Employees need to clearly understand what theyĀ can and canāt shareĀ on mainstream messaging apps
It is vital for employees to understand howĀ to conduct themselves during interactions with regulators. Failure to do so may result in significant consequences for the employer.
The European Commission recently fined a European company after a senior employee deleted private WhatsApp messages during a raid pertaining to a competition law violation. The WhatsApp chat in question was with a competitor and contained business-related information.
This fine illustrates the growing scrutiny on digital communication channels as employees increasingly rely on platforms like WhatsApp for personal and professional interactions. Regulators are recognising the need to adapt their enforcement strategies.
The use of messaging platforms such as WhatsApp and Snapchat, which offer ephemeral or disappearing message features, likely provides a false sense of privacy to employees and managers. Employees may feel more comfortable sharing information or discussing sensitive topics that they might not want to address in a more permanent format, like email.
Similarly, when the regulator is at the door, employees who are hesitant to switch on the shredder can quickly reach into their pocket and hit delete on communications they donāt think their employer will want the regulator to see. As the European Commissionās fine illustrates, the consequences can still be borne by the company.
Financial institutions globally have faced regulatory scrutiny over the use of messaging apps by employees to discuss sensitive matters. There has been a move away from the use of third-party messaging apps on the work mobile phones of employees, a trend not yet seen locally.
In South Africa, a number of regulators and public bodies are empowered to conduct raids, including the South African Police Service, the South African Revenue Services, the Competition Commission and the Information Regulator.
While each authority is subject to different laws governing the powers granted to them, as a general principle, they may enter a firmās premises, seize and/or make copies of documents and collect electronic data that forms part of the investigation. A significant focus of raids is accessing electronic documents, such as those on servers and devices.
If a company fails to comply with its legal obligations during a raid, significant fines and/or criminal penalties may be imposed. As such raids have proven to be effective investigatory tools, it is anticipated that regulators and law enforcement will continue to conduct raids in South Africa (and that their frequency will likely increase).
Be prepared
The best defence is having an effective document management and communication policy that is well known and understood.
The hallmarks of a raid-ready company are the following:
- Employees have clear reporting guidelines, indicating who they must contact in the event of a raid.
- Employees are aware that they cannot delete, destroy, hide or falsify any documents or information during the raid, as this may result in criminal liability not only against the employer but also against the employee. This includes information stored on mobile phones or computers that relate to the business of the employer.
- Employees are provided with training on their rights and obligations during a raid, as well as the manner in which they must act to protect the confidential and legally privileged information of their employer within the confines of the law.
- Employees are aware that any raid must be conducted with due regard to their dignity, as well as their right not to answer questions that may be incriminating, particularly without the assistance of a legal representative. This being said, employees must cooperate with the investigators and answer questions truthfully and to the best of their ability.
- Employers should implement procedures for the disclosure of confidential information. This may include a process that requires employees to disclose to the employer any information that they have been required to disclose by law to enable the employer to take steps to mitigate any harm to its business and/or its clients.
- Employees are aware that they cannot discuss the raid with other employees or third parties unless they have been authorised by their employer to do so.
Employers must take measures to protect the confidentiality, availability and integrity of communications pertaining to their business and may face difficulties if employees routinely utilise messaging apps to conduct business.
Some applications make provision for encrypted messaging, and communication data is typically kept āin the cloud,ā to which employers do not have access. Companies should understand the extent to which employees are using third-party applications in conducting business and appropriately adjust their policies and procedures.
Text |Ā Clare-Alice Vertue, Karl Blom, Siya Ngcamu and Sidrah Suliman
Photography |Ā Diego Cervo
Clare-Alice Vertue is Partner, Karl Blom is Partner, Siya Ngcamu is Senior Associate, and Sidrah Suliman is Associate, all from Webber Wentzel.
For more information, go toĀ webberwentzel.com.
