Brit cops rapped over app that recorded 200k phone calls

Several police forces in Britain are being put on the naughty step by the UK's data watchdog for using a calling app that recorded hundreds of thousands of phone conversations and illegally retained that data.

The Information Commissioner's Office (ICO) said today it was made aware in June 2020 that Surrey Police and Sussex Police were given access to the Another Call Recorder app that recorded all incoming and outgoing conversations.

Some 1,015 staff downloaded the software on their work phones and made more than 200,000 records of phone chats, which the regulator reckons was likely with "victims, witnesses, and perpetrators of suspected crimes" and were "automatically saved."

However, the ICO thinks it probable that the app captured a range of personal information during these calls, and the "processing of some of this data was unfair and unlawful. The police officers were themselves unaware that calls would be recorded and so were the people on the other end of the line," the watchdog added.

The app was first made available in 2016 and was intended to be used by a small subset of specific officers, yet the Sussex and Surrey forces made it open for all staff to download. It's no longer used and the recordings, save for those containing evidential material, were destroyed.

The ICO could have issued a £1 million ($1.24 million) fine to both forces, which represent two counties in the south of England, but instead opted for its revised public sector approach in which it seeks to help entities learn from their mistakes, hence the reprimand.

In a statement, Stephen Bonner, ICO Deputy Commissioner, said: "People have the right to expect that when they speak to a police officer, the information they disclose is handled responsibly. We can only estimate the huge amount of personal data collected during these conversations, including highly sensitive information relating to suspected crimes.

"The reprimand reflects the use of the ICO's wider powers towards the public sector as large fines could lead to reduced budgets for the provision of vital services. This case highlights why the ICO is pursuing a different approach, as fining Surrey Police and Sussex Police risks impacting the victims of crime in the area once again."

• Marketing biz sent 107 million spam emails... to just 437k people
• Criminal records office yanks web portal offline amid 'cyber security incident'
• UK data watchdog slaps Ministry of Justice with Enforcement Notice for breaking GDPR law
• UK police lack framework for adopting new tech like AI and face recognition, Lords told

In a joint statement, Surrey Police and Sussex Police said the app was meant to be used by a small number of specialist hostage negotiators to support kidnap and crisis negotiations. They said the app was used on 432 phones and 1,024 officers downloaded the app, according to their findings.

"There was no means at that time of restricting use of the app and, unintentionally, it was enabled for all staff to download without appropriate guidance in place. When enabled, the app records and stores all phone calls made in the mobile device.

"The forces took immediate action when the error was identified in March 2020 including removing access to the app, securing evidence and self-referring the breach to the relevant regulators."

"At no point was any risk or harm to any data subject identified," they added.

New governance was put in place to ensure new apps are compliant with existing legislation, and all staff now have instructions on data protection for the use of apps. ®