Slacking off? ICO probe throws up concerns over instant messaging

Even the most archaic of organisations have been swept up by the march of technology – including the British government.

For some time now, that great bastion of glacially paced change has allowed its staff the rather small pleasure of communicating via instant messaging software Slack, instead of relying on reams of dreaded reply-all emails.

What it has apparently failed to think through, though, is how it's going to deal with the official information that's exchanged on Slack, which needs to be both recorded properly for posterity and accessible to the public through the Freedom of Information Act.

That's the dilemma that landed on the Information Commissioner's desk earlier this year, when she received her first ever complaint about the way a government department had handled a request for information held on Slack.

The Cabinet Office had refused to comply with the request, which asked for "the full history/all information held" on the ukgovernmentdigital.slack.com channel, saying it was vexatious because of the burden involved in complying.

In a decision notice published at the end of last month, the Information Commissioner's Office backed up the Cabinet Office's argument, given that at the time of the request there would have been some 65,000 messages to read through and redact where necessary.

It's hard to argue with that decision – in fact it's easier to question why the requester took such a broad-brushed approach that was bound to be shot down. El Reg wonders if they know how much crap chatter builds up on Slack on a daily basis? (Fear not, dear readers, Vulture Central's channel is reserved for only the most important communiques.)

But the document also reveals some unsettling truths.

First, there's a lack of clarity – and certain naivety – over what goes on in the government Slack channels.

The Cabinet Office initially told the ICO that Slack "is not used in any official capacity", but in the same sentence added that any decisions made outside the official system would be "properly recorded and transferred to official systems".

It shouldn't come as a great surprise that Slack is used for official decisions, since its raison d'être is to improve productivity by cutting out email chains and allowing people to have conversations more like the ones they'd have in real life.

It's also a boon to those who need to work remotely or are in cross-departmental teams – both of which should be high on the government's agenda.

The Cabinet Office has now acknowledged this, saying that an internal review it carried out in response to the initial request showed that "it's arguable that, although the majority of messaging is for social purposes, a number of messages... fall into the category of 'official business'".

A spokesperson told The Register that the Cabinet Office was "amending our previous view on this issue, and now consider that some of the information on UKgovernmentslack is held for the purposes of FOIA. We will be reviewing our internal guidance and procedures accordingly".

Although it's hard to believe the Whitehall machine was unaware of Slack's more official use, the decision to revise guidance is a positive step – but it also runs the risk of creating an onerous system that negates the flexibility Slack brings to teams.

And, as Jon Baines, chairman of the National Association of Data Protection and Freedom of Information Officers, points out, it's now another system where official information is gathered.

"The use of multiple systems always makes records management more complex, with the potential for things to be overlooked, or sidestepped," he said.

Getting things for free

Meanwhile, the ICO's investigation also revealed that the government only has the free version of Slack. (Can't be seen to be frittering away taxpayers' money on frivolous chat platforms, after all.)

This means not all data can be exported – private group or direct message history and files are excluded – and that messages will be hidden from users (though not deleted) after a few weeks.

Such restrictions are "a real obstruction to FOI and to departments' ability to operate in an accountable way", says Maurice Frankel of the Campaign for FOI. He also questioned whether it would be truly compatible with record retention policies.

According to the Code of Practice on Records Management, set out within the FOIA, "records should remain useable for as long as they are required".

On this, Baines says: "The Cabinet Office might argue that the data that cannot be extracted is not actually 'required', and so there is no need to access it.

"But a counter argument is that information such as private group history and files, direct message history and files, and edit and deletion logs, none of which apparently can be retrieved using the free version, is potentially highly relevant."

Slack off?

The Cabinet Office's work – which is being carried out with the National Cyber Security Centre and the National Archives – should look at all these issues.

As will the ICO's own investigation, which will develop guidance on cloud-based communications tools for public authorities given the "novel issues" it says have been raised by this case.

Some think this is the beginning of the end for Slack in government: neither Frankel or Baines think that the way the system is currently used makes it a viable option for government instant messaging.

Instead, they want to see chats revert to existing systems, to a platform that can be better integrated into those systems – or, says Frankel, even to a bespoke one.

But the government should be wary of taking a knee-jerk approach here. The way Slack is currently used has flaws that urgently need addressing, but it is also a widely used, generally well-supported, free (at least for the moment) service that people coming to the civil service from outside understand.

Asking staff to adapt to a new platform might be more time consuming than ensuring they use the one they have correctly.

And expecting a reliable bespoke platform to be developed by a government that doesn't have the greatest of digital track records might be something of a pipe dream – not to mention a distraction for teams that would be better served fixing other problems.