Should we be using WhatsApp for Internal Communication in Schools?
Carrier pigeon, telegram, fax, post-it note, email...methods of communication have changed considerably over time and alongside advances in technology. The rise of the smartphone and omnipresence of mobile networks facilitates instant messaging services like WhatsApp, Facebook Messenger, WeChat. These apps have propelled communication into real time and revolutionised the ease of conversing without having to make a phone call (which in itself is a problem but hey, who doesn’t like an emoji 😀).
It’s because WhatsApp is easy to operate, informal and is everyone’s familiar tool for digital conversations that it is increasingly popular within schools for internal communications. Ostensibly, having a communication tool like WhatsApp which allows you to exchange information quickly and efficiently between school departments in a less bureaucratic way than email is a great idea. We at 9ine are constantly reminded to steer away from the pitfalls of “post-boxing” - the practice of sitting happy on an email you have sent, content with not having a reply from the other end because your job here is done. Having a secure and integrated internal communication tool, such as Google Hangouts Chat, is great for driving productivity and accountability for the way we communicate with each other. The use of WhatsApp in schools, however, is not often internally managed by the organisation themselves.
The ease of WhatsApp and it’s common day-to-day use in personal communications is its ultimate downfall for use within the workplace, particularly in schools. People are so used to conversing with friends over instant messaging services, it’s not surprising that this method has crept into how colleagues interact during the working day. The easy ability to share information in real time or capture photographs on your smartphone and share over WhatsApp is just one facet of many crossover issues relating to child protection, data protection and managing personal/work accounts, evidencing paper trails.
9ine provides free, virtual leadership training in the areas of data protection & security and systems in education.
WhatsApp: what's the catch?
9ine advises not using WhatsApp as a method for official internal communication within schools. There are two overlying issues: the first, compliance/business quality management; the second, GDPR.
Any business seeking to be audited for ISO 9001 quality management, would fail. This is because the business, or school, has no lawful way to gain access to the data or information stored or processed by WhatsApp should they need to. This is particularly important for cases which may need to include HR investigations, legal action, defence against a legal claim, or instances that require the ability to demonstrate to external agencies that the school's records are kept in a managed structure.
Staff members are likely to use WhatsApp on their personal devices for personal communication and of course this is not a problem. It becomes a workplace problem when staff members begin to communicate internally with other staff members using their personal WhatsApp accounts, sharing school-related information which could include categories of personal data, such as photographs for example. The ability to create communication groups based on the contacts in your phonebook is a popular function of using WhatsApp. The creation of staff WhatsApp groups that include contacts external to the school, however, presents a further risk to the organisation's data as the school has no control over the sharing or propagation of information outside of their formal structures. An additional security issue is that you cannot control who has access to group chats other than the individual who created the group, so the security is difficult to manage.
Without formal policies adhering to the boundaries of personal/workplace communications, the individuals involved are likely to be sharing a multitude of school information without necessarily realising what they are doing. It’s also likely that this may not even surface as an issue unless there is an incident which brings the underlying risks to fruition. This is when the school might decide to intervene, however if required, they would struggle to argue their right of access to a member of staff's personal WhatsApp account.
One of the major problems here is that, where information related to the school is being shared outside of the organisation, the school themselves have not entered into a controller to processor / data sharing agreement (check out our webinar) with WhatsApp. The agreement lies in the individual’s personal account with WhatsApp instead. Where schools are using other services to process personal data on their behalf e.g. media platforms, MIS, finance systems, under international data protection law (GDPR), they are expected to have these agreements or contracts in place. This is so both parties can evidence the shared accountability and responsibility to the personal data that’s being processed on behalf of the school. Without a lawful basis, the sharing of personal information with third party organisations outside the school is not allowed. In specific circumstances, some governmental organisations may have a legal right to access certain information, however, this must be checked with the data protection lead/team/officer prior to disclosure.
Third Party Access
In terms of the GDPR and WhatsApp, there is a data privacy clash between information processed on staff members personal accounts / devices, and personal data pertaining to the school. The school cannot invoke information rights, such as right of access or right or right to be forgotten with staff personal accounts on WhatsApp. The use of WhatsApp also has additional hidden consequences. By using WhatsApp you are providing your consent for WhatsApp to access your contact list or phonebook in order to provide and use the service. The app profiles your contacts and profiles the conversations between individuals. It then correlates this with Facebook and Instagram and other available data within your phone (cookies, browsing history etc). There are likely to be significant privacy issues with official and usually confidential conversations being profiled by WhatsApp, in addition to the likelihood of the platform also seeking to use the information in those conversations (possibly relating to named people) for its own purposes.
What Can Schools Do?
We advise that schools have an overall Data Protection Policy stating that social media is only to be used for communicating the theme of “community” or advancing the school’s brand, and that social media for internal communications has no lawful basis under the school’s parameters. The school’s stance should state that the use of social media (Facebook, Instagram, WhatsApp, LinkedIn, Dropbox etc.) by school staff for school business purposes, should only be permitted on accounts and profiles which have been approved by the Data Protection Lead/team/officer. Personal accounts should not be used for school business purposes.
A policy is of course useless if it is not followed. Under the requirements of international data protection law, schools are required to demonstrate accountability and have the confidence that any school policies and procedures are followed by their staff. Schools will need to be able to evidence each year where they have provided training to their staff in relation to their data privacy / ePrivacy policies. When it comes to reviewing policies, schools need to ensure they are updated regularly in line with legislative and best practice change, enforcing the high standards expected for the school.
Child protection vs. WhatsApp
When mentioning any data protection concerns in relation to communicating via technology in schools, the crossover with child protection / safeguarding is never too far away. Safeguarding incidents can have a significant impact on students, staff and the school itself and as such, rigorous operational measures need to be implemented. That is why it is important for schools to have the appropriate safeguarding measures in place for identifying, managing and mitigating potential child protection risks. The increased exposure and scope of safeguarding risks brought about by technology and the internet are an area that require ongoing management and review. With risks such as cyber bullying, grooming and radicalisation being presented in online environments, the collaboration between safeguarding personnel and IT teams is increasingly important for ensuring that the available tools are used effectively and any interventions can be planned accordingly.
For the above reasons, WhatsApp communication between staff and students is inadvisable. Online communication with students should only be carried out through a school-approved channel that provides a managed learning environment where all communications are transparent. Schools are expected to have stringent professional boundaries set out in their social media policy to ensure staff understand. The UK’s statutory guidance for schools, Keeping Children Safe in Education, sets out a clear code in reference to professional relationships and the appropriate use of social media, including Facebook, Twitter and WhatsApp.
The school has a duty under data protection law to ensure that the personal data it processes is safe, secure and protected from unauthorised or unlawful processing and against accidental loss, destruction or damage. The use of WhatsApp for internal communication places this duty at risk. Lastly, if a school chooses to continue communicating via instant messaging or other online methods, we'd suggest having a corporate chat platform available.
How Can 9ine Help?
At 9ine, we understand the busy environment of schools and how easy lines of communication are a necessity. We can provide the data protection, child protection and business management support for any of the issues discussed above. Our DPO Essentials subscription service provides outsourced expertise and resources to support your data protection team. We have a suite of best practice documentation for schools, including a social media policy, that supports with evidencing and managing compliance for challenges like the use of WhatsApp for internal communication.
To find out more about 9ine's DPO Essentials: