Be Careful if you are using WhatsApp

from Silk Helix
Photograph of Andy Crow
24 August 2021
by Andy Crow
LinkedIn

From a data protection perspective, organisations should be very wary of allowing employees to use WhatsApp for work related conversations.

Importantly, WhatsApp only allows its use for personal reasons and so any organisation using it is breaking those terms. Their terms of service state

“You will not use (or assist others in using) our Services in ways that: (f) involve any non-personal use of our Services unless otherwise authorized by us.”

Also, the fact that once your people are in a group they can add anyone else to a WhatsApp group without their consent is of concern. If a member of staff gives access to their phone contacts for WhatsApp, then they are uploading that data to Facebook without the consent of those contacts. WhatsApp protect themselves by passing the responsibility for this ‘consent’ to individual users:

“You provide us, all in accordance with applicable laws, the phone numbers of WhatsApp users and your other contacts in your mobile address book on a regular basis, including for both the users of our Services and your other contacts.”

Additionally, organisations must legally maintain adequate controls over legitimate business records including employee conversations if work-related. There are additional requirements around sensitive category data e.g. medical records, ethnicity. WhatsApp does not provide these controls or records. Facebook has committed WhatsApp to encryption and is moving towards messaging which gives greater levels of secrecy and anonymity.

Whilst you probably have Access Controls in place, you may well be unaware of what WhatsApp groups exist in your business. Even if you had a list of the groups, you cannot be sure who is on them given ‘profiles’ are typically just a mobile phone number. It is possible that former employees, contractors or even customers have ongoing access to information that they should not.

As data is stored on individuals’ phones, rather than centrally, you cannot revoke access to it. So, if employees leave then they will still have access to information, including potentially sensitive data, and there is nothing you can do about it. Whilst you can remove them for a group if you have the right permissions the messages they received/sent, whilst in the group, will remain on their phone.

It is also worth remembering that any personal data that is stored on somebody’s phone that is being used in a work context is subject to disclosure should a Subject Access Request come in. Also, any lost or stolen phone of staff members who are using in house chat should need to report the incident as a data breach as it contains business related information.

For more information contact DPO for Education at info@dpoforeducation.co.uk or 01702 660234

Experts in HR for Small Business

Silk Helix take the stress out of managing your people. Contact us for a free consultation today.

While this guide covers the basics, every situation has its own complexities so you should always seek professional advice. We can help, so call us on 01245 910 500.
We are here to answer your HR and Employment Law questions. At Silk Helix we are proud of the Qualified Advice we provide, so get in touch and find out how we can solve your people issues now.
Book a Free Advice Call

Article last updated: 24 August 2021

Was this article useful to you?
Explore our Knowledge Hub for more like this.