Financial sector feels pressure to monitor use of WhatsApp
Katie Hewson, Nic McMaster and Nelson Kiu of Stephenson Harwood LLP report on how to navigate the data protection implications of monitoring staff use of messaging applications.
This article examines the data protection law challenges of ensuring that staff members’ “off-channel communications” are properly recorded. This is a particular challenge for organisations that are subject to regulatory record-keeping obligations, such as financial services organisations (FS Organisations). However, it will be relevant to any organisation that wishes to monitor staff members’ business communications made through unauthorised channels or on personal devices (for example, to check for evidence for use in litigation).
Many FS Organisations have recently bolstered their supervisory procedures to more closely monitor the use of off-channel communications for conducting business activities. This follows a decision by the US Securities and Exchange Commission (SEC) to issue fines totalling US$1.1 billion against 15 organisations in September 2022. In issuing the fines, the SEC noted that employees’ use of messaging applications (such as WhatsApp and SMS) for work-related purposes had resulted in a failure by the FS Organisations to maintain or preserve these communications. This was because the information on these applications was not easily accessible to the FS Organisations. Similar “books and records” preservation requirements are imposed under UK regulations, with reports that the UK regulator is also looking into the use of WhatsApp at FS Organisations.
The use of unauthorised applications or personal devices for work purposes is a pressing one for many different types of business, as personal data on unauthorised applications can in some circumstances be within the scope of a data subject rights request. The UK Information Commissioner’s Office (ICO) has also called for government departments to review the use of private apps within government1.
Whilst their obligations, and in particular the recent enforcement action for failure to monitor work communications, might make organisations eager to implement systems monitoring the use of off-channel communications, it is important to take stock and ensure that any such regimes also have due regard to their UK data protection obligations. An over-zealous attempt to detect and prevent the use of off-channel communications could inadvertently cause an organisation to fall into non-compliance with its own obligations under the UK and EU data protection laws.
Requirements relevant to UK organisations
Books and records requirements are in place to ensure that certain business- related communications are captured and stored so that regulators can investigate potential wrongdoing in the future. The loss of these records can seriously hamper regulatory enforcement actions.
The UK financial services industry is subject to particular rules around the collection and preservation of business- related records. For example, FS Organisations subject to Chapter 10A of the Financial Conduct Authority’s Senior Management Arrangements, Systems and Controls sourcebook must take “all reasonable steps to record telephone conversations, and keep a copy of electronic communications, that are made with, sent from, or received on, equipment provided, or accepted for use, by the firm”. UK firms are also potentially caught by books and records requirements under US legislation enforced by the SEC. The SEC requirements may be relevant to UK members of a US group, or to advisers required to maintain original records of communications connected to a range of international transactions. The use of off-channel communication systems makes it much more difficult for any organisation to monitor, capture and retain such communications. The UK Financial Conduct Authority (FCA) has warned of the dangers of unmonitored use of personal devices and encrypted communication applications and, following the SEC’s actions, is reportedly undertaking its own analysis of the use of WhatsApp within FS Organisations.
The FS Organisations that were fined in the US had been charged with “failing to reasonably supervise with a view to preventing and detecting” violations of the books and records requirements. The fines were accompanied by requirements to undertake a comprehensive review of policies and procedures relating to the retention of electronic communications found on personal devices. Financial services regulators have also emphasised the importance of companies adopting an active, supervisory role to support compliance. For example, the SEC has referred positively to monitoring staff members’ social media accounts (where use of social media is permitted) and installing applications on personal devices to monitor the use of prohibited applications prior to allowing them to be used for business communications.
In response to the SEC sanctions, FS Organisations have strengthened their supervisory and monitoring capabilities, including by requiring employees to screenshot work-related messages on personal devices and to forward these to compliance departments. There have also been reports of firms undertaking wide-ranging monitoring of staff emails and other work-related communications for indications of non-compliance (such as scanning for emails saying “WhatsApp me”) or even requiring certain employees to install applications on their personal devices to allow compliance staff to monitor all their calls, texts and messaging app conversations with clients.
