Don’t have an “app”cident: SA and UK authorities crack down on employers for personal information breaches through apps

The need to protect personal information is becoming increasingly prevalent worldwide, and the consequences for failing to do so are becoming more stringent. Recently, the UK's Information Commissioner's Office reprimanded the Surrey and Sussex Police for data protection breaches that resulted from using cell phone apps that automatically recorded all incoming and outgoing telephone conversations and saved them onto staff members' mobile devices. Similarly, South Africa’s Information Regulator found the South African Police Service (SAPS) had interfered with the protection of personal information of rape victims whose personal information had been shared via WhatsApp.


The ICO’s reprimand


In the UK case, the ICO found that in excess of 202 000 telephone conversations had been recorded and downloaded from a cell phone app. The app had initially been intended for use by only a certain level of police officers, but was later made available to all staff and, as a result, had been downloaded by 1 015 staff members. The ICO found it highly likely that the app captured a variety of data, including sensitive personal data, in circumstances where it is unknown how many of the recordings related solely to law enforcement matters. The ICO found the collection of the data to be in breach of the Data Protection Act, 2018 (“DPA”) and the General Data Protection Regulation (“GDPR”) in that it was unfair, unlawful, and not in all cases necessary for the purposes of law enforcement. It also found that:


  • No adequate risk assessment had been undertaken in respect of the intended processing of personal information at the time the app was initially made available to staff.
  • The list of available apps was not routinely reviewed and no review of the app’s availability or the resultant processing of personal information took place when the DPA was introduced.
  • Inadequate instruction or guidance was provided to staff to inform them how the app functioned to ensure compliance with the applicable data protection legislation.
  • The lack of adequate oversight in this regard rendered the information processing non-compliant with the DPA 2018.
  • There was a lack of transparency and fair processing in that data subjects were not informed that their telephone calls were being recorded. This resulted in them being denied the opportunity to exercise their rights of access to their information, and to object to the recording; complain about the recording; ensure the accuracy of retained information; request rectification and/or erasure; or to exercise their right of access to personal information in order to obtain transcripts or copies of recordings.
  • The retention of call recordings on the staff’s mobile devices was not subject to any review or oversight.


The ICO ultimately recommended that the following actions be taken by the police to ensure their compliance with the DPA 2018:


  • The consideration and deployment of any new apps should be assessed by a specific team, with adequate and appropriate consideration being given to the method and means of processing, and any effects this will have on data subject rights.
  • This process should be documented and authorised at an appropriate level, with remedial action being taken to ensure that the processing is compliant with current legislation prior to the app being deployed.
  • Adequate instruction and guidance should be issued to staff in respect of the use of any app, with confirmation that the issued instruction and guidance has been read and understood in order for the police to be satisfied that staff are aware of their compliance responsibilities during app usage.
  • A review of existing policies and procedures to ensure that adequate consideration has been given to data subject rights during the processing of personal information and special category data.
  • A review of the content of data protection training to ensure sufficient prominence is given to the requirement for consideration of data subject rights.


The ICO considered imposing a hefty administrative penalty in the amount of GBP1-million. However, as a result of its revised approach to working effectively with public authorities, the ICO used its discretion to reduce the impact of fines on the public sector by using its wider powers such as warnings, reprimands and enforcement notices.


A South African look-alike


Similarly, in April 2023, the South African Information Regulator issued an enforcement notice against the SAPS for disclosing the personal information of eight rape victims, including their names, ages, home addresses and the nature of the violations against them, to a number of SAPS members via WhatsApp.


The Information Regulator found that the disclosure of this information constituted interference with the protection of personal information of the data subjects (the victims) by the SAPS, as it breached the conditions for the lawful processing of personal information in terms of the Protection of Personal Information Act (“POPIA”) in that:


  • By distributing the personal information of data subjects in a WhatsApp message, it processed such information unlawfully, unreasonably and in a manner that infringed the data subjects’ privacy and did so without their consent.
  • The personal information of data subjects contained in the WhatsApp message was excessive and not relevant to the purpose for which it was distributed, which, according to the SAPS, was to alert the respective police stations of the serious crimes that had been committed.
  • The SAPS had failed to take appropriate, reasonable, technical measures to prevent the unlawful accessing of the personal information of data subjects.
  • The SAPS did not comply with the duty to notify the Regulator and the data subjects of the security compromise.


The Information Regulator therefore ordered that SAPS must:


  • notify the data subjects of the security compromise of their personal information;
  • publish a prominent apology to the data subjects in major national weekly newspapers and social media platforms such as Facebook and Twitter, for the unlawful processing of their personal information;
  • investigate the conduct of the SAPS members responsible for the unlawful processing of the personal information; and
  • include POPIA training in all SAPS training programmes.


One could argue that the Information Regulator adopted a lenient approach when dealing with the complaint - an approach similar to that of the ICO. In our view, the procedure followed by the Information Regulator, in the light of the nature of the complaint and the actions it ordered to be taken by SAPS to rectify the interference and ensure compliance with POPIA, is appropriate and reasonable.


If the SAPS does not comply with the enforcement notice within the stipulated period, the Information Regulator may very well issue an infringement notice directing SAPS to pay an administrative fine of up to ZAR10-million. A failure to comply with the Information Regulator’s enforcement notice could also constitute a criminal offence in terms of POPIA. A person convicted of this offence could be fined or imprisoned for a period not exceeding 10 years, or both.


Guidance to employers and other responsible parties


Employers in South Africa can learn from the recommendations of the ICO and the Information Regulator to comply with data protection laws, including POPIA or similar foreign legislation, when using apps. Employers should:


  • Conduct a risk assessment to determine the risks attached to the use of any app, on mobile devices or otherwise, by the employer, its employees and any other individuals who make use of, or will be affected by, the app.
  • Assess what, how and why personal and special personal information will be processed when using the app.
  • Ensure that appropriate and reasonable technical and organisational security measures are put in place in respect of any apps used to ensure that the integrity and confidentiality of personal information is protected.
  • Regularly reassess what personal information is processed by the apps used, whether the safeguards in place are appropriate, and whether there are any new risks or shortcomings.
  • Notify any data subjects of the processing of their personal information and obtain consent to the processing, if necessary.
  • Ensure that employees receive appropriate training on POPIA and on the protection and processing of personal information in the workplace, including through the use of apps.
  • Implement and update policies and procedures to ensure that they govern app usage sufficiently where personal information is processed.
  • Ensure that employees are made aware of the processing of personal information by means of apps.


--

Read the original publication at ENSafrica.