The Information Commissioner’s Office (ICO) has recently concluded its year-long investigation into the use of private correspondence channels (e.g. private emails, Whatsapp, and other messaging apps) by Government Ministers and officials at the Department of Health and Social Care (DHSC) during the pandemic.
The investigation found failings at DHSC in compliance with transparency and personal data protection obligations.
This has led the ICO to call for the Government to review its current practices and take necessary action to improve its processes and security procedures around handling personal information through various private correspondence channels.
Background to the “behind the screens” investigation
Following widespread media reports, the ICO received complaints in July 2021 about DHSC’s alleged use of private correspondence channels for official business, and concerns were raised about such information being lost from the public record.
The complaints led to an investigation being launched under the authority of UK GDPR and the Data Protection Act 2018.
The investigation involved firstly issuing statutory information notices to require DHSC (as a public body) to provide various pieces of information and documents within 30 working days. Notices were also issued to a number of individuals, including Matthew Hancock MP, Lord Bethell of Romford, and Helen Whately MP.
Each individual was required to answer a series of questions about their use of private messaging channels and their knowledge of the relevant policies and procedures in place at DHSC.
In light of the written responses received to the notices, voluntary interviews were held with a number of individuals, including DHSC’s Data Protection Officer and Senior Information Risk Officer.
In total, the ICO received more than 4,800 emails located in an account outside of DHSC’s official systems. There were also hundreds of pages of evidence collated which contained emails and messages with non-corporate accounts.
Key findings
- There was extensive use by DHSC of private correspondence channels. Evidence suggests this practice is commonly seen across many other Government departments and predates the pandemic.
- Whilst there is clear evidence that Ministers were regularly copying information to Government accounts to maintain a record of events, there was a risk that these arrangements were not always followed by all Ministers and need to be improved.
- DHSC did not have the appropriate controls in place to ensure effective security and risk management of the private correspondence channels being used.
- DHSC’s policies and procedures had some significant gaps which presented a risk to the effective handling of requests for information.
- The use of such channels presented risks to the confidentiality, integrity, and accessibility of the data exchanged.
- The use of private correspondence channels for official business has continued post-pandemic without a review of its appropriateness and the risks.
Of key concern is that information not recorded within official systems would not be available to help the public and official inquiries to understand decisions taken by Ministers and officials. It is also information that the public has a right to seek access to under the Freedom of Information Act (FOIA).
Implications & next steps
As a result of the above, the ICO has issued DHSC with a practice recommendation ordering the department to make improvements in its management of Freedom of Information (FOI) requests.
A reprimand has also been issued under UK GDPR requiring DHSC to improve its procedures around the handling and security of personal information through private correspondence channels.
The Information Commissioner, John Edwards, said the following:
“I understand the value of instant communication that something like WhatsApp can bring, particularly during the pandemic where officials were forced to make quick decisions and work to meet varying demands. However, the price of using these methods, although not against the law, must not result in a lack of transparency and inadequate data security.
“Public officials should be able to show their workings, for both record keeping purposes and to maintain public confidence. That is how trust in those decisions is secured and lessons are learnt for the future…”
To make sure that lessons are learnt, the ICO has called for the Government to set up its own separate review into the use of these channels.
Comment
The ICO’s investigation and the subsequent recommendations made to a Government department highlight the important balancing act to be conducted by public bodies and organisations between reaping the benefits of utilising new technologies, whilst ensuring that data protection, transparency, and accountability requirements are consistently met.
The stance taken by the ICO here ties in with its broader projects, in particular the ICO’s new three-year plan, ICO25, which among other things will detail how the ICO will approach FOI differently moving forward.
How can we help?
Shrdha Kapoor is a Trainee Solicitor in our Dispute Resolution team.
If you have any questions concerning the subjects discussed in this article, please contact Shrdha or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online form.
The post ICO Calls For Government To Review Its Use Of Messaging Apps For Official Business appeared first on Nelsons.