In a radically different working world, the use of social media platforms (such as WhatsApp) in the workplace has dramatically increased, bringing with it real risks to transparency and accountability. 

In the recent case of FKJ v RVT and others [2023] EWHC 3 (KB), the High Court refused to strike out a claim for misuse of private information which was brought by an employee against her former employer. The court considered the extent to which there can be a reasonable expectation of privacy in private WhatsApp messages that had been found at work and how these should be dealt with in the context of ongoing legal proceedings. 

The facts

The claimant, who had been employed by the second and third defendants in early 2017, brought tribunal proceedings against the first defendant (a managing partner and her supervisor) after she was dismissed in late 2017 for misconduct. The claimant brought claims of sex discrimination, unfair dismissal and wrongful dismissal. 

Her former employer successfully defended the claims by relying on a host of private WhatsApp messages that were obtained prior to the issue of proceedings against it. The tribunal held that the evidence had “played a large part” in their findings where there was a direct conflict of evidence. The messages undermined the credibility of the claimant and spoke to the fact that the alleged sexual misconduct was either consensual or not “unwanted”. The WhatsApp messages contained information about the claimant’s professional and private life, including information about her health and sex life which had been sent between her partner and her best friend over the course of several years. 

The Claimant decided to pursue the defendants for what she regarded as a breach of privacy in accessing her WhatsApp messages. The defendants were first put on notice of a misuse of privacy information claim (MPI) in 2019 after the claimant discovered that the defendant was in possession of the WhatsApp messages. The claimant argued that her former employer had hacked into the app via a computer-based WhatsApp web and scanned the QR code, thereby giving the first defendant access to her entire WhatsApp messages. The first defendant argued that the messages had been discovered on the claimant’s work laptop when it was examined to try and establish whether she had made an attempt to log on following her dismissal. The first defendant also argued that he had received further copies of WhatsApp messages through letters sent by an anonymous source. 

The outcome

The High Court was invited to rule on the defendant’s application to strike out the claimant’s claim for MPI and grant summary judgement on the second and third defendant’s counterclaim for abuse of process.

The defendant’s applications were dismissed after the Court determined that the applications were “without merit” and in some cases, “not worthy of serious consideration”. Master Davison found that the WhatsApp messages that were sent between the claimant, her partner and her best friend were private messages and the claimant would ordinarily have had a reasonable expectation of privacy that could not reasonably be contested. 

What constitutes private information?

The Court held that the fact that the private information had been held on the claimant’s work laptop did not affect the expectation of privacy. The Court regarded the defendants’ argument that the claimant could not have had a reasonable expectation of privacy of confidence in relation to material saved or downloaded to her work laptop during work hours. 

What does UK data protection legislation say about private information?

The UK General Data Protection Regulation (UK GDPR) requires that personal data are obtained, held and processed fairly and lawfully. It also provides individuals with increased protection in relation to how their personal data is used by a data controller (for example, an employer). In the case of FKJ v RVT and others, the Court also considered the relevance of the WhatsApp messages to the Tribunal proceedings and the lack of justification for the retention or use of the messages. 

While the decision in FKJ v RVT and others is an interim one, it speaks to the private status of WhatsApp messages and gives employers an indication of what steps to take in an employment context. Employers need to acknowledge that communications can be private, even when stored on a work device. We recommend that employers:

• Consider how long to keep personal data for. The UK GDPR stipulates that you should not keep data for longer than you need it and, in any event, you will need to be able to justify how long you keep it for. You should also consider how, and to what extent, you will have access to and monitor company and personal data contained on employees' personal devices. UK data protection law requires you to process employee data in a lawful, fair and transparent manner. As a matter of best practice, we would recommend updating your data protection policies, including your privacy information notices, data retention policy, data breach policy and your ‘Bring your own device' policy;
• Undertake a review to assess the security and access controls in place in relation to platforms such as WhatsApp, reviewing what access employees have to WhatsApp on work devices and what security measures you have adopted to secure personal data (for example, two-factor authentication or limiting remote access). This may involve limiting what access is granted to platforms such as WhatsApp on work devices;
• Ensure that the use of personal devices at work adheres to the data minimisation principles as set out under UK GDPR. If, as an employer, you have access to data on your employees’ personal devices then you will need to make sure that the monitoring is proportionate to the desired aim(s). Alternatively, you may want to consider putting in place steps to ensure that personal data and company data are kept separate. Personal data that is stored on a work device should be limited to what is directly relevant and necessary to accomplish a specific purpose. Reviewing and implementing security measures will also help mitigate the risk of data breaches; and
• Update your employee handbook to ensure your internal policies reflect the relevant compliance requirements. There may be some overlap between your ‘Bring your own device’ with your company’s IT and communications policy but ensuring that your policies are regularly reviewed and making employees aware of their obligations will help demonstrate your company’s data protection compliance. 

If you would like assistance in relation to your company’s data protection compliance or if you require advice on employment law-related issues, please feel free to contact me or a member of our Employment Law team directly. 

Alternatively, if you would like to stay up to date with our latest articles, legal updates and events, join our data protection hub by going to: https://prettys.co.uk/join-data-protection-hub.