Earlier this year it was widely reported that there was evidence that Google was gathering personal and sometimes sensitive data about and/or belonging to the general public. Google were understandably shocked. If this was happening, clearly it would be a breach of not only their own standards regarding data privacy and security but also national and international statutory obligations. Google made assurances that if they were found in breach they’d address any concerns. Several states launched investigations, including the UK’s own Information Commissioner’s Office.
The UK’s ICO found, rather quickly, nothing of real note to report. Observers were puzzled about both the ICO’s findings and the speed with which they were made, especially considering that other states were still conducting investigations. This has most recently come back into the media spotlight, as one of these investigations has found that emails and passwords belonging to the public have been gathered without permission. It would seem, after all, that personal and sensitive data was being gathered.
Clearly this raises several questions about Google’s commitment to its own privacy and security policies, or the effectiveness of its internal controls to identify and manage such risks. However, the observation I’d like to make is to question why the UK’s only privacy watchdog, the Information Commissioner’s Office, had to rely on the work of other national states to identify the problem, having closed its own investigation in July this year.
My suspicion is that the depth of the original ICO investigation had much to do with resources, a problem which the ICO has had to live with since its inception. This worries me, as the ICO is the only body tasked with the protection of privacy outside of the FSA here within the UK. Unless the ICO is resourced appropriately, and if the number and scale of privacy and security breaches continue to escalate, what realistic expectations may we have regarding the privacy and security of our sensitive data? And in the future, how will data security & privacy be enforced if not by a national privacy watchdog?