[Update Sept 2021 - WhatsApp issued second-largest GDPR fine of €225m]
WhatsApp has 2 Billion users. That’s just under a third of the world’s population.
In the last few years it has completely engulfed the SMS and consumer messaging app market.
It’s ubiquity on people's phones means that businesses, charities, governments and schools often use it to create internal and external messaging groups, without considering the possible implications.
WhatsApp's adoption within schools amongst teaching staff, governors and parents is no surprise, but for some reason it seems WhatsApp use often bypasses the necessary safeguarding and data protection checks that schools usually carry out when a new piece of technology is considered.
WhatsApp's ease of use is attractive, but schools need to consider the downsides and risks of using WhatsApp and other consumer messaging apps like Facebook Messenger Signal and Telegram.
What are the risks of using WhatsApp and are there alternatives that are safe for schools?
1.WhatsApp is not GDPR-compliant
Given a long term focus on data and safeguarding, schools were more likely to be GDPR compliant than most businesses when regulation was enforced on 25th May 2018.
But, if WhatsApp or other consumer messaging apps such as Signal or Telegram are being used to communicate with staff, parents or any other group, then it is highly likely that your school is no longer GDPR compliant.
Here are some of the reasons why WhatsApp specifically faces challenges around compliance with GDPR regulation when it comes to business and professional use:
- Lack of explicit consent 1 - you can be added to a WhatsApp group without your explicit consent. Only very recently WhatsApp added the ability for you to prevent specific users from doing this but this option is not enabled by default.
- Lack of explicit consent 2 - your contacts can upload your data to WhatsApp/Facebook if they give access to their contacts/address book and you are in it, even though you have not given consent.
- Lack of ability to delete information - after a certain time you cannot delete content you have posted to WhatsApp.
- Lack of ability to get your own data back (SAR - Subject Access Request) - WhatsApp cannot provide you with messages you have posted, only your profile info.
- Your data transferred outside the EU zone - it is not very clear where exactly WhatsApp/Facebook move your data
For more detailed information on why WhatsApp is not GDPR-compliant, read our article "WhatsApp is it GDPR-compliant?".
2.Failure to comply with International Organisation for Standardisation (ISO)
Independent education technology and compliance experts 9ine state on their blog that any school using WhatsApp to communicate amongst staff would fail a ISO 9001 quality management audit.
Structured record-keeping in schools is important in case of HR issues, legal action were taken against a school or any external agency requires access to school data or information.
3.Lack of audit trails, data management and safeguarding
WhatsApp makes it almost impossible to keep an audit trail of data and information, sent within a WhatsApp chat. Data is also held on local devices (not in the cloud).
This means if a staff member leaves a school and they are removed from a WhatsApp group, there is a possibility that they still have access to data and information they shouldn't have access to.
The creation of staff, governor or PTA WhatsApp groups presents data risks as the school has no control over the sharing of information outside of their formal communication channels. Schools cannot control who has access to WhatsApp group chats other than the individual who created the group, so security is difficult to manage.
There have also been reported instances where WhatsApp groups and the details of those in the groups, including their mobile phone numbers, have become publicly visible on Google search.
4. Non-personal use is against WhatsApp's terms of service
Using WhatsApp at work isn't just a problem in schools.
A study in February 2020 found 41% of UK workers admit to using WhatsApp for work purposes - despite it being against WhatsApp’s terms of service to use it in ways that involve any non-personal use.
What can schools do - is there an alternative to WhatsApp?
Messaging is a convenient, fast and simple communications channel for schools and there are GDPR compliant alternatives to WhatsApp.
Andrew Hall, a Safeguarding consultant for schools has recommended that schools look at Guild:
"I’ve been reminded about schools using WhatsApp during this current crisis, so this question (is WhatsApp suitable for Schools) has come up a few times.
A product that does provide secure group messaging is ‘Guild’ which businesses use for its compliance to GDPR and has high-level security to keep information within the corporate company." (Safeguarding in Schools, 2020).
Wellstead Primary School is amongst a growing number of schools using Guild because it is simple to use, intuitive and most importantly, GDPR and ISO 9001 compliant.
Join Guild 🤝
See for yourself how the Guild experience is different to WhatsApp, Slack, LinkedIn or Facebook Groups.
Guild is a safe space to connect, communicate and collaborate with others.
Join us on a platform that is purpose-built for creating groups, communities and networks on mobile.