Former Health Secretary Matt Hancock found himself in hot water again this month after journalist Isabel Oakeshott leaked more than 100,000 private WhatsApp messages of his to The Daily Telegraph. She received the messages from Mr Hancock while working with him on his memoir and was forced to sign an NDA, apparently to ensure confidentiality of the disclosure. Ms Oakeshott claimed she chose to break the NDA in the public interest to expose the government’s handling of the COVID-19 pandemic. The Information Commissioner’s Office (ICO) said it was not opening an investigation into the leak “at this stage” and repeated journalistic exceptions in the public interest.
Whether Ms Oakeshott was justified in breaking the non-disclosure agreement is a question, but more importantly, was Matt Hancock allowed to disclose those messages in the first place, unrelated to a non-disclosure agreement? Under the Ministerial Code, when ministers resign, they must turn over all communications they had during their tenure and erase all communications records from their phones. It is unlikely that the Cabinet Office would have consented to the disclosure even if there was no intention of making the communications public. However, under the Ministerial Code, it seems unlikely that there is an enforcement mechanism that the government could use against Mr Hancock.
A key consideration for companies here is the importance of a solid social media policy with specific inclusions related to WhatsApp usage and the ability to retain all internal communications when leaving the workplace. Policies can also include restrictions not only on external communications, but also on any communications that take place through internal instant messaging apps.
A good social media policy should provide clear guidelines for employee social media use both inside and outside of the workplace and include:
Best practice when posting on your company’s social media account – including branding guidelines, etiquette and confidentiality; Security and privacy policies – e.g. B. emphasizing the protection of confidential information, ensuring the security of your social media accounts and responding to a security breach; and Personal Account Policies – Even if they post to personal accounts, employees are still representatives of the company. Any damning comments may adversely affect the company’s reputation.
Employers should also make an effort to provide their employees with education and training on how to use social media and to ensure that the guidelines are correctly followed.
The use of social media in the workplace is also associated with numerous data protection implications. Just last year, the ICO published a report on “Government Transparency and Data Security in the Age of Messaging Apps”. Under the GDPR, organizations handling personal data must take “appropriate technical and organizational measures” to ensure that all personal data is processed safely and securely. To meet this requirement, organizations can also consider implementing information security policies that govern the use of messaging apps, especially on all work devices such as work phones. In terms of data protection, it is also important to remember that the use of messaging apps in the context of a subject’s request for information does not entail an exception. Employees should therefore always be careful what they say online.
As social media use continues to grow, this incident serves as a powerful reminder that companies should ensure they have a robust social media policy in place that governs employee behavior when using social media, especially in light of a shift towards hybrid working has led to increased use of WhatsApp in the workplace. Employers should be careful to implement and review social media policies and conduct training to remind employees of the dangers of their abuse.
“It shows that we need to completely rethink how the government does business on WhatsApp, the line between personal and political communication and former ministers’ access to government documents.”