The ICO’s audit – which took place in London in July – was agreed as part of the terms of an undertaking that Google signed in November 2010 after the company reported that its Street View cars had collected Wi-Fi payload data alongside the location mapping information that was the stated aim of the project. The audit found that Google has taken action in all of the agreed improvement areas. The ICO has now asked the company to go further to enhance privacy, including ensuring that users are given more information about the privacy aspects of Google products.
Information Commissioner, Christopher Graham, said:
‘I’m satisfied that Google has made good progress in improving its privacy procedures following the undertaking they signed with me last year. All of the commitments they gave us have been progressed and the company have also accepted the findings of our audit report where we’ve asked them to go even further. The ICO’s Google audit is not a rubber stamp for the company’s data protection policies. The company needs to ensure its work in this area continues to evolve alongside new products and technologies. Google will not be filed and forgotten by the ICO.’
The audit highlighted specific areas of good practice that Google has developed, including:
A Privacy Design Document, meaning that all new projects undergo an in-depth assessment to ensure that privacy is built in from the start.
An internal privacy structure has been developed across all functions of the business, meaning that the resource dedicated to privacy has been enhanced – as well as its visibility across the office.
Advanced data protection training for all engineers.
Enhanced training for all staff covering privacy and the protection of user data.
The audit recommends that Google still needs to make improvements in some areas, including:
All existing products to have a Privacy Story – an explanation of how data will be managed in a new product. This should be used to provide users proactively with information about the privacy features of products.
Google should ensure that all projects have a Privacy Design Document, and that processes to check them for accuracy and completeness continue to be enhanced.
The core training for engineers should be developed to include specific engineering disciplines, taking account of the outcomes of the Privacy Design Document.
The ICO’s audit was conducted in accordance with the Information Commissioner’s data protection audit methodology. The key elements of this are a desk-based review of relevant documentation, an on-site visit including interviews with staff and an inspection of selected records.
