Surrey Police and Sussex Police have been reprimanded by the Information Commissioner’s Office (ICO) for unauthorised use of a data recording app. The app in question, Another Call Recorder (ACR), was made available to a small number of specialist hostage negotiators in 2017. However, due to a lack of appropriate guidance, it was enabled for all staff to download and use. The app records and stores all phone calls made on the mobile device, without people’s knowledge or consent.
The error was identified in March 2020 and immediate action was taken, including removing access to the app, securing evidence, and self-referring the breach to relevant regulators such as the Investigatory Powers Commissioner’s Office (IPCO) and the ICO. An internal audit was carried out which established that the app was used on 432 phones and that 1,024 officers and staff had downloaded it.
The audit found that four users had recordings on their devices which fell within the category of “users who have identified recording(s) that are evidence of an offence that is or was under investigation”. Three of these related to criminal cases and each investigating officer was advised to inform the Crown Prosecution Service (CPS) of the existence of these calls. Further enquiries established that only one of these could have had a potential impact if the case progressed to trial.
All officers and staff who had downloaded the app were directed to delete any calls they had recorded without listening to them. The app and any files were removed and all mobile devices were reset to ensure that all the files were permanently deleted. The ICO report outlined a number of recommendations, the majority of which have already been implemented, including a new governance process for ensuring compliance with current legislation before apps are made available, providing data protection guidance for all staff, and reviewing existing policies and procedures.
Temporary Assistant Chief Constable Fiona Macpherson acknowledged the lack of governance around the use of the digital application and the regrettable error. She also highlighted that a robust process is now in place to ensure any new requests for mobile apps are subject to appropriate due diligence and scrutiny. The matter was referred proactively to the ICO and IPCO for their consideration and the forces fully complied with their directions. No harm to any data subject was identified at any point during the investigation.
