The UK’s data watchdog has called for a review into the use of non-corporate communication channels in government, after finding transparency and security concerns over the widespread use of instant-messaging apps and private email accounts in the Department of Health and Social Care during the pandemic.
A year-long investigation by the Information Commissioner’s Office found the proliferation of messaging apps like WhatsApp, combined with a lack of clear controls, meant there was a risk that important information about the government’s response to the Covid pandemic could be lost or “insecurely handled”.
The ICO launched its review a year ago after receiving complaints about the alleged use of private correspondence channels for official business by ministers in DHSC.
Complainants were concerned information could be lost from the public record, damaging transparency and accountability, and that the use of private accounts and apps could prevent the public from accessing material that should be available under the Freedom of Information Act.
There were also concerns about the security and confidentiality of personal data shared and stored on messaging apps and private email accounts.
The investigation confirmed there was “extensive use” of private correspondence channels by DHSC ministers and officials. Sensitive information was sometimes stored in private accounts outside the department’s official systems – something the ICO described as an “oversight in the consideration of storage and retention of this information” and the risks this could bring.
“The scale of the use of private channels suggests that, on the balance of probabilities, there is a risk that mistakes may have been made by individuals in preserving parts of the public record during a historically significant period,” the Behind the Screens report said. DHSC lacked “appropriate organisational or technical controls” to ensure data was secure and risk was effectively managed, it added.
The watchdog has issued the department with a reprimand under data-protection legislation, as well as a practice recommendation under the FoI Act, outlining how DHSC can improve its processes, procedures and the way it manages risk.
The ICO acknowledged DHSC’s stance that the use of private channels brought “real operational benefit” to the pandemic response. But it said it was concerning that no review of these channels’ appropriateness or risks took place.
“The pandemic placed extreme demands and stress on our public services. It is understandable, therefore, that some ministers, advisors, NEDs and senior officials have relied on new technologies to make their work and their lives more manageable,” information commissioner John Edwards wrote in a foreword to the report.
“In our view, however, the deployment of these technologies failed to appreciate the risks and issues around the security of information and managing transparency obligations. This is not solely a product of pandemic exigencies. But rather a continuation of a trend in adopting new ways of working without sufficient consideration of the risks and issues they may present for information management across government over several years preceding the pandemic.”
The report stressed the issue was not confined to DHSC.
“Evidence more widely available in the public domain also suggests this practice is commonly seen across much of the rest of government and predates the pandemic,” it said.
It has therefore called on ministers to set up a review examining how non-corporate communication channels are being used across government.
The review should identify systemic risks and areas for improvement and consider whether departments should adopt a more consistent approach – something that could be implemented via the ministerial and civil service codes, the report said.
Commenting on the report, Edwards said that while instant communication can provide value to public services, "the price of using these methods, although not against the law, must not result in a lack of transparency and inadequate data security".
“Public officials should be able to show their workings, for both record keeping purposes and to maintain public confidence. That is how trust in those decisions is secured and lessons are learnt for the future," he said.
Last year, the ICO published fresh guidance saying emails from private accounts and WhatsApp messages between officials and ministers are covered by the Freedom of Information Act.
The guidance said official communications should be shared via corporate channels as much as possible, but if circumstances require the use of informal channels then messages should be stored on corporate systems as quickly as possible. It recommended anyone using a private email account copy messages to an official email address, and said public servants should be taught how to export data from messaging apps to official systems – and should do so frequently.
A government spokesperson said the ICO report would be considered carefully and that a review into the policy for use of “non-corporate” communication channels was already under way.
“This report makes clear that the correspondence channels used by ministers and the department were lawful,” they said.
“Ministers and officials had to work at extraordinary pace during the pandemic and the use of modern technology was necessary to deliver important public services that saved lives.”