
DSAR Defence Series - Using Personal Communication Apps

Updated: Mar 30




As data privacy professionals, we always face difficult issues and cases, many of which we can mitigate if we give them some thought and effort before they occur; in this series of blogs, we will cover some examples of more difficult issues and give pointers on how to avoid or minimise them.


The scenario

An employee works for a company that issues them a telephone for business use. They now carry two mobile phones: one personal, and one company-issued for business communications and data.


This employee frequently uses messaging services and decides to install WhatsApp on the business phone. They log in with their (personal) credentials because it is "convenient." They then use WhatsApp to communicate with their colleagues about business and personal topics.


One of the people the employee has been communicating with via WhatsApp has left the business and has submitted a DSAR (data subject access request); the request explicitly asks that WhatsApp and other chat messages be included in the DSAR response.


Should the information from the WhatsApp communications form part of the DSAR response, and what steps could be taken to help avoid and mitigate such an issue?


The response

This is a tricky scenario. What makes it tricky is that WhatsApp (or another communications app) has been used for business purposes through a personal account, and that account is not under the control of the business, which is the party that has to locate the data and produce the DSAR response.


As with most tricky scenarios, it is a good idea to discuss the DSAR with the data subject making the request. In some cases, they may be looking for something very specific but have worded their request broadly, or have been advised to do so; clarifying the request can help both parties understand the requirements better.


If limiting the scope through conversation has not been possible, then in some cases advice from data protection regulators (the ICO in the UK, for example) may help.


For this scenario, there is some advice that you may be able to use and apply:


[1] "We do not expect you to instruct staff to search their private emails, personal devices or private instant messaging applications in response to a SAR, unless you have a good reason to believe they are holding relevant personal data".


This advice from the ICO will likely settle many cases, but not all of them. Where it does not, it is important to assess the details of the request and consider limiting the scope by the means the GDPR itself offers; for example, is the request for WhatsApp chats manifestly unfounded or excessive?


If so, this would offer the opportunity to limit the scope or, indeed, to reject the request. However, do be prepared to defend such a decision (including to the ICO) if required.


Mitigations

Staff training and awareness

Making staff aware of why business information must not be shared through personal applications or accounts greatly reduces the chances of this situation arising. Education and awareness are crucial parts of a good DSAR defence strategy.


Limiting by policy

Allowing staff to install applications on company-issued mobile devices poses potential security and privacy risks. With IT playing such an important role in every business these days, all organisations should have an IT Policy (it may go by a different name) that restricts the devices and applications used to access business data and communications to those approved by the business.


Such a policy should be one of the key policies within the business and should be referenced within employment contracts and staff guidance or handbooks where issued.


Limiting by permission

Wherever possible, users should not have the access rights to install unauthorised applications on their devices, and the IT department should enforce the IT policy technically through device security profiles and permissions rather than relying on the policy document alone.



[1] Guidance from the ICO website





©2025 Contextul Holdings Limited
