This article is about the use of WhatsApp as a communication tool in schools and recent vulnerabilities. It discusses school staff using WhatsApp as a communication method for school business.
We are sometimes asked by staff whether it is OK for staff to be in a WhatsApp group for important school messages. Staff often wish to use it because it is an easy way to communicate and a platform that a lot of people are familiar with. It is also free. There are issues around this:
- Non-staff members can easily be added
- All personal mobile numbers can be seen by everyone in the group
- Someone needs to take responsibility for removing staff who have left the school from the group
- There is no user access control
- Use of personal devices for school business
The ICO called for a review into the use of private email and messaging apps within government as there is a lack of controls: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/07/behind-the-screens-ico-calls-for-review-into-use-of-private-email-and-messaging-apps-within-government/
WhatsApp says it should not be used for business; it is against their terms and conditions. Although WhatsApp have a business app, this is for businesses to link with their customers (i.e. the public) and is not designed for private chat within an organisation: https://support.safeguardinginschools.co.uk/article/36-why-schools-shouldnt-use-whatsapp
This article highlights the lack of user management that can create security issues: https://www.beekeeper.io/blog/why-you-shouldnt-use-whatsapp-for-business-communication/
WhatsApp has previously been fined for data breaches: https://www.fieldfisher.com/en/insights/privacy-notices-post-whatsapp
More recently there has been a warning from Action Fraud about a takeover scam of WhatsApp accounts: https://www.actionfraud.police.uk/alert/warning-issued-to-whatsapp-users-over-account-takeover-scam
Our advice would be to always try to minimise any risk, so consider the following:
- Systems owned by an organisation would have the relevant security measures in place to protect against hackers and cyber attacks. See our best practice area: Information & Cyber Security.
- An organisation would have the appropriate user control measures in place for accessing the data appropriate to a person's role in the organisation. See our Info/Cyber Security Checklist.
- An organisation would have a backup of any data.
- An organisation is required to have access to all data in the event of a Subject Access Request. This is much simpler when all business communication is in either the organisation's cloud or its devices. See our best practice area: Subject Access Requests.
- Organisational systems are monitored and so any inappropriate use can be checked and controlled.
- WhatsApp may not be the best tool for more formal communication or for conveying official school policies or announcements and could lead to confusion or miscommunication.
- There is a risk of an individual's private information or confidential data being on the personal device of everyone in the group - an organisation has control over its own devices.
Internet Matters offers a WhatsApp social media guide.
Information about whether WhatsApp is safe for children is covered by the NSPCC: Is WhatsApp safe for my child?
If you have been a victim of fraud or cyber crime, report it to Action Fraud or call 0300 123 2040, and possibly to your DPO, depending on the cyber crime.