So...
So as long as they suggest they might tell the employee off they get away scot-free?
That's as bad as "The dog ate my homework", no it is worse, surely companies are responsible for the actions of their staff.
The Information Commissioner's Office has ended an investigation against BT for handing over customer information to file-sharing-chaser law firm ACS:Law, which then leaked online. ACS:Law's speciality is sending letters to suspected file-sharers threatening them with expensive legal action unless they send the law firm money …
John Oats says:
"...leaked online after ACS:Law was hacked."
However, everyone in the IT world (including el reg) recognises that ACS:Law was not hacked, it was just completely incompetent and knew nothing about IT when it put its website back together after suffering from very high load (DDoS).
As for the title of my post; it insisted that I needed one, so what better than the byline for the story I am commenting on?
How the hell did you get...
"In other words - it was a member of staff who sent the unencrypted data, and therefore it's not BT's responsibility"
...from....
"Where it is found that the data controller has adequate policies ..., the usual ... outcome ... is disciplinary action taken by the employer."
????
Any corporate confronted by the ICO with a complete failure to protect acutely sensitive personal information from the world at large - even in defiance of a court Order no less - can now simply say... "it's a disciplinary matter".
No more penalties for reckless and gross mismanagement of acutely sensitive personal information.
In particular, ACS:Law would be able to claim (on the same basis as BT/Plusnet) that Jonathan Miller was responsible for the disclosures of Sky data, and therefore, "it's a disciplinary matter".
Cue the collapse of the ICO investigation into ACS:Law.
Cue the collapse of the Data Protection Act.
Or sack the ICO and replace them with competent trustworthy people who are not lazy or stupid.
-- a crap cliche I know, but the most appropriate I can come up with.
All my dealings with the ICO have convinced me that they exist rather like the Advertising Standards Authority and the Press Complaints Commission, to give the impression there's some proper regulation going on, while allowing companies to flout the law and what everybody else would consider ethical behaviour.
I've made numerous complaints to the ICO about UK companies spamming me. Even when they've investigated the complaint and concluded that I WAS illegally spammed, all that happened was "we told them to stop, but we can't do anything about it if they don't".
Even when companies like Think Pink Cartridges didn't bother replying to the ICO's enquiries about their activities, they've been left to it with no action taken against them.
Looks like one law for big companies, and another for everybody else.
The ICO has used its fining powers, but these have been with organisations with significantly smaller legal departments than BT.
If the ICO wants credibility, it needs to tackle the hard cases, not the easy wins (this is also why CPS is frequently ridiculed e.g. being referred to as the Criminal Protection Service)
Maybe we should just give enforcement of the DPA to the FSA (£1.4m fine for losing 30k details)
The ICO must go, they are a worthless organisation who do not even understand the meaning of the phrase "Data Protection".
It's amazing how many large companies now laugh at the customer, when the customer warns to take the matter to the ICO. They know the ICO will do bugger all and I for one have now even given up doing this.
I am surprised the Information Commissioner himself can still go to work each day with all the shame that surrounds him.
I agree with another poster, this role needs to go to someone with balls - At least the FSA has done a much better job so far of enforcing Data Protection issues.
SHAME ON YOU ICO!