18 April, 2023
The ICO has announced that it has issued both Sussex and Surrey Police with a reprimand relating to an app that recorded telephone calls without callers' knowledge.
The press release from the ICO states that "In June 2020, the ICO became aware that staff members across both police forces had access to an app that recorded all incoming and outgoing phone calls…The ICO considered it highly likely that the app captured a large variety of personal data during these calls and it considered that the processing of some of this data was unfair and unlawful. Police officers that downloaded the app were unaware that all calls would be recorded, and people were not informed that their conversations with officers were being recorded."
Following being notified of the use of an app that recorded all incoming and outgoing phone calls by both police forces, the ICO began an investigation and found that:
The ICO found that use of the app capturing calls indiscriminately and without the knowledge of those concerned was unnecessary and could have been avoided if the police forces had taken steps to limit use of the app.
The ICO also found that the use of apps by staff was not routinely reviewed and there were at least two missed opportunities to review how personal information processed by the app was being used and its compliance with data protection law.
Data protection law requires that personal information collected (including information collected for law enforcement purposes) must be:
A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation where the ICO considers an organisation has not complied with the UK GDPR. They are commonly issued against public sector organisations in the alternative to issuing a fine which would have to be paid for out of public funds. It should be noted that the ICO considered issuing each police force with a £1million fine but decided against doing so in accordance with its revised approach to public sector enforcement.
Whilst these reprimands have been issued to two police forces, the details of the investigation and the findings of the ICO will be of use to both public sector and private organisations who wish to record telephone calls. The enforcement action highlights the benefits of conducting a data protection impact assessment (DPIA) as a DPIA would have identified the data protection risks involved in enabling an app to record all call as a blanket rule without notifying callers of the recording.
A full copy of the reprimands are available to view here
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.
Learn more about our Governance, Procurement & Information department here