UK Info Commissioner slams use of WhatsApp by health officials during pandemic

The UK Information Commissioner's Office (ICO) on Monday issued a reprimand and called for a review of how and whether messaging services should be used for government business practices, after finding widespread and potentially dangerous use of private email, WhatsApp and other messaging tools by officials at the Department of Health and Social Care (DHSC).

The actions ordered by ICO came after a year-long investigation as to whether the DHSC was compliant with the UK General Data Protection Regulations (GDPR), the UK Data Protection Act 2018 and the Freedom of Information Act 2000 during the COVID-19 pandemic.

The investigation was sparked by July 2021 complaints concerned with the potential loss of information from public records due to communication practices that used tools not managed by the Department.

According to the ICO report [PDF], confidentiality and security of personal data was put at risk by use of privately operated comms tools.

"This investigation has found failings at DHSC in compliance with both transparency and personal data protection obligations," wrote information commissioner John Edwards.

"There was extensive use of private correspondence channels by Ministers, and staff employed by DHSC. Evidence more widely available in the public domain also suggests this practice is commonly seen across much of the rest of government and predates the pandemic," declared the ICO in its online summary of the report's findings.

• Cookie consent crumbles under fresh UK data law proposals
• Health trusts swapped patient data for shares in an AI firm. They may have lost millions
• Clearview AI fined millions in the UK: No 'lawful reason' to collect Brits' images
• Tech pros warn EU 'data adequacy' at risk if Brexit Britain goes its own way

The next review, the one regarding practices, will identify systemic risks, areas for improvement, and ways to be more consistent in communication approaches across departments. It will also include a look into what issues might have been specific to the pandemic.

The ICO said it has ordered the DHSC "to improve its management of Freedom of Information requests and address inconsistencies in its existing FOI guidance."

The reprimand [PDF] issued to DHSC orders the Department to improve its data handling processes and procedures, per the requirements of the UK GDPR. It states the DHSC has violated processing operations related to storage limitation, integrity and confidentiality, security of processing and more.

Although the ICO is taking a hard stance against the use of non-formal communication, it does go some way to recognize that its creeping prevalence in the public service might just reflect the times.

"It is important to stress that the ICO does not take the view that the DHSC, and public bodies in general, should never send information containing personal data to private communication channels," argued director Steve Eckersley in the ICO's reprimand to DHSC. He went on to explain that communications with personal data must, however, adhere to UK data protection law.

Eckersley said it was understandable to use private correspondence channels during the pandemic, but the lack of oversight inherent to the communication methods presents risks.

Edwards echoed the sentiment in the official report, stating "the pandemic placed extreme demands and stress on our public services" and that it was "understandable" some ministers and officials relied on "new technologies to make their work and their lives more manageable." But Edwards also said new or alternative comms technologies do not relieve anyone of data security and transparency obligations.

"This is not solely a product of pandemic exigencies. But rather a continuation of a trend in adopting new ways of working without sufficient consideration of the risks and issues they may present for information management across government over several years preceding the pandemic." ®