Surrey and Sussex police have been reprimanded by the Information Commissioner’s Office (ICO) after it emerged more than 200,000 phone calls had been recorded without the knowledge or consent of those on the call. The ICO held off issuing a fine, which it now only uses for public services in the most serious cases due to the financial impact fines can have.
In 2017 an app called Another Call Recorder (ACR), published the year before, was rolled out to a small number of specialist hostage negotiators. According to a spokesperson speaking on behalf of both forces, this was “for the purpose of supporting kidnap and crisis negotiations and maximising public safety”, but there was no way to restrict the use of the app, so it was downloaded to more than 1,000 staff devices over the following three years with no guidance in place.
“There was no means at that time of restricting use of the app and, unintentionally, it was enabled for all staff to download without appropriate guidance in place. When enabled, the app records and stores all phone calls made in the mobile device,” the spokesperson explained.
The app is designed to automatically record and store any incoming and outgoing calls, and as a result conversations were recorded with victims, witnesses, and suspected criminals. Each of these recordings was automatically saved by the system and included a “large variety of personal data”.
There was no way to restrict which devices it was downloaded to, the spokesperson added. As soon as the error was identified in March 2020, access was removed, evidence was secured and the data protection breach was reported to the ICO and the Investigatory Powers Commissioner’s Office (IPCO).
An initial internal investigation found that the app and related audio files were on 432 phones, and that a total of 1,024 officers had downloaded the app as of March 2020. “Of these, four users had recordings on their devices which fell within the category of ‘users who have identified recording(s) that are evidence of an offence that is or was under investigation’,” the spokesperson explained.
This was all reported to the Crown Prosecution Service. The investigation found that three of those four recordings related to criminal cases and one of them could have had a potential impact if the case had progressed to trial.
Police say recorded data has been destroyed
The app has since been removed from use and any recordings not considered lawful evidence have been destroyed. The regulator has also ordered the forces involved to consider the data protection implications of any app deployment from the start and document the process.
“We can only estimate the huge amount of personal data collected during these conversations, including highly sensitive information relating to suspected crimes,” said ICO deputy commissioner Stephen Bonner. “People have the right to expect that when they speak to a police officer, the information they disclose is handled responsibly.”
The ICO has the power to issue a fine of up to £1m to each of Surrey and Sussex Police but instead opted to issue a warning due to the impact on public services a fine would have. “The reprimand reflects the use of the ICO’s wider powers towards the public sector as large fines could lead to reduced budgets for the provision of vital services,” said Bonner.
“This case should be a lesson learned to any organisation planning to introduce an app, product or service that uses people’s personal data. Organisations must consider people’s data protection rights and implement data protection principles from the very start.”
The ICO has told the forces to ensure a full review process is in place before deploying apps, and also to consider the method and means of data processing and ensure it is compliant with data protection legislation before an app is deployed.
They also must issue guidance to staff on the use of any apps in relation to data protection, review existing policies and procedures and review the content of data protection training around law enforcement policing.
Both forces must show that the appropriate actions have been taken within three months of the notice being issued, and a spokesperson for both forces said “the majority of these have already been implemented”, including a new governance process for any apps.
Sussex Police temporary assistant chief constable Fiona Macpherson told Tech Monitor: “This case exposed a lack of governance around use of this digital application, and this is regrettable. A robust process is now in place to ensure any new requests for mobile apps are subject to appropriate due diligence and scrutiny.”