ICO Issues Reprimand for Call Recording App

The ICO has announced that it has issued both Sussex and Surrey Police with a reprimand relating to an app that recorded telephone calls without callers' knowledge.

The press release from the ICO states that "In June 2020, the ICO became aware that staff members across both police forces had access to an app that recorded all incoming and outgoing phone calls…The ICO considered it highly likely that the app captured a large variety of personal data during these calls and it considered that the processing of some of this data was unfair and unlawful. Police officers that downloaded the app were unaware that all calls would be recorded, and people were not informed that their conversations with officers were being recorded."

The ICO's Findings

Following being notified of the use of an app that recorded all incoming and outgoing phone calls by both police forces, the ICO began an investigation and found that:

• The app was first made available in 2016 and was originally intended to be used as recording software by a small number of officers but both forces chose to make the app available for all staff to download;

• No adequate risk assessment at the time the app was initially made available has been provided;

• It was unclear how the app had been approved for release as there was no documentation available for this;

• Devices on which the app was downloaded captured calls indiscriminately and without the knowledge of affected data subject; and

• Data subjects were not informed that their telephone calls were being recorded resulting in them being denied the opportunity to exercise their rights of access under data protection law.

The ICO found that use of the app capturing calls indiscriminately and without the knowledge of those concerned was unnecessary and could have been avoided if the police forces had taken steps to limit use of the app.

The ICO also found that the use of apps by staff was not routinely reviewed and there were at least two missed opportunities to review how personal information processed by the app was being used and its compliance with data protection law.

The Law

Data protection law requires that personal information collected (including information collected for law enforcement purposes) must be:

• adequate, relevant and not excessive in relation to the purpose for which it is processed;

• kept for no longer than is necessary for the purpose for which it is processed;

• processed in a manner that ensures appropriate security of personal information, using appropriate technical or organisational measures.

• The ICO found that the use of the call recording app by both police forces breached all of these provisions of data protection law.

Consequences of a Reprimand

A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation where the ICO considers an organisation has not complied with the UK GDPR. They are commonly issued against public sector organisations in the alternative to issuing a fine which would have to be paid for out of public funds. It should be noted that the ICO considered issuing each police force with a £1million fine but decided against doing so in accordance with its revised approach to public sector enforcement.

Lessons Learned

Whilst these reprimands have been issued to two police forces, the details of the investigation and the findings of the ICO will be of use to both public sector and private organisations who wish to record telephone calls. The enforcement action highlights the benefits of conducting a data protection impact assessment (DPIA) as a DPIA would have identified the data protection risks involved in enabling an app to record all call as a blanket rule without notifying callers of the recording.

A full copy of the reprimands are available to view here