Use of Non-Corporate Communication Channels Policy

1 – Introduction

Section 3 of FOIA sets out the two legal principles which establish whether an organisation holds information for the purposes of FOIA:

“(2) For the purposes of this Act, information is held by a public authority if—

(a) it is held by the authority, otherwise than on behalf of another person, or

(b) it is held by another person on behalf of the authority.”

Section 3(2)(b) provides that, in circumstances where another person holds information on behalf of a public authority, the information is considered to be held by the authority for the purposes of FOIA. It is this sub-section that is of relevance to information held in non-corporate communications channels.

Section 84 contains the definition of information in FOIA and states that ““information” … means information recorded in any form”.

This means that official information held on a public authority’s behalf could be contained in a number of non-corporate channels or locations, including:

  • In private email accounts eg Gmail, Outlook or Yahoo Mail.
  • In private messaging accounts eg WhatsApp, Signal or Telegram.
  • Direct messages sent on apps such as Twitter or via Facebook Messenger.
  • On private mobile devices, including text messages on mobile phones and voice recordings.

Such channels create a number of risks and potential challenges to compliance with FOIA and adherence to the Code. As far as reasonably practicable, we should always ensure that we use corporate channels for official business. Where this is not possible for whatever reason, all members of the OPFCC should make arrangements to store official information on the corporate IT system as quickly as possible.

Information held in non-corporate communications channels may be subject to FOIA if it relates to the OPFCC’s official business. Regardless of whether it is held in an official or non-corporate communications channel, all such information held by someone who has a direct, formal connection with the OPFCC is potentially subject to FOIA. If the information held in a non-corporate communications channel amounts to OPFCC business, it is very likely to be held on behalf of the OPFCC in accordance with section 3(2)(b).

Information in non-corporate communication channels that does not relate to the business of the OPFCC would not be subject to FOIA.

2 – IT provision for OPFCC staff

All OPFCC staff are provided with secure IT equipment and have access to the Force’s secure IT system. This should mean that they do not need to use non-corporate channels and personal devices in order to undertake their roles. If OPFCC staff repeatedly use non-corporate communication channels, this should be raised as a matter of urgency with both the Data Protection Officer and the Digital & Technology Delivery Manager to enable them to review the capability, usability and limitations of current corporate channels.

3 – Demarcation between official and non-official information

In any sector, it is important to ensure that there is a clear demarcation between official business and non-official communications. In the context of the OPFCC, there is a need to have a clear demarcation between political/private work and OPFCC business, including work undertaken by OPFCC staff on behalf of those who contact the organisation. OPFCC staff will also be made aware of the potential for a private conversation on non-corporate channels ‘drifting’ into a discussion about official matters. For example, a discussion about a social event drifting into a discussion about a work meeting. At the point that the discussion becomes about official business, OPFCC staff should use official communication channels, or at the very minimum, forward the official part of the conversation to the secure corporate IT system.

4 – Records management

Section 46 of the Data Protection Act stresses the importance and benefits of having good records management. However, the use of non-corporate communications channels for official business makes adherence to good records management practice significantly more difficult. For example:

  • Such channels often have limited search functionality.
  • The retention and deletion periods on such channels are unlikely to align with those of official systems. In particular, there is a risk of information on non-corporate channels only being held for a limited time or messages being auto deleted.
  • Such channels often have limited ability to export information to an official system or to create records which you can transfer onto official systems.
  • Access to the information may well be limited to one individual or a small group, but there could be a business need for such information to be more widely available.
  • If an individual leaves the organisation, or simply moves roles, access to official information held in non-corporate communications channels can be lost.
  • The use of such channels for communicating official information may make it more difficult for the OPFCC to meet its obligations under data protection law.

The OPFCC Data Protection policy explains that, as far as reasonably practicable, OPFCC staff should always ensure that only corporate channels are used for official business. In the unlikely occurrence this is not possible, the policy clearly states that OPFCC staff should immediately record any information on OPFCC-related business on non-corporate channels on the secure corporate IT system.

The OPFCC Data Protection policy also sets out mitigating measures for staff if they use non-corporate communications channels for official business. The measures include the following:

  • If OPFCC staff use a private email account for OPFCC business, they must copy in an OPFCC email address to ensure the completeness of the authority’s records.
  • Anyone using such channels also needs to understand how to transfer or export information from the messaging app or platform onto official systems.

Should any OPFCC staff use non-corporate communications channels for official business, all transfers or exports of information should be completed within 24 hours of taking place. Should the information relate to key decisions, both the Data Protection Officer and the Digital & Technology Delivery Manager need to be informed immediately. This is important as non-corporate communications channels have sometimes been used to exchange information about emergency or fast-developing, high-profile events. However, the role of the OPFCC in similar events may subsequently be subject to external scrutiny, such as an inquiry, inquest or investigation. The use of non-corporate communication channels for official business may pose challenges in adhering to the UK GDPR’s data protection principles, such as data minimisation, storage limitation, and ensuring the integrity and confidentiality of personal data.

5 – Concealment and deletion

Any OPFCC staff who erase, destroy or conceal information with the intention of preventing its disclosure following receipt of a request are committing a criminal offence under section 77 of the Freedom of Information Act 2000. This offence can apply to both a public authority and to any person who is employed by, is an officer of, or is subject to the direction of the authority. For example, where information that a request covers is knowingly treated as not held because it is in a non-corporate communications channel, this may count as concealment intended to prevent the disclosure of information. The person concealing the information may be liable to prosecution.

6 – Data Protection Impact Assessment & Data Breach Notification

In cases where the use of non-corporate communication channels for official business is unavoidable or prevalent, a Data Protection Impact Assessment (DPIA) should be conducted to identify and mitigate potential risks to the rights and freedoms of individuals. Any potential data breaches involving personal data held in non-corporate communication channels should be reported to the Data Protection Officer without undue delay, in line with the UK GDPR’s breach notification requirements.