The Information Commissioner’s Office issued the following statement:
Google Inc. has signed a commitment to improve data handling to ensure breaches like the collection of WiFi payload data by Google Street View vehicles do not occur again, the Information Commissioner said today.
Senior Vice President of Google, Alan Eustace, has signed an undertaking on behalf of Google Inc. which commits the company to putting into place improved training measures on security awareness and data protection issues for all employees. The company has also said it will require its engineers to maintain a privacy design document for every new project before it is launched. The payload data that Google inadvertently collected in the UK will also be deleted.
The Information Commissioner’s Office (ICO) will conduct a full audit of Google’s internal privacy structure, privacy training programs and its system of privacy reviews for new products. The audit will take place within nine months of the undertaking being signed.
Information Commissioner, Christopher Graham, said:
“I am very pleased to have a firm commitment from Google to work with my office to improve its handling of personal information. We don’t want another breach like the collection of payload data by Google Street View vehicles to occur again.
“It is a significant achievement to have an undertaking from a major multinational corporation like Google Inc. that extends to its global policies and not just its UK activities.
“We will be keeping a close watch on the progress Google makes and will follow up with an extensive audit. Meanwhile, I welcome the fact that the WiFi payload data that should never have been collected in the first place can, at last, be deleted.”
Most of the undertaking seems to just be Google agreeing to do what it should be doing anyway. There is a a provision for an audit, but the terms of the audit seem to be just a paper review:
Framework: Google will conduct an internal assessment and provide a confidential written report (“Privacy Report”) to the Commissioner. This Privacy Report will analyze Google’s implementation of the privacy process changes it outlined on October 22, 2010 as it applies to Google’s UK operations. The Information Commissioner’s Office may then validate the Privacy Report’s accuracy and findings via an in-person review of the Privacy Report at Google’s U.S. headquarters and at the offices of Google’s UK subsidiary. Google shall provide the Privacy Report to the Commissioner before such meeting.