ICO calls for overhaul of ministers using WhatsApp

The Information Commissioner’s Office is demanding an official review into the systemic risks created by Government ministers and officials using private correspondence channels, following a year-long investigation which has exposed potential data security failings and has triggered a “reprimand”.

The ICO report – Behind the screens: maintaining government transparency and data security in the age of messaging apps – details the investigation, launched in 2021 by Commissioner Elizabeth Denham, into the use of private email, WhatsApp and other similar messaging apps by ministers and officials at the Department of Health & Social Care (DHSC) during the pandemic.

The investigation found that the lack of clear controls and the rapid increase in the use of messaging apps and technologies had the potential to lead to important information around the Government’s response to the pandemic being lost or insecurely handled.

An example of this included some protectively marked information being located in non-corporate or private accounts outside of DHSC’s official systems. This information, which had been stored on outside servers, shows an oversight in the consideration of storage and retention of this information and the associated risks this could bring, the ICO insists.

The ICO concluded that there were real risks to transparency and accountability within Government and has now called for a review of practices, as well as action to be taken to ensure improvements are made in relation to how officials and ministers use private correspondence channels moving forward.

Information Commissioner John Edwards said: “I understand the value of instant communication that something like WhatsApp can bring, particularly during the pandemic where officials were forced to make quick decisions and work to meet varying demands. However, the price of using these methods, although not against the law, must not result in a lack of transparency and inadequate data security.

“Public officials should be able to show their workings, for both record keeping purposes and to maintain public confidence. That is how trust in those decisions is secured and lessons are learnt for the future.

“The broader point is making sure the Freedom of Information Act keeps working to ensure public authorities remain accountable to the people they serve. Understanding the changing role of technology is part of that picture. I’ll be setting out more details on how my office will approach FOI differently later this week when I launch ICO25 – the ICO’s new three-year plan.”

The report includes details of extensive use of private correspondence channels by ministers, and staff employed by DHSC. Evidence more widely available in the public domain also suggests this practice is commonly seen across much of the rest of Government and predates the pandemic.

While there is clear evidence that ministers were regularly copying information to Government accounts to maintain a record of events, there was a risk that these arrangements were not always followed by all ministers, and the arrangements need to be improved, the ICO said.

DHSC did not have appropriate organisational or technical controls in place to ensure effective security and risk management of private correspondence channels being used. For example, the department did not hold information about where personal data on third-party accounts were hosted as DHSC does not manage third-party servers.

The regulator maintains that DHSC’s policies and procedures were inconsistent with Cabinet Office policy on the use of private email (June 2013) and had some significant gaps based on how key individuals were working in practice. This, the ICO reckons, presented a risk to the effective handling of requests for information in line with the relevant codes of practice under FOI.

The use of such channels in this way also presented risks to the confidentiality, integrity and accessibility of the data exchanged, the regulator reports.

The ICO has now issued DHSC with a practice recommendation (included in the report) ordering the department to improve its management of FOI requests and address inconsistencies in its existing FOI guidance. It claims this will ensure FOI requests are better managed, particularly in relation to any material created or contained in personal accounts.

A reprimand has also been issued under UK GDPR, requiring DHSC to improve its processes and procedures around the handling of personal information through private correspondence channels and ensure information is kept secure.

Only last week, the ICO said it was reining in fines for public sector bodies, although it is not known whether the DHSC failings would have commanded a monetary penalty in the first place.
