It has recently come to light that Boris Johnson received information relating to important Government business through WhatsApp sent directly to his personal telephone. A number of groups have suggested this posed a security risk as to whether the information sent remains secure and further, with the ability to easily permanently delete messages it could lead to information being deleted when it should have otherwise been retained.
Whether or not Boris Johnson was right to use WhatsApp remains to be determined by the High Court but with Boris Johnson facing such scrutiny over its use, should we have concerns about its use as well?
With WhatsApp’s end-to-end encryption it is deemed to be a secure method of communication. For day-to-day use, such as sending messages between friends and family, it is the user’s own decision as to whether they believe WhatsApp to be secure enough for use. But what if it is used for business and used to send personal and sensitive data? The UK General Data Protection Regulations (UKGDPR) govern data controllers who process personal data.
A data controller is a person or company who processes personal data, with personal data being any information that could potentially identify a natural person. Whilst many people may not believe they are a data controller, their roles at work will often deem them to be. By way of example, a Solicitor will be deemed to be a data controller on the basis they process their client’s information which will no doubt include some personal data.
The Data Protection Act 2018 sets out six principles that determine how personal data should be handled, including the following:
- Processing be lawful and fair;
- The purpose of processing that data is specified, explicit, and legitimate;
- The personal data obtained is adequate, relevant, and not excessive;
- Personal data is kept accurate and up to date;
- Personal data is kept no longer than is necessary; and
- Personal data is processed in a secure manner.
The relevant principle when considering whether WhatsApp could be used to process personal data would be principle six, which requires data to be processed in a secure manner. As set out above, it is accepted that WhatsApp is a secure method of communication and therefore its use would not be prevented in accordance with the Data Protection Act.
Whilst the use of WhatsApp would not breach any Data Protection laws, concerns may be raised in respect of retaining that information. For example, many Solicitors will be required to keep records for many years should they be required for a further claim. This ties in with principle five in that data should only be retained for as long as necessary. As highlighted by Boris Johnson’s use of WhatsApp, messages can easily be permanently deleted. If a firm is required to retain records, therefore, it would be advised that a separate record be kept and backed up regularly to prevent any issues in the event those messages became lost.
How can we help
Stuart Parris is an Associate in our expert Dispute Resolution team.
If you require any advice concerning the subjects discussed in this article, please do not hesitate to contact Stuart or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
Contact us