The ICO laid a report before Parliament on 11th July 2022.

“Behind the screens - maintaining government transparency and data security in the age of messaging apps” details a yearlong investigation into the use of private correspondence channels - including private email, WhatsApp and other similar messaging apps - by Ministers and officials at the Department of Health and Social Care (DHSC) during the pandemic.

Our key findings included that:

  • There was extensive use of private correspondence channels by Ministers, and staff employed by DHSC.

  • While there is clear evidence that Ministers were regularly copying information to government accounts to maintain a record of events, there was a risk that these arrangements were not always followed by all Ministers, and they need to be improved.

  • DHSC’s policies and procedures were inconsistent with Cabinet Office policy on the use of private email (June 2013) and had some significant gaps based on how key individuals were working in practice. This presented a risk to the effective handling of requests for information in line with the relevant codes of practice under FOI.

  • The use of such channels in this way also presented risks to the confidentiality, integrity and accessibility of the data exchanged.

  • We recognise that the use of private channels brought some real operational benefits at a time in which the UK was facing exceptional pressures throughout the COVID-19 pandemic. However, it is of concern that such practices continued as business as usual (BAU) without any review of their appropriateness or the risks they presented, and we have made recommendations for improvement to DHSC.

Action taken by the ICO

The ICO has now issued DHSC with a practice recommendation (included in the report) ordering the department to improve its management of FOI requests and address inconsistencies in its existing FOI guidance. This will ensure FOI requests are better managed, particularly in relation to any material created or contained in personal accounts.

A reprimand has also been issued under the UK General Data Protection Act (UKGDPR), requiring DHSC to improve its processes and procedures around the handling of personal information through private correspondence channels and ensure information is kept secure. We have also issued a set of recommendations to further support this.