Google gets better at privacy, but room for improvement

As the debate over privacy and the Cloud continues unabated, the Information Commissioner reckons that Google has taken what it calls "reasonable steps" to improve its policies in this area - but the firm isn't off the hook just yet.

Last year the US firm was at the heart of a massive media-led storm (with the Daily Mail particularly enraged) over the unlawful capture of data by its Street View mapping cars. Google agreed to improve its procedures for handling personal data last year, after it admitted unlawfully collecting data from household WiFi networks, including email addresses and passwords.

Now the Information Commissioner's Office (ICO) has given the firm a nod of approval for its actions since then, but still won't "rubber stamp" its policies. The ICO audited Google's UK operations last month, and while broadly positive about progress made, warned that there is still a way to go.

Information Commissioner Christopher Graham said:

“I’m satisfied that Google has made good progress in improving its privacy procedures following the undertaking they signed with me last year. All of the commitments they gave us have been progressed and the company have also accepted the findings of our audit report where we’ve asked them to go even further. The ICO’s Google audit is not a rubber stamp for the company’s data protection policies. The company needs to ensure its work in this area continues to evolve alongside new products and technologies. ”

Improvements noted by the ICO include:

The introduction of a cross-departmental privacy function, which includes a privacy engineering team, a privacy legal team and a first level review team.
Enhanced staff training has been enhanced, using training videos for engineers and mandatory online training courses for all employees.
New 'privacy design documents', which are used to assess the privacy implications of any project.

But areas for improvement include:

All existing products need to have a Privacy Story – an explanation of how data will be managed in a new product. This should be used to provide users proactively with information about the privacy features of products.
Google needs to ensure that all projects have a Privacy Design Document, and that processes to check them for accuracy and completeness continue to be enhanced.
Core training for engineers needs to be developed to include specific engineering disciplines, taking account of the outcomes of the Privacy Design Document (PDD).
The Google Code of Conduct and the related training should be updated to include specific reference to Google’s five privacy principles. The tracking of core training participation and attendance should be improved to ensure all relevant employees receive the appropriate privacy training.
All projects with a Tech Lead need to have a PDD and workflow tools should continue to be developed to track PDD submissions, maintenance and review to ensure they are completed for all relevant projects and are being kept up to date.
Google needs to conduct random checks across all PDDs to ensure completeness and accuracy, including undertaking Privacy Code Audits on a spot check basis. The results should be recorded and followed up where appropriate.

In a post on Google's European public policy blog on Tuesday, Alma Whitten, the company's director of privacy, said it had "significantly enhanced" core training for engineers over the past year:

“The report verifies the improvements we've made to our internal privacy structures, training programmes and internal reviews, and identifies some scope for continued work. We welcome their feedback on our progress, and we look forward to working with them to ensure we continue to develop products that reflect strong privacy standards and practices…We have worked hard on these new privacy controls, which are designed to improve our internal practices without getting in the way of the innovation that has powered Google since its inception. We know there is no perfect solution, so we will continue to improve our current processes and develop new ones so that privacy awareness grows and evolves alongside Google. ”

The consequences of not doing so would be grave, warned Information Commissioner Graham who warned:

“Google will not be filed and forgotten by the ICO. ”