Graham wrote to TalkTalk on 30th July to request more details of the service so that his office, the ICO, could ensure that it did not break the Data Protection Act or the Privacy and Electronics Communications Regulations.
"I am concerned that the trial was undertaken without first informing those affected that it was taking place," Graham said in the letter, according to documents released under freedom of information (FOI) laws.
"You will be aware that compliance with one of the underlying principles of data protection legislation relies on providing individuals with information about how and why their information will be used," he said. "You will also be aware that these principles are not suspended simply because the information is being used for the purposes of a trial."
A TalkTalk spokesman told OUT-LAW.COM that it was sure that its actions had not breached privacy laws.
"Our view is that this is our network and we are looking out from our network to URLs and websites accessed, scanning them all to see if they contain viruses and malware," said the spokesman.
A TalkTalk employee whose name has been blacked out on the FOI documents to protect their privacy wrote back to Graham, outlining the company's view that it did not have to inform users because its actions did not fall within the scope of privacy laws.
"We are confident our network testing of the service falls outside the scope of the Data Protection Act 1998, the Privacy and Electronic Communications Regulations 2003 and indeed the data protection regime in the UK," the employee said in the letter. "The important point is that it is a website URL accessed by our network, not individual customers, that is recorded. We do not look at nor record who is accessing the website as we simply look at where web traffic is routed to on our network."
The letters were published by FOI site WhatDoTheyKnow.com along with a diagram from TalkTalk that shows that the malware system sits alongside abuse, traffic management and billing systems in the TalkTalk ISP network.
TalkTalk Technology managing director Clive Dorsman explained in a blog post how the systems works.
"As requests move through the network, the anti-malware system filters and records the website URLs to which our network has been asked to connect," he said. "The system simply records the destination website URLs; it does not record who sends the request or other personal data with the URL."
"The system scans website URLs for malware and other viruses and then places each website URL in a white list (if the scan is clean – this is retained for up to 24 hours and then automatically deleted) or a black list (if the scan shows viruses, malware or other irregularities – this is retained for up to 7 days and then automatically deleted)," he said.
Graham said that he was "disappointed" that the ICO itself had not been told of the trials before they happened, and that that it would have been better able to deal with questions from the public if it had been informed.
The TalkTalk spokesman said that the company acknowledged that criticism, but that it was "not always possible" for a company preparing a commercial launch to inform outside organisations.
Kathryn Wynn, a lawyer with Pinsent Masons, the law firm behind OUT-LAW.COM, said that for any company making assessments of systems or products that could fall under privacy laws, communication with the ICO is essential.
"This highlights the importance of companies liaising with the ICO over new projects and trials which could have an impact on customers’ privacy," she said. "They should check whether the ICO concurs with their own conclusions about which compliance steps, if any, need to be taken before launching the project or trial.”
TalkTalk has said that when it comes time to launch the malware detection tool commercially later this year it will contact customers.
"Once it is launched, every website accessed from our network will still be scanned," said the spokesman. "There is no opt in or out to that – we own the network and choose to scan URLs and sites so we can protect our customers."
"As a customer you will be able to opt in to us telling you that a website you are about to go and visit is infected and giving you a choice to go or not," said the spokesman. "In our trials in less than a month customers visited 85,000 infected sites."
The ICO said that it is still examining TalkTalk's malware systems.
“The ICO is currently looking into the process by which Talk Talk collects data about websites visited on its network," said an ICO statement. "We have requested further details about how data is used and will continue to monitor this service to ensure that it complies with the Data Protection Act.”
