Using WhatsApp groups for internal workplace communication and marketing purposes has become very popular.
Employers should therefore keep in mind that they must comply with the Protection of Personal Information Act (POPIA) when processing personal information on this platform.
Things to keep in mind when using WhatsApp as a communication platform:
- Information is processed on multiple devices and is also stored on each device, for example in the employee’s phone gallery;
- WhatsApp content is backed up on servers around the world, which amounts to the trans-border flow of the client’s information;
- Although WhatsApp has end-to-end encryption features, which are safe when enabled, third parties with physical access to a device can still access its content;
- From the outset, proper procedures must be followed before creating a WhatsApp group, such as ensuring consent was received before adding an individual to a group (unless other justifiable grounds exist).
Steps that the employer can take to limit the risk involved when using WhatsApp as a communication platform:
User awareness training
- Users (employees) must be trained to ensure the proper use of the device and the risk involved when processing a client’s information;
- A focus on the company’s applications and basic security features must be a mandatory part of the training.
The following list is not exhaustive but contains crucial points that must be addressed during the initial training:
- Review of policies;
- Procedure and Security Safeguard implementation;
- Password protection;
- How to deal with social engineering attacks;
- Proper protection of devices;
- Locking the device;
- Preventing the use of systems by unauthorised users;
- Protecting devices from loss or theft;
- Ensuring the information on a handheld device is necessary;
- Ensuring the information on a handheld device is also stored on the company network, where it is regularly backed up;
- How to encrypt sensitive information;
- User awareness of changes in technologies and security policies should be regularly tested.
Internal Policies
Policies must be implemented in the workplace, including but not limited to the following:
- Acceptable use policy
This policy directs all company employees in the acceptable use and security of the company’s handheld and internet facilities.
- Handheld & Mobile device policy
This policy establishes rules for the proper use of handheld devices in the workplace to protect the confidentiality of sensitive data, the integrity of data and applications and the availability of services at the company, protecting both handheld devices and their users, as well as corporate assets (confidentiality and integrity) and continuity of the company.
- Physical Security policy
The company premises that include handheld devices and other information technology resources must be safeguarded against unlawful and unauthorised physical intrusion, as well as fire, flood and other physical threats.
- Data retention policy
This policy aims to ensure that necessary records and documents of the company are adequately protected and maintained, and that records that are no longer needed by the company or are of no value are discarded at the proper time.
- Risk management policy
This policy establishes the process for managing risks faced by the company.
- Privacy policy
The purpose of this policy is to establish a Compliance Framework for the company to ensure compliance with the Protection of Personal Information Act 4 of 2013.
Please remember that should an employee share a client’s information with a third party outside of the intended scope, the employer can be held accountable in terms of POPIA.
About The Author:
Douw Krüger started his career at SEESA in 2015. He is currently a Consumer Protection and POPI legal advisor at the SEESA Kimberley branch. He also has in-depth practical experience in BEE and Labour legislation. Before joining SEESA, he obtained his LLB degree in Law and Advanced Certificate in Labour Law at the University of the Free State.
Resources:
- Protection of Personal Information Act No. 4 of 2013