Scottish Government to Cease WhatsApp Use for Official Business by 2025

December 18, 2024

In response to growing concerns over the retention and deletion of messages by politicians and civil servants during the pandemic, the Scottish Government has unveiled plans to cease the use of non-corporate mobile messaging apps, such as WhatsApp, for official business by the spring of 2025. A review, conducted by Emma Martins, the former data protection commissioner for the Channel Islands, began in January to scrutinize the use of these platforms during the Covid-19 response and culminated in this policy shift.

Key Areas of the Review

The review presented 20 recommendations to improve the handling, storage, and sharing of government data among staff and ministers. It also highlighted critical areas, including corporate governance, alignment with government values, learning and development processes, recruitment procedures, records management, and the use of mobile messaging apps. The findings underscored that the current policy on mobile messaging apps is inadequate and requires an overhaul to meet data protection laws, freedom of information requirements, public records standards, and codes of conduct.

Recommendations for Secure Messaging

The review called for a transition to platforms like Microsoft Teams for official communication, emphasizing their superior control and management features. It also highlighted the necessity for clear controls over messaging apps within a secure environment to support robust cyber hygiene practices. The recommendations included technical guidelines such as avoiding messaging apps for classified information, adhering to GDPR data regulations, and using VPNs and PIN protections to secure communications. Concerns were raised about the potential for WhatsApp to leak metadata, such as IP addresses, and the review advised measures to prevent this.

Addressing Retention Policies

Criticism regarding the routine deletion of messages during the pandemic prompted the review to recommend implementing stronger retention policies. It emphasized the importance of fully backing up data from mobile messaging apps to comply with data protection, freedom of information requests, and inquiry requirements. Additional measures suggested included preventing automatic photo downloads, controlling message display on home screens, and managing group memberships adequately. These steps aim to fortify the government’s data management practices and enhance overall transparency.

Training and Shadow IT Concerns

Training and education for all users in good cyber hygiene and adherence to ministerial and civil service codes were highlighted as crucial. The review also tackled the issue of “shadow IT,” advocating for the exclusive use of government-issued devices and thoroughly evaluating applications for security before their widespread adoption. This recommendation aims to mitigate risks associated with unauthorized and potentially insecure technology use within the government.

Response from the Government

In light of increasing concerns regarding the retention and deletion of messages by politicians and civil servants during the pandemic, the Scottish Government has announced plans to discontinue the use of non-corporate mobile messaging apps, such as WhatsApp, for official communications. This change is scheduled to be implemented by the spring of 2025. The decision comes after a thorough review initiated in January by Emma Martins, the former data protection commissioner for the Channel Islands. Martins’ investigation focused on the utilization of these platforms during the Covid-19 response and highlighted the need for more secure and regulated forms of communication. This policy shift aims to ensure better accountability and data protection within the Scottish Government, addressing worries that important communications might evade official records. By transitioning to corporate messaging systems, the government seeks to maintain transparent and efficient communication while safeguarding sensitive information and complying with data protection regulations.

Subscribe to our weekly news digest.

Join now and become a part of our fast-growing community.

Invalid Email Address
Thanks for Subscribing!
We'll be sending you our best soon!
Something went wrong, please try again later