Watchdog reprimands police for WhatsApp use

by Mark Rowe

The data protection watchdog, the Information Commissioner’s Office (ICO), has issued reprimands to Dover Harbour Board and the Kent Police chief constable (as the data controller) after they breached data protection law, because officers were using the WhatsApp app to share information. The ICO says it considered a fine of £500,000 for Dover Harbour, but large fines for the public sector come out of the public purse and the impact is therefore felt on services, it says.

A Port of Dover Police officer created a WhatsApp group using his personal mobile phone; in 2020 the group migrated to Telegram, and it was used by ‘multiple UK police forces and international law enforcement agencies for the purpose of combatting vehicle crime’, the ICO found (stating that the Dover Harbour Board is the relevant data controller, as the harbour police are its employees). The Harbour Board took the opinion that no personal data was processed on the Group; the ICO disagreed. The watchdog found that data protection awareness, or compliance, was lacking, and that the founding officer’s supervisor had removed himself from the WhatsApp Group before its migration to Telegram ‘due to the volume of messages being processed but was aware of the continuation of the group on Telegram’. The officer told the regulator that ‘several of his supervising officers during the lifetime of the use of the Group had been members’.

As for security of the data, the ICO noted that the move to Telegram was because it was felt to be ‘a more secure network’. However, the ICO adds, ‘although the app is encrypted the default user settings do not have adequate encryption automatically activated, with users being required to individually implement privacy settings’. ‘Most messages were cloud chats which are stored on Telegram’s servers and can be accessed by Telegram’. The ICO summed up that ‘access to the personal data shared via Telegram cannot be considered to be securely held or access adequately restricted’, a breach of the Data Protection Act 2018.

Besides, the users were using their personal devices, not officially provided devices that, the ICO noted, ‘routinely have enhanced levels of security and encryption that are not usually present on personal devices’. As for management of the group, totalling 241, ‘there was no process in place for removing members who left law enforcement employment’.

Kent Police self-reported in February 2021, when a Kent Police officer took a photograph of an identity document using her personal mobile phone and uploaded the image onto Telegram, ‘for the purpose of verifying an individual’s identity’ (without telling the person whose ID it was of the further processing of his personal data). Once the ICO became involved, Port of Dover Police were told to cease use of the group. Kent Police told the ICO that use of the app was not officially sanctioned; 25 of its officers were members (including two who had administration rights), though the force maintained that only five had used the Telegram app to share personal data.

The ICO spoke of its concern ‘that the sustained use of such a tool could have gone unnoticed by supervisors’. Given the length of time the apps were in use and the numbers of users, the ICO discounted the idea that this was a case of ‘individual human error’; rather, the ICO pointed to ‘an organisational failure’ over acceptable use of devices. The Kent force told the regulator that Telegram was blocked on officially provided mobile devices.

SallyAnne Poole, ICO Head of Investigations, said: “Data protection law is not a barrier to policing. But the use of these apps was the wrong approach and demonstrated a failure by both Dover Harbour Board and Kent Police to ensure their officers keep people’s personal information safe and secure. We welcome the action already taken by both organisations and have suggested further steps to ensure their officers can carry out their responsibilities while ensuring that people’s personal information is handled carefully.”

Photo by Mark Rowe: Dover harbour, winter morning.

© 2024 Professional Security Magazine. All rights reserved.