Most organisations have implemented a policy governing the use of IT. This includes a requirement that staff must not use corporate IT for personal reasons, nor personal IT for corporate reasons.
The Information Commissioner's Office recently looked into this issue of failing to compartmentalise communications. It identified concerns about such use during the pandemic. Department of Health and Social Care ministers and staff were making extensive use of private correspondence channels. The ICO recognised the value of using WhatsApp and private emails. But it warned that the DHSC didn't have appropriate organisational or technical controls in place to ensure effective security and risk management. One example it gave was that the DHSC didn't know which third-party servers were being used to hold personal data.
The ICO reprimanded the DHSC under UK GDPR. It now requires improvements to processes and procedures around the handling of personal information. It is also pushing for the government to set up a separate review. This should identify how to benefit from new technologies while protecting data.
Private businesses don't face the same requirements as government over freedom of information or transparency. But private businesses must keep data secure. This is a timely reminder that businesses should beware of and prevent the use of private messaging for work.