Does WhatsApp for Work Really Work?

Is the popular Social Media App really suitable for professional purposes?

Aug 8 2023

Last week, NHS Lanarkshire were reportedly reprimanded following the outcome of an investigation by The Information Commissioner's Office (ICO) for its use of WhatsApp for professional medical purposes when private and confidential patient information was accidentally shared with someone it was not intended for.

Images, videos and screenshots which included clinical information as well as patient names, phone numbers and addresses were allegedly shared by staff members on multiple occasions.

Unfortunately, a non-staff member was reported to have been added to the WhatsApp group in error, resulting in the disclosure of personal information to an unauthorised individual.

The chat group had been active for 2 years from April 2020 until April 2022.

While recognising that the team took this approach as a substitute for communications that would have normally taken place in either a clinical or office setting, but was not possible at that time due to Covid restrictions, North Lanarkshire Management admitted that the use of WhatsApp was never intended for processing patient data.

Which begs the question - Why was it used? And, is WhatsApp really suitable for professional and business purposes?

App-ropriate?

WhatsApp has been one of the most popular forms of communication for years. There are currently more than 2 billion users, which makes WhatsApp the world’s most popular messenger app. It's no real surprise as the app is user-friendly and lets you easily stay in touch, conveniently within groups, with no additional cost for sending messages and pictures. You can send messages and rich content such as photos, GIFs, videos, and other files. In short, it's a very convenient and effective way of communicating.

For a few years now, particularly since the COVID-19 pandemic, when high numbers of employees were sent away from the office to work from home, WhatsApp has been used as an effective and cheap communication tool for colleagues to keep in touch with each other.

In fact, even before the Pandemic, with some companies taking the view that email was becoming prohibitive rather than being an efficient enabler for communication and productivity, WhatsApp was starting to rear its head as a solution for agile, instant collaboration. No more trawling through dozens or even hundreds of emails to find and digest a one line message. No more long, drawn-out textual correspondence when a few lines and an emoji that says a thousand words can be sent. Just open the app on your phone, process that message quickly and get back to your day.

But how did we get to the point of relying on, and continuing to rely on, the Meta-owned mega app to such an extent for ongoing, professional communication, even now?

Along with the convenience, what may have lulled us in to a sense of security is the fact that WhatsApp is designed to be extremely secure, its end-to-end encryption comprising Military Grade (AES-256) Advanced Encryption Standard capabilities, requiring ciphering & deciphering of keys to take place within the app whenever a new chat group is set up or a chat is initiated, amongst other security protocols. So if it is a highly secure, convenient and effective tool which is already widely used and trusted, what is the problem with using it in a workplace environment?

Well, there are a number of things to consider, including the following:-

1. It is possible (although not guaranteed) that you are using WhatsApp on your personal mobile which doesn’t have an IT Policy installed, opening up potential Data Leakage issues, especially if you have certain settings enabled in WhatsApp (such as the downloading of images locally to your mobile device) What’s more, you can install and use WhatsApp on your personal device easily, opening up all of your contacts on that device for use with WhatsApp. It’s unlikely you could do the same with your company’s email application, for example, unless you agreed to have a security policy installed and accepting all of the sacrifices that go along with that, the very limitations and obligations designed to prevent data leakage. Always remember that any business-related data being collected on personal devices poses a risk.

2. If using WhatsApp on a personal device, your contacts list is not a defined company Global Address List (like your company email has, for example) therefore it may be more likely that you include, and send a message to, the wrong person, outwith your organisation. That Military Grade end-to-end encryption is only beneficial if the group or person you are sending the message to is the correct one.

3. It’s also possible that you could forward a confidential message on to another WhatsApp group in error, a personal friends group chat for example, due to the user interface of WhatsApp. It is designed to be convenient after all.

4. Work and Personal Life considerations. The use of messaging apps for both work-related and personal communications blurs the boundaries between work and personal time. It gives service providers, clients and colleagues the ability to contact and be contacted any time - not always great when striving for work/life balance.

5. Then there are the User Management issues. What about former employees that were part of the chat group? You have to remove those numbers from the contact lists. But how do you manage this? What if you forget? They might be members of multiple groups and without you knowing, are still receiving private and sensitive company information.

6. Groups don’t always stick to the topic that the chat has been set up for. Before you know it, the members may have veered in to other gossip or conversations on commercial information, for example.

7. Lack of Record Keeping. Many industries are required to keep records of certain correspondence which takes place to ensure that regulations are met. Using WhatsApp for certain communications makes that very difficult and could lead to issues.

8. Less organisation. WhatsApp is a basic messaging application and can’t compare to the structure and organisation that an application like Outlook Email offers, for example.

Yes, there is a WhatsApp Business version of the app built with the small business owner in mind which adds some functionality that makes it more suitable for business-type interactions, including signatures, labelling etc but this is not a wholly different beast, the basic premise is the same. Standard WhatsApp was not originally designed for business use.

Policies

Following the ICO investigation and reprimand, the ICO concluded that NHS Lanarkshire did not have the appropriate policies, clear guidance or processes in place when WhatsApp was made available to download and made several suggestions to the health board including ensuring that explicit guidance on data protection is made available to staff when new apps are deployed.

Would appropriate polices, guidance and processes have been enough to mitigate this happening and is it as simple as that? No, not entirely. Policies and processes are undoubtedly required when allowing employees to use applications so as to inform them of how they should and should not behave when using new company tools but Technology Failsafes and Data Leakage Prevention measures must also be set up and be fit for use and purpose at the point the tool is made available for use. Allowing applications to be used without these pre-requisites leaves both the employees and the company open to financial, legal and reputational damage if not. Risk Assessments should also be carried out to determine what is possible and what is likely to go wrong through the use of the tool in worst case scenarios.

Recommendations :-

The ICO has since recommended NHS Lanarkshire take action to prevent future data breaches and suggested the health board should implement a secure clinical image transfer system for the storage of images and videos within a care setting.

This is the key takeaway - A system specifically designed to serve the exact purpose for which the staff of NHS Lanarkshire needed and required - A secure platform for sharing, analysing, reviewing and reporting on medical data, on both desktop and mobile - was not available. And this was a function that WhatsApp was certainly never designed to fulfil.

There is no doubt that the staff only had good intentions, to do their jobs to the best of their ability using the communication tools available to them during what was an extremely busy and stressful period of their careers when a Pandemic placed additional stress on them and on the NHS overall. An appropriate system, especially when COVID struck so quickly and when they had to adapt at extremely short notice, could not have been made available quickly.

Conclusion

There’s also no doubt that WhatsApp has been a huge success in the personal world of social media applications and it may well have its place in certain sections of the professional world, particularly small businesses, for basic, quick conversational interactions. But for other businesses and professions, while it may be tempting to adapt, leverage and utilise whatever mainstream apps and tools are available at the time in order to get the job done, doing so is really only cutting corners instead of exploring the real solution and by proceeding without the appropriate processes and failsafes in place, it could be one shortcut that eventually trips you up.