Best Practice Update

Using WhatsApp in Schools

Using WhatsApp in Schools

This article is about the use of WhatsApp as a communication tool in schools and recent vulnerabilities. It discusses school staff using WhatsApp as a communication method for school business.

We are sometimes asked by staff whether it is OK for staff to be in a WhatsApp group for important school messages. Staff often wish to use it because it is an easy way to communicate and a platform that a lot of people are familiar with.  It is also free. There are issues around this:

  • Non staff members can easily be added
  • All personal mobile numbers can be seen by everyone in the group
  • Someone needs to take responsibility for removing staff from the group that have left school
  • There is no user access control
  • Use of personal devices for school business

The ICO called for a review into the use of private email and messaging apps within government as there is a lack of controls:

WhatsApp says is should not be used for business; it is against their terms and conditions. Although WhatsApp have a business app, this is for businesses to link with their customers (ie the public), not designed for private chat within an organisation:

This article highlights the lack of user management that can create security issues:

WhatsApp has previously been fined for data breaches:

More recently there has been a warning from Action Fraud about a takeover scam of Whatsapp accounts :

Our advice would be to always try to minimise any risk, so consider the following:

  • Systems owned by an organisation would have the relevant security measures in place to protect against hackers and cyber attacks. See our best practice area: Information & Cyber Security.
  • An organisation would have the appropriate user controls measures in place for accessing the data appropriate to a person's role in the organisation. See our Info/Cyber Security Checklist.
  • An organisation would have a backup of any data.
  • An organisation is required to have access to all data in the event of a Subject Access Request. This is much simpler when all business communication is either in the organisation's cloud or devices.  See our best practice area: Subject Access Requests.
  • Organisational systems are monitored and so any inappropriate use can be checked and controlled.
  • WhatsApp may not be the best tool for more formal communication of for conveying official school policies or announcements and could lead to confusion or miscommunication.
  • There is a risk of an individual's private information or confidential data being on everyone's personal device that are in the group - an organisation has control over it's own devices.

Internet Matters offers a WhatsApp social media guide.

Information about whether WhatsApp is safe for children is covered by the NSPCC: Is WhatsApp safe for my child?

If you have been a victim of fraud or cyber crime, report it to Action Fraud or 0300 123 2040, and possibly your DPO, depending on the cyber crime.