The Information Commissioner’s Office (ICO) has called for a government review into the use of private correspondence channels – including email, WhatsApp and other messaging apps – within official business.
It has published its own report – Behind the screens - maintaining government transparency and data security in the age of messaging apps – that details a yearlong investigation the use of these channels by ministers and officials at the Department of Health and Social Care (DHSC) during the pandemic.
The investigation found that the lack of clear controls and the rapid increase in the use of messaging apps and technologies had the potential to lead to important information being lost or insecurely handled.
An example of this included some protectively marked information being located in non-corporate or private accounts outside of DHSC’s official systems and stored on outside servers. This demonstrates an oversight in the consideration of storage and retention of this information and the associated risks.
The ICO concluded that there are real risks to transparency and accountability within government and has called for a review of practice,s as well as action to ensure improvements in relation to how officials and ministers use private correspondence channels.
Transparency and security
Information Commissioner John Edwards said: “I understand the value of instant communication that something like WhatsApp can bring, particularly during the pandemic where officials were forced to make quick decisions and work to meet varying demands. However, the price of using these methods, although not against the law, must not result in a lack of transparency and inadequate data security.
“Public officials should be able to show their workings, for both record keeping purposes and to maintain public confidence. That is how trust in those decisions is secured and lessons are learnt for the future.”
Among the key findings of the ICO investigation were that there was extensive use of private correspondence channels by ministers, and staff at DHSC, and evidence in the public domain suggests this practice is common across government and predates the pandemic.
While there is clear evidence that ministers were regularly copying information to government accounts to maintain a record of events, there was a risk that these arrangements were not always followed.
In addition, DHSC did not have appropriate organisational or technical controls in place for security and risk management, and its policies and procedures were inconsistent with Cabinet Office policy on the use of private email.
Benefits and risks
The ICO has recognised that the use of private channels brought some operational benefits, but is concerned that such practices continued as ‘business as usual’ without any review of their appropriateness or the risks.
It has now issued DHSC with a reprimand under the UK General Data Protection Regulation, requiring DHSC to improve its processes and procedures around the handling of personal information through private correspondence channels and to ensure information is kept secure.
The overall findings have prompted the ICO to call for the government to set up a separate review into the use of these channels and how the benefits of new technologies, including private messaging services, can be realised whilst ensuring data protection and transparency requirements are met.
It said this will help address the significant inconsistencies in approach that appear to be taking place and help ensure that risks are better managed.
The ICO has also issued DHSC with a practice recommendation ordering the department to improve its management of freedom of information (FoI) requests and address inconsistencies in its existing FoI guidance.
Edwards added: “The broader point is making sure the Freedom of Information Act keeps working to ensure public authorities remain accountable to the people they serve. Understanding the changing role of technology is part of that picture.
“I’ll be setting out more details on how my office will approach FoI differently later this week when I launch ICO25 – the ICO’s new three-year plan.”