The Information Commissioner’s Office (ICO) has issued reprimands to Dover Harbour Board and Kent Police after they breached data protection law.
Officers from both organisations used the social media app, WhatsApp, and instant-messaging service, Telegram, on their personal phones to share information for the purpose of combatting vehicle crime. At the time of the ICO’s investigation, the Telegram group included 241 officers from multiple UK police forces and international law enforcement agencies. The ICO found evidence that personal information was being shared in the group without appropriate safeguards in place.
Using social media messaging apps on personal devices avoids the necessary oversight supervisors and managers should have. There are official channels for law enforcement agencies to lawfully share information which should be used by staff.
Details of the reprimands
Dover Harbour Board
An officer from Dover Harbour Board created and managed the social media distribution group using his personal mobile phone, first on WhatsApp before moving it to Telegram in 2020.
The ICO found that Dover Harbour Board had an inadequate awareness of, and compliance with, data protection law and that its data protection training was insufficient for operational policing purposes. No risk assessment was carried out when setting up the groups and no safeguards were put in place; such as a process to remove members who left law enforcement employment.
Since the incident, Dover Harbour Board has provided officers with further data protection training and the ICO has recommendations including reviews of its data protection policies and the potential use of any other social media groups by its staff.
The decision to issue a reprimand to Dover Harbour Board is aligned with the ICO’s public-sector approach. A fine of £500,000 was considered, but large fines for public sector organisations come out of the public purse and the impact is therefore felt in the form of reduced budgets for vital services.
Kent Police
Kent Police reported itself to the ICO after an officer disclosed their colleague took a photo of an individual’s identity document using a personal mobile phone and uploaded the image onto Telegram. The ICO discovered 25 officers from the force were members of the Telegram group, with five known to have shared personal information and two having administration rights for moderation purposes. The ICO concluded that Kent Police had failed to ensure officers were adequately informed that the use of personal devices to process data obtained in their official duties was not acceptable.
Once aware of its officers’ use of the group, Kent Police instructed them to stop using it immediately. The ICO has issued a reprimand and made recommendations including the provision of guidance around the use of social media apps.
SallyAnne Poole, ICO Head of Investigations, said:
“Data protection law is not a barrier to policing. But the use of these apps was the wrong approach and demonstrated a failure by both Dover Harbour Board and Kent Police to ensure their officers keep people’s personal information safe and secure.
“We welcome the action already taken by both organisations and have suggested further steps to ensure their officers can carry out their responsibilities while ensuring that people’s personal information is handled carefully.”
The Dover Harbour Board and Kent Police reprimands are available in full online.
Notes to editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.