Ministers, special advisers and government officials used private email accounts and messaging services, including WhatsApp, to share government advice, raising concerns about privacy and data protection, the information regulator has found.
The use of private messaging services, which appears to have become “custom and practice” across government, also raises questions about the government’s compliance with the principles of freedom of information, a report by the Information Commissioner’s Office (ICO) found after a year-long probe.
In an unprecedented move, the regulator reprimanded the Department of Health and Social Care (DHSC) following the investigation into ministers’ and officials’ use of private email, WhatsApp and text messaging services for government business.
It warned the department that if there were further incidents or complaints in future, the ICO may consider formal regulatory action.
The probe followed complaints from Covid victims that ministers, including former health secretary Matt Hancock and senior government officials in the health and social security department, had used private messaging services to make “life and death” decisions during the pandemic.
Information commissioner John Edwards this week urged the government to review the use of private email and messaging services after concluding that they were likely to be widely used for communication across Whitehall.
“I understand the value of instant communication that something like WhatsApp can bring, particularly during the pandemic where officials are forced to make quick decisions and work to meet varying demands,” he said.
“However, the price of using these methods, although not against the law, must not result in a lack of transparency and data security.”
Ministers and non-executive directors at the DHSC were making regular use of private communication channels, which included exchanges with companies offering PPE and Covid tests during the pandemic.
The health department disclosed that ministers and officials had used 29 private WhatsApp accounts, 17 private text message accounts, eight private email accounts and one private LinkedIn account for government business.
The ICO has asked the Covid-19 Public Inquiry to update its terms of reference to look at the quality of record-keeping by the government during the pandemic.
The regulator said that even if the use of private communications channels was thought necessary at the start of the pandemic, it was concerning that the practice was still continuing with little oversight a year later.
Confidential data shared
Messages send by DHSC officials and ministers contained personal data, including names, contact details and information relating to individuals’ work.
A few emails sampled by the ICO contained special category data, including medical information, and a reference to an individual’s political party membership.
The ICO also found evidence that people in the DHSC had used private emails, rather than official government systems, to send restricted information.
The DHSC lacked appropriate security controls over the use of private emails and messaging services, which created “an unnecessary level of risk”, the ICO found.
The department had not carried out any risk assessments and did not know where data, including some restricted information, was being stored, or whether it was being held in the UK.
The failure of ministers and executive directors to exchange information on the DHSC network introduced risks including inappropriate access to government information, risks to confidentiality, and the risk that data could be lost, including information relevant to the long-term public record, the regulator said.
“There were no steps in place to monitor, assess or otherwise check the use of third-party platforms,” said the ICO report.
Freedom of information
The ICO found there was “clear evidence” provided by the DHSC that ministers were regularly copying information from their private accounts to government accounts in order to maintain a departmental record of events.
However, the ICO said it would have been “sensible” for the DHSC to put in systematic ways to capture information for the public record, even if it was as simple as requiring staff to copy emails into official email accounts.
Instead, ministers were expected to review “significant volumes of material” in their private email and messaging accounts to decide what information they should forward to their departments, the report found.
But the scale of use of private channels of communication suggested that “on the balance of probabilities”, there was a risk that “mistakes may have been made by individuals in preserving parts of the public record during a historically significant period”, the ICO said.
“We consider it surprising that for such a prolonged and busy period, a more efficient process with reduced risk to information management was not put in place that would also reduce the potential impact on ministers’ time,” it added.
Call for government review
The ICO has called for the Cabinet Office to carry out a strategic review into the use of private communications channels across government, and to identify the risk they pose.
The ICO said the UK was “arguably out of step” with countries such as New Zealand and Canada, which have updated their statutory requirements around the creation of government records. Northern Ireland and Scotland, for example, have introduced legislation creating a government duty to document information and decisions.
There has been a “cultural drift” across “significant pockets of the public sector” in the UK towards taking advantage of the benefits of new communications technology – without a strategic appraisals of the risk, said the regulator.
Also, there has been no system-wide consideration of the measures that government may need to mitigate the risks.
“This is not solely a product of pandemic exigencies, but rather a continuation of a trend in adopting new ways of working without sufficient consideration of the risks and issues they may present,” said Edwards in a foreword to the report.
The regulator’s recommendations include keeping records of all individuals “permitted” to use private emails and messaging services, and clear processes to capture information, for example when individuals leave quickly during reshuffles.
Other measures could include strengthening ministerial and civil service codes to make clear the responsibilities of officials to maintain public records and ensure compliance with information rights law.