ICO warns against use of private correspondence channels in government following DHSC reprimand

The Information Commissioner’s Office (ICO) has issued a reprimand for the Department of Health and Social Care (DHSC) following an investigation into the use of private communication channels such as WhatsApp and personal emails by its Ministers and officials during the pandemic.

The ICO report of the investigation – Behind the screens - maintaining government transparency and data security in the age of messaging apps – launched by then Information Commissioner Elizabeth Denham in 2021, found that the lack of clear controls and the rapid increase in the use of messaging apps and technologies for official business risked important information on the government’s response to the pandemic being lost or insecurely handled.

It issued a reprimand to the department under the UK General Data Protection Regulation (UKGDPR), requiring DHSC to improve its processes and procedures around the handling of personal information through private correspondence channels and ensure information is kept secure.

An example of this included some protectively marked information being in non-corporate or private accounts outside of DHSC’s official systems. The storage of this information on outside servers, the report said, showed a lack of awareness of the risks that external storage and retention of this information could bring.

The ICO also issued DHSC with a practice recommendation ordering the department to improve its management of FOI requests and address inconsistencies in its existing FOI guidance to ensure FOI requests are better managed, particularly in relation to any material created or contained in personal accounts.

The Information Commissioner’s Office concluded that there were real risks to transparency and accountability within government. It requested that the government to set up a separate review into the use of these channels and how the benefits of new technologies, including private messaging services, can be achieved whilst ensuring data protection and transparency requirements are met.

John Edwards, the current UK Information Commissioner, said: “I understand the value of instant communication that something like WhatsApp can bring, particularly during the pandemic where officials were forced to make quick decisions and work to meet varying demands. However, the price of using these methods, although not against the law, must not result in a lack of transparency and inadequate data security.

“Public officials should be able to show their workings, for both record keeping purposes and to maintain public confidence. That is how trust in those decisions is secured and lessons are learnt for the future.

“The broader point is making sure the Freedom of Information Act keeps working to ensure public authorities remain accountable to the people they serve. Understanding the changing role of technology is part of that picture. I’ll be setting out more details on how my office will approach FOI differently later this week when I launch ICO25 – the ICO’s new three-year plan.”

The ICO’s key findings:

• There was extensive use of private correspondence channels by Ministers, and staff employed by DHSC. Evidence also suggests this practice is commonly seen across much of the rest of government and predates the pandemic.
• While there is clear evidence that Ministers were regularly copying information to government accounts to maintain a record of events, there was a risk that these arrangements were not always followed by all Ministers and needs to be improved.
• DHSC did not have appropriate organisational or technical controls in place to ensure effective security and risk management of private correspondence channels being used. For example, the department did not hold information about where personal data on third-party accounts were hosted as DHSC does not manage third-party servers.
• DHSC’s policies and procedures were inconsistent with Cabinet Office policy on the use of private email (June 2013) and had some significant gaps based on how key individuals were working in practice. This presented a risk to the effective handling of requests for information in line with the relevant codes of practice under FOI.
• The use of such channels in this way also presented risks to the confidentiality, integrity and accessibility of the data exchanged.
The ICO report recognises that during the COVID-19 pandemic, the use of private channels could have brought some operational benefits during a time of ‘exceptional pressure’. However, there was concern that such practices continued as ‘business as usual’ without a review of their appropriateness.

Lottie Winson