The Information Commissioner’s Office (‘ICO’) has called for a government review into the systemic risks and areas for improvement around the use of private correspondence channels – including private email, WhatsApp and other similar messaging apps. This comes after the announcement of an enquiry into the messaging systems used by government throughout the pandemic, earlier this year. The ICO report details a yearlong investigation, launched in 2021 by Commissioner Elizabeth Denham, into the use of these channels by Ministers and officials at the Department of Health and Social Care (‘DHSC’) during the pandemic.
The investigation found that the lack of clear controls and the rapid increase in the use of messaging apps and technologies – such as WhatsApp – had the potential to lead to important information around the government’s response to the pandemic being lost or insecurely handled.
- The ICO has now issued DHSC with a practice recommendation ordering the department to improve its management of FOI requests and address inconsistencies in its existing FOI guidance. This will ensure FOI requests are better managed, particularly in relation to any material created or contained in personal accounts.
- A reprimand has also been issues
- To make sure wider lessons are learnt, the ICO is also calling for the government to set up a separate review into the use of these channels and how the benefits of new technologies, including private messaging services, can be realised whilst ensuring data protection and transparency requirements are met.
This is a particularly important story when we think about WhatsApp. If you are a regular on our podcast or a regular newsletter reader, at Digital Law we regularly mention WhatsApp and the dangers of using this platform for business related purposes. This year alone, we have discussed multiple stories, including one from the MOD, informing service personnel to use alternative messaging apps such as Signal due to WhatsApp’s security. This is because while the app is ‘encrypted’, due to the fact that the messages are stored on the cloud, this makes it more accessible for hackers. Alternative messaging apps such as Signal are more secure because no messages are stored on the cloud, rather they are stored on the device themselves, effectively then the only way to get the messages would be to take the device itself.
Finally, for the avoidance of all doubt, this is not a new policy. You should not be using WhatsApp for business purposes. Especially considering highly regulated sectors such as law, finance and government. Highly regulated sectors, in this particular case, relating to the government, really highlights why, for a regulated sector, using unsecure platforms can be a real problem. It also highlights the stance that the ICO are likely to take if you, as an organisation, have a breach and you are using WhatsApp or other similar messaging platforms such as Telegram.
For more information as well as advice and guidance, please do not hesitate to contact us at firstname.lastname@example.org.