Ministers have announced they will end the use of non-corporate mobile messaging apps including WhatsApp to conduct official government business.
From next spring, such apps will be removed from government devices after concerns were raised about the retention and deletion of messages by politicians and civil servants during the pandemic.
Twenty recommendations have been made by former Channel Islands data protection commissioner Emma Martins after she was appointed in January to look into how platforms were used during the response to Covid.
Her review looked more widely at the way government data is handled, including its storage and sharing between staff and ministers.
The findings are focused on corporate governance, including the values of the Scottish Government, learning and development process, recruitment procedures, records management and the use of mobile messaging apps.
Updated guidance and training for staff and Ministers will take place ahead of the new policy being implemented.
Deputy First Minister Kate Forbes said: “I am very grateful to Emma Martins for her time and insight in conducting her review.
“We have carefully considered the recommendations and we will end the use of mobile messaging applications to conduct government business by spring 2025. At that point, mobile messaging apps will be removed from corporate devices.
“The use of mobile messaging apps increased during the pandemic as staff worked remotely in unprecedented and difficult circumstances. Having reflected on our working practices, we are now implementing changes to the use of mobile messaging apps.”
She said: “Ms Martins’ timely review sets out some of the most challenging issues facing all governments. Work has already started to implement recommendations, and we will build on that work to ensure that data management, especially in relation to new technologies, is as robust as possible in order to continue to deliver efficient and effective public services.”
When it comes to technology, the review recommended that a new policy be put in place for mobile messaging apps (MMAs), especially outside official corporate systems. Such use was found to be “extensive” among ministers and officials across the UK.
It found that the current policy was “not fit for purpose” and it should be replaced with a new policy reflecting the laws around data protection, freedom of information, and public records, as well as codes of conduct.
The review stated that the use of platforms such as Microsoft Teams through official government accounts had been a useful tool for communicating, and that government business needs “always to be conducted on devices and platforms which enable government management and control”.
In order to maintain a robust approach to governance, the review recommended controls around the use of messaging apps, such as use within an environment which supports “good cyber hygiene”. MMAs must not be used for SECRET or TOP SECRET government information, the review found, and the processing of personal data must be in accordance with the GDPR data regulations.
Furthermore it warned that instant messaging applications, including WhatsApp, leak metadata such as IP addresses, which could expose location information.
The review said: “It is therefore important to ensure appropriate security through the use of a VPN [virtual private network] or similar which will add a significant layer of security to MMAs, ensuring that traffic is routed through government infrastructure. It can be turned off when the user leaves the employ of the government.” A PIN must also be used.
Importantly, it stated that MMAs must be “fully backed up for retention purposes meaning all data could be recalled if required to respond to a data protection, freedom of information, or inquiry request.” One of the principal criticisms faced by ministers and officials in their Covid response had been the ‘routine deletion’ of messages.
Other features of mobile device management will include the prevention of photos being ‘downloaded by default’ and messages being displayed on home screens. There must also be appropriate governance around the setting up of groups to “ensure appropriate addition, monitoring and deletion of members.”
Skills-wise, all users will require training and a high level of education to ensure they adhere to good cyber hygiene measures and abide by ministerial and civil service codes. And so-called ‘shadow IT’ – the use of systems either outside official channels or within but without the knowledge or approval of the IT or security department – was also a focus.
The review recommended that: “On unmanaged devices there will be evidence of shadow IT, and this will be harder to manage without a strong policy to guide users to only use government issued devices. Applications that find their way into mainstream use should be evaluated for security and applicability before being adopted for broader use and support from the Scottish Government.”
Emma Martins said: “I was pleased to be appointed to conduct this review and I am grateful to the Scottish Government for the open and constructive way in which they have engaged with me throughout.
“Technologies are changing our lives at home and in the workplace. No organisation can afford to sit back and hope that navigating those changes will come without effort. Values need to be clear, individuals need to engage, and governance needs to be effective.
“The Scottish Government already understands this and there are a number of improvements already in train. It is my sincere hope that the recommendations in this review serve as additional fuel for that important journey.”