Why Did UK Police Receive No Punishment for Unlawfully Recording 200,000 Calls?

Suppose your privacy was unlawfully violated by somebody recording a phone call where you discussed deeply sensitive matters without you first knowing or consenting to the recording. Then suppose the people who violated your legal rights were the cops. And then suppose the people trusted to enforce privacy laws contemplated issuing a GBP1mn (USD1.25mn) fine to each police force that broke the law this way, but arbitrarily decided not to. This is how your ‘rights’ are protected in modern Britain. If you feel that this makes a mockery of privacy rules, your only comfort comes from knowing future police transgressions may also lead to a strongly worded letter from the Information Commissioner’s Office (ICO), the UK body responsible for prosecuting violators of data protection law. As ICO explained in their recent press release:

The Information Commissioner’s Office (ICO) has issued a reprimand to both Surrey Police and Sussex Police, following the rollout of an app that recorded phone conversations and unlawfully captured personal data.

A reprimand! This might be appropriate if five or six calls were recorded by accident. The police did not record just five or six calls.

In June 2020, the ICO became aware that staff members across both police forces had access to an app that recorded all incoming and outgoing phone calls. 1,015 staff members downloaded the app onto their work mobile phones and more than 200,000 recordings of phone conversations, likely with victims, witnesses, and perpetrators of suspected crimes, were automatically saved.

The idiot superiors of over 1,000 police officers are so bloody ignorant of privacy laws that they saw nothing wrong with software that automatically records every call on a cop’s work phone. But why should they care when ICO rushes to protect the public by taking 33 months to determine that they only needed to issue a reprimand in response? Now try to explain why ICO thinks it is reassuring that they calculated the kind of financial penalty that would be applied if this kind of abuse was perpetrated by an organization in the private sector, but does not apply when the abuse is due to the stupidity and negligence of people employed to enforce the law.

The ICO has applied its revised public sector approach to this case — instead of issuing a £1m fine to both Surrey Police and Sussex Police, they have each received a formal reprimand. The ICO’s approach aims to reduce the impact of fines on those accessing public services and to encourage greater data protection compliance from public authorities to prevent harms from occurring in the first place.

The whole point of fines and other punishments is to encourage compliance with the law. ICO’s approach is just self-serving doublethink. It is possible to argue that fining a public sector body only results in taxpayers’ money being shuffled from one place to another. However, the general excuse for ICO’s weakness is that it lacks the resources it needs. Stephen Bonner, a Deputy Commissioner at ICO, offered this rationalization:

The reprimand reflects the use of the ICO’s wider powers towards the public sector as large fines could lead to reduced budgets for the provision of vital services. This case highlights why the ICO is pursuing a different approach, as fining Surrey Police and Sussex Police risks impacting the victims of crime in the area once again.

The UK has long suffered from a glaring double standard in the application of privacy standards. The police and point-scoring politicians routinely seek to bash the private sector whenever electronic communications are encrypted, thus preventing the police from snooping on anyone they like. Time and again they insist that technical measures to ensure privacy can be safely rolled back because the police can be trusted to follow strict rules about when they would choose to invade an individual’s privacy. But the reality is that police and government incompetence causes far more data protection headaches than technology ever has.

In 2002, school caretaker Ian Huntley murdered two girls. He was able to get the job at the school despite a string of past allegations against him. Background checks revealed nothing because Humberside Police deleted records of Huntley’s past allegations as none had led to a conviction. The police excused themselves by insisting they had to delete the records to comply with data protection law. An independent inquiry reached the opposite conclusion, and the UK news media echoed the inquiry’s conclusions by focusing blame on the Chief of Humberside Police, David Westwood. It is easy to see why Westwood was singled out for criticism, but I believed it was unfair. The inquiry decided that the law was fine as it was stated, but that…

…better guidance is needed on the collection, retention, deletion, use and sharing of information, so that police officers, social workers and other professionals can feel more confident in using information properly.

That conclusion was arrant nonsense. The law, as stated, was absurdly vague and remains unhelpfully vague to this day. It essentially told everybody to delete data unless they should not delete data, without any useful definition of when it becomes necessary to retain data that must otherwise be destroyed. This was why different police forces adopted inconsistent interpretations of the law. The fact that other police forces did not interpret the law in the same way as Humberside Police was treated by some as evidence that Westwood must have been in the wrong, but it rather illustrated that even the most senior police officers in the country could not reach a common understanding of the fuzzy principles they were told to follow in practice. And they were not helped by the forebears of ICO, who routinely dodged demands for clarification because they were career civil servants who reached the top of their profession by knowing not to question the badly written laws of their masters. Given that the inquiry was also led by a former career civil servant, we observe a picture where weak and inadequate interpretations of how to implement a law in practice occur because bad advisors are incapable of clarifying those laws. They only know how to shift blame when something goes wrong, which is just another example of the established routine of passing the buck.

I do not believe British police officers suffer from a deliberate bias for or against privacy. I just think they are really poorly qualified to cope with the modern world. More importance is attached to training police about how to handle drunken street fights than teaching them how to obtain and process information in a way that correctly balances the privacy rights of individuals with the need to gather and appropriately share potentially valuable intelligence. British police are now so incapable of using information effectively that they struggle to tell when their own officers are serial rapists. The reason they do not get trained on how to use information is that there is nobody competent to train them; we really need an inquiry into how ICO functions as an organization. ICO would be considered a failure were it not so successful at safeguarding its own irrelevance. But then an inquiry into ICO would only lead to blame being laid back at the feet of the politicians who promised there would be laws and an agency that would be fit to protect privacy rights in the Information Era. They made this promise to voters, but all they delivered was the illusion of comprehensive protection via a few arbitrary prosecutions. A dogged refusal to talk openly about the scale of the challenge prompted by technological change equally well explains why our societies are incompetent at fighting an explosion of fraud, incompetent at deterring cybercrime, and even incompetent at tackling tricksters who call the head of the government.

The real reason a data protection regulator can get away with thinking about million-pound fines for obvious violations of the law, before deciding to take no meaningful action, is because their complacency mirrors the complacency of the rest of society. 200,000 sensitive phone conversations were recorded despite the most basic principles of privacy laws that were established decades ago, but you would barely know anything was amiss given the blasé response of ICO and the indifference exhibited by news media. We allow a situation where it can be one rule for them, another rule for the rest of us, because we are not serious about demanding the rules be applied to anybody.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.