The Information Commissioner’s Office (ICO) has issued a reprimand to Surrey Police and Sussex Police for their use of an app that recorded phone conversations and unlawfully captured personal data.
It said that in June 2020 it became aware that staff members of both forces had access to the app for incoming and outgoing calls, with over 1,000 downloading it and more than 200,000 recordings of conversations with victims, witnesses and perpetrators being made.
The ICO considered it likely that a large variety of personal data was captured through the recordings and that the processing of some of it was unfair and unlawful.
Police officers who downloaded the app were unaware that all calls would be recorded and people were not informed it was happening.
The app was first made available in 2016 and was originally intended to be used by a small number of specific officers, but both police forces decided to increase the availability to all staff.
Withdrawal and destruction
It has now been withdrawn and the recordings, other than those considered to be evidential material, destroyed.
Both of the police forces have received a formal reprimand, as opposed to a possible £1 million fine under the ICO’s previously more stringent approach.
The organisation’s deputy commissioner for regulatory and supervision, Stephen Bonner, said: “Sussex Police and Surrey Police failed to use people’s personal data lawfully by recording hundreds of thousands of phone calls without their knowledge. People have the right to expect that when they speak to a police officer, the information they disclose is handled responsibly.
“We can only estimate the huge amount of personal data collected during these conversations, including highly sensitive information relating to suspected crimes.
“The reprimand reflects the use of the ICO’s wider powers towards the public sector as large fines could lead to reduced budgets for the provision of vital services. This case highlights why the ICO is pursuing a different approach, as fining Surrey Police and Sussex Police risks impacting the victims of crime in the area once again.
“This case should be a lesson learned to any organisation planning to introduce an app, product or service that uses people’s personal data. Organisations must consider people’s data protection rights and implement data protection principles from the very start.”
The ICO also outlined a number of steps the police forces should take to ensure compliance with data protection law.
These include ensuring they consider the data protection implications of any new app deployment, documenting the process and considering the method and means of data processing; and giving staff instruction and guidance on data protection in the use of any apps, with officers required to confirm it has been read and understood.
The forces have also been told to review their relevant policies and procedures and the content of their data protection training.