Widespread use of private messaging apps such as WhatsApp by the Department of Health and Social Care (DHSC) creates “systemic risk” for the department, according to a new report from the Information Commissioner’s Office (ICO). The ICO is calling for a wider investigation into the use of private messaging services across government, amid fears they could hinder transparency and offer insufficient data protection.
The report, which follows a year-long investigation, says the use of private email and messaging by DHSC left personally identifiable information (PII) on private servers, where it lacks appropriate protection. The regulator said that this is due to a “lack of clear controls and a rapid increase in the use of messaging apps and technologies” within the department.
Department of Health private messaging causes security risks
Examples of lapses in security outlined by the report include protectively marked information being located in non-corporate or private accounts outside of the DHSC’s official systems. “This information which had been stored on outside servers, shows an oversight in the consideration of storage and retention of this information and the associated risks this could bring.”
The ICO has submitted an official reprimand to the DHSC alongside the report. It says that “most, if not all, of the messages sent and received contained personal data,” such as names, contact details and information related to individuals’ work in a professional capacity.
Though the ICO recognises that the DHSC must send information containing personal data to private channels on occasion, the reprimand says that “where such channels are in use and the processing of personal data is taking place, they should be operated in compliance with the requirements of UK data protection law”.
ICO demands probe into private messaging service use
The ICO has also submitted an order to the department to improve its management of Freedom of Information (FoI) requests and to address the inconsistencies in its existing FoI guidance. It said that the use of private systems can frustrate the FoI process.
Information commissioner John Edwards explained: “Information in private email accounts and messaging services is forgotten, overlooked, autodeleted or otherwise not available when a freedom of information request is later made. This frustrates the freedom of information process and puts at risk the preservation of official records of decision making.”
The regulator is demanding a separate review into the use of these channels and how the benefits of new technologies, including private messaging services, can be realised. It stresses that data protection and transparency requirements must be met when conducting business on WhatsApp or similar platforms.
Last year, junior health minister Lord Bethell was criticised for conducting government business on WhatsApp using his private phone. This led to documents and messages relating to the awarding of Covid-19-related contracts being lost.
The report says: “This will help address the significant inconsistencies in approach that appear to be taking place across government and help ensure that risks are better managed.”