As digital communications become central to workplace investigations, organisations face a growing challenge: how to balance the need for transparency with the legal rights to privacy. In our recent webinar, Behind the Screens, legal expert Christine Young and digital forensics specialist Jim Vint unpacked the complex legal landscape surrounding WhatsApp, Signal, and other messaging platforms.
The legal landscape: what employers need to know
Christine Young, Partner at Herbert Smith Freehills Kramer LLP, highlighted five key legal risks when accessing digital messages on personal devices:
- Record keeping
  Messages on personal devices aren’t stored on company systems, making it difficult to maintain a reliable audit trail – especially in regulated industries.
- Data protection
  Employers lose control over how data is stored, used, or deleted when it sits outside their infrastructure.
- Confidentiality
  Sensitive business information on personal devices may be exposed or mishandled without the employer’s knowledge.
- Reliability of evidence
  Messages can be edited, deleted, or selectively shared. Without a full audit trail, it’s hard to verify authenticity.
- Regulatory risk
  Organisations can face fines for failing to retain or monitor off-channel communications. Christine cited Morgan Stanley’s £5.4 million fine by Ofgem for failing to record WhatsApp messages exchanged by traders.
Privacy rights vs. business needs
Employees often cite Article 8 of the European Convention on Human Rights (right to private life) when resisting access to personal messages. But as Christine explained:
“Just because someone says ‘this is private’ doesn’t mean it’s off-limits. If it’s a business communication, or relevant to an investigation, employers may have a legitimate interest in accessing it.”
The key is proportionality. Employers must:
- Limit searches to what’s necessary
- Use the least intrusive method
- Clearly document the rationale and process
Practical guidance for investigators
Jim Vint, Managing Director at Secretariat, added that many messaging platforms use peer-to-peer delivery, meaning messages exist only on the devices themselves – not on servers. This makes traditional preservation tools ineffective and increases the need for forensic expertise.
“The earlier you bring in forensic experts – internal or external – the better. They help validate data, preserve metadata, and maintain chain of custody.”
Christine also stressed the importance of having clear policies in place:
- BYOD (Bring Your Own Device) policies
- Privacy notices explaining how data may be accessed
- Training for managers and employees on acceptable use
Takeaway for employers
To navigate the legal risks of digital evidence:
- Update your policies to reflect modern communication tools
- Train your teams on privacy, proportionality, and data handling
- Engage legal and forensic experts early in the investigation process
- Document everything to protect against future challenges