Use of private email and messaging apps: the data protection implications for business.

Harrison Drury’s regulatory team looks at the risks in using private email and messaging applications such as WhatsApp within the business environment.

In July 2022, the Information Commissioner’s Office (ICO) released a report, titled ‘Behind the screens – maintaining government transparency and data security in the age of messaging apps’.

The report provides the findings of the ICOs investigation, launched by the Information Commissioner in 2021, into the use of private email, WhatsApp and other messaging platforms used by ministers and officials at the Department of Health and Social Care (DHSC) during the pandemic.

While the investigation was focused upon the DHSC, the findings of the report have important implications for business.

The inherent risk of using social messaging platforms

Where company staff use private electronic channels, such as private email or WhatsApp as a communication tool in the course of their work, there is an inherent risk to the data security behind these communications.

That risk stems from the fact that these communications exist on platforms and in places outside the control of the business. This makes them less secure and outside the precautions and procedures that businesses may use to protect business data and team/client communication.

In addition, and in such a scenario, confidential information, including personal data and sensitive personal data, might be dispersed across a range of data centres that sit behind the email and messaging service providers; and may remain there for an indefinite period and beyond the control of the business.

Article 5(1) of the UK GDPR sets out the seven key principles that lie at the heart of the UK’s data protection regime. These include: i) lawful, fair and transparent processing, ii) storage limitation, and iii) integrity and confidentiality.

Where company staff use private electronic channels to communicate, it is not difficult to imagine a situation in which confidential information belonging to the business, including personal data and/or sensitive personal data, could be lost, deleted, or accessed by a third party. This can potentially place the business in breach of the obligations inherent to Article 5(1).

Using WhatsApp for business

WhatsApp’s terms of service prohibit the use of the messaging platform for non-personal use (i.e. business or commercial use), unless authorised by the platform.

The alternative WhatsApp Business app provides basic tools for communication for micro and small businesses. It is free to use and offers the same basic features as the one for personal use, e.g. both sides can start chats, and you can participate in group chats. The terms of service allow the use of the messaging platform for business, commercial, or authorised use.

However, given that WhatsApp Business, like WhatsApp, is a cloud-based service operating from the US, and the data protection and transparency implications arising in consequence, businesses should be wary of staff using WhatsApp Business to share confidential information, personal data and sensitive personal data.

The importance of using appropriate channels

Businesses would be wise to ensure that all official and work-related communication takes place on and via the appropriate electronic channels authorised by the business. It is strongly recommended to advise staff against using private email and messaging platforms to share confidential information, personal data and sensitive personal data with one another or third parties.

If you are concerned about the use of private email and messaging applications being used in your business or wish to seek further advice on any data protection issues, do not hesitate to contact Harrison Drury’s regulatory and compliance team on 01772 258321.