Be Careful if you are using WhatsApp

from Silk Helix
24 August 2021
by Andy Crow

From a data protection perspective, organisations should be very wary of allowing employees to use WhatsApp for work-related conversations.

Importantly, WhatsApp only allows its use for personal reasons, so any organisation using it is breaking its terms of service, which state:

“You will not use (or assist others in using) our Services in ways that: (f) involve any non-personal use of our Services unless otherwise authorized by us.”

It is also of concern that, once your people are in a WhatsApp group, they can add anyone else to it without their consent. If a member of staff gives WhatsApp access to their phone contacts, then they are uploading that data to Facebook without the consent of those contacts. WhatsApp protect themselves by passing the responsibility for this ‘consent’ to individual users:

“You provide us, all in accordance with applicable laws, the phone numbers of WhatsApp users and your other contacts in your mobile address book on a regular basis, including for both the users of our Services and your other contacts.”

Additionally, organisations must legally maintain adequate controls over legitimate business records, including employee conversations if they are work-related. There are additional requirements around sensitive category data, e.g. medical records and ethnicity. WhatsApp does not provide these controls or records. Facebook has committed WhatsApp to encryption and is moving towards messaging which gives greater levels of secrecy and anonymity.

Whilst you probably have Access Controls in place, you may well be unaware of what WhatsApp groups exist in your business. Even if you had a list of the groups, you cannot be sure who is on them given ‘profiles’ are typically just a mobile phone number. It is possible that former employees, contractors or even customers have ongoing access to information that they should not.

As data is stored on individuals’ phones, rather than centrally, you cannot revoke access to it. So, if employees leave, they will still have access to information, including potentially sensitive data, and there is nothing you can do about it. Whilst you can remove them from a group if you have the right permissions, the messages they received or sent whilst in the group will remain on their phone.

It is also worth remembering that any personal data stored on somebody’s phone that is being used in a work context is subject to disclosure should a Subject Access Request come in. Also, if a phone belonging to a staff member who is using it for in-house chat is lost or stolen, the incident should be reported as a data breach, as the phone contains business-related information.

For more information contact DPO for Education at info@dpoforeducation.co.uk or 01702 660234

While this guide covers the basics, every situation has its own complexities so you should always seek professional advice.

Article last updated: 24 August 2021
