Regular visitors to the Big Brother Watch blog will remember the scandal surrounding the discovery that BT had sent personal details about its customers to the law firm ACS:Law in a plain text, unencrypted format which could have been accessed by anyone.
Back in September, an investigation was launched by the Information Commissioner into how the information was able to be transmitted without due care for data protection procedures. While many had hopes BT would face action for its infringement of data protection laws, a report from Josh Halliday in today's Guardian reveals that the ICO has ruled that BT "cannot be held responsible for the action" as, by BT's "own rules it should have been encrypted".
This is a puzzling ruling. It appears to suggest that the Information Commissioner believes having a data protection policy in place is sufficient grounds to protect companies from prosecution for breaking the law, even when their employees disregard that policy – and break the law!
The fact the employee responsible was acting in violation of company policy shouldn't matter. BT is clearly guilty of rank incompetence in its handling of customers' personal data and should be punished accordingly.
Once again people are asking the question: if the Information Commissioner is unwilling to take action on an issue as important as this, how can the public be expected to have any faith in him?