The former Health Secretary, Matt Hancock, has found himself in hot water again this month after journalist Isabel Oakeshott leaked more than 100,000 private WhatsApp messages of his to The Daily Telegraph. She obtained the messages from Mr Hancock whilst working on his memoir with him and was required to sign an NDA, seemingly ensuring the confidentiality of the disclosure. Ms Oakeshott claimed she chose to break the NDA in the public interest, to reveal the government’s handling of the COVID-19 pandemic. The Information Commissioner's Office (ICO) said it was not launching an investigation into the leak "at this stage", reiterating journalistic exemptions in the public interest.

Whether Ms Oakeshott was justified in breaking the NDA is one question but, more importantly, was Matt Hancock allowed to disclose these messages in the first place, regardless of any NDA? According to the ministerial code, upon resignation ministers must hand over any communications they had whilst in office and delete any records of communication from their phones. It is unlikely that the Cabinet Office would have approved of the disclosure, even if there was no intent to publish the communications. However, under the ministerial code it seems unlikely that there is any enforcement mechanism that the government could use against Mr Hancock.

A key takeaway here for businesses is the importance of having a robust social media policy, with specific provisions on the use of WhatsApp and on the ability to retain any internal communications upon leaving a place of work. Policies may also cover not only external communication but also any communication that takes place on internal instant messaging apps.

A good social media policy should clearly set out guidelines for employees’ use of social media both inside and outside of the workplace and should feature the following:

  • Best practice if posting on your company’s social media account – including brand guidelines, etiquette and confidentiality;
  • Security and privacy guidelines – such as placing an emphasis on the protection of confidential information, ensuring your social media accounts are secure and how to respond if a security breach takes place; and
  • Personal account guidelines – even when posting on personal accounts, employees are still representatives of the company. Any damning comments may have an adverse impact on the company’s reputation.

Employers should also look to provide education and training to employees on the use of social media and ensure policies are complied with correctly.

The use of social media within the workplace also comes with a host of data protection implications. It was only last year that the ICO published a report on ‘government transparency and data security in the age of messaging apps’. Under the GDPR, organisations that handle personal data must implement “appropriate technical and organisational measures” to ensure that all personal data is processed safely and securely. To aid with this requirement, organisations may also consider implementing information security policies which control the use of messaging apps, especially on any work devices such as work mobiles. In respect of data protection, it is also important to remember that communications on messaging apps are not exempt from a Subject Access Request. Employees should always, therefore, be mindful of what they say online.

As the use of social media continues to grow, this incident serves as a strong reminder that businesses ought to ensure they have a robust social media policy in place, setting out the behaviours expected of employees using social media, especially given that a shift to hybrid working has led to an increased use of WhatsApp within the workplace. Employers should be mindful to implement and review social media policies and to provide training to remind employees of the dangers of misuse.