While instant messaging (IM) has become the preferred platform for work-related communication, it is easy for users to overlook the legal and disclosure of sensitive information risks associated with it.
When crafting communications policies, it is important that employers include guidelines for using IM to ensure that staff are aware of compliance and legal policies.
Instant messaging platforms such as WhatsApp and WeChat are increasingly rendering other forms of communication obsolete. In a business context, most customers and clients now expect an immediate response to their communications from the employees with which they are dealing. These exchanges frequently take place via the employees' personal mobile devices and sometimes outside office hours, and IM platforms are the overwhelmingly preferred medium. IM platforms have therefore become a workplace staple, and most employers regard them as necessary business tools.
While the advantages of IM platforms are obvious, they also carry a number of hidden risks. The perceived informality of the medium, and the expectation of a rapid response, leads to abbreviated and imprecise language. Employees also face increased stress and pressure from having to be constantly "on call", and this can lead to mistakes. One important issue that employers often overlook, however, is the problems that arise when the employer requires access to information that is stored on IM platforms in order to investigate the employee's actions.
The need for such an investigation may be triggered by a complaint or tip-off by a customer, client, or fellow employee, by enquiries from a regulator or prosecuting authority, or (increasingly) by an anonymous complaint. The investigation may concern the employee's conduct towards other employees, alleged failure to comply with company policies, potential misuse of confidential information, or even potential fraud or dishonesty.
There is little statutory regulation concerning the process of carrying out an investigation in Hong Kong, but there are some limitations on what the employer can do. Hong Kong's Personal Data (Privacy) Ordinance (PDPO) restricts access to, and use of, employees' personal data. Employees are increasingly aware of their privacy rights and will sometimes exploit them to avoid detection. They may also destroy information stored on devices (once deleted, information on IM platforms is virtually impossible to retrieve). Some employees will even resort to "losing" their devices. As a result, employers frequently face difficulties obtaining access to information on their employees' personal mobile devices. Investigations can be obstructed or even frustrated because employers have not anticipated these issues. Below are some suggested steps that employers can take to put themselves in a better position when investigating their employees' actions.
Practical steps employers can take to facilitate investigations
By providing employees with the electronic devices (ie, mobile phones and/or laptop computers) necessary for the employee to perform their duties, employers retain a much greater degree of control over the information on those devices. Employers can direct employees to use them solely for work-related matters and communications and regulate the use of IM platforms on them. As the devices remain the property of the employer, employers can demand access to them. Employers can also remotely monitor employees' use of their computer network. This is a very useful method of detecting certain kinds of misconduct.
Employers should still bear in mind that there are limits on the extent to which they can access devices issued to their employees. While they can, for instance, insist on access to chats on work-related matters, they should not attempt to view personal communications or information which is stored on these mobile devices. The monitoring of work devices should be for the purpose of protecting the safety of employees, business assets, intellectual property and other propriety rights.
It is therefore vital that employers have policies in place that regulate the use of devices issued to employees, and that spell out employees' rights of access to mobile devices. This will greatly facilitate the investigation process and reduce the risk of the investigation being obstructed by privacy issues.
Implement bring-your-own-device policy
Some employers do not issue their employees with mobile devices, often due to the cost involved. Employees are expected to use their own devices for work purposes. In this situation, employers should consider implementing a formal bring-your-own-device (BYOD) policy to ensure that protective measures are in place.
The policy should stipulate, among other things, the acceptable use of the relevant device, expectations of privacy and the employer's right of access to the content on the device (including content within IM platforms).
The following provisions may be useful for employers to consider when drafting a BYOD policy
Where employees use their personal devices for work-related matters, such devices should be submitted to the IT department for approval and safety configuration.
Employees should not be permitted to use an unapproved personal device for work-related matters.
In addressing the use of IM platforms for work, employers should define the acceptable use of IM platforms both in the workplace and in client communications.
Employers may limit or prohibit certain type of documents or information that employees are allowed to transmit (including sending and receiving) on the IM platforms.
Employers should reserve the right to inspect, access or wipe out content on employees' personal devices, to the extent permitted by law.
Employers may stipulate a reasonable time limit within which the contents obtained from employees' personal devices may be stored.
The use of such content should be confined to the legitimate purpose of protecting the employer's business interests, such as for investigation or litigation.
Dealing with proprietary rights in employment contracts
As a general principle, employers own the intellectual property created by their employees in the course of their employment. Addressing the ownership of such products and materials will reduce the scope for disputes, and most employers include an IP clause in their terms of employment (either in the employment contract or the employment handbook).
The IP clause should expressly extend to anything which employees create that is stored on a mobile device, including the contents of an IM platform. This will again facilitate the investigation process by reducing the scope for employees to object to handing over documents and material stored on their device.
Draft a formal agreement with customers/clients regarding IM platforms
It is highly desirable for employers to have an expressed agreement with their customers and clients which sets out the basis upon which communication via IM platforms will be used. Ideally, the employer should try to limit the extent to which it is legally bound by these kinds of communications, but in practice this may be difficult (and some businesses use WhatsApp and WeChat to enter formal contracts). It should nevertheless be possible to regulate what kind of communications and information can be transmitted.
In the context of an internal investigation, having this kind of agreement in place will assist employers in identifying unusual or inappropriate communications. It will also mean that customers and clients are more likely to notify employers about any questionable communications or conduct.
Important points to consider before commencing an investigation against an employee
Investigations should be kept confidential in order to protect employees' personal data. Maintaining confidentiality will also reduce the risk of employees becoming aware of the investigation and deleting or tampering with information (such as WhatsApp or WeChat messages) from their mobile devices.
Preservation of evidence
It may be advisable to require employees to handover their personal devices at an early stage in order to prevent the loss of evidence. Where this potentially involves accessing employees' personal data, there will need to be an arrangement to ensure that this is protected.
In cases of suspect misconduct, it may be necessary to monitor employees' communications (including their chats on IM platforms). Employers should ensure that the relevant policies are in place to permit this, and that the monitoring does not breach employees' privacy rights.
Internal investigations can take an unexpected turn, and employers may encounter unfamiliar and difficult issues. It is prudent to involve in-house counsel or external lawyers in the investigation, to ensure that the investigation does not become derailed by (among other things) allegations of breach of privacy laws. The additional advantage is that communications in relation to the investigation are generally protected by legal professional privilege (and therefore do not need to be disclosed to employees). This could be particularly important for employers engaged in a complex investigation that involves sensitive business information.
僱主最好與顧客和客戶訂立明確協議，闡明透過即時通訊平台進行對話的各項原則。在理想情況下，僱主應盡量限制在法律上，受此類通訊約束的範圍，但在現實環境中，這卻談可容易（有些企業使用 WhatsApp 和微信來簽訂正式合約）。儘管如此，僱主應可以規管傳送的訊息類別。
調查必須保密以保護員工的個人數據。保密還可減低員工在得知調查后刪除或篡改其流動裝置訊息（例如 WhatsApp 或微信訊息）的風險。