ICO Calls for Review of Government “Private” Messaging

The Information Commissioner’s Office (ICO) has asked the UK government to review its use of “private correspondence channels,” including email, WhatsApp and other messaging services.

The review follows an investigation into how ministers and civil servants at the Department of Health and Social Care (DHSC) used unofficial channels during the pandemic. The year-long investigation was carried out by previous Information Commissioner, Elizabeth Denham.

The ICO found that the use of WhatsApp and other messaging services in place of official government channels ran the risk of “important information around the government’s response to the pandemic being lost or insecurely handled.” This included protectively marked information being stored outside the DHSC’s servers.

The DHSC, the ICO found, lacked appropriate “organizational or technical controls” to ensure that private correspondence channels had the right security and risk management measures in place. Additionally, the department’s policies were inconsistent with the Cabinet Office policy on the use of private channels.

The ICO conceded that using private channels provided “operational benefits” during the pandemic. But the report pointed out that the practice had become business as usual without reviewing the risks.

The ICO issued recommendations to the DHSC to improve its use of private channels. And it is calling for the government to set up a separate review of channels, including messaging services, to ensure data protection and transparency requirements are met.

“Particularly since the advent of widespread hybrid working, it’s not uncommon for corporate digital communication to bleed over into private correspondence channels, such as WhatsApp, especially in job roles where the line between personal and professional life is blurred,” said Sridhar Iyengar, MD for Zoho Europe, and an expert on remote working.

“Using these channels to communicate in a professional capacity is extremely risky, as the threat of data leaks, mis-sent emails or messages or hacked communications is significantly high.”

According to Ilia Kolochenko, founder of ImmuniWeb, the use of unofficial communications is a growing problem in the public sector, not just in the UK.

“Most governmental bodies and entities do not have a vetted replacement for instant messengers, such as WhatsApp, so people continue communicating work-related questions via insecure third-party channels,” he said.

“And it is virtually impossible to draw a straight line of demarcation between some personal and

professional communications, creating a temptation to use private devices and messengers for work-related discussions. This problem has no simple solution.” Clear policies and up-to-date training, however, will minimize the risks, he added.

What’s Hot on Infosecurity Magazine?