Establishing Parameters and Protocols around Employee Use of Instant Messaging Tools
By Patricia Yeung, Partner, Howse Williams, Hong Kong


  • While instant messaging (IM) has become the preferred platform for work-related communication, it is easy for users to overlook the legal risks, and the risk of disclosing sensitive information, associated with it.

  • When crafting communications policies, it is important that employers include guidelines for using IM to ensure that staff are aware of compliance and legal policies.

Instant messaging platforms such as WhatsApp and WeChat are increasingly rendering other forms of communication obsolete. In a business context, most customers and clients now expect an immediate response to their communications from the employees with whom they are dealing. These exchanges frequently take place via the employees' personal mobile devices and sometimes outside office hours, and IM platforms are the overwhelmingly preferred medium. IM platforms have therefore become a workplace staple, and most employers regard them as necessary business tools.

While the advantages of IM platforms are obvious, they also carry a number of hidden risks. The perceived informality of the medium, and the expectation of a rapid response, lead to abbreviated and imprecise language. Employees also face increased stress and pressure from having to be constantly "on call", and this can lead to mistakes. One important issue that employers often overlook, however, is the difficulty that arises when the employer requires access to information that is stored on IM platforms in order to investigate the employee's actions.

The need for such an investigation may be triggered by a complaint or tip-off by a customer, client, or fellow employee, by enquiries from a regulator or prosecuting authority, or (increasingly) by an anonymous complaint. The investigation may concern the employee's conduct towards other employees, alleged failure to comply with company policies, potential misuse of confidential information, or even potential fraud or dishonesty.

There is little statutory regulation concerning the process of carrying out an investigation in Hong Kong, but there are some limitations on what the employer can do. Hong Kong's Personal Data (Privacy) Ordinance (PDPO) restricts access to, and use of, employees' personal data. Employees are increasingly aware of their privacy rights and will sometimes exploit them to avoid detection. They may also destroy information stored on devices (once deleted, information on IM platforms is virtually impossible to retrieve). Some employees will even resort to "losing" their devices. As a result, employers frequently face difficulties obtaining access to information on their employees' personal mobile devices. Investigations can be obstructed or even frustrated because employers have not anticipated these issues. Below are some suggested steps that employers can take to put themselves in a better position when investigating their employees' actions.

Practical steps employers can take to facilitate investigations

By providing employees with the electronic devices (ie, mobile phones and/or laptop computers) necessary for the employee to perform their duties, employers retain a much greater degree of control over the information on those devices. Employers can direct employees to use them solely for work-related matters and communications and regulate the use of IM platforms on them. As the devices remain the property of the employer, employers can demand access to them. Employers can also remotely monitor employees' use of their computer network. This is a very useful method of detecting certain kinds of misconduct.

Employers should still bear in mind that there are limits on the extent to which they can access devices issued to their employees. While they can, for instance, insist on access to chats on work-related matters, they should not attempt to view personal communications or information which is stored on these mobile devices. The monitoring of work devices should be for the purpose of protecting the safety of employees, business assets, intellectual property and other proprietary rights.

It is therefore vital that employers have policies in place that regulate the use of devices issued to employees, and that spell out employees' rights of access to mobile devices. This will greatly facilitate the investigation process and reduce the risk of the investigation being obstructed by privacy issues.

Implement bring-your-own-device policy

Some employers do not issue their employees with mobile devices, often due to the cost involved. Employees are expected to use their own devices for work purposes. In this situation, employers should consider implementing a formal bring-your-own-device (BYOD) policy to ensure that protective measures are in place.

The policy should stipulate, among other things, the acceptable use of the relevant device, expectations of privacy and the employer's right of access to the content on the device (including content within IM platforms).

The following provisions may be useful for employers to consider when drafting a BYOD policy:

  • Where employees use their personal devices for work-related matters, such devices should be submitted to the IT department for approval and safety configuration.

  • Employees should not be permitted to use an unapproved personal device for work-related matters.

  • In addressing the use of IM platforms for work, employers should define the acceptable use of IM platforms both in the workplace and in client communications.

  • Employers may limit or prohibit certain types of documents or information that employees are allowed to transmit (including sending and receiving) on the IM platforms.

  • Employers should reserve the right to inspect, access or wipe out content on employees' personal devices, to the extent permitted by law.

  • Employers may stipulate a reasonable time limit within which the contents obtained from employees' personal devices may be stored.

  • The use of such content should be confined to the legitimate purpose of protecting the employer's business interests, such as for investigation or litigation.

Dealing with proprietary rights in employment contracts

As a general principle, employers own the intellectual property created by their employees in the course of their employment. Addressing the ownership of such products and materials will reduce the scope for disputes, and most employers include an IP clause in their terms of employment (either in the employment contract or the employment handbook).

The IP clause should expressly extend to anything which employees create that is stored on a mobile device, including the contents of an IM platform. This will again facilitate the investigation process by reducing the scope for employees to object to handing over documents and material stored on their device.

Draft a formal agreement with customers/clients regarding IM platforms

It is highly desirable for employers to have an express agreement with their customers and clients which sets out the basis upon which communication via IM platforms will be used. Ideally, the employer should try to limit the extent to which it is legally bound by these kinds of communications, but in practice this may be difficult (and some businesses use WhatsApp and WeChat to enter formal contracts). It should nevertheless be possible to regulate what kind of communications and information can be transmitted.

In the context of an internal investigation, having this kind of agreement in place will assist employers in identifying unusual or inappropriate communications. It will also mean that customers and clients are more likely to notify employers about any questionable communications or conduct.

Important points to consider before commencing an investigation against an employee

Investigations should be kept confidential in order to protect employees' personal data. Maintaining confidentiality will also reduce the risk of employees becoming aware of the investigation and deleting or tampering with information (such as WhatsApp or WeChat messages) from their mobile devices.

Preservation of evidence

It may be advisable to require employees to hand over their personal devices at an early stage in order to prevent the loss of evidence. Where this potentially involves accessing employees' personal data, there will need to be an arrangement to ensure that this is protected.


In cases of suspected misconduct, it may be necessary to monitor employees' communications (including their chats on IM platforms). Employers should ensure that the relevant policies are in place to permit this, and that the monitoring does not breach employees' privacy rights.

Legal advice

Internal investigations can take an unexpected turn, and employers may encounter unfamiliar and difficult issues. It is prudent to involve in-house counsel or external lawyers in the investigation, to ensure that the investigation does not become derailed by (among other things) allegations of breach of privacy laws. The additional advantage is that communications in relation to the investigation are generally protected by legal professional privilege (and therefore do not need to be disclosed to employees). This could be particularly important for employers engaged in a complex investigation that involves sensitive business information.


PR 20 January, 2023