The Information Commissioner’s Office (ICO) has today called for a government review into the systemic risks and areas for improvement around the use of private correspondence channels – including private email, WhatsApp and other similar messaging apps.
The ICO report – Behind the screens - maintaining government transparency and data security in the age of messaging apps – details a yearlong investigation, launched in 2021 by Commissioner Elizabeth Denham, into the use of these channels by Ministers and officials at the Department of Health and Social Care (DHSC) during the pandemic.
The investigation found that the lack of clear controls and the rapid increase in the use of messaging apps and technologies – such as WhatsApp – had the potential to lead to important information around the government’s response to the pandemic being lost or insecurely handled.
One example was protectively marked information being held in non-corporate or private accounts outside of DHSC’s official systems. That this information had been stored on outside servers shows an oversight in considering its storage and retention, and the associated risks.
The ICO concluded that there were real risks to transparency and accountability within government and has now called for a review of practices as well as action to be taken to ensure improvements are made in relation to how officials and Ministers use private correspondence channels moving forward.
John Edwards, UK Information Commissioner, said:
“I understand the value of instant communication that something like WhatsApp can bring, particularly during the pandemic where officials were forced to make quick decisions and work to meet varying demands. However, the price of using these methods, although not against the law, must not result in a lack of transparency and inadequate data security.
“Public officials should be able to show their workings, for both record keeping purposes and to maintain public confidence. That is how trust in those decisions is secured and lessons are learnt for the future.
“The broader point is making sure the Freedom of Information Act keeps working to ensure public authorities remain accountable to the people they serve. Understanding the changing role of technology is part of that picture. I’ll be setting out more details on how my office will approach FOI differently later this week when I launch ICO25 – the ICO’s new three-year plan.”
The ICO’s findings
Key findings from the ICO investigation included that:
- There was extensive use of private correspondence channels by Ministers, and staff employed by DHSC. Evidence more widely available in the public domain also suggests this practice is commonly seen across much of the rest of government and predates the pandemic.
- While there is clear evidence that Ministers were regularly copying information to government accounts to maintain a record of events, there was a risk that these arrangements were not always followed by all Ministers, and this needs to be improved.
- DHSC did not have appropriate organisational or technical controls in place to ensure effective security and risk management of private correspondence channels being used. For example, the department did not hold information about where personal data on third-party accounts were hosted as DHSC does not manage third-party servers.
- DHSC’s policies and procedures were inconsistent with Cabinet Office policy on the use of private email (June 2013) and had some significant gaps based on how key individuals were working in practice. This presented a risk to the effective handling of requests for information in line with the relevant codes of practice under FOI.
- The use of such channels in this way also presented risks to the confidentiality, integrity and accessibility of the data exchanged.
- We recognise that the use of private channels brought some real operational benefits at a time in which the UK was facing exceptional pressures throughout the COVID-19 pandemic. However, it is of concern that such practices continued as business as usual (BAU) without any review of their appropriateness or the risks they presented, and we have made recommendations for improvement to DHSC.
Action taken by the ICO
The ICO has now issued DHSC with a practice recommendation (included in the report) ordering the department to improve its management of FOI requests and address inconsistencies in its existing FOI guidance. This will ensure FOI requests are better managed, particularly in relation to any material created or contained in personal accounts.
A reprimand has also been issued under the UK General Data Protection Regulation (UK GDPR), requiring DHSC to improve its processes and procedures around the handling of personal information through private correspondence channels and ensure information is kept secure. We have also issued a set of recommendations to further support this.
To make sure wider lessons are learnt, the ICO is also calling for the government to set up a separate review into the use of these channels and how the benefits of new technologies, including private messaging services, can be realised whilst ensuring data protection and transparency requirements are met. This will help address the significant inconsistencies in approach that appear to be taking place across government and help ensure that risks are better managed.
The ICO also welcomes the decision of the UK COVID-19 Inquiry, chaired by Baroness Hallett, to accept the ICO’s recommendation to consider how information was recorded by the government during the pandemic specifically. This will further ensure lessons are learnt for the future.
The ICO has previously published guidance on how the FOI Act applies to official information held on private correspondence channels. The guidance explains that any official business should be conducted through corporate communication channels, such as departmental email accounts, wherever possible and that official information exchanged through private channels should be transferred onto official systems as soon as possible.
Notes to Editors
- Today’s report follows an ICO investigation launched by Commissioner Elizabeth Denham into complaints received in July 2021 about Ministers and other government officials using private communication channels, including personal emails and social media platforms, to conduct official business.
- The ICO has already successfully called for the COVID-19 Inquiry to be extended to consider how information was recorded by government during the pandemic.
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It has its head office in Wilmslow, Cheshire, and regional offices in Edinburgh, Cardiff and Belfast.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO, telephone our helpline on 0303 123 1113 or go to ico.org.uk/concerns.