The UK Information Commissioner provides a report to Parliament “Behind the screens” regarding the use of private emails and messaging apps within government & issues of data security and transparency

July 12, 2022 |

The UK Information Commissioners Office has just released a significant and detailed report titled Behind the screens: ICO calls for review into use of private email and messaging apps within government on the use messaging apps and technologies within government with the associated the issues of privacy, data security and transparency.  The flexibility that comes with using messaging apps has unwelcome consequences when used for official business.  The lack of record of important exchanges goes to proper transparency.  The use of apps and texts have real security issues.  Private exchanges for public business can be problematical.

The media release provides:

The Information Commissioner’s Office (ICO) has today called for a government review into the systemic risks and areas for improvement around the use of private correspondence channels – including private email, WhatsApp and other similar messaging apps.

The ICO report – Behind the screens – maintaining government transparency and data security in the age of messaging apps – details a yearlong investigation, launched in 2021 by Commissioner Elizabeth Denham, into the use of these channels by Ministers and officials at the Department of Health and Social Care (DHSC) during the pandemic.

The investigation found that the lack of clear controls and the rapid increase in the use of messaging apps and technologies – such as WhatsApp – had the potential to lead to important information around the government’s response to the pandemic being lost or insecurely handled.

An example of this included some protectively marked information being located in non-corporate or private accounts outside of DHSC’s official systems. This information, which had been stored on outside servers, shows an oversight in the consideration of storage and retention of this information and the associated risks this could bring.

The ICO concluded that there were real risks to transparency and accountability within government and has now called for a review of practices as well as action to be taken to ensure improvements are made in relation to how officials and Ministers use private correspondence channels moving forward.

John Edwards, UK Information Commissioner, said:

“I understand the value of instant communication that something like WhatsApp can bring, particularly during the pandemic where officials were forced to make quick decisions and work to meet varying demands. However, the price of using these methods, although not against the law, must not result in a lack of transparency and inadequate data security.

“Public officials should be able to show their workings, for both record keeping purposes and to maintain public confidence. That is how trust in those decisions is secured and lessons are learnt for the future.

“The broader point is making sure the Freedom of Information Act keeps working to ensure public authorities remain accountable to the people they serve. Understanding the changing role of technology is part of that picture. I’ll be setting out more details on how my office will approach FOI differently later this week when I launch ICO25 – the ICO’s new three-year plan.”

The ICO’s findings

Key findings from the ICO investigation included that:

    • There was extensive use of private correspondence channels by Ministers, and staff employed by DHSC. Evidence more widely available in the public domain also suggests this practice is commonly seen across much of the rest of government and predates the pandemic.
    • While there is clear evidence that Ministers were regularly copying information to government accounts to maintain a record of events, there was a risk that these arrangements were not always followed by all Ministers and needs to be improved.
    • DHSC did not have appropriate organisational or technical controls in place to ensure effective security and risk management of private correspondence channels being used. For example, the department did not hold information about where personal data on third-party accounts were hosted as DHSC does not manage third-party servers.
    • DHSC’s policies and procedures were inconsistent with Cabinet Office policy on the use of private email (June 2013) and had some significant gaps based on how key individuals were working in practice. This presented a risk to the effective handling of requests for information in line with the relevant codes of practice under FOI.
    • The use of such channels in this way also presented risks to the confidentiality, integrity and accessibility of the data exchanged.
    • We recognise that the use of private channels brought some real operational benefits at a time in which the UK was facing exceptional pressures throughout the COVID-19 pandemic. However, it is of concern that such practices continued as BAU without any review of their appropriateness or the risks they presented, and we have made recommendations for improvement to DHSC.

Action taken by the ICO

The ICO has now issued DHSC with a practice recommendation (included in the report) ordering the department to improve its management of FOI requests and address inconsistencies in its existing FOI guidance. This will ensure FOI requests are better managed, particularly in relation to any material created or contained in personal accounts.

A reprimand has also been issued under the UK General Data Protection Regulation (UKGDPR), requiring DHSC to improve its processes and procedures around the handling of personal information through private correspondence channels and ensure information is kept secure. We have also issued a set of recommendations to further support this.

To make sure wider lessons are learnt, the ICO is also calling for the government to set up a separate review into the use of these channels and how the benefits of new technologies, including private messaging services, can be realised whilst ensuring data protection and transparency requirements are met. This will help address the significant inconsistencies in approach that appear to be taking place across government and help ensure that risks are better managed.

The ICO also welcomes the decision of the UK COVID-19 Inquiry, chaired by Baroness Hallett, to accept the ICO’s recommendation to consider how information was recorded by the government during the pandemic specifically. This will further ensure lessons are learnt for the future.

The ICO has previously published guidance on how the FOI Act applies to official information held on private correspondence channels. The guidance explains that any official business should be conducted through corporate communication channels, such as departmental email accounts, wherever possible and that official information exchanged through private channels should be transferred onto official systems as soon as possible.

Given there have been reported use by Ministers and even a Prime Minister of Whatsapp while in office the issues in this report are broadly as relevant in Australia as in the United Kingdom even if the legislation differs, sometimes markedly.

Leave a Reply

Verified by MonsterInsights