Be Careful if you are using WhatsApp

from Silk Helix
Photograph of Andy Crow
24 August 2021
by Andy Crow

From a data protection perspective, organisations should be very wary of allowing employees to use WhatsApp for work related conversations.

Importantly, WhatsApp only allows its use for personal reasons and so any organisation using it is breaking those terms. Their terms of service state:

“You will not use (or assist others in using) our Services in ways that: (f) involve any non-personal use of our Services unless otherwise authorized by us.”

Also, the fact that once your people are in a group they can add anyone else to a WhatsApp group without their consent is of concern. If a member of staff gives access to their phone contacts for WhatsApp, then they are uploading that data to Facebook without the consent of those contacts. WhatsApp protect themselves by passing the responsibility for this ‘consent’ to individual users:

“You provide us, all in accordance with applicable laws, the phone numbers of WhatsApp users and your other contacts in your mobile address book on a regular basis, including for both the users of our Services and your other contacts.”

Additionally, organisations must legally maintain adequate controls over legitimate business records including employee conversations if work-related. There are additional requirements around sensitive category data e.g. medical records, ethnicity. WhatsApp does not provide these controls or records. Facebook has committed WhatsApp to encryption and is moving towards messaging which gives greater levels of secrecy and anonymity.

Whilst you probably have Access Controls in place, you may well be unaware of what WhatsApp groups exist in your business. Even if you had a list of the groups, you cannot be sure who is on them given ‘profiles’ are typically just a mobile phone number. It is possible that former employees, contractors or even customers have ongoing access to information that they should not.

As data is stored on individuals’ phones, rather than centrally, you cannot revoke access to it. So, if employees leave then they will still have access to information, including potentially sensitive data, and there is nothing you can do about it. Whilst you can remove them for a group if you have the right permissions the messages they received/sent, whilst in the group, will remain on their phone.

It is also worth remembering that any personal data that is stored on somebody’s phone that is being used in a work context is subject to disclosure should a Subject Access Request come in. Also, any lost or stolen phone of staff members who are using in house chat should need to report the incident as a data breach as it contains business related information.

For more information contact DPO for Education at or 01702 660234

While this guide covers the basics, every situation has its own complexities so you should always seek professional advice.
We can help, so book a Free Advice Call .

Article last updated: 24 August 2021

Keep up to date with our weekly hints, tips and news.
Sign up to the
Silk Helix
Your email address will only ever be used to send you HR hints, tips and news from Silk Helix Ltd. Don't worry, you can unsubscribe at any time.
Silk Helix

Products and Services

Unlimited advice and support, when you need it
Employment Contracts and Employee Handbook
On-site and digital courses
Our fully outsourced HR department for small business

Experts in HR for Small Business

Silk Helix take the stress out of managing your people. Contact us for a free consultation today.

Not found the answer you need?
Don’t waste any more time Googling. Book a call with a qualified advisor. We’ll answer your question, no obligation.
Book a Free Advice Call