Britain’s data watchdog has rebuked two police forces for unlawfully recording 200,000 phone conversations and capturing large amounts of personal data.
The Information Commissioner’s Office (ICO) reprimanded Surrey Police and neighbouring and Sussex Police after it emerged they had recorded all incoming and ongoing calls when they rolled out an app on 1,015 staff members’ work phones in 2016.
The app automatically recorded “highly sensitive” conversations with victims, witnesses, and those accused of crimes.
The ICO could have given both forces a £1 million fine each but it opted for a reprimand because the fines would have to be paid for out of police budgets and that would naturally impact the general public.
But a spokesman said, “The ICO considered it highly likely that the app captured a large variety of personal data during these calls and it considered that the processing of some of this data was unfair and unlawful.”
“Police officers that downloaded the app were unaware that all calls would be recorded, and people were not informed that their conversations with officers were being recorded,” he added.
The app was originally intended to be used as recording software by specialist officers but Surrey and Sussex forces both chose to make it available for all staff to download.
“The app has now been withdrawn from use and the recordings, other than those considered to be evidential material, have been destroyed,” the ICO spokesman confirmed.
ICO Deputy Commissioner Stephen Bonner said, “Sussex Police and Surrey Police failed to use people’s personal data lawfully by recording hundreds of thousands of phone calls without their knowledge.”
He said, “People have the right to expect that when they speak to a police officer, the information they disclose is handled responsibly.”
The ICO said they could not even begin to estimate the amount of personal data collected during conversations between police officers and staff and members of the public.
In a joint statement Surrey and Sussex Police said the app had been “unintentionally” downloaded on to 432 phones.
They said immediate action was taken when the error was identified in March 2020 and access was removed to the app.
Sussex Police Says It Was ‘Regrettable’
She said: “This case exposed a lack of governance around use of this digital application, and this is regrettable. As soon as the error was reported, we took urgent action to ensure that this did not happen again.”An ICO spokesman said, “The reprimand reflects the use of the ICO’s wider powers towards the public sector as large fines could lead to reduced budgets for the provision of vital services.”
“This case highlights why the ICO is pursuing a different approach, as fining Surrey Police and Sussex Police risks impacting the victims of crime in the area once again,” he added.
But he warned: “This case should be a lesson learned to any organisation planning to introduce an app, product or service that uses people’s personal data. Organisations must consider people’s data protection rights and implement data protection principles from the very start.”
The two forces have been told to report back to the ICO within three months to explain what actions they have taken to address the watchdog’s concerns and recommendations.
The collection of personal data is governed by the Data Protection Act and the GDPR (General Data Protection Regulation) guidelines.
Last month YouTube was accused by a British parent of illegally gathering data on children under 13, which would be in breach of a UK data privacy code.
The complaint claims up to 5 million UK children under the age of 13 are having their location, viewing habits, and preferences logged in the data banks of YouTube, which is owned by Alphabet, which also owns Google.