The dangers of using WhatsApp for work

Blurred lines between WhatsApp use for personal communication, interaction with colleagues and business purposes can create serious risk for organisations and employers. TerriSue Cosgrove explains why

Of late, WhatsApp has had a starring role in dismissals that end up in the Labour Court, official enquiries across public and private sectors and even criminal proceedings.

From communication deemed unprofessional or unfortunate that damages reputations, to comments or disclosures that merit court or employment law proceedings, many are unaware of the extent to which WhatsApp messages can be risky in the workplace.

From an employment law perspective, employers should be aware that they may be found vicariously liable for a claim where an employee says something problematic – for example, discriminatory or defamatory -- in a WhatsApp message.

Lately, we have seen many cases coming before the Workplace Relations Commission (WRC) involving inappropriate messaging, with serious consequences, including job loss. In these cases, businesses are typically held responsible and may face WRC fines.

Privacy

Often when employees use WhatsApp, either on their personal phone or a business device, they are unaware their messages can be accessed and may be disclosed to judge their conduct at work. 

Any message in connection with work duties, or within a WhatsApp group – even one only sometimes used for legitimate work purposes – may create liability for either party.

There is some ambiguity, and employees can reasonably expect privacy, but where WhatsApp is commonly used for work purposes, not all messages will be deemed private if contentious issues arise.

While messages may be encrypted, employees must remember that all written, video and audio communication can be recorded and shared. We have a misplaced belief that instant messaging disappears without a paper trail.

With any work gossip shared digitally, however, it takes only a second for someone to take a screenshot to send to a line manager. And, if you use WhatsApp on a company phone, your employer can legitimately access files you send, via device management software, network monitoring or company wi-fi.

Policy

The practical importance of having a social media and/or electronic communications policy in the workplace cannot be underestimated. Controls to manage the online security risks of a Bring Your Own Device (BYOD) situation are also important.

The company’s privacy or IT policy should inform employees about the extent to which their company devices are monitored, and that all monitoring is undertaken in line with internal policy and data protection principles. 

It should also ask staff not to use private communication channels for work purposes, both to protect sensitive company data and employees themselves.

A code of practice on the Right to Disconnect policy legislation should be adhered to. Continuous messaging on platforms like WhatsApp, especially outside of working hours, can prevent employees from fully disconnecting, leading to stress and burnout.

Using personal WhatsApp for business, especially on public wi-fi, makes companies vulnerable to loss of business-related data on employee-owned devices. Phones must be appropriately protected with encryption, security updates, auto-screen lock and password protection. 

Staff might also make unauthorised disclosures of confidential company or client information. Whether deliberately or inadvertently, this can damage the business directly, or allow client claims for breach of confidence or data.

Again, this highlights the need for a strong communication policy. It is essential to not only have a policy but also train employees regularly on its use.

Clear policies, robust procedures and staff training on appropriate communication and behaviour will minimise risks. This should include notifying employees that WhatsApp groups, and their use, can be monitored on work phones and that misuse can result in disciplinary action – even if the use is not specifically created or sanctioned by the employer.

Own it

If an employer actively encourages or allows employees to use social media as a mechanism to store business contacts, they must ensure they have control over how this information is used, especially if the employee quits work.

Where an app or site is used primarily for business purposes, the employer has a stronger case in arguing ownership of it.

Policy documents can make clear statements that the employer owns a social media account, and/or the data or intellectual content on it, as well as the monitoring in place to protect the legitimate interests of the business, such as client confidentiality and reputation.

Companies rarely have an idea of the WhatsApp groups in operation in their organisation, or who has access to them, and 'profiles' are often just a mobile phone number. It is likely that former employees, contractors or customers may have ongoing access to business information that they shouldn’t.

Employers must realise they cannot revoke access to business information once it is on WhatsApp, as data is stored on individual phones, rather than centrally. And, if employees leave, they still have company information, including potentially sensitive data, and there’s little an employer can do about it.

Michael O'Connor of NexGen Cyber says it is essential that companies regularly review digital assets, assess their security controls and implement measures to protect them. This not only safeguards their assets, but also demonstrates the security protocols in place to employees, and reassures clients and business associates.

Such processes ensure data is protected and clearly illustrates its value and the potential repercussions in the event that a complaint is made.

TerriSue Cosgrove is Managing Director at The HR Head