The UK’s data regulator has criticized the government’s use of private messaging channels such as WhatsApp for official business during the pandemic.
Following a year-long review of the practice withn the Department of Health and Social Care (DHSC), the Information Commissioner’s Office (ICO) says it’s resulted in important information being lost or insecurely handled.
Examples of this included some protectively marked information being located in non-corporate or private accounts outside DHSC’s official systems. This, says the ICO, brings real risks to transparency and accountability.
“I understand the value of instant communication that something like WhatsApp can bring, particularly during the pandemic where officials were forced to make quick decisions and work to meet varying demands. However, the price of using these methods, although not against the law, must not result in a lack of transparency and inadequate data security,” says information commissioner John Edwards.
“Public officials should be able to show their workings, for both record-keeping purposes and to maintain public confidence. That is how trust in those decisions is secured and lessons are learnt for the future.”
The report concluded that the use of private correspondence channels predated the pandemic, and was aidespread across the rest of government. And while ministers were regularly copying information to government accounts to keep the records straight, this didn’t always happen as it should, risking the confidentiality, integrity and accessibility of the data involved.
Meanwhile, there were no appropriate organisational or technical controls in place to ensure effective security and risk management, and DHSC’s policies and procedures were inconsistent with Cabinet Office policy.
Ministers including former health secretary Matt Hancock – who resigned a month before the investigation was launched – and his deputy, Lord Bethell, were found to be sharing information through 29 WhatsApp accounts, 17 private text accounts, eight private email accounts and one LinkedIn account.
The ICO has urged the DHSC to tighten up its processes and is also calling for the government to set up its own, separate review of the use of private messaging to make sure that data protection and transparency requirements are met.
Any official business should be conducted through corporate communication channels such as departmental email accounts wherever possible, and official information exchanged through private channels should be transferred onto official systems as soon as possible.
“The broader point is making sure the Freedom of Information Act keeps working to ensure public authorities remain accountable to the people they serve,” says Edwards. “Understanding the changing role of technology is part of that picture.”
He added that the ICO will give announces changes to the way it handles FOI later this week when it launches its new three-year plan.