Businesses should weigh up the risks before using WhatsApp - ​Loretta Maxfield

It’s easy to see why. As an instant messaging tool, WhatsApp is incredibly user-friendly. It can be used for everything from arranging social events to reporting an absence, and in some cases for more serious confidential, commercial information-sharing.

However, using WhatsApp in the workplace carries significant risks. While the app offers end-to-end encryption, creating a perception of technical security, its informal nature and in some cases, lack of clear oversight and management by employers, can create risk.

A key issue is the blurred lines between personal and professional communications. People are often much more informal on WhatsApp compared with a work email. Employees may feel comfortable sharing personal opinions or making jokes and there is a danger that if remarks are discriminatory, derogatory, or stray into the realms of harassment related to protected characteristics under the Equality Act, employers could potentially face claims if deemed to have been carried out in the course of employment.

Similarly, managers should be cautious about contacting people outside agreed working hours on WhatsApp. This could lead to a claim under the Working Time Regulations or for work-related stress.

Data breaches are of great concern given the ease of adding people to group chats. A hospital was severely reprimanded by the Information Commissioner’s Office (ICO) for sharing clinical information on WhatsApp when it was not approved for such use and a member of the group added someone in error, subsequently giving that person access to medical data. Also, having important work-related discussions on personal devices could expose businesses to risks if a device is lost, stolen, or hacked.

Its quickfire model can create a lack of transparency. Messages can be deleted, edited, or sent privately without traceability, making it difficult for businesses to monitor or audit conversations. This could lead to legal and compliance issues, especially in highly-regulated industries like finance, healthcare, and legal services where businesses would be expected to keep and maintain a full record of client communications.

If businesses adopt WhatsApp, they need to consider how long employees should keep messages and how best to save a record of these communications alongside other client information in its client database.

Security is another important consideration. End-to-end encryption is WhatsApp’s standout feature, but this doesn’t make it foolproof. Data protection regulations, such as UK General Data Protection Regulation (GDPR), demand rigorous control over processing personal data and this goes beyond just encryption; organisational controls must be put in place too.

In certain circumstances, WhatsApp messages can be legally disclosable. For example, WhatsApp messages may be required as part of a Subject Access Request under data protection laws or a Freedom of Information request if an organisation is subject to those regulations.

This means even informal, off-the-record discussions could potentially be scrutinised if a legal request is made. It’s not unusual for screenshots of WhatsApp messages to be produced in disciplinary hearings and tribunals, and we all saw how WhatsApp messages were disclosed as part of the UK Government’s Covid inquiry that uncovered Christmas parties at Number 10.

To ensure WhatsApp is used in a safe, compliant way, organisations should take pragmatic steps to mitigate against misuse including reviewing all business use of WhatsApp, having effective governance in place through clearly communicated policies and procedures, training to ensure people understand and follow guidelines, and ongoing monitoring. It’s best to tread carefully to stay a step ahead.

Loretta Maxfield is a Partner, Thorntons