On Monday, July 11, the UK Information Commissioner’s Office (ICO) published a report about the government’s use of private correspondence channels such as WhatsApp, private emails and messaging apps to conduct official business. As a result of the risks identified in the report, the ICO is urging the government to review its policies regarding the use of these channels.
The 57-page report explains how the lack of controls and rapid increase in the use of these private channels by the Department of Health and Social Care (DHSC) had the potential to lead to important information about the government’s response to the pandemic being lost or poorly handled.
The investigation was launched in 2021, and for one year the data protection regulator looked into the use of WhatsApp, private emails and other messaging apps by Ministers and officials at the DHSC.
The investigation includes examples of how highly sensitive information, properly marked as such, was transferred and stored in private accounts outside the DHSC’s official systems.
“I understand the value of instant communication that something like WhatsApp can bring, particularly during the pandemic where officials were forced to make quick decisions and work to meet varying demands. However, the price of using these methods, although not against the law, must not result in a lack of transparency and inadequate data security,” said John Edwards, U.K. Information Commissioner.
The report shows that there was extensive use of private channels by ministers and staff employed by DHSC. The ICO also suggests that this practice was not limited to the DHSC, but that this was commonly seen across much of the rest of government.
The regulator raised concerns about this practice because it presented two risks. The first is an obvious risk to the confidentiality, integrity and accessibility of the data exchanged. According to the report, DHSC did not have the appropriate controls in place to ensure effective security and risk management for the use of this type of private communication channel. This could have left personal data on third-party servers without any assurance about its confidentiality. The second is a risk to the effective handling of requests for information under the Freedom of Information Act. The report noted that although some Ministers copied information from private channels to the official government account to maintain a record of events, there was a risk that this wasn’t sufficient, and it could have affected the transparency of the government.
“Public officials should be able to show their workings, for both record-keeping purposes and to maintain public confidence. The broader point is making sure the Freedom of Information Act keeps working to ensure public authorities remain accountable to the people they serve,” said Edwards.
The ICO concludes the report with a few recommendations to the DHSC on how to improve the handling of sensitive information when using private communication channels. The regulator could have taken formal regulatory action to impose changes on how the government agency handles the information, but for the moment it has only issued a “reprimand,” which could change if the DHSC doesn’t do anything to improve its data practices.
But in addition to these recommendations, and to “make sure wider lessons are learnt,” said the ICO, the regulator is calling for the government to set up a separate review into the use of these private channels, making sure that data protection and transparency requirements are met.
However, the timing for this call is far from ideal. The ICO is an independent regulator and most of its staff are civil servants, which keeps the regulator fully functional despite changes in the government. But the U.K. government is in the middle of a reshuffle, which could conclude in September, and this may complicate the launch of any formal review any time soon.