The breach followed the roll-out of an app called Another Call Recorder in 2016 that recorded phone calls.
The forces made the app available for use by a “small number” of specialist hostage negotiators in 2017.
But at the time, there was no way of restricting its use, and as soon as the mistake was noticed in 2020, it was disabled.
Surrey Police statement in full.
The Information Commissioner’s Office has today announced
its decision to issue a reprimand to the Chief Constables of Surrey and Sussex
Police for unauthorised use of a data recording app.
The notice relates
to the use of an application known as Another Call Recorder (ACR), an app
available for download to mobile devices which can be used for recording phone
calls.
In 2017, the forces made the app available for use by a
small number of specialist hostage negotiators for the purpose of supporting
kidnap and crisis negotiations and maximising public safety.
There was no means at that time of restricting use of the
app and, unintentionally, it was enabled for all staff to download without
appropriate guidance in place. When enabled, the app records and stores all
phone calls made in the mobile device.
The forces took immediate action when the error was
identified in March 2020 including removing access to the app, securing
evidence and self-referring the breach to the relevant regulators, including
the Investigatory Powers Commissioner’s Office (IPCO) and the Information
Commissioner’s Office. The Crown Prosecution Service was also made aware.
A thorough internal audit was carried out to establish the
number of officers and staff across both Surrey Police and Sussex Police who
downloaded the app, the extent to which they used it and the quantity and
nature of any material which may have been recorded.
This established that the app was used on 432 phones and
that those phones held audio files. The audit also established that 1,024
officers and staff had downloaded the app.
Of these, four users had recordings on their devices which
fell within the category of “users who have identified recording(s) that are
evidence of an offence that is or was under investigation”.
Three of these related to criminal cases and each of the
investigating officers was contacted and advised to ensure that the CPS was
informed of the existence of these calls, in accordance with the Criminal
Procedures & Investigations Act 1996.
Further enquiries established that only one of these could
have had a potential impact if the case progressed to trial.
Both force Professional Standards Departments were fully
involved in the findings. At no point was any risk or harm to any data subject
identified.
All officers and staff who had downloaded the app were
directed to delete any calls they had recorded without listening to them. The
app and any files were removed and all mobile devices were reset to ensure that
all the files were permanently deleted.
The ICO report also outlined a number of recommendations,
the majority which have already been implemented.
A new governance process was put in place, ensuring that all
new apps are compliant with current legislation before being made available.
All staff are provided with instructions and data protection guidance in
respect of the use of any apps via a message which appears on the front screen
of all devices.
All existing policies and procedures have been reviewed to
ensure that adequate consideration has been given to data subject rights during
the processing of personal data.
Both forces use the College of Policing approved package in
relation to data protection training, and it is mandatory for all staff to
complete an annual refresher.
Temporary Assistant Chief Constable Fiona Macpherson
explained: “Police management of personal data is vital and we take rigorous
measures to ensure this.
“This case exposed a lack of governance around use of this
digital application, and this is regrettable.
“As soon as the error was reported, we took urgent action to
ensure that this did not happen again. We initiated a review of all
applications available on the corporate Google Play Store to ensure that there
are no other applications that may have had similar functionality. A robust
process is now in place to ensure any new requests for mobile apps are subject
to appropriate due diligence and scrutiny.
“Steps were also taken to mitigate the situation by
establishing how many officers had downloaded the app, the extent of their use
of the app and any potential impact on upcoming legal proceedings. Officers and
staff were also given clear instructions to delete any conversations they had
recorded without listening to them.
“We also referred the matter proactively to the two regulatory bodies, ICO and IPCO, for their consideration and have fully complied with their directions.”