POSTED: August 09 2023
Dear Deirdre …

Dear Deirdre,

I am the manager of a café with 10 employees. We have started to use WhatsApp as a way to communicate instantly with each other to discuss shift changes, sickness cover and to notify other shifts of any stock needs or anything that might affect the next shift. We’ve set up a group chat and often staff share funny stories or uplifting memes too. Everyone uses their own phone; they don’t seem to mind and it means we can let each other know instantly of any important info. It’s been really useful.

Recently though, a female member of the team was contacted directly by a male colleague who had obtained her personal number from the group chat to ask her out on a date. The female employee felt uncomfortable as she wouldn’t have chosen to give him her number and didn’t want to have a date with him. This has made us wonder if we need to have some sort of policy or rules in place for using WhatsApp?


Dear Anonymous,

WhatsApp is an internet-based messaging app that allows users to send text and voice messages, make video calls, and share images, documents, user locations and other content. It’s easy to see why WhatsApp and other similar instant messaging applications are a useful and effective form of communication and can help in the operation of a business.

However, as you have now seen, it does come with pitfalls, some potentially quite serious, that you need to consider as an employer. Having a robust WhatsApp usage policy outlining your company approach is key.

When you are in a group on WhatsApp, all members have access to the mobile numbers contained in the group and there’s nothing to stop people from taking a number and messaging others directly. As experienced by your waitress, this can cause issues with harassment because phone numbers can be taken and used for other purposes.

And that’s not the only example. This method of communication can also cause issues with bullying by exclusion, whereby certain individuals are excluded from the group and therefore feel alienated, or the messages themselves could be of a bullying nature.

Bullying and harassment is behaviour that makes someone feel intimidated or offended. Harassment is unlawful under the Equality Act 2010. In your case, the waitress could raise a grievance against the chef for harassment, which is unpleasant for all involved.

WhatsApp potentially contains all sorts of information such as names, numbers, photos and various other contact information from many people. Therefore, it’s vital for employees to give consent for their number to be shared, across groups if applicable. It’s also important that you make it clear that participation in any work WhatsApp group is not mandatory and that, if employees decide to participate, they have the option of leaving any work-based group at any time.

It’s also best to make clear that groups that are work related can be muted outside of work hours and that employees have no obligation to reply if they aren’t at work. Employees could accuse the company of encroaching on their personal time if they were to receive calls or messages outside their working hours on their own personal phones. It can also cause issues with work-life balance and cause employees to be stressed if they are constantly receiving calls or messages out of hours.

It’s great that you recognise the need for an employee engagement forum and enjoy the benefits of sending funnies and memes. However, it’s also important to consider that boundaries can be crossed. Communications between colleagues could involve ‘banter’, jokes or comments, or even the sharing of inappropriate images, that are discriminatory in nature. This may result in employees raising grievances, making allegations of bullying and harassment, or even seeking to bring tribunal claims for discrimination or whistleblowing. There have been numerous such cases hitting the headlines when they reach tribunal stage. Perhaps setting up something outside of WhatsApp might be easier to manage. Either way, having clear processes in place to define expected standards of behaviour is important.

Something else that’s tricky to manage is group membership at any given time, with new joiners and ex-employees. If the group admin were to forget to remove an ex-employee, whether disgruntled or now working for a rival, they will be able to view all sensitive data shared within the group. This could open the business up to many issues, as the group could contain sensitive commercial information or potentially damaging gossip. It can also blur the lines between work-related and personal messages.

Another consideration is WhatsApp’s protection of data under GDPR. WhatsApp has been heavily criticised for its failure to protect its users’ data privacy, as it does not provide an adequate level of protection of personal data. In 2021, it was fined £193 million by Ireland’s data watchdog for breaching privacy regulations. At the time it was the largest fine ever to be imposed by the Irish Data Protection Commission and the second-highest under the new EU GDPR rules.

The main issue that regulators had with WhatsApp was the lack of information it provided to users about how their data was stored and processed. Regulators found that WhatsApp’s privacy policies were not clear enough.

A consideration for you could be that if a personal mobile phone is lost or stolen and is not correctly protected, it may be used to access confidential company data.

So, overall, it is very important to implement a WhatsApp usage policy as soon as possible to provide information on conduct when using such an app. The policy should outline your stance regarding the use of WhatsApp, explain the reason for use and how it will be managed, and set clear guidelines and standards in relation to the above and other considerations.

Additionally, the use of personal phones for work purposes has risks too. Confidential information being stored on personal phones (such as employee contact info and shift rotas in your case) presents a significant risk. In fact, personal devices should only be used where the security of the data stored on the device can be absolutely guaranteed. This is difficult to achieve with personal mobile phones because employees are less likely to have any added protection on their phones. In fact, because personal phones are used for accessing websites, uploading photos and social purposes, there is an even greater risk of viruses or malware.

Following the implementation of the Data Protection Act, all businesses must ensure that any data stored on employees’ phones is as secure as it would be if it were stored on the company server. It is worth noting that the average compensation for breach of the Data Protection Act is between £1,000 and £42,900. However, the cost could be much higher in terms of confidential data. It is therefore important that any policies are regularly reviewed and policed to ensure that you are covered for any potential data risks.

It is also worth thinking about it from the employee’s perspective. Some people may feel uncomfortable with having work-related apps on their personal phones and could actually refuse to download these or even refuse to share their private numbers.

Therefore, it would be a simpler idea to provide employees with work mobile phones, which would reduce a lot of these kinds of risks. But if this is not possible, then a robust personal mobile phone use policy would be the best alternative to reduce risk.

Here at advo, we can create any of the above policies, aligned to your business and provide advice on your current processes. Get in touch with our consultants today for further advice and support.