WhatsApp and private email banned for government use at higher security tiers

Officials are warned that, if they choose to use non-corporate channels, they must ‘be prepared to defend your choices’

Officials and ministers using non-government communications platforms to conduct official business have been warned that they will now need to “be prepared to defend your choices”.

New rules also clearly prohibit the use of webmail accounts and mobile messaging apps for sharing anything above government’s lowest level of security classification.

The Cabinet Office has, for the first time in a decade, updated the cross-government guidance on the use of non-corporate communications channels (NCCCs) to send information regarding official business. Departments are required to point their employees towards the new advice in their own internal staff guidance.

The amended communications advice sets out much clearer guidelines – and restrictions – on private email and messaging services being used by ministers, special advisers, and civil servants, as well as government contractors or other external advisers.

The first of four central principle set out by the policy document is that departments should ensure that their technology and process systems are set up so as to “reduce the need for NCCCs”.

The guidance then reminds government organisations that all their communications “belong to the Crown” and are considered classified information.

Officials are advised to “exercise professional judgement appropriate to your circumstances… use NCCCs with care and be prepared to explain and defend your choices”.

The guidelines contain much more specificity than the previous version – which were published in 2013, and referred only to “private email”.

The new advice describes or names a range of different platforms, including WhatsApp, Signal, private email, SMS text-message platforms, and private messages sent via Facebook and LinkedIn. The document also stipulates that “this guidance applies to all current and future NCCCs”.

A colour-coded table makes clear that all such non-government platforms are rated as red, and thus should be considered “must not use” in cases where Secret or Top Secret information is being shared. This includes cases where a personal account is being accessed via corporate device.

For data or documents classified as Official – which sits below Secret and Top Secret as the lowest of the three classification tiers, and applies to the majority of government business – there is greater leeway for the use of NCCCs.

Official-grade data that pertains to “logistical or other non-significant information” can be freely shared via private accounts being accessed from a corporate device. If a personal device is being used, this information can still be shared, if the official or minister takes care to show “due regard to your security responsibilities”.

Significant information is defined by the guidance as that which “materially impacts the direction of a piece of work or that gives evidence of a material change to a situation”.

Messages classified as Official that contains such details – or anything else which is marked as Sensitive or otherwise is subject to additional “protective controls or behaviours” – can be sent via a non-government service accessed on a personal device “only in exceptional circumstances”.

Civil servants are required to report any such instances the leader of their unit and to their department’s Knowledge and Information Management team.

The use of a private account accessed from a corporate device is permitted on condition that “particular care [is] required with due regard for recordkeeping responsibilities”.

The updates to the guidance have been made following several high-profile cases in the past couple of years of ministers using webmail and WhatsApp to communicate on official matters, including the response to the coronavirus pandemic and immigration policy.

The Information Commissioner’s Office conducted a year-long investigation, which concluded with a report that warned of the “systemic risks” that had been created by government’s use of private messaging systems. The data regulator told government to conduct its own review and use the findings to update the existing 10-year-old guidelines.

The updated policy says: “This guidance… communicates government policy and promotes good practice with the following goals: to facilitate efficient day-to-day government discussions in a modern way; to reduce risks to the security of information; [and] to comply with the principles of good government, including record-keeping, accountability and transparency.”

Sam Trendall

Learn More →

Leave a Reply

Your email address will not be published. Required fields are marked *

Thank you! Your subscription has been confirmed. You'll hear from us soon.
Subscribe to our newsletter