Two police forces have been reprimanded by the data watchdog for unlawfully recording 200,000 phone conversations and capturing personal data.
The Information Commissioner’s Office (ICO) issued the rebuke to Surrey and Sussex police forces after an app was launched on the work phones of 1,015 staff members that recorded all incoming and outgoing calls.
The automatic recordings made since 2016 included “highly sensitive” conversations with victims, witnesses and perpetrators of suspected crimes.
The ICO said it considered issuing a £1 million fine to both forces but opted for the reprimand to reduce the impact on public services.
A spokesman said: “The ICO considered it highly likely that the app captured a large variety of personal data during these calls and it considered that the processing of some of this data was unfair and unlawful.
“Police officers that downloaded the app were unaware that all calls would be recorded, and people were not informed that their conversations with officers were being recorded.
“The app was first made available in 2016 and was originally intended to be used as recording software by a small number of specific officers, but Surrey Police and Sussex Police chose to make the app available for all staff to download.
“The app has now been withdrawn from use and the recordings, other than those considered to be evidential material, have been destroyed.”
Stephen Bonner, ICO deputy commissioner, said: “Sussex Police and Surrey Police failed to use people’s personal data lawfully by recording hundreds of thousands of phone calls without their knowledge.
“People have the right to expect that when they speak to a police officer, the information they disclose is handled responsibly.
“We can only estimate the huge amount of personal data collected during these conversations, including highly sensitive information relating to suspected crimes.
“The reprimand reflects the use of the ICO’s wider powers towards the public sector as large fines could lead to reduced budgets for the provision of vital services.
“This case highlights why the ICO is pursuing a different approach, as fining Surrey Police and Sussex Police risks impacting the victims of crime in the area once again.
“This case should be a lesson learned to any organisation planning to introduce an app, product or service that uses people’s personal data.“Organisations must consider people’s data protection rights and implement data protection principles from the very start.
“The two forces have been told to report back to the ICO within three months to explain how they have addressed the watchdog’s concerns and recommendations.”
In a statement the two forces said the app was “unintentionally” enabled for all staff to use and was downloaded on to 432 phones.
They said immediate action was taken when the error was identified in March 2020 and access was removed to the app while the forces referred themselves to the ICO, IOPC and CPS.
Temporary Assistant Chief Constable Fiona Macpherson ar Sussex Police said: “Police management of personal data is vital and we take rigorous measures to ensure this.
“This case exposed a lack of governance around use of this digital application, and this is regrettable. As soon as the error was reported, we took urgent action to ensure that this did not happen again.”