Google has made some progress in improving its privacy practices but still has room for improvement, the Information Commissioner’s Office (ICO) said today.
The web giant agreed to improve its procedures for handling personal data last year, after it admitted unlawfully collecting data from household WiFi networks, including email addresses and passwords, while compiling its StreetView mapping service.
The ICO audited Google’s UK operations last month, and while broadly positive about the company’s progress so far, it also found that there are some improvements to be made.
“I’m satisfied that Google has made good progress in improving its privacy procedures following the undertaking they signed with me last year,” said Information Commissioner Christopher Graham in a statement. But he added that “the ICO’s Google audit is not a rubber stamp for the company’s data protection policies.”
Google – Data Protection Audit Report from the Information Commissioner’s Office (.pdf)
Among the improvements praised by the ICO was the introduction of a cross-departmental privacy function, which includes a privacy engineering team, a privacy legal team and a first level review team. Staff training has been enhanced, using training videos for engineers and mandatory online training courses for all employees. And the company has introduced ‘privacy design documents’, which are used to assess the privacy implications of any project.
However, the ICO also identified a number of ways the company’s privacy procedures could be improved. For example, it found that the privacy training Google offers employees is inconsistent across the organisation.
Further to the ‘privacy design documents’, Google has recently developed the idea of Privacy Story – a privacy plan for the life-cycle of a product, including significant enhancements that may be made in future, possible integrations with other products and technological innovations on the horizon.
The ICO welcomed the concept but argued that it should be extended to include all products, including those that are well established. "Google should use the information gained through the completion of PDDs and Privacy Stories to proactively provide users with information about privacy features of products," it added.
The watchdog can only make recommendations for Google’s operations in the UK, and much of the company’s product development takes place in the US. However, ICO spokesperson Greg Jones told Information Age that Google’s improvements so far showed that "they take privacy seriously".
"It’s encouraging that they’ve taken these steps," he said. "And there’s no reason why they shouldn’t take on our recommendations."
"We welcome [the ICO’s] feedback on our progress, and we look forward to working with them to ensure that we continue to develop products that reflect strong privacy standards and practices," wrote Alma Whitten, director of privacy at Google’s engineering division, on the company’s blog.