Whilst these kinds of monitoring arrangements reduce the risk of further violations of the books and records requirements, any organisation seeking to monitor unauthorised apps or personal devices for work communications needs to take particular care that they do not breach applicable data protection requirements. This is because off-channel communications typically occur on personal messaging applications and on personal devices, which employees reasonably expect to remain private. Monitoring of these off-channel communications is also likely to pick up a significant amount of non- business-related personal data, including special category personal data. As such, broad-based monitoring of these applications and devices is unlikely to be compatible with FS Organisations’ data protection obligations.
Data protection considerations
Less than a month after the SEC fines were announced, the ICO published draft guidance on employee monitoring. This was followed by a consultation period on the draft guidance, which closed in January 20232.
Whilst the draft guidance does not specifically deal with how supervisory regimes can be implemented in a way which achieves compliance with both books and records and data protection requirements, it does provide helpful guidance on the issues that any organisation needs to be alive to when designing their communications monitoring programmes. In respect of policies and systems that would result in the monitoring of personal devices, emails and other employee communications, the guidance suggests that organisations consider:
- using aggregated analytics reports to identify trends without identifying specific workers;
- using network data in the first instance to check for unauthorised usage and, if this is not sufficient, using the network data to narrow the scope of the monitoring of the details of particular communications; and
- banning the private use of work devices and blocking problematic websites and applications on work devices.
Organisations should also publish clear policies prohibiting the use of off- channel communications where such use would limit or prevent the organisation from being able to capture and retain records in accordance with its obligations. Supporting these policies with education, regular updates and strong enforcement action is also important so that employees clearly understand their obligations to pre- serve records and avoid the use of off- channel communications for work- related matters. These policies and practices are also relevant when it comes to justifying decisions about whether to undertake more targeted monitoring activities, as it is less likely that employees could reasonably expect their communications to remain permanently off-limits from supervision where they are being con- ducted in violation of clear and well- respected policies.
When it comes to systems that monitor employees’ use of off-channel communications, organisations will need to ensure that any regime is proportionate to their obligations to collect and preserve relevant records and is supported by an appropriate lawful basis. Prior to implementing such a scheme, organisations will also need to ensure that the monitoring is clearly described in applicable privacy notices and that they have undertaken a data protection impact assessment. Organisations should also be aware of the following issues:
- For FS Organisations: monitoring that is necessary only to comply with the SEC rules is unlikely to be justified under the “legal obligation” lawful basis, as the relevant legal obligation must be laid down by UK laws and regulations. Accordingly, FS Organisations will need to con- sider whether the processing is also justified under UK record-keeping rules or otherwise seek an alternative lawful basis. If relying on legitimate interests, a separate legitimate interest assessment will need to be carried out and documented.
- FS Organisations in the UK can presently rely on the public interest derogation for direct transfers of personal data to the SEC in the US in connection with the SEC’s evaluation of UK FS Organisations’ compliance with US record-keeping requirements. However, FS Organisations must be satisfied that the SEC requests are within the scope of its regulatory powers and keep a record of these considerations.
- If broad monitoring is being con- templated, then an Article 9 (UK GDPR) basis for processing special category data may need to be identified, due to the likelihood of such data being caught.
- Monitoring of work-related devices is likely to be more easily justified than monitoring of personal devices. This is due to differences in employee expectations regarding the privacy of communications on these devices (particularly where monitoring is detailed in policies) and also due to the larger volume of incidental personal data existing on a personal device. Monitoring personal devices could also result in organisations being a controller in relation to a large amount of personal data relating to its staff held on such devices, increasing their susceptibility to data breaches and also more costly rights requests.
It is important that all organisations adapt their supervisory policies and systems in line with the updated monitoring guidance from the ICO, particularly once the final version of this is published.
Katie Hewson is a partner, Nic McMaster is an associate and Nelson Kiu is a senior paralegal at Stephenson Harwood LLP.
© 2023 PRIVACY LAWS & BUSINESS March 2023