July 12, 2022 (updated 05 Aug 2022 7:57am)

Department of Health reprimanded for using private messaging services

Using WhatsApp for official business creates risks around data security and hinders transparency, the ICO says.

By Claudia Glover

Widespread use of private messaging apps such as WhatsApp by the Department of Health and Social Care (DHSC) creates “systemic risk” for the department, according to a new report from the Information Commissioner’s Office (ICO). The ICO is calling for a wider investigation into the use of private messaging services across government, amid fears they could hinder transparency and offer insufficient data protection.

The ICO has submitted an official reprimand to the DHSC. (Photo by Ken Jack, Contributor at iStock/Getty Images)

A new report from the ICO, which follows a year-long investigation, says the use of private email and messaging by DHSC left personally identifiable information (PII) on private servers, where it lacks appropriate protection. The regulator said that this is due to a “lack of clear controls and a rapid increase in the use of messaging apps and technologies” within the department.

Department of Health private messaging causes security risks

Examples of lapses in security outlined by the report include protectively marked information being located in non-corporate or private accounts outside of the DHSC’s official systems. “This information which had been stored on outside servers, shows an oversight in the consideration of storage and retention of this information and the associated risks this could bring.”

The ICO has submitted an official reprimand to the DHSC alongside the report. It says that “most, if not all, of the messages sent and received contained personal data,” such as names, contact details and information related to individuals’ work in a professional capacity. 

Though the ICO recognises that the DHSC must send information containing personal data to private channels on occasion, the reprimand says that “where such channels are in use and the processing of personal data is taking place, they should be operated in compliance with the requirements of UK data protection law”.

ICO demands probe into private messaging service use

The ICO has also submitted an order to the department to improve its management of Freedom of Information (FoI) requests and to address the inconsistencies in its existing FoI guidance, and said that the use of private systems can frustrate the FoI process.

Information commissioner John Edwards explained: “Information in private email accounts and messaging services is forgotten, overlooked, autodeleted or otherwise not available when a freedom of information request is later made. This frustrates the freedom of information process and puts at risk the preservation of official records of decision making.”

The regulator is demanding a separate review into the use of these channels and how the benefits of new technologies, including private messaging services, can be realised. It stresses that data protection and transparency requirements must be met when conducting business on WhatsApp or similar platforms.

Last year, junior health minister Lord Bethell was criticised for conducting government business on WhatsApp using his private phone. This led to documents and messages relating to the awarding of Covid-19-related contracts being lost.

The report says: “This will help address the significant inconsistencies in approach that appear to be taking place across government and help ensure that risks are better managed.”
