The ICO has issued the DHSC with a reprimand in relation to data protection compliance matters under the General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018 (DPA).
The ICO does not take the view that the DHSC, and public bodies in general, should never send information containing personal data to private communication channels. However, where such channels are in use and the processing of personal data is taking place, they should be operated in compliance with the requirements of UK data protection law.
Private correspondence channels were in use without appropriate controls in place to sufficiently manage the risks such processing presented.