A reprimand has been sent to both Surrey Police and Sussex Police by the UK Information Commissioner’s Office (ICO) for unlawfully capturing personal data by using an app that was recording phone conversations without disclosure.
The app, that recorded all incoming and outgoing phone calls, was made available in 2016. But it wasn’t until June 2020 that the ICO became aware that all staff across both police forces had access to it.
“Sussex Police and Surrey Police failed to use people’s personal data lawfully by recording hundreds of thousands of phone calls without their knowledge.”
Stephen Bonner, ICO Deputy Commissioner – Regulatory Supervision
The app was originally intended to be used by a small number of specific officers, but Surrey Police and Sussex Police decided to make it available for all staff to download.
This meant a total of 1,015 staff members had the app on work mobiles, and more than 200,000 recordings of phone conversations were recorded and saved. These calls were likely to have been with victims, witnesses, and perpetrators of suspected crimes. However, not all officers were aware that the app would record all calls.
“Sussex Police and Surrey Police failed to use people’s personal data lawfully by recording hundreds of thousands of phone calls without their knowledge. People have the right to expect that when they speak to a police officer, the information they disclose is handled responsibly. We can only estimate the huge amount of personal data collected during these conversations, including highly sensitive information relating to suspected crimes,” said Stephen Bonner, ICO Deputy Commissioner – Regulatory Supervision.
In ‘normal’ outcomes, the ICO would have issued a £1m ($1.2m) fine to both Surrey Police and Sussex Police, however, in this instance, the regulator has applied its revised public sector approach to this case, giving the forces a formal reprimand instead.
“The reprimand reflects the use of the ICO’s wider powers towards the public sector as large fines could lead to reduced budgets for the provision of vital services,” said Bonner. “This case highlights why the ICO is pursuing a different approach, as fining Surrey Police and Sussex Police risks impacting the victims of crime in the area once again.”
Recordings destroyed
The app has now been withdrawn from use and most of the recordings, apart from those considered to be evidential material, have been destroyed.
“This case should be a lesson learned to any organisation planning to introduce an app, product or service that uses people’s personal data. Organisations must consider people’s data protection rights and implement data protection principles from the very start,” Bonner added.
In June last year, the ICO revised its approach to the public sector, aiming to reduce fines and encourage better collaboration with the sector – including publicising lessons learned and sharing good practice.
“I want to ensure my office remains a pragmatic, proportionate and effective regulator focused on making a difference to people’s lives.,” said John Edwards, UK Information Commissioner, at the time. “That means taking a more proactive and targeted approach with public authorities to ensure they are looking after people’s information while supporting their communities.”