The ICO decided that the telco was not responsible for emailing unencrypted customer details to controversial solicitors ACS:Law. Instead, it has handed the ball back to the company, claiming that as the incident concerned the failure of staff within the company, BT should deal with it internally.
The ICO said in a statement: “We have regular contact with a range of organisations regarding allegations of staff inappropriately accessing or disclosing personal information.”
“Where it is found that the data controller has adequate policies and safeguards in place, the usual and most appropriate outcome is disciplinary action taken by the employer.”
However, BT might not be out of the ICO’s beady eyes just yet – with the statement hinting that if it was found that an employee had accessed records for personal gain, such as selling them to a third party, the ICO could open a criminal investigation.
The ICO began looking into the case late last year after BT emailed details about more than 500 of its customers to solicitors at ACS:Law. ACS:Law had obtained the customers’ details from BT and others through a court order and had intended to sue them over alleged copyright infringement. However, these were leaked following a DDoS attack.
The ruling by the ICO has angered rights groups. Alexander Hanff, a spokesman at Privacy International, blasted the watchdog in a blog post, claiming that its decision made a farce of the Data Protection Act.
“This is an incredibly dangerous decision for the ICO to have made as it effectively dissolves any pretence that a company is responsible for the actions of its employees at work,” he said.
“Whereas we already had a very weak data protection regime due to lack of enforcement and regulatory capture, we now effectively have no data protection regime with regards to corporate breaches of the Data Protection Act,” he added.