ICO considers action over IoT data protection

The Information Commissioner’s Office (ICO) has said it will look to take action against any device or service connected to the Internet of Things (IoT) that is found to be breaking data protection laws.

It comes as an international study has found that six in ten IoT devices don’t fully explain to customers how their personal information is being used.

The study, conducted by 25 data protection regulators around the world, looked at more than 300 devices including internet-connected thermostats and smart meters, both of which affect small businesses.

Researchers focused on how well the companies responsible for them communicate privacy matters to their customers.

The study found that 59 per cent of devices failed to adequately explain to customers how their personal information was collected, used and disclosed, and that 68 per cent failed to properly explain how information was stored.

A further 72 per cent of devices failed to explain how customers could delete their information from the device, and 38 per cent failed to include easily identifiable contact details for customers with privacy concerns, according to the study.

Concerns were also raised around medical devices that sent reports back to GPs via unencrypted email.

The ICO said that authorities will now consider taking action against any firm thought to be breaking data protection laws.

ICO head of enforcement Steve Eckersley said: “Companies making these devices need to be clear how they’re protecting customers. We would encourage companies to properly consider the privacy impact on individuals before they go to market with their product and services.”

He added: “By looking at this internationally, we’ve been able to get an excellent overview on this topic. We’ll now be building on that, working with the industry and looking specifically at companies who might not have done enough to comply with the law.”