Government use of WhatsApp needs to be reviewed, says ICO

Use of private channels by MPs poses a risk to security, accountability and transparency, says watchdog

The Information Commissioner's Office (ICO) has urged the government to conduct a review into the systemic risks and areas for improvement surrounding the use of private correspondence channels, such as WhatsApp, private email and other messaging apps by ministers and government officials.

According to the data protection watchdog, the Department of Health and Social Care (DHSC), which was the main focus of its review, used these channels frequently, posing real risks to government accountability and transparency.

It said the DHSC did not have the "appropriate organisational or technical controls" to ensure that risks were properly managed. As a result, it has asked for a government-wide examination of how such channels are used across Whitehall.

"I understand the value of instant communication that something like WhatsApp can bring, particularly during the pandemic where officials were forced to make quick decisions and work to meet varying demands." said John Edwards, the UK Information Commissioner.

"However, the price of using these methods, although not against the law, must not result in a lack of transparency and inadequate data security," he added.

The ICO was prompted to open an inquiry in July last year after concerns were raised about the use of private messaging channels by the former health secretary Matt Hancock and his deputy, James Bethell, in the context of awarding contracts to private companies. On learning that it might be searched by a committee investigating Covid contracts, Bethell claimed to have lost his phone.

"My worry is that information in private email accounts or messaging services is forgotten, overlooked, auto-deleted or otherwise not available when a Freedom of Information request is later made," Elizabeth Denham, who was the information commissioner at the time, stated at the time.

A lawsuit was filed against the Cabinet Office and the Department for Digital, Culture, Media, and Sport (DCMS) last year by transparency campaigners who demanded the disclosure of each instance in which ministers and top officials used personal phones, emails, or self-deleting messaging apps to conduct official business.

Campaigners said that the use of these services made it easier to erase information and conceal probable violations of the law.

The activists claimed that the Public Documents Act of 1958 in the UK states that all government records pertaining to government policy must be reviewed and preserved for the purpose of public archiving.

But judges reached a decision in April that the law on keeping public records said "nothing" concerning the use of personal devices for official work.

According to the ICO report [pdf], the ministers and employees frequently use private email channels to carry out official business.

Staff used:

• 17 private text accounts
• eight personal email accounts
• one person LinkedIn account

The watchdog says the rules and procedures of the DHSC were not in line with policy regarding the use of private email.

It adds that the use of private channels of communication does not in itself represent a violation of either data protection or Freedom of Information (FOI) laws if adequate safeguards in place allowed information to be provided when asked. However, its investigation found that "such controls were lacking".

While the report acknowledges instant messaging provided "some real operational benefits" during the epidemic, it casts doubt on the security of private message channels.

As a result of the investigation, the ICO has issued a reprimand under the General Data Protection Regulation of the United Kingdom (UKGDPR), requiring the DHSC to enhance its practices and procedures regarding the handling of personal information through private correspondence channels and to ensure that data is kept secure.

The data regulator has also issued DHSC with a practice recommendation, ordering it to improve the way it handles FOI requests and fix inconsistencies with its existing FOI guidelines.

"I am ... recommending that government should now establish a separate review to look at how different, non-corporate communication channels are being used across government. This should identify any systemic risks and areas for improvement, as well as whether there should be greater consistency in approach across departments," said Edwards in the report's introduction.

"The review could also consider whether there is a case for a stronger duty on ministers, public servants and others who are responsible for maintaining the public record."