
ICO calls for review into government use of private email and WhatsApp messages

Information Commissioner’s Office reprimands Department of Health and Social Care after ministers and officials conducted government business on their own email accounts and messaging apps

Ministers, special advisers and government officials used private email accounts and messaging services, including WhatsApp, to share government advice, raising concerns about privacy and data protection, the information regulator has found.

The use of private messaging services, which appears to have become “custom and practice” across government, also raises questions about the government’s compliance with the principles of freedom of information, a report by the Information Commissioner’s Office (ICO) found after a year-long probe.

In an unprecedented move, the regulator reprimanded the Department of Health and Social Care (DHSC) following the investigation into ministers’ and officials’ use of private email, WhatsApp and text messaging services for government business.

It warned the department that if there were further incidents or complaints in future, the ICO may consider formal regulatory action.

The probe followed complaints from Covid victims that ministers, including former health secretary Matt Hancock, and senior officials in the Department of Health and Social Care had used private messaging services to make “life and death” decisions during the pandemic.

Information commissioner John Edwards this week urged the government to review the use of private email and messaging services after concluding that they were likely to be widely used for communication across Whitehall.

“I understand the value of instant communication that something like WhatsApp can bring, particularly during the pandemic where officials are forced to make quick decisions and work to meet varying demands,” he said.

“However, the price of using these methods, although not against the law, must not result in a lack of transparency and data security.”

Ministers and non-executive directors at the DHSC were making regular use of private communication channels, which included exchanges with companies offering PPE and Covid tests during the pandemic.

The health department disclosed that ministers and officials had used 29 private WhatsApp accounts, 17 private text message accounts, eight private email accounts and one private LinkedIn account for government business.

The ICO has asked the Covid-19 Public Inquiry to update its terms of reference to look at the quality of record-keeping by the government during the pandemic.

The regulator said that even if the use of private communications channels was thought necessary at the start of the pandemic, it was concerning that the practice was still continuing with little oversight a year later.

The government’s disappearing data

Cabinet Office messages auto-deleted

A ruling by the High Court in April revealed that the Cabinet Office provided an instant chat app to officials that automatically deleted messages after 24 hours.

Senior civil servant deleted WhatsApp

James Bethell, former parliamentary undersecretary at the DHSC, said in a witness statement that his WhatsApp account often became “overwhelmed” by the volume of pandemic communications he was receiving. He said he was forced to repeatedly delete and reinstall the app, but believed his messages would be stored automatically. The department’s IT service later warned him that this was not necessarily the case.

Police lost messages about surveillance operations

Senior police investigators in the UK used encrypted private messaging apps, such as Signal and WhatsApp, to exchange information with French and other British investigators during an operation to hack the EncroChat cryptophone network. Some of the messages are understood to have been lost when officers replaced or lost their mobile phones without making backups.

Greensill lobbying

Former prime minister David Cameron was implicated in lobbying for financial services company Greensill Capital. According to press reports, ministers and senior officials who received private messages sent on behalf of the company have been accused of deleting or losing information on their mobile phones.

Boris Johnson’s disappearing WhatsApp messages

In May 2021, Dominic Cummings gave evidence about WhatsApp exchanges with the prime minister and others about the handling of the pandemic, but the Cabinet Office has claimed in Freedom of Information requests that it does not have copies of the exchanges.

Confidential data shared

Messages sent by DHSC officials and ministers contained personal data, including names, contact details and information relating to individuals’ work.

A few emails sampled by the ICO contained special category data, including medical information, and a reference to an individual’s political party membership.

The ICO also found evidence that people in the DHSC had used private emails, rather than official government systems, to send restricted information.

The DHSC lacked appropriate security controls over the use of private emails and messaging services, which created “an unnecessary level of risk”, the ICO found.

The department had not carried out any risk assessments and did not know where data, including some restricted information, was being stored, or whether it was being held in the UK.

The failure of ministers and executive directors to exchange information on the DHSC network introduced risks including inappropriate access to government information, risks to confidentiality, and the risk that data could be lost, including information relevant to the long-term public record, the regulator said.

