Information Commissioner bottles it. Again.

Ico Regular visitors to the Big Brother Watch blog will remember the scandal surrounding the discovery that BT had sent personal details about its customers to the law firm ACS:Law in a plain text, unencrypted format which could have been accessed by anyone.

Back in September, an investigation was launched by the Information Commissioner into how the information was able to be transmitted without due care for data protection procedures. While many had hopes BT would face action for its infringement of data protection laws, a report from Josh Halliday in today's Guardian reveals that the ICO has ruled that BT "cannot be held responsible for the action" as, by BT's "own rules it should have been encrypted". 

This is a puzzling ruling. It appears to suggest that the Information Commissioner believes having a data protection policy in place is sufficient grounds to protect companies from prosecutions for breaking the law even when their employees disregard that said policy – and break the law!

The fact the employee responsible was acting in violation of company policy shouldn't matter.  BT is clearly guilty of rank incompetence in its handling of customers' personal data and should be punished accordingly.

Once again people are asking the question: if the Information Commissioner is unwilling to take action on an issue as important as this, how can the public be expected have any faith in him?

Posted by on Feb 2, 2011 in Home | 4 Comments


  1. ohno
    2nd February 2011

    Another example of the totally inadequate upholding of data protection that we have in this country.

  2. Richard Craven
    2nd February 2011

    I haven’t lived in London since the introduction of Oyster Cards, and so have little idea of how they work. I’d like to know whether it is feasible to obtain one using a false name and address – purely as a matter of principle, let it be understood; I have no intention whatsoever of paying less than I should.

  3. ohno
    3rd February 2011

    As far as I understand you can buy one in person and there is no requirement to register it although I suspect they will encourage you to do so. I recall a guy saying that he did not buy an Oyster card because they can track your journey from place to place and know where you are going. I would not use a card that required me to register it. When in London I buy a travelcard for the time I am there that does not require me to give any details.

  4. alastair
    3rd February 2011

    It is awful that more people aren’t using S/MIME encrypted e-mails (an open standard that just works once you have an appropriate digital certificate), as that would have prevented this problem from occurring in the first place. You can get a FREE digital certificate for this purpose from many Certificate Authorities; there is a list here:
    and installing these is typically not very difficult. They allow signing of e-mails to prevent unauthorised alteration, and if you have the other party’s public key they also allow encryption (typically you will get the other party’s public key if they send you a signed e-mail). They’re very easy to use and everyone should really be using them.
    One of the nicest properties of these S/MIME certificates is that they result in mail stored on your mail server remaining encrypted, so that even if the mail server is hacked, the hacker won’t be able to access your e-mail.