If a Man claims that he won’t burgle a shop, and has “Safeguards” to prevent himself from doing so, but then burgles the shop anyway, can you imagine a Judge saying, “Oh that’s ok, you had ‘safeguards’ so that you wouldn’t do it, the fact you HAVE done it is irrelevant”? Can you see this happening? No, of course not, but in what can only be described as a “parallel universe” ruling, the Information Commissioner’s Office (ICO) has done just that.
BT, who sent details of their Subscribers to ACS:LAW, didn’t even encrypt the Excel Documents. ACS:LAW had gone to Court with a list of IP addresses claiming that they belonged to “Copyright Infringers”. BT, WITHOUT mounting ANY defence at Court to defend their Loyal subscribers, sent the documents to ACS:LAW with NO protection whatsoever.
The Documents contained the following information on over 400 Subscribers: their names, Postal address, IP Address, Alleged date of infringement (Hit Date), Time (UK Date Time), and the Content Name.
Remember these were everyday BT/Plusnet customers who had been targeted by ACS:LAW. NO evidence apart from an IP address was supplied, and BT did NOT defend their customers at court.
On the Plusnet Forums, angry Subscribers wanted answers, and they still do. A thread on the forum has attracted 130 pages, over 2000 replies and close to 100,000 views. They have STILL not got the answers regarding ACS:LAW. True, Plusnet HAVE engaged with their subscribers on the forum, but they are stuck with having to deal with this issue via the BT Legal Team.
The ICO, speaking to the Guardian, said: The ICO closed its investigation into the apparent data breach earlier this month after ruling that BT was not liable for the mistake, which it said was committed by one of its employees. It added: “Where it is found that the data controller has adequate policies and safeguards already in place, the usual and most appropriate outcome in these cases is disciplinary action taken by the employer.”
Well we KNOW who that Employee is, his name is Prakash Mistry, he is the Senior Finance Manager at BT. Not sure about you, but I really don’t see much discipline happening there, do you? No, the ICO has acted shamefully in this, as the Solicitors Regulation Authority has in regard to ACS:LAW.
There seems to be NO justice for the man on the street in all of this, and it seems a classic example of a Corporation flouting the rules with impunity.
A letter from Prakash Mistry to ACS:LAW requesting a “Report” (a requirement of the NPO order RE Plusnet) into how many people had been taken to court was met by an arrogant letter claiming that the requests for the report on the forums were:
“… written by pro-piracy advocates with their own specific agenda” and “our client is taking away a method of obtaining their members copyrighted works without paying for them and that upsets those who have enjoyed free media this way”
These were outrageous slurs on their subscribers, met with SILENCE by BT.
These concerns of course can be dismissed, BT being a corporation (No soul to damn, no ass to kick) and ACS:LAW a one man band, whose Boss Andrew Crossley is now discredited in the eyes of many.
What can’t be dismissed is the LACK of protection afforded by the ICO to those affected. As with the SRA, it seems they are toothless, ball-less, impotent shadows; paper tigers with all the bluster of action but with the movement and intent of a slug.
UK Information Commissioner Christopher Graham told the BBC, regarding ACS:LAW, that he had new powers to act with fines of up to £500,000, but much like the BT “Safeguards”, that only works IF IT IS USED! Can we really look forward to the ICO doing much better with the case against ACS:LAW? We wait and see, but not holding any breath.
So the lesson is folks, if you work for a company handling data and YOU are guilty of mishandling it, then your organisation is not responsible for your mistake. The ICO will simply state the controls are in place, so it doesn’t matter if the staff are trained or competent, in fact – probably better if they aren’t. That way the organisation can wash its hands by blaming the individual! Great precedent to set there then. I must remember to copy all the local gov’t templates for data handling and have them as our policies. But then not actually use them. That should waive all my responsibilities.
Pathetic Mr ICO is the only word I can come up with, without resorting to foul language.
An absolute failure by the ICO to carry out their job. Where do Governments find these incompetent & naive people to run their inquiries and commissions? Oh yes, they find them in the Westminster bubble.
How on earth is BT not responsible for the actions of an employee who breaks their own data protection policy and safeguards?
Too many politicians and civil servants in the UK hoping for some well paid consultancy work from big corporations & wouldn’t want to be associated with such nasty things as making these big corporations obey the law.
I wonder if I could do the same as BT? Perhaps I should write a P2P sharing policy document for myself saying that my connection mustn’t be used to share files, then if challenged by a cowboy outfit such as ACS:Law tell them not to worry, it’s OK, I have a written anti P2P policy for my Internet connection, therefore I’m not responsible even though the policy may have been broken.
Two comments on this situation.
Firstly, the bit in the quoted Guardian report:
“It added “Where it is found that the data controller has adequate policies and safeguards already in place, the usual and most appropriate outcome in these cases is disciplinary action taken by the employer””
As I understand and recollect the process this describes originates from a case sometime in the late 80’s or early 90’s involving Tesco and a local statutory based consumer protection officer whose name I think was Natros, or something like it.
The basic issue was that Tesco got caught selling goods at one of its outlets which were past the labelled sell by date. Tesco won the case on the argument that it could prove, with a paper trail evidence, that it had the processes in place in terms of staff training and reporting and that therefore the breach in law was not the fault of the company but the individual employee or employees whose written confirmation they had that they had received the relevant training and understood the company processes and requirements.
As in all case law this defence was used in a case I think it might have been a steel company which was taken to court by the Health & Safety Executive over the death of a contract worker on scaffolding.
The defence against the H&S prosecution argued the Tesco line, from the earlier case quoted above, that the company had written proof of processes, procedures and training which everyone concerned had undertaken and were aware of through having signed written tick in a box documents. Therefore the fault was not with the company but with a specific individual or individuals who had not followed the written processes and training.
Interestingly enough, when I first heard this in the late 80’s/early 90’s as a local NCU Health and Safety Branch and Zone Officer, the H&S Executive employee, who informed the local group of Trade Union Safety Reps in Sheffield which had gone along to the local H&SE offices, also informed us that not only did the brief for the defence argue this case but the brief representing the H&SE also agreed that the argument in the Tesco case was relevant and proper to be used in this case.
I don’t know the eventual outcome of this case but what has happened over a period of years is that companies have jumped on this as a get out clause for every and all responsibility for anything and everything that happens.
All they do is produce a written, and these days electronic, paper trail set of processes & procedures which they regularly get employees to read and sign they have either read them or had the relevant training and bingo! the responsibility for anything that goes wrong is no longer that of the company but of individual employees.
However, and secondly, there is a caveat to this. The BT Senior Finance Manager quoted in the above article does not seem to have had any discipline taken against them by BT. Which does not surprise me.
You see in any company, whether it’s BT or whoever, there are two classes of employee. The Senior Management and everyone else.
Now if this problem had been caused by say any employee from the lowest grade up to first line manager they would have been immediately disciplined and out of the company like shit off a shovel.
In BT, and I say this as an employee of over thirty years, even experienced staff who make simple human mistakes are getting disciplined and sacked for the most spurious and stupid reasons because managers above that of first line don’t have the ability to understand context. They simply follow a simplistic algorithm process regardless of the circumstances. And even if you explain it to them they don’t care because all they are bothered about is their own individual career trajectory.
Asking these people to act like human beings and show some basic fellowship to their fellow men and women is like trying to explain the offside rule, or the game of cricket, to an alien.
However, as we see in this instance, when it involves someone who is “Senior” the company closes ranks and is more lenient. No discipline case is brought against the individual even though the breach of company processes is far more serious than many of the spurious discipline cases brought against ordinary staff for simple human error.