The Information Commissioner’s Office (ICO) has issued Surrey Police and Sussex Police with reprimands after finding that officers had unlawfully used a mobile phone app to covertly record more than 200,000 phone calls.
The police forces escaped potential fines of £1m following a change in policy by the ICO last year, which aims to protect public bodies from having to make large payouts for data protection breaches when fines could disrupt public services.
More than 1,015 members of staff downloaded a free app from the Google Play Store, which was used to unlawfully record conversations with victims, witnesses and perpetrators of suspected crimes, the information commissioner found.
The practice, which went on for over three years, raised questions about the ability of police officers to identify and disclose recordings that are legally required to be shared with defendants under the Criminal Procedure and Investigations Act 1966 (CPIA).
The data protection watchdog found that the police forces had breached the Data Protection Act 2018 and had missed several opportunities to bring their practices into line with data protection law. The police forces self-reported the breach in March 2020.
ICO deputy commissioner Stephen Bonner said the data protection watchdog had ruled out fining the police forces as doing so would damage their ability to fight crime.
“The reprimand reflects the use of the ICO’s wider powers towards the public sector as large fines could lead to reduced budgets for the provision of vital services. This case highlights why the ICO is pursuing a different approach, as fining Surrey Police and Sussex Police risks impacting the victims of crime in the area once again,” he said.
Computer Weekly revealed in January 2022 that Surrey and Sussex police forces authorised the recording app, called Another Call Recorder (ACR), for hostage negotiators when dealing with kidnappers and crisis negotiations in 2017.
The app recorded and stored all incoming and outgoing calls made on police-issued mobile phones and mobile data terminals.
Stephen Bonner, ICO
The ICO found that although it had been technically possible for Surrey Police to assign the app to a limited number of specialist officers, it had not chosen to do so, and in practice it was available to staff across the force to download.
Bonner said Surrey and Sussex police forces had failed to use people’s personal data lawfully by recording hundreds of thousands of phone calls without their knowledge.
“People have the right to expect that when they speak to a police officer, the information they disclose is handled responsibly. We can only estimate the huge amount of personal data collected during these conversations, including highly sensitive information relating to suspected crimes,” he said.
Risk of failure to disclose evidence
The ICO’s reprimand raises questions about whether police officers could fulfil their legal duty to disclose telephone conversations relevant to criminal cases.
According to the ICO, evidence provided by the forces suggested that many of the police officers who had downloaded the app were not aware that all calls were being recorded.
The forces had no mechanism to automatically back up recordings of phone calls or to retain recordings if phones were lost or damaged.
“This calls into question whether all the personal information processed during the period the app was in use has been appropriately disclosed as evidential material,” the ICO wrote in the reprimand.
The ICO said that no evidence was presented to suggest that information contained in recorded phone calls would have altered the verdict in criminal cases.
Widespread use of phone app
Computer Weekly previously reported that officers throughout both forces had access to the Google Play Store where they were able to download the app.
The ICO found that the forces had missed opportunities to review police officers’ use of the recording app when a new technology platform was introduced in November 2017.
The forces also failed to review the use of the app and its processing of personal data when the Data Protection Act 2018 came into force. “This is of particular concern given the enhanced rights afforded to data subjects under the new legislation,” the ICO said.
The police forces had failed to inform staff how the app operated or to ensure that officers were aware that the use of the app amounted to processing personal data under data protection legislation, it said.
Police also breached the forces’ electronic device policy by using the app to “record notes or other investigative details”.
The ICO found that people were not informed that their telephone calls with police officers were being recorded, which deprived them of their right to object to the recording or to obtain transcripts or copies.
The ICO concluded that it was “highly likely” that the app captured a variety of data, including sensitive personal data across a broad range of topics, in breach of the Data Protection Act 2018.
Police manually transferred recordings from police mobile phones protected by encryption to removable media, raising concerns about whether personal and special category data was stored securely, in breach of data protection law.
Forces self-reported breach
In a joint statement, Surrey Police and Sussex Police said they took immediate action when they realised the error in March 2020 by removing the app, securing evidence and referring the breach to the Investigatory Powers Commissioner’s Office (IPCO) and the information commissioner.
An internal audit found that 1,024 officers and staff had downloaded the app and that the app had been used on 432 phones that held audio files. Four app users identified recordings that contained evidence of an offence.
According to the statement, only one of the recordings could have had a potential impact if the case progressed to trial.
The forces said they had put new processes in place to ensure that all new apps are compliant with legislation before being issued and that staff are given access to data protection advice.
Temporary assistant chief constable Fiona McPherson said: “The case exposed a lack of governance around use of this digital application, and this is regrettable. As soon as the error was reported, we took urgent action to ensure that this did not happen again.”
Katie Wheatley, head of the crime fraud and regulatory team at law firm Bindmans, said it was astonishing that Sussex and Surrey police had apparently failed to consider legal requirements to retain and disclose material for criminal investigations.
“I still find it astonishing that these recordings were being made for years without any consideration being given by the forces concerned or individual users of the legal requirement for retention and disclosure of material relevant to investigations,” she told Computer Weekly.
“It suggests that these requirements were not at the top of their minds as they should be. This is concerning, as disclosure is a cornerstone of the criminal justice system and helps to prevent miscarriages of justice,” added Wheatley.
Monika Sobiecki, a partner at Bindmans, and a data protection specialist, said that in her view the reprimand is overly lenient even in the context of the ICO’s own Regulatory Action Policy.
“It is not the first time there has been a rapid de-escalation by the ICO of penalties from their notice of intent to final decision. We’ve seen it in a number of cases for example BA, Marriott, Ticketmaster,” she told Computer Weekly.
She said that it made sense, however, for the ICO, which is likely to face robust legal challenges to any fines imposed, to focus its resources on the cases it views as most critical.
Dai Davis, a data protection lawyer, told Computer Weekly that issuing a reprimand rather than a fine to public sector organisations would make sense if it led to better compliance with data protection legislation.
“The information commissioner is entitled to do what he has done. The ICO has a limited budget, is understaffed, underpaid. He has to put resources where credible,” he said.
Davis said it was difficult to understand why, out of 1,000 police users, only four recordings were found that related to criminal offences.
The ICO has asked Surrey Police and Sussex Police to provide details, within three months, of the actions they have taken to implement measures recommended by the ICO to ensure they are complying with data protection law.