Instant messages (IMs) are an increasingly popular method of workplace communication, allowing team members to communicate with each other in a more informal way in 'real time'. Examples include Whatsapp, Slack, Flock, Lync, Skype, Facebook Workplace, Yammer, Google Chat, Telegrams and Signal and there are many others besides.

There are a number of advantages to IM systems and some employers, particularly those in the technology, finance and retail sectors, have either embraced the technology or accepted it as a reality of their business model. But the blurring of workplace and social communication tools is not without risks for employers. There are a number of key steps employers should take in order to protect both their business and their employees and co-workers.

Make a decision

First and foremost, employers will need to decide whether they want to adopt IM technology.

If you don’t want it in your business, you need to spell this out to employees. Employers who sit back and stay silent on this are running risks – with a workforce that is increasingly au fait with IM tech, and a younger generation who have grown up with this technology as a way of communicating, employers have to be alert to the risk of their staff using IM channels for work or work-related matters in the absence of an instruction otherwise.

Check your tech

Because of the nature of IMs and the way in which they have been used, IM technology can be less secure that other more traditional methods of communication, such as emails. If you decide to implement IM technology, or alternatively if you decide to tolerate its use, you should look at the tech involved. Key security risks include vulnerability to viruses, hacking and inappropriate use of shared information, and you should consider these carefully when selecting a workplace IM provider.

Similarly, you will need to take steps to keep your security protections up to date. If staff use their own devices for work purposes, or you operate a BYOD policy, you will equally need to remind staff to keep their spyware and security software updated.

Data protection and General Data Protection Regulation 2016 (GDPR)

When selecting your workplace IM system (hardware and software), do also consider the data protection implications. Aside from a duty of care owed to employees and others whose data you process, GDPR and the UK's Data Protection Act 2018 impose clear obligations with regard to the processing of personal data. This would include the processing, storage and review of IMs as well as providing the right of individuals to access such personal data amongst other individual rights. Data transfers are a particular sensitivity, as a number of the larger workplace IM providers are US-based – so do check the terms and conditions in place for such providers.

Employers will need to ensure that such systems are operated and maintained in a compliant manner, and that appropriate notifications are made. Compliance with data protection legislation is an important consideration, particularly in light of the significant sanctions under GDPR.

Informality v workplace-appropriate: "it's private" and "it's just banter"

Work-related IMs can give the impression that conversations or posts on such platforms are in some way private or confidential, despite the workplace connection, and employees are often under the impression that IMs are somehow subject to different rules.

As result employees may be less appropriate that they would otherwise be on more traditional workplace communications systems such as emails – the general principle being the less formal the medium, the more informal staff may be.

There is a balance to be struck between encouraging staff to communicate openly whilst behaving appropriately. Employers should remind staff that the messages will be recorded on the company's servers, and make clear what you consider to be inappropriate conduct.

"It's just banter" is the explanation no HR team wants to hear. A good rule for staff to apply is that it is only fun if everyone is (genuinely) laughing – if it doesn’t meet this test, don't type it. Workplace IM systems should not be the place for employees to rank their colleagues in order of attractiveness, comment on the appearance of colleagues, or speculate about their love lives (not that they should be doing this anyway) and this should be spelt out to employees on a regular basis.

Educating staff and ensuring participation

Having selected your workplace IM system, you will need to think about how to encourage staff to use it – after all, if half your sales team are using IMs and half are using traditional emails, this may create more problems that the system solves.

Some staff members may not be as comfortable using IMs as others, so you will need to provide training and support to ensure that team members are not inadvertently excluded. Similarly, consider how to deal with deliberate exclusivity and 'underground' groups. As with a verbal conversation, team members who are not part of a group may feel excluded and this can lead to further management issues. On the basis that this is a workplace system, any inclusion / exclusion should be for work-related reasons only.

Practicalities – do you want IMs to replace emails?

Consider what you want to staff to use IMs for and how you want them to approach this. Is it intended that all communications should be done via IMs, or will IMs only supplement email messages? Do you want to encourage staff to structure this in projects, in order to streamline communications? How will you manage IM 'noise'? Whichever approach you take, communicate this clearly to staff.

Support staff in using IMs

Employees may feel overwhelmed or become easily distracted by constant pop-ups, and it can become difficult to focus (or get staff to focus) on the tasks at hand. They are also more likely to engage in lengthy conversations (more common with IMs which can feel more like a conversation as compared to emails, for example, which are naturally more stilted).

Guidance to staff on how to use IMs and the features of the tech you choose will help in supporting staff to manage and get the most out of IM tech whilst limiting these risks. Features such as status messages, blocks, mute buttons and so on are key in managing team interactions. If staff warn of feeling anxious or stressed, consider IM management as one aspect of supporting them.

