The ICO launched an investigation after more than 1,000 Sussex and Surrey police officers were found to have downloaded a free app to covertly record calls with members of the public on police-issued phones.

Google Play Store App

The app, free to download for the Google Play Store, and called ‘Another Call Recorder’ (ACR), had been approved for use in 2017 for negotiators when dealing with kidnaps/hostage and other crisis situations. The app, which reportedly works best on older Android phones is able to record and store all incoming and outgoing calls made on a mobile by accessing the microphone and the speaker’s data feeds, and by saving the recordings to the phone’s storage.

Problem – No Means To Restrict

As discovered by the ICO, the fact that any police officers were able to download the app for free from Google Play meant that its use couldn’t be restricted to just the purpose that it was originally approved for. The ICO’s investigation found, therefore, that the app had been used to make “indiscriminate” covert recordings of calls with members of the public on 700 police phones (545 installations of the app by Sussex, and 238 by Surrey). The indiscriminate, widespread, and apparently arbitrary use of the app by Police was stopped after Surrey and Sussex forces found out about the practice in March 2020 and referred themselves to the ICO and the Investigatory Powers Commissioner’s Office (ICPO) four months later.

Disclosure

The main legal issue to be investigated was that of ‘disclosure,’ i.e., whether it breached the Investigatory Powers Act by amounting to unlawful “interception” of a communication by means of a private or public telecommunication system.

Other potential legal issues relating to the use of the app could include:

– Whether the other party on the call had been warned that they were being recorded (relating to Article 8 of the European Convention on Human Rights).

– Whether usage of the app may have breached data protection laws e.g., if it was used to record calls relating to a minor crime, rather than the major crime of hijacking that it has been passed for use with.

The Findings

The IPCO’s investigation concluded that:

– The app was recording the communication while it was being transmitted, which constituted recording at a “relevant time.”

– The version of the app used by police didn’t allow recordings of the calls to be automatically uploaded to cloud services i.e., didn’t make them available to a third party while in the course of transmission; it was only available to the app user once the recording had been stored locally on the device. This meant that the conduct was not sufficient by itself to render the call recording “interception”. Also, the IPCO concluded that the installation and use of the app is not interception.

– Since telephone calls are protected under Article 8, European Convention on Human Rights (ECHR) the use of the app by police did constitute ‘covert’ surveillance i.e., it did not warn the other party that they were being recorded.

What Does This Mean For Your Business?

It is a little shocking that hundreds of members of two police forces were using a free app for years to make arbitrary, covert recordings of people, without their consent or knowledge, and did not know that this could constitute a breach of laws. It should be noted that the particular app used by the police is in contrast to apps used by businesses, such as Skype for Business, Microsoft Teams and Zoom because these do inform users when a participant records the call, and their recording feature automatically warns all other parties.

As the IPCO report pointed-out, however, both forces, upon discovery of the issue, promptly brought it to the attention of the relevant authorities and took immediate steps on their own to stop the usage of the app and remove it from devices. In this case, because the app kept the recordings on the phone itself and didn’t send them to a third-party (the cloud) it was deemed not to be interception.

In the business world, a Prospect trade union poll from last November showed that 32 per cent of UK workers are being remotely monitored and tracked by employers. There is concern about a lack of regulation at present and the issue of consent is very important. Businesses should note that under Article 8 of the European Convention on Human Rights, individuals have a non-absolute right to respect for their private and family life and correspondence, and (UK) GDPR has some important details relating to data protection and consent that need to be considered. For businesses who want to monitor their employees, however, the broad rules are that workers are entitled to some privacy at work, and employers must tell employees about any monitoring arrangements and the reason for it. Also, employers should have procedures in place setting out what is and what isn’t allowed, and these procedures should be made clear and understood by all workers before monitoring begins. Generally, employers must have a genuine reason to conduct any covert monitoring such as criminal activities or malpractice, and any monitoring should be limited, targeted and within certain times, with employers having regard for private communications.