By Lucy Caulkett-
The Information Commissioner’s Office (ICO) has issued a warning to two police forces following the rollout of an app that recorded phone conversations and “unlawfully captured personal data”.
The revelation means conversations of witnesses, including those who may have eventually withdrawn from giving evidence in a court case remained on the phones of police officers without the knowledge, let alone consent of those whose voices and conversations were illegally stored.
The ICO said it became aware in 2020 that staff members across Surrey Police and Sussex Police had access to an app that recorded all incoming and outgoing phone calls.
According to the ICO, 1,015 staff members downloaded the app onto their work mobile phones and more than 200,000 recordings of phone conversations, “likely with victims, witnesses, and perpetrators of suspected crimes”, were automatically saved.
It added: “The ICO considered it highly likely that the app captured a large variety of personal data during these calls and it considered that the processing of some of this data was unfair and unlawful.
“Police officers that downloaded the app were unaware that all calls would be recorded, and people were not informed that their conversations with officers were being recorded.
The app was first made available in 2016, and was originally intended to be used as recording software by a small number of specific officers, but Surrey Police and Sussex Police chose to make the app available for all staff to download, the ICO said.
The app has now been withdrawn from use and the recordings, other than those considered to be evidential material, have been destroyed.
The ICO said it has applied its revised public sector approach to this case – instead of issuing a £1 million fine to both Surrey Police and Sussex Police, they have each received a formal reprimand.
The ICO’s approach aims to reduce the impact of fines on those accessing public services and to “encourage greater data protection compliance from public authorities to prevent harms from occurring in the first place”.
Stephen Bonner, ICO Deputy Commissioner –for Regulatory Supervision, said: “Sussex Police and Surrey Police failed to use people’s personal data lawfully by recording hundreds of thousands of phone calls without their knowledge.
“People have the right to expect that when they speak to a police officer, the information they disclose is handled responsibly.
“We can only estimate the huge amount of personal data collected during these conversations, including highly sensitive information relating to suspected crimes.
“The reprimand reflects the use of the ICO’s wider powers towards the public sector as large fines could lead to reduced budgets for the provision of vital services.
“This case highlights why the ICO is pursuing a different approach, as fining Surrey Police and Sussex Police risks impacting the victims of crime in the area once again.
“This case should be a lesson learned to any organisation planning to introduce an app, product or service that uses people’s personal data.
“Organisations must consider people’s data protection rights and implement data protection principles from the very start.”
The ICO has recommended that Surrey Police and Sussex Police should take action to ensure their compliance with data protection law, including:
Deployment of any new apps should consider data protection at the very beginning and document the process. A specific team should consider the method and means of data processing, with remedial action taken to ensure processing is compliant with current data protection legislation prior to the app being deployed
Instruction and data protection guidance should be issued to staff in respect of the use of any apps, with officers required to confirm that issued guidance has been read and understood;
Review existing policies and procedures to ensure that adequate consideration has been given to data subject rights during the processing of personal data and special category data; and
Review the content of data protection training, particularly in respect of law enforcement processing.
The ICO has asked Surrey Police and Sussex Police to provide details of actions taken to address these recommendations within three months of the reprimand being issued.
In a joint response to the ICO reprimand, Sussex Police and Surrey Police said: “The ICO has today announced its decision to issue a reprimand to the chief constables of Surrey and Sussex Police for unauthorised use of a data recording app.
“The notice relates to the use of an application known as Another Call Recorder (ACR), an app available for download to mobile devices which can be used for recording phone calls.
“In 2017, the forces made the app available for use by a small number of specialist hostage negotiators for the purpose of supporting kidnap and crisis negotiations and maximising public safety.
“There was no means at that time of restricting use of the app and, unintentionally, it was enabled for all staff to download without appropriate guidance in place. When enabled, the app records and stores all phone calls made in the mobile device.
“The forces took immediate action when the error was identified in March 2020 including removing access to the app, securing evidence and self-referring the breach to the relevant regulators, including the Investigatory Powers Commissioner’s Office (IPCO) and the ICO. The Crown Prosecution Service (CPS) was also made aware.
“A thorough internal audit was carried out to establish the number of officers and staff across both Surrey Police and Sussex Police who downloaded the app, the extent to which they used it and the quantity and nature of any material which may have been recorded.
“This established that the app was used on 432 phones and that those phones held audio files. The audit also established that 1,024 officers and staff had downloaded the app.
“Of these, four users had recordings on their devices which fell within the category of ‘users who have identified recording(s) that are evidence of an offence that is or was under investigation’.
“Three of these related to criminal cases and each of the investigating officers was contacted and advised to ensure that the CPS was informed of the existence of these calls, in accordance with the Criminal Procedures and Investigations Act 1996.
“Further enquiries established that only one of these could have had a potential impact if the case progressed to trial.
“Both force Professional Standards Departments were fully involved in the findings. At no point was any risk or harm to any data subject identified.
“All officers and staff who had downloaded the app were directed to delete any calls they had recorded without listening to them. The app and any files were removed and all mobile devices were reset to ensure that all the files were permanently deleted.
“The ICO report also outlined a number of recommendations, the majority which have already been implemented.
“A new governance process was put in place, ensuring that all new apps are compliant with current legislation before being made available. All staff are provided with instructions and data protection guidance in respect of the use of any apps via a message which appears on the front screen of all devices.
“All existing policies and procedures have been reviewed to ensure that adequate consideration has been given to data subject rights during the processing of personal data.
“Both forces use the College of Policing approved package in relation to data protection training, and it is mandatory for all staff to complete an annual refresher.”
Assistant Chief Constable Fiona Macpherson added that police management of personal data was “vital and we take rigorous measures to ensure this”.
She said: “This case exposed a lack of governance around use of this digital application, and this is regrettable.
“As soon as the error was reported, we took urgent action to ensure that this did not happen again. We initiated a review of all applications available on the corporate Google Play Store to ensure that there are no other applications that may have had similar functionality. A robust process is now in place to ensure any new requests for mobile apps are subject to appropriate due diligence and scrutiny.
“Steps were also taken to mitigate the situation by establishing how many officers had downloaded the app, the extent of their use of the app and any potential impact on upcoming legal proceedings. Officers and staff were also given clear instructions to delete any conversations they had recorded without listening to them.
“We also referred the matter proactively to the two regulatory bodies, ICO and IPCO, for their consideration and have fully complied with their directions.”
The warning comes after a revelation that Sussex Police will be one of four forces taking part in a two-year trial of the new civil court powers alongside Merseyside Police, Thames Valley Police and West Midlands Police.
The SVROs are aimed at tackling knife crime and serious violence, allowing officers to stop, detain and search offenders who have previously been convicted of knife or offensive weapon offences.
They are also designed to help protect high-risk offenders from being drawn into further exploitation by criminal gangs.