Employee management

Lync, Whatsapp and Slack messages, amongst others, are increasingly put forward as evidence in grievance and disciplinary processes. The basic principles here are (i) if you can't control or monitor messaging tools, you may still be responsible / liable if it relates to the workplace, (ii) if you don't tell staff not to do something, it is difficult to discipline them for doing it, and (iii) if you don’t tell staff you are going to collect and use information in a particular way, you will find it difficult using that information in that way.

If you already have policies which set out acceptable / non-acceptable behaviour (eg Equal Opportunities / Disciplinary, IT and Comms or Internet / Email Usage policies), simply remind staff that these policies apply to IMs. You need to make clear to staff that breach of these policies using IMs may be treated as a disciplinary offence, and that IMs may be used as evidence in employee management processes.

Underground groups and inappropriate conduct

We have seen a growing number of claims where the employee claims they were excluded from an IM group where inappropriate comments, porn or other unsuitable matter was shared. Employees in general do not understand the potential consequences and liability that attaches to such behaviour where the conduct takes place on a private phone and outside office hours – discrimination law doesn’t draw any such distinctions.

Even where the employer has no knowledge or access to such messages, the employer may also be deemed liable. Employers owe a duty of care to their employees, and if the conduct complained of has an impact on the working relationship between staff (which it invariably does) this can become a workplace matter that an employer has to manage.

Create a "no bystander" culture

If inappropriate conduct occurs on a personal phone or a limited Whatsapp group, for example, an employer relies on proof of inappropriate behaviour in order to take action.

Employers cannot force staff to hand over their personal phones as part of an investigation, and whilst it can draw inferences from their refusal to do so, the impact of this is limited. Employers need to work to create an environment or culture where staff are willing and feel able to call out inappropriate conduct and provide their employer with sufficient grounds to investigate, whilst guarding against tit for tat and witch-hunt type behaviours.

IMs are evidence

Unregulated IM systems are the Wild West of staff communications. As a general rule, IM messages can potentially be evidence as far as employment tribunals and courts are concerned. The difficulty for employer comes in seeking disclosure of relevant messages.

  • If IMs are communicated using a company system, with a clear policy that states such messages may be disclosable as evidence etc., such messages should be relatively easy to access and retrieve.
  • Where IMs are sent using personal devices and/or not using a work-sanctioned IM system, the employer is unlikely to be able to retrieve or force employees to provide such data, particularly in the absence of a clear IM policy. Employees have a right to privacy, and may have an expectation of privacy based on staff handbooks, terms of use and other employer communications.

Employers could find themselves in a position where they are required to provide these communications, but cannot obtain them without breaching their duties towards other employees. Where employees routinely use Whatsapp, employers should note that this is an encrypted form of communication which adds to the complications.

Subject access requests

If you implement an IM system, it is likely you would be expected to search this as part of a subject access request, which is why it is important to impress on staff what you expect of them. From a compliance perspective, employers should take into account the need for quick access to IMs and historic IM conversations – both in order to investigate complaints and incidents, and to respond to subject access requests. Failure to comply would fall within the higher tier of fines under GDPR, irrespective of any other sanctions that may apply.


It is possible to monitor IMs provided that you (i) can identify a legal basis on which to process messages in this way, (ii) do so in a matter consistent with data protection legislation (which includes appropriate security protocols and restricted access), and (iii) tell staff you are going to do so and inform them of the potential consequences such as disciplinary action.

Confidential information

Given the security and other risks identified about, employers should encourage staff not to use IMs to discuss confidential or sensitive information. This is particularly the case for regulated employers. Not only is there a risk of a leak or that old conversations could be hacked, but the reputational and regulatory implications of this happening could be serious. Employers will have limited defences unless they can show they took steps to instruct employees not to do so.

What steps should employers take?

To give employers a better position from which to (i) use such communications as evidence, (ii) discipline employees for inappropriate IM use, (iii) manage data protection risks, and (iv) protect their reputation, employers should:

  • consider their approach to workplace-related IMs
  • where relevant, select an appropriate workplace IMS system
  • have a clear policy on the use of IMs in or related to the workplace and update terms of use and acceptable use policies for work devices, setting out the employer's position and approach
  • provide appropriate training to staff
  • ensure that managers, supervisors and HR teams have received appropriate training in relation to handling complaints and issues arising in relation to IMs
  • ensure that key policies (including disciplinary and equal opportunity policies) are communicated regularly to staff and easily available whether on an intranet, in a handbook or elsewhere.