WIREDGOV

Google Inc. has taken reasonable steps to improve its privacy policies, the Information Commissioner’s Office (ICO) said today, following an audit at the company’s London office.

The ICO’s audit – which took place in London in July – was agreed as part of the terms of an undertaking that Google signed in November 2010 after the company reported that its Street View cars had collected Wi-Fi payload data alongside the location mapping information that was the stated aim of the project. The audit found that Google has taken action in all of the agreed improvement areas. The ICO has now asked the company to go further to enhance privacy, including ensuring that users are given more information about the privacy aspects of Google products.

Information Commissioner, Christopher Graham, said:

“I’m satisfied that Google has made good progress in improving its privacy procedures following the undertaking they signed with me last year. All of the commitments they gave us have been progressed and the company have also accepted the findings of our audit report where we’ve asked them to go even further. 

“The ICO’s Google audit is not a rubber stamp for the company’s data protection policies. The company needs to ensure its work in this area continues to evolve alongside new products and technologies. Google will not be filed and forgotten by the ICO.”

The audit highlighted specific areas of good practice that Google has developed, including:

• A Privacy Design Document, meaning that all new projects undergo an in-depth assessment to ensure that privacy is built in from the start.
• An internal privacy structure has been developed across all functions of the business, meaning that the resource dedicated to privacy has been enhanced – as well as its visibility across the office.
• Advanced data protection training for all engineers.
• Enhanced training for all staff covering privacy and the protection of user data.

The audit recommends that Google still needs to make improvements in some areas, including:

• All existing products to have a Privacy Story – an explanation of how data will be managed in a new product. This should be used to provide users proactively with information about the privacy features of products.
• Google should ensure that all projects have a Privacy Design Document, and that processes to check them for accuracy and completeness continue to be enhanced.
• The core training for engineers should be developed to include specific engineering disciplines, taking account of the outcomes of the Privacy Design Document.

The ICO’s audit was conducted in accordance with the Information Commissioner’s data protection audit methodology. The key elements of this are a desk-based review of relevant documentation, an on-site visit including interviews with staff and an inspection of selected records. The on-site audit field work was undertaken at Google Inc in London on 19 and 20 July 2011.

The executive summary of the Google audit can be viewed on our Conducting audits page.

View the news release about the undertaking Google signed in November 2010  

Notes to Editors

• The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
• The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
• The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.
• Contact our press office on 0303 123 9070 and at ico.gov.uk/press