ICO approves policy changes after Google Street View privacy issues

The ICO has approved updates to Google's Street View policies following a data compromise last year, but asserts there's room for improvement.

Google’s updated privacy policies have won approval from the Information Commissioner's Office (ICO), although the privacy regulator says the company still has room for improvement.

The announcement follows a two-day audit of the search giant’s UK operations in July, which was ordered after criticism last year of the way Google gathered information about private Wi-Fi networks.

Last November, Google reported that vehicles it uses to gather mapping data for its Google Street View service had been adapted to collect publicly available Wi-Fi radio signals, and had mistakenly collected payload data, including some emails, URLs and passwords. At the time, the company signed an undertaking with the ICO to improve its privacy procedures and to allow the ICO to carry out an audit within nine months to ensure the improvements had been implemented.

In a statement on the ICO website, Information Commissioner Christopher Graham said he was satisfied with progress so far. “The ICO’s Google audit is not a rubber stamp for the company’s data protection policies,” he said. “The company needs to ensure its work in this area continues to evolve alongside new products and technologies. Google will not be filed and forgotten by the ICO.”

New steps taken by the search giant to address Google Street View security issues include:

  • A privacy design document to ensure privacy is built in from the start of all new projects.
  • Extra resources to support and improve privacy awareness.
  • Advanced data protection training for all engineers.
  • Enhanced training for all staff covering privacy and the protection of user data.

The audit found that, while Google had done well to put in place new privacy initiatives, it still needed to implement a more coordinated approach. “As such, Google now has a number of privacy processes and initiatives at different stages of maturity as well as a number of functions delivering separate privacy related training,” the audit concluded. “The ownership and delivery of Google’s privacy processes and training should be reviewed to ensure they have a coordinated and targeted approach and to identify any possible synergies to reduce the risk of inconsistencies and gaps.”

The audit suggested that further improvements needed to be made, including:

  • All existing products should have what the ICO called a “privacy story,” which should provide users with information about the privacy features of Google’s products.
  • All projects should have a privacy design document, with enhanced processes to check the documents for accuracy and completeness.
  • Core training for engineers should be developed to take account of the outcomes of the privacy design document.

Alan Calder, CEO of Cambridge-based IT Governance, a consultancy and training company, was sceptical about the ICO audit having much effect on Google and the way it conducts its business.

“It will add a little to Google’s costs, and the ICO will say they are doing really great things. So it’s a good result from Google’s point of view,” Calder said. “But it won’t change what Google does in any meaningful way.”

For instance, he said that Google+, the company’s new venture into social networking, does not actively promote privacy, and that users have to change the default settings to avoid the automatic sharing of personal information.

“If you can find your way around the privacy statements, you will find that you can change the default settings if you don’t like them, but you have to know where to look,” said Calder. “Google is just doing enough to comply with the law.”
