The Information Commissioner’s Office (ICO) has reprimanded the Department of Health and Social Care (DHS) for its use of WhatsApp during the Covid-19 pandemic.
The UK’s data protection watchdog has also called for a “government review into the systemic risks and areas for improvement around the use of private correspondence channels – including private email, WhatsApp and other similar messaging apps”.
A report – Behind the screens – maintaining government transparency and data security in the age of messaging apps – details the ICO’s investigation into the use of these channels by Ministers and officials at the DHSC. The report found that:
- There was extensive use of private correspondence channels by Ministers and DHSC staff.
- The practice is commonly seen across much of the rest of government and predates the pandemic.
- The DHSC did not have appropriate organisational or technical controls in place to ensure effective security and risk management of private correspondence channels being used.
- The use of such channels presented risks to the confidentiality, integrity and accessibility of the data exchanged.
The ICO has now called for a review of practices, and provided some key recommendations, to ensure improved use of private correspondence channels moving forward.
While this review dealt with the workings of public officials, all organisations using WhatsApp and other messaging platforms for business use must make sure they are not falling foul of data protection regulations. Especially when communicating with, and sharing information about, customers.
Even WhatsApp Business (which is designed for business use and is safer than the standard app) isn’t bullet proof. Businesses must still ensure they have customer consent, provide information about what data will be collected, and meet all the other various data protection requirements to ensure compliance. If they don’t, they could find themselves facing hefty fines and data breach compensation claims.