The UK data regulator has criticized the government’s use of private messaging channels such as WhatsApp for official business during the pandemic.
Following a year-long review of the practice with the Department of Health and Social Care (DHSC), the Information Commissioner’s Office (ICO) says it resulted in the loss or insecure handling of important information.
Examples of this included some protectively marked information held in non-corporate or private accounts outside of official DHSC systems. This, says the ICO, brings real risks to transparency and accountability.
“I understand the value of instant communication that something like WhatsApp can provide, particularly during the pandemic, where officials were forced to make quick decisions and work to meet various demands. However, the price of using these methods, while not illegal, should not result in a lack of transparency and inadequate data security,” says Information Commissioner John Edwards.
“Public officials should be able to show how they work, both for record-keeping purposes and to maintain public confidence. That’s how you ensure confidence in those decisions and learn lessons for the future.”
The report found that the use of private correspondence channels predated the pandemic and was widespread throughout the rest of the government. And although ministers regularly copied information to government accounts to keep correct records, this did not always happen as it should, putting at risk the confidentiality, integrity, and accessibility of the data involved.
Meanwhile, there were no appropriate organizational or technical controls in place to ensure effective security and risk management, and DHSC’s policies and procedures were not in line with Cabinet Office policy.
Ministers, including former health secretary Matt Hancock, who resigned a month before the inquiry began, and his deputy, Lord Bethell, were found to be sharing information via 29 WhatsApp accounts, 17 private text accounts, eight private email accounts, and one LinkedIn account. account.
The ICO has urged the DHSC to tighten its processes and is also calling on the government to set up its own separate review of the use of private messages to ensure that transparency and data protection requirements are met.
Any official business should be conducted through corporate communication channels, such as departmental email accounts, whenever possible, and official information exchanged through private channels should be transferred to official systems as soon as possible.
“The broader point is to make sure that the Freedom of Information Act continues to work to ensure that public authorities remain accountable to the people they serve,” says Edwards. “Understanding the changing role of technology is part of that picture.”
He added that the ICO will announce changes to the way it handles FOI later this week when it launches its new three-year plan.