UK government ministers urged to not conduct business using WhatsApp

The UK’s Information Commissioner’s Office (ICO) has concluded its investigation into the government’s use of private communication channels and is now urging ministers to review how messaging apps and personal email accounts are being used to conduct official government business.

A newly published report marks the conclusion of a yearlong investigation launched in 2021 by then-Information Commissioner Elizabeth Denham. The inquiry was initiated after concerns were raised about the use of the messaging service WhatsApp and private email accounts by former health secretary Matt Hancock and his deputy, James Bethell, at the Department of Health and Social Care (DHSC) during the height of the pandemic.

The report found that official information had been shared through 29 WhatsApp accounts, 17 private text messaging accounts, eight private email accounts and one LinkedIn account.

In his opening remarks, John Edwards, who took over the role of Information Commissioner from Denham in January 2022, said that while it was understandable that new technologies had been rolled out in an effort to keep departments functioning during the pandemic, “the deployment of these technologies failed to appreciate the risks and issues around the security of information and managing transparency obligations.”

He added that “this is not solely a product of pandemic exigencies” but rather “a continuation of a trend in adopting new ways of working without sufficient consideration of the risks and issues they may present for information management across government over several years preceding the pandemic.”

Robert Bateman, head of content at GRC World Forums, said that although the ICO notes that the use of channels like WhatsApp isn’t necessarily forbidden under data protection law, the main issue from a privacy and security perspective appears to be a lack of awareness of the potential risks.

“There are also obvious security risks when using personal devices and multiple communications channels,” Bateman said. “The government seems to have failed to meet its legal obligations by failing to even evaluate those risks.”

Bateman added that the lack of appropriate policies and controls is worrying. “If you haven’t even thought about the risks that might arise when processing personal data in a new way, then you can’t do anything to avoid or mitigate those risks,” he said.

What the ICO concluded

The key findings from the ICO’s investigation include:

  • There was extensive use of private correspondence channels by ministers and staff employed by DHSC, a practice that is replicated across multiple government departments and pre-dates the pandemic.
  • Not all ministers were forwarding information from private communication platforms to government accounts, risking the loss of record maintenance.
  • DHSC did not have appropriate organisational or technical controls in place to ensure effective security and risk management of private correspondence channels being used.
  • DHSC’s policies and procedures were inconsistent with Cabinet Office policy on the use of private email and had some significant gaps based on how key individuals were working in practice.
  • The way private communication channels were used presented risks to the confidentiality, integrity and accessibility of the data exchanged.

As a result, the DHSC has been issued with a reprimand under the UK General Data Protection Regulation, requiring the department to improve its processes and procedures around the handling of personal information through private correspondence channels and ensure information is kept secure.

A practice recommendation into how DHSC manages freedom of information (FOI) requests has also been issued by the ICO.

Copyright © 2022 IDG Communications, Inc.
