Whilst sending out its cars with cameras perched atop ostensibly for the purpose of collecting images for its map software, Google Street View, it had also been collecting personal information from wi-fi networks. Along with legitimate data about the location of these hotspots, the Google Street View cars were also harvesting personal details from unsecured networks, known as payload data. Although the ICO initially dropped a probe into the affair after being told limited data had been “mistakenly collected”, it later re-opened the investigation after being made aware of reports that a Google engineer had deliberately written software to obtain a wider range of material (see Simply-docs blog entry of 14th June 2012).
Google had originally given an undertaking to destroy the data it was holding and issued a statement saying it had done so in December 2010. However, it has now emerged that the search giant recently contacted the ICO to report that some of the data it had gathered had not actually been deleted, and is still in existence, some 18 months after it should have been wiped. ICO asked Google to hand over the data immediately “so that we can subject it to forensic analysis before deciding on the necessary course of action“. A response is now being awaited.
All businesses must adhere to the principles laid down by the Data Protection Act 1998, which govern how personal data is collected, held and processed by organisations. This pair of template data protection policies sets out the data protection obligations of businesses and employers and lays down a number of organisational and procedural measures to ensure compliance with the Act.