Information Commissioner reprimands two police forces for recording 200,000 phone conversations without consent

The Information Commissioner's Office (ICO) has issued Surrey Police and Sussex Police with reprimands under its new approach to enforcement against the public sector, instead of imposing a £1m monetary penalty, after finding that some officers at both police forces were using an app that automatically recorded phone conversations.

In June 2022 the ICO announced that fines for public authorities would be issued in only "the most egregious cases" as part of a two-year trial experimenting with a different approach to punishing public authorities for data breaches.

The investigation into Surrey Police and Sussex Police began in June 2020 when the ICO became aware that staff members across both police forces had access to an app that recorded all incoming and outgoing phone calls.

Just over a thousand staff members were found to have downloaded the app onto their work phones, resulting in more than 200,000 recordings of phone conversations being automatically saved.

According to the ICO, these conversations would have likely included correspondence with victims, witnesses and perpetrators of suspected crimes.

It added that it is highly likely the app captured a large variety of personal data during the phone calls and it considered that the processing of some of this data was unfair and unlawful.

Police officers who downloaded the app were unaware that phone calls would be recorded, and people were not informed that their conversations with officers were being recorded.

Commenting on the decision to issue the reprimand rather than a fine, Stephen Bonner, the ICO's Deputy Commissioner – Regulatory Supervision, said: “The reprimand reflects the use of the ICO’s wider powers towards the public sector as large fines could lead to reduced budgets for the provision of vital services. This case highlights why the ICO is pursuing a different approach, as fining Surrey Police and Sussex Police risks impacting the victims of crime in the area once again.”

Bonner added: “This case should be a lesson learned to any organisation planning to introduce an app, product or service that uses people’s personal data. Organisations must consider people’s data protection rights and implement data protection principles from the very start.”

Speaking on behalf of both police forces, Temporary Assistant Chief Constable Fiona Macpherson said: "This case exposed a lack of governance around use of this digital application, and this is regrettable."

Macpherson added: "As soon as the error was reported, we took urgent action to ensure that this did not happen again. We initiated a review of all applications available on the corporate Google Play Store to ensure that there are no other applications that may have had similar functionality. A robust process is now in place to ensure any new requests for mobile apps are subject to appropriate due diligence and scrutiny.

"Steps were also taken to mitigate the situation by establishing how many officers had downloaded the app, the extent of their use of the app and any potential impact on upcoming legal proceedings. Officers and staff were also given clear instructions to delete any conversations they had recorded without listening to them.

"We also referred the matter proactively to the two regulatory bodies, ICO and IPCO, for their consideration and have fully complied with their directions."

Adam Carey