The ICO exists to empower you through information.

The Information Commissioner’s Office (ICO) has issued a reprimand to both Surrey Police and Sussex Police, following the rollout of an app that recorded phone conversations and unlawfully captured personal data.

In June 2020, the ICO became aware that staff members across both police forces had access to an app that recorded all incoming and outgoing phone calls. 1,015 staff members downloaded the app onto their work mobile phones and more than 200,000 recordings of phone conversations, likely with victims, witnesses, and perpetrators of suspected crimes, were automatically saved.

The ICO considered it highly likely that the app captured a large variety of personal data during these calls and it considered that the processing of some of this data was unfair and unlawful. Police officers that downloaded the app were unaware that all calls would be recorded, and people were not informed that their conversations with officers were being recorded.

The app was first made available in 2016 and was originally intended to be used as recording software by a small number of specific officers, but Surrey Police and Sussex Police chose to make the app available for all staff to download. The app has now been withdrawn from use and the recordings, other than those considered to be evidential material, have been destroyed.

The ICO has applied its revised public sector approach to this case – instead of issuing a £1m fine to both Surrey Police and Sussex Police, they have each received a formal reprimand. The ICO’s approach aims to reduce the impact of fines on those accessing public services and to encourage greater data protection compliance from public authorities to prevent harms from occurring in the first place.

Stephen bonner

“Sussex Police and Surrey Police failed to use people’s personal data lawfully by recording hundreds of thousands of phone calls without their knowledge. People have the right to expect that when they speak to a police officer, the information they disclose is handled responsibly. We can only estimate the huge amount of personal data collected during these conversations, including highly sensitive information relating to suspected crimes.

“The reprimand reflects the use of the ICO’s wider powers towards the public sector as large fines could lead to reduced budgets for the provision of vital services. This case highlights why the ICO is pursuing a different approach, as fining Surrey Police and Sussex Police risks impacting the victims of crime in the area once again.

“This case should be a lesson learned to any organisation planning to introduce an app, product or service that uses people’s personal data. Organisations must consider people’s data protection rights and implement data protection principles from the very start.”

- Stephen Bonner, ICO Deputy Commissioner – Regulatory Supervision

Recommendations

The ICO recommended that Surrey Police and Sussex Police should take action to ensure their compliance with data protection law, including:

  • Deployment of any new apps should consider data protection at the very beginning and document the process. A specific team should consider the method and means of data processing, with remedial action taken to ensure processing is compliant with current data protection legislation prior to the app being deployed.
  • Instruction and data protection guidance should be issued to staff in respect of the use of any apps, with officers required to confirm that issued guidance has been read and understood.
  • Review existing policies and procedures to ensure that adequate consideration has been given to data subject rights during the processing of personal data and special category data.
  • Review the content of data protection training, particularly in respect of law enforcement processing.

The ICO has asked Surrey Police and Sussex Police to provide details of actions taken to address these recommendations within three months of the reprimand being issued.

Notes to editors
  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
  3. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
  4. To report a concern to the ICO telephone call our helpline on 0303 123 1113, or go to ico.org.uk/concerns.