Surrey Police and Sussex Police reprimanded for recording phone calls without people's knowledge
ICO reprimands relate to the rollout of an app that unlawfully captured personal data
The UK’s Information Commissioner’s Office (ICO) announced on 18 April that it has issued a reprimand to both Surrey Police and Sussex Police for recording more than 200,000 phone calls without people’s knowledge. The privacy breaches relate to the rollout of an app by both police forces that recorded phone conversations and captured personal data unlawfully.
According to the ICO, the specific app used by both police forces, first made available in 2016, was originally intended to be used by a small number of specific officers, but Surrey Police and Sussex Police made the app available for download by all staff. The app has since been withdrawn from use and the recordings have been destroyed, except for those considered to be evidential material.
The ICO’s revised public sector approach, announced in June 2022 to enable the regulator to work more effectively with public authorities, has been applied in this case. Both Surrey Police and Sussex Police have been given a formal ICO reprimand rather than the £1 million fine that would have applied prior to the revised approach.
The ICO has also issued recommendations for action that must be taken within three months of the reprimand being issued to Surrey Police and Sussex Police to ensure their compliance with data protection law. These include: the deployment of any new apps should consider data protection at the very beginning, and the process should be documented; instruction and data protection guidance should be issued to staff in respect of the use of any apps; existing policies and procedures should be reviewed to ensure that adequate consideration has been given to data subject rights during the processing of personal data and special category data; and the content of data protection training should be reviewed, particularly in respect of law enforcement processing.
Commenting on the reprimands, ICO Deputy Commissioner for Regulatory Supervision, Stephen Bonner, said: “Sussex Police and Surrey Police failed to use people’s personal data lawfully by recording hundreds of thousands of phone calls without their knowledge. People have the right to expect that when they speak to a police officer, the information they disclose is handled responsibly. We can only estimate the huge amount of personal data collected during these conversations, including highly sensitive information relating to suspected crimes. The reprimand reflects the use of the ICO’s wider powers towards the public sector as large fines could lead to reduced budgets for the provision of vital services. This case highlights why the ICO is pursuing a different approach, as fining Surrey Police and Sussex Police risks impacting the victims of crime in the area once again. This case should be a lesson learned to any organisation planning to introduce an app, product or service that uses people’s personal data. Organisations must consider people’s data protection rights and implement data protection principles from the very start.”