Increasingly, private messaging apps are becoming a topic of regulatory scrutiny in many jurisdictions.
In the United States, towards the end of 2022, a number of significant fines were imposed by the Securities and Exchange Commission and the Commodity Futures Trading Commission on multiple prominent financial institutions over breaches of various communications and record-keeping requirements involving (among other things) the use of such technologies.
In the UK, following The Daily Telegraph’s recent reporting on the issue of over 100,000 leaked messages sent using private messaging apps, which were apparently used by ministers to discuss critical UK Government business and make significant decisions during the global COVID-19 pandemic (the so-called “Lockdown Files”), the UK Information Commissioner, John Edwards, has highlighted the importance of maintaining appropriate records when using such apps.
Mr Edwards has stressed the need to keep public records of such private messages, in the interests of clarity and accountability and to facilitate learning from previous experiences. While stopping short of suggesting that the use of private messaging apps to conduct government business should be prevented, Mr Edwards observed that there is a risk that decisions made using such technologies may be lost from the public record if relevant messages are not correctly documented and retained.
Mr Edwards' comments follow a 2022 report by the Information Commissioner’s Office (ICO) into similar issues which resulted from a 12-month-long investigation. This report noted that an absence of explicit rules around the use of private messaging apps in the conduct of government business and their swift proliferation could result in critical information being mislaid or managed insecurely, potentially damaging government accountability and transparency.
Although not completely analogous, the Information Commissioner’s comments serve as a useful reminder to all organisations which process personal data of the importance of appropriately regulating the use of communications technologies by their employees in order to ensure compliance with such organisations’ obligations under applicable data protection legislation, such as the EU General Data Protection Regulation 2016/679 (EU GDPR), the UK Data Protection Act 2018 (DPA) and the UK GDPR (as defined in the DPA).
For example, under the EU GDPR and the UK GDPR, organisations which handle personal data are obliged to implement “appropriate technical and organisational measures” to ensure that all personal data is processed securely. Discharging such obligations involves, among other things, carrying out risk assessments and implementing comprehensive policies and procedures to ensure personal data security.
As part of this, organisations should consider implementing information security policies which control the use by their employees of certain technologies such as private messaging apps, as well as the use by employees of personal devices ("Bring-Your-Own-Device" policies), in each case for work purposes. This is because the use of such technologies and devices could potentially lead to increased security vulnerabilities (although organisations should also take care to ensure that any relevant security policies comply with applicable requirements in respect of employee monitoring).
Other relevant data protection obligations that data controllers should consider if permitting the use of private messaging apps in the context of their businesses include (among other things) the requirements to:
- Process personal data fairly, lawfully and transparently.
- Ensure that personal data is accurate and up to date.
- Retain personal data only for as long as is necessary for the purposes for which the personal data were collected.
- Maintain appropriate and comprehensive records of personal data processing activities.
This could all become more challenging to comply with if the use of certain communications technologies within the workplace remains uncontrolled.
There is no doubt that the use of private messaging apps is here to stay, and such technologies are likely to continue to increase in popularity. As the Information Commissioner noted, “New technologies bring new opportunities, and it is clear that these can play a crucial role in keeping us connected.”
Having said that, regulatory oversight in this area – whether of government business, other public sector organisations or the private sector – is also likely to continue. In view of this, organisations would do well to consider how to ensure that the use of these technologies within their businesses is managed in an appropriate and compliant way.