Ministers, special advisers and government officials have used private email accounts and messaging services including WhatsApp to share government advice, raising privacy and data protection concerns, the information regulator has found.
The use of private messaging services, which appears to have become “custom and practice” within the government, also raises questions about the government’s compliance with freedom of information principles, report by the Information Commissioner’s Office (ICO), discovered after a year-long investigation.
In an unprecedented move, the regulator reprimanded The Department of Health and Social Care (DHSC) following the investigation into the use by ministers and staff of personal emails, WhatsApp and text messaging services for government business.
He warned the department that if there were any further incidents or complaints in the future, the ICO could consider formal regulatory action.
The inquiry followed complaints from Covid victims that ministers, including former health secretary Matt Hancock and senior government officials at the Department of Health and Social Security, used private messaging services to make “life and death” decisions during the pandemic.
Information Commissioner John Edwards this week called on the Government to review the use of private email and messaging services after concluding they were likely to be widely used for communication in Whitehall.
“I understand the value of instant communication that something like WhatsApp can bring, especially during the pandemic when employees are forced to make quick decisions and work to meet different demands,” he said.
“However, the cost of using these methods, while not breaking the law, should not lead to a lack of transparency and data security.”
Ministers and non-executive directors at the DHSC regularly used private communication channels that included exchanges with companies offering PPE and Covid tests during the pandemic.
The Ministry of Health revealed that ministers and officials used 29 private WhatsApp accounts, 17 personal text messaging accounts, eight personal email accounts and one private LinkedIn account for government business.
The ICO has asked the Covid-19 Public Inquiry to update its terms of reference to look at the quality of government record-keeping during the pandemic.
The regulator said that even if the use of private communication channels was considered necessary at the start of the pandemic, it is worrying that the practice still continues with little oversight a year later.
Shared confidential data
Messages sent by DHSC officials and ministers contained personal data, including names, contact details and work-related information about individuals.
Several emails seized by the ICO contained special category data, including medical information and a reference to a person’s political party membership.
The ICO also found evidence that people at DHSC used personal emails, rather than official government systems, to send restricted information.
The DHSC lacked appropriate security controls over the use of personal email and messaging services, which created an “unnecessary level of risk”, the ICO found.
The department has not carried out any risk assessments and does not know where data, including some restricted information, is stored or whether it is stored in the UK.
The failure of ministers and chief executives to share information on the DHSC network created risks including inappropriate access to government information, privacy risks and the risk of data loss, including information linked to the long-term public register, the regulator said.
“There were no steps in place to monitor, evaluate or otherwise verify the use of third-party platforms,” the ICO report said.
Freedom of information
The ICO found there was “clear evidence” provided by the DHSC that ministers regularly copied information from their personal accounts to government accounts to maintain a departmental record of events.
However, the ICO said it would be “sensible” for the DHSC to introduce systematic ways of capturing public register information, even if it was as simple as requiring staff to copy emails to official email accounts.
Instead, ministers were expected to review “significant volumes of material” in their personal email and messaging accounts to decide what information to pass on to their departments, the report said.
But the scale of using private communication channels suggests that “on the balance of probabilities” there is a risk that “errors have been made by individuals in retaining parts of the public record over a historically significant period”, the ICO said.
“We find it surprising that, over such a long and busy period, a more efficient and risk-reduced information management process was not put in place that would also reduce the potential impact on Ministers’ time,” it added.
Invitation to Government Review
The ICO has called on Cabinet to carry out a strategic review of the use of private communications channels in government and identify the risk they pose.
The ICO said the UK is “probably out of step” with countries such as New Zealand and Canada, which have updated their legal requirements on the creation of government records. Northern Ireland and Scotland, for example, have introduced legislation requiring the government to document information and decisions.
There is a “cultural shift” in “significant parts of the public sector” in the UK towards taking advantage of new communications technologies – without a strategic risk assessment, the regulator said.
Furthermore, there has been no system-wide consideration of the measures that the government may need to mitigate the risks.
“This is not just a product of pandemic demands, but rather a continuation of a trend to adopt new ways of working without sufficient consideration of the risks and problems they may pose,” Edwards said in the foreword to the report.
The regulator’s recommendations include keeping records of all individuals who are “allowed” to use personal email and messaging services, and clear processes to capture information, for example, when individuals leave quickly during transfers.
Other measures could include strengthening ministerial and civil servant codes to clarify the responsibilities of officials to maintain public records and ensure compliance with the Right to Information Act.