Following recent news stories about the use of “private” messaging services in the public sector, I thought it may be useful to post a little about this subject.
Some of us may have policies in place which discourage or prohibit the use of private messaging services and/or email in dealing with Council business, while for others the use of these services may be a regular occurrence. One of the concerns is for security of information – once information is “out there” the organisation loses control of its distribution and retention. Another concern is that even though the information or conversation is “off-site”, it is still subject to certain regulations, as are we as users.
Corporate IT should also be asking, where use is regular or widespread, whether improvements could be made to internal systems which would satisfy the evolving communication needs of officers and customers.
The Freedom of Information Act states that information is held by a public authority if “it is held by another person on behalf of the authority” (s3, (2) (b)) – this could mean that, in the case of an FoI request, records of a conversation or information exchange on WhatsApp, for example, could fall under the remit of the request.
The problem here is that messages or information held on employees’ personal accounts, be that on Facebook, WhatsApp, Gmail or any number of platforms, need to be accessible from within the corporate confines where they are part of the Council’s business. The ICO suggests that if the communication was generated in the course of conducting the authority’s business, it may fall within the scope of a request. Therefore, they go on to suggest that such information is stored on corporate systems as soon as possible to ensure that it is discoverable and accessible. This could take the form of screenshots from messaging apps, saving emails to network drives and so forth.
Similar issues would likely apply to information requested under Subject Access Requests (UK GDPR, Data Protection Act 2018).
The ICO has published their guidance at https://ico.org.uk/for-organisations/official-information-held-in-non-corporate-communications-channels/, and it would be interesting to hear how colleagues, and your Data Protection Teams, treat this subject – please leave your thoughts in the comments.
Kevin Davies
Torfaen: Rheolwr Systemau TGCh Diogelu’r Cyhoedd / Public Protection ICT Systems Manager
Blaenau Gwent: Gweinyddwr Flare / Flare Administrator