The Information Commissioner's Office (ICO) has issued a report (15-page / 343KB PDF) detailing its "reasonable assurance" over the way Google has addressed previous concerns over privacy. The report reflects the outcome of a follow-up "desk based" audit the ICO conducted of Google's privacy policies and practices in July this year. The ICO conducted a similar audit of the company in July 2011.
Google had been required to allow the ICO to audit it as part of undertakings the company signed in 2010. The ICO secured the undertakings after deciding not to punish Google with a fine for unlawfully collecting the personal data of UK citizens. Google gathered personal information from Wi-Fi networks when collecting data for its Street View service. The company gathered entire emails, usernames and passwords when its camera-mounted cars scanned Wi-Fi networks. The ICO had twice investigated Google in relation to the data breach before securing the undertakings.
In its July 2011 report the ICO said that Google had offered it "reasonable assurance" that it had made changes to how the company addresses privacy issues. It has now reiterated that view in its final report following the 2012 audit.
"Based on the implementation of the agreed recommendations made in the original audit report, the arrangements continue to provide a reasonable assurance that Google have implemented the privacy process changes outlined in the Undertaking and as reviewed in line with the scope of [the] audit," the report said.
A spokesperson for the ICO told Out-Law.com that the final audit report was "very separate" from the watchdog's ongoing investigation into Google's Street View data collection practices.
In June the ICO announced that it had reopened its investigation into the Street View case for a third time after details emerged about the issue in a report by a US regulator. The ICO said that the findings of the US Federal Communications Commission (FCC) meant that it was "likely" that Google had "deliberately captured" the UK 'payload' data, contrary to claims the company had previously made.
Subsequently Google wrote to the ICO to admit that it had not deleted all the information that it had unlawfully obtained from open Wi-Fi networks in the UK. Google said that a "small portion" of the information that had been collected from its Street View cars when they had toured the UK was still "in its possession". The watchdog has since asked the US internet giant to provide it with the data it found so that it could "subject it to forensic analysis before deciding on the necessary course of action."
Under the terms of its undertakings with the ICO, Google had agreed to ensure that the personal data it collected from its Wi-Fi scanning was deleted.
Among the undertakings Google signed were commitments to ensure that all its employees were trained on the company's code of conduct, which includes sections on privacy and protection of personal data, and that specific training for engineers and "other important groups" was enhanced to "focus on the responsible collection, use and handling of data."
The ICO's final audit report said that Google has introduced a number of "good practices" around privacy. Google was complimented on new internal training and awareness-raising initiatives that it has introduced to improve privacy. In addition, the company's "internal audit reviews" will have privacy as their "theme", the ICO said.
However, Google can still improve in some areas, the watchdog said. It wants Google to use Privacy Design Documents (PDDs) for all its projects. The PDDs are supposed to be written by engineers and contain information that "clearly sets out all data collated by a project" so as to provide for "oversight and review of projects by cross functional teams drawn from engineering, legal and product."
"There are still a number of historical projects without a PDD and Google should look to ensure this is dealt with as quickly as possible," the ICO said in its final audit report. "It is recognised, however, that significant progress has been made in the coverage of the PDD programme since last year and that a risk based approach has been currently adopted to roll out of PDDs. Google should also ensure that robust procedures are in place to ensure the right projects are being escalated for review and audit."
Following its July 2011 audit, the ICO had asked Google to ensure that all of its "existing products" have an associated "Privacy Story". The 'stories' provide users with information relevant to their privacy when using a Google product. In its latest report the ICO said that Google still has more work to do to improve the way it uses the feature.
"Reviews have been undertaken to ensure the efficiency and effectiveness of the privacy processes and this has resulted in a re-launch of the Privacy Stories initiative," the watchdog's report said. "The updated Product Privacy Stories (PPS) process needs to be fully developed and embedded into the product development process, ensuring it is aligned with the PDD process and other privacy reviews. The PPS should be made mandatory for all user facing products at a minimum."
In a blog post the ICO's head of good practice, Louise Byers, said that new research had revealed that organisations view the watchdog's data protection audits and one-day advisory visits "to be of significant benefit in learning how closely they’re meeting their data responsibilities."
"We were pleased to see that the ease of working with ICO staff was highlighted, as was the impression of the audits being a consultation rather than an inspection," Byers said. "That is exactly what we’re looking to achieve: the audits are very much part of our education programme, and our aim is to work with the organisations to improve compliance with the law."