“I am, and will remain, an advocate for the advantages that new communication platforms provide. However, their use does not remove the requirement for government officials, departments and the wider public sector to continue to be accountable to the people they serve,” said John Edwards, Information Commissioner at the UK’s Information Commissioner’s Office (ICO), in a report investigating government officials’ use of private correspondence channels such as WhatsApp, Gmail and LinkedIn for official purposes.
Back in July 2021, ICO received complaints about the alleged use of private correspondence channels for official business by Ministers in the Department of Health and Social Care (DHSC). “The complainants were concerned that such practices could result in information being lost from the public record. Information not recorded in this way would not be available to help the public and official inquiries to understand decisions taken by Ministers and officials. It is also information that the public has a right to seek access to under the Freedom of Information Act (FOIA). Such claims also raise concerns about the confidentiality and security of personal data conveyed and stored on messaging apps,” the report explained. In response to these complaints, ICO launched an investigation into the use of private correspondence channels by Ministers and others working at the DHSC.
Why does this matter? While the report focuses on one specific department in the UK government, the use of private communication channels by government officials is prevalent around the world including in India. The recommendations proposed in the UK report highlight issues that other public authorities can learn lessons from. “For instance, there should be stronger protocols about how Ministers and Non-Executive Directors (NEDs) are provided with access to official information. Also, more consideration could be given to how that information is communicated, stored and deleted, if this is done over non-corporate channels,” the report stated.
Key findings by ICO
- Extensive use of private correspondence channels: ICO found that Ministers and staff employed by DHSC extensively used private correspondence channels. ICO also found that this practice is commonly seen across much of the rest of the Government. “For some individuals, based on what we have seen, this was often focussed on meeting arrangements and related material. For others, it also included more substantive issues linked to the handling of the pandemic. At times, this included officials directly emailing from their corporate account to Ministers on their private account,” ICO explained. “The use of such platforms did not in itself constitute a breach of either freedom of information or data protection laws and rules. This is provided that DHSC had sufficient controls in place to keep and consider public records when requested for disclosure by the public,” ICO remarked.
- Risk that mistakes may have been made: “The scale of the use of private channels suggests that, on the balance of probabilities, there is a risk that mistakes may have been made by individuals in preserving parts of the public record during a historically significant period,” ICO stated.
- No appropriate controls in place: “DHSC did not have appropriate organisational or technical controls in place to ensure effective security and risk management of such channels,” ICO found.
- Inconsistent policies: “We have found that the policies about the use of private correspondence channels for official business were inconsistent, unclear and not up-to-date. This is not conducive to good information management nor reflective of good practice,” ICO stated. “This presented a risk to the effective handling of requests for information in line with the relevant codes of practice under FOI [Freedom of Information],” ICO added.
- Risks to integrity and confidentiality: The use of private channels presented risks to the confidentiality, integrity and accessibility of the data exchanged, ICO said.
- A mix of channels used: “The allegations in the media that the Secretary of State at the time ‘only’ used private correspondence channels are not accurate. In practice, a mix of channels was used by him and the other Ministers we have considered as part of our investigation,” ICO said.
- ‘Protectively marked’ info was present on third-party systems: ICO identified that ‘protectively marked’ government information was being held outside government IT systems, but the Cabinet Office indicated that it considered this information and found no concerns over how the information was held.
Key recommendations by ICO
Measures under Freedom of Information Act (FOIA) 2000: Based on the statutory powers available under the FOIA, ICO issued a formal Practice Recommendation (PR), which sets out the following steps that DHSC can take:
- Update guidance for staff on the use of non-corporate channels so it is consistent across the different policies currently used by the department.
- Establish a centrally held register of the individuals permitted to use private channels and devices.
- Establish a process for granting this permission that includes confirmation of how, and with what frequency, individuals will transfer official information onto official systems. This should include specific provisions for when individuals leave the department suddenly.
- Review and update DHSC’s existing information request handling policies and training to ensure they are consistent with the changes made in response to the measures outlined above.
- Follow up with any DHSC Ministers, NEDs or senior staff who have left during the pandemic period and may have used private devices and correspondence channels, to seek confirmation that they have transferred all relevant records onto the department’s systems.
- In light of any material that may be received as part of this exercise, review DHSC’s FOI request log to ensure that it considers this information for release, if relevant to any requests.
- Write to the Commissioner by the deadline set out in the notice to confirm that it has complied with his recommendations and how it has achieved this.
Measures under UK GDPR and DPA18: As part of its investigation, ICO found issues with the following areas connected to the UK GDPR:
- Article 5(1)(e) – Storage limitation
- Article 5(1)(f) – Security
- Article 25 – Data Protection by Design and Default
- Article 32 – Security of processing
To address these issues, ICO has recommended:
- Storage limitation: In order to facilitate storage limitation (Article 5(1)(e) of the UK GDPR), the DHSC should limit the situations under which such accounts (Google Mail, Hotmail, WhatsApp) can be used, to prevent routine processing on such platforms.
- Improving security by reviewing access controls: In order to improve security (Article 5(1)(f) and Article 32 of the UK GDPR), DHSC should undertake a review to assess the security and access controls in place in relation to the platforms in regular use (Google Mail, Hotmail, WhatsApp) when exchanging communications that contain personal data.
- Review T&Cs and privacy policies of private platforms: As part of the review mentioned in the above point, DHSC “must assess the aforementioned platforms’ terms and conditions and privacy notices to understand how information would be processed, where it would be stored, and to consider any implications for (a) the security of those platforms in relation to the potential for third party access, (b) the extent to which storage limitation is in place, (c) the extent to which the data protection by design and default requirements can be met if use of the platforms is to continue.”
- Require users to adhere to the latest security guidance: The DHSC should also require users of the platforms to adhere to appropriate security guidance, such as that issued by the National Cyber Security Centre (NCSC), with regard to:
  - Minimum authentication requirements, for example, two-factor authentication controls
  - Remote access controls
- Review BYOD options: The Department should also review secure ‘bring your own device’ (BYOD) options for controlled access to official DHSC accounts via personal devices.
- Deletion of the information: DHSC should set clear requirements for the deletion of information from personal accounts once added to the official record.
- Data minimisation: The DHSC should ensure that the use of personal devices when exchanging personal data adheres to data minimisation principles.
- Data protection by design: In order to promote data protection by design and default (Article 25 of the UK GDPR), DHSC should extend the application of DHSC-specific policies and procedures relating to email use to all holders of @dhsc.gov.uk accounts as standard (including Non-Executive Directors and Ministers).
Wider recommendations for other departments across the government: “On the balance of probabilities, we think that, while we have investigated DHSC for the reasons outlined, if we had investigated a number of other departments, it is likely we would have found similar risks and issues,” ICO remarked before making broader recommendations for other departments to consider. “We recommend that they should review their internal guidance and working practices to ensure they are consistent with the recommendations we have made to DHSC,” ICO said.
Wider review: ICO has also recommended a wider review be conducted to understand the full impact of the official use of private communication channels.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.