In September ACS:Law – a firm which specialises in taking action against illegal downloaders – received details of 500 PlusNet customers in a plain text attachment to an email. This was later leaked online after the law firm was hacked.
But the ICO concluded that as it was a rogue member of staff from PlusNet – a BT-owned company – who sent the file, it would not face action.
A spokesman said: “Where it is found that the data controller has adequate policies and safeguards already in place, the usual and most appropriate outcome in these cases is disciplinary action taken by the employer. However, where that employee is accessing records for personal gain, such as selling the data on to third parties, the ICO may open a criminal investigation.”
But Privacy International, which is promising to push for a judicial review of the ruling, said the decision was worse than the ICO’s “usual incompetence”.
A spokesman said: “This is an incredibly dangerous decision for the ICO to have made as it effectively dissolves any pretence that a company is responsible for the actions of their employees at work.
“Commissioner Christopher Graham (pictured) has, in essence, now created a data protection regime where companies will not be held responsible for the actions of their staff.”
To leave a comment please register – it takes less than a minute and is free of charge. You will also get our weekly email update The DM Report (to opt out contact email@example.com). If you are an existing user, please log in. If you have forgotten your log-in details please email firstname.lastname@example.org to get them reset!