Peter A Clarke

Police breaching privacy is almost a cliche. The Victorian Police had a sub specialty for years in misusing the LEAP database.  In the UK the Information Commissioner’s Office (ICO) has issued reprimands to Dover Harbour Board and Kent Police for breaches of privacy.  Those breaches related to the use of the social media app, WhatsApp, and instant-messaging service, Telegram, on personal phones to share information. The personal information was being shared in the group without appropriate safeguards in place.

This is a widespread problem.  Encrypted social media messaging havw been used by politicians and officials doing government business to do communicate, and do business, away from official means of communications.  The problem with  social media messaging apps on personal devices is that it avoids the necessary oversight supervisors and managers should have.   For example while Prime Minister Malcolm Turnbull used Wickr adn Confide outside of the federal parliament’s system when communicating with colleagues and journalists. He claimed not to have used the systems to send classified government information. But, as Mandy Rice Davies said after hearing Lord Astor had denied having sex with her “He would, wouldn’t he.” 

Regarding Dover Board the reprimand relates to the use of  WhatsApp and then Telegram.  The reprimand relevantly states:

• it is likely that personal data relating to individuals about whom intelligence was being sought would be saved on these personal devices in the form of  photographs and message content.  Officially provided devices routinely have enhanced levels of security and encryption not usually present on personal devices.
• the lack of enhanced security measures is considered to be weakness in respect of the security of personal data being processed for official purposes and data held on  personal devices would potentially be at risk of access by third parties.
• there was no evidence that a risk assessment was undertaken either upon the setting up of the WhatsApp Group or  Telegram and that no Terms of Reference for the Group had been published.
• there was no process in place for removing members from the Group who left law enforcement employment;
• those with administration duties for the Group were unclear of their role and no training was provided.
• there was a lack of appropriate records management in place for a forum designed to share personal data.
• there was no evidence that prior to the incident occurring data protection training in respect of the processing of personal data for law enforcement/policing purposes
• there was a:
  • lack of corporate awareness of the content of training and policies;
  • failure to ensure staff have received appropriate data protection training; and
  • lack of adequate awareness of data protection legislation requirements.

Regarding Kent Police the reprimand relates to an incident in February 2021 when a Kent Police officer took a photograph of an individual’s identity document using her personal mobile phone and uploaded the image onto Telegram. The Kent Police officer did not inform the individual that further processing of his personal data would take place and ; how it would be processed. Other matters arising from the reprimand are:

• the sustained use of Telegram could have gone unnoticed by supervisors, which is considered to be indicative of a lack of awareness of data protection responsibilities, both at operational and supervisory level.
• the use of personal devices is considered to represent a potential security weakness. Here the use of the Group also resulted in data potentially being uploaded to Telegram as a result of messages being stored as “cloud chats” on Telegram’s servers, which are hosted internationally. Therefore access to the personal data shared via Telegram cannot be considered to be securely held or access adequately restricted