“There were no steps in place to monitor, assess or otherwise check the use of third-party platforms,” said the ICO report.

ICO reprimands DHSC over private email and messaging use

  • The DHSC did not have appropriate controls in place to ensure the security and risk management of private emails and messaging services.
  • Official government material containing personal data was held on platforms not owned or managed by the department.
  • The use of private correspondence channels created an unnecessary level of risk, which could easily have been negated if ministers and other government employees had used their government email accounts.
  • Some information marked “official sensitive” or containing official sensitive material was sent outside the DHSC.
  • The use of private communications channels “presented unnecessary risks to the confidentiality, integrity and accessibility of the data exchanged”.
  • The ICO has reported its findings on the DHSC to the Government Security Group, part of the Cabinet Office, which is responsible for cyber and physical security across government.
  • The ICO reprimanded the DHSC under the following articles of the UK General Data Protection Regulation:
      • Article 5(1)(e), which requires information that identifies data subjects to be held for no longer than is necessary.
      • Article 5(1)(f), which requires personal data to be processed securely and protected from accidental loss and unauthorised processing.
      • Article 25, which requires necessary safeguards to protect the privacy rights of data subjects to be ensured by default.
      • Article 32, which requires data to be securely processed.

Freedom of information

The ICO found there was “clear evidence” provided by the DHSC that ministers were regularly copying information from their private accounts to government accounts in order to maintain a departmental record of events.

However, the ICO said it would have been “sensible” for the DHSC to put in place systematic ways to capture information for the public record, even if it was as simple as requiring staff to copy emails into official email accounts.

Instead, ministers were expected to review “significant volumes of material” in their private email and messaging accounts to decide what information they should forward to their departments, the report found.

But the scale of use of private channels of communication suggested that “on the balance of probabilities”, there was a risk that “mistakes may have been made by individuals in preserving parts of the public record during a historically significant period”, the ICO said.

“We consider it surprising that for such a prolonged and busy period, a more efficient process with reduced risk to information management was not put in place that would also reduce the potential impact on ministers’ time,” it added.

Call for government review

The ICO has called for the Cabinet Office to carry out a strategic review into the use of private communications channels across government, and to identify the risk they pose.

The ICO said the UK was “arguably out of step” with countries such as New Zealand and Canada, which have updated their statutory requirements around the creation of government records. Northern Ireland and Scotland, for example, have introduced legislation creating a government duty to document information and decisions.

There has been a “cultural drift” across “significant pockets of the public sector” in the UK towards taking advantage of the benefits of new communications technology – without a strategic appraisal of the risk, said the regulator.

Also, there has been no system-wide consideration of the measures that government may need to mitigate the risks.

“This is not solely a product of pandemic exigencies, but rather a continuation of a trend in adopting new ways of working without sufficient consideration of the risks and issues they may present,” said Edwards in a foreword to the report.

The regulator’s recommendations include keeping records of all individuals “permitted” to use private emails and messaging services, and clear processes to capture information, for example when individuals leave quickly during reshuffles.

Other measures could include strengthening ministerial and civil service codes to make clear the responsibilities of officials to maintain public records and ensure compliance with information rights law.

Recommendations for the DHSC

  • Assess the security controls offered by Google Mail, Hotmail and WhatsApp to confirm they support the DHSC’s compliance with data protection laws.
  • Review the privacy notices of email and messaging services to understand where information is processed and stored, the potential risk of third parties accessing the data, and their compliance with data protection laws.
  • Require users to follow security guidance issued by the National Cyber Security Centre, including two-factor authentication and remote access controls.
  • Review “bring your own device” options to provide users with controlled access to DHSC accounts.
  • Limit situations where Google Mail, Hotmail and WhatsApp can be accessed in order to comply with Article 5(1)(e) of the UK General Data Protection Regulation.
  • Set clear requirements for the deletion of information from personal accounts once it is added to the official records.
  • Ensure that the use of personal devices to exchange personal data adheres to data minimisation principles.
  • Extend all DHSC specified policies about email use to all users of DHSC email accounts, including ministers and non-executive directors.
