Consumer messaging apps among project teams: thumbs up or thumbs down?

Whatever you may have heard to the contrary, consumer messaging apps – WhatsApp, Telegram, Messenger – are still widely used as construction site communications and management tools across the majority of UK projects, big and small. WhatsApp is a likely second to Microsoft Office.

But as we enter the golden thread age of information management in construction, the use of consumer messaging apps for site management has fast become one of the riskiest practices in construction.

WhatsApp, for example, is undeniably a brilliant consumer messaging platform, with nearly 2 billion people using it daily to communicate with friends and family, collaborate on social activities, and to share videos, recipes, stories and more. It’s ease of use and simplicity has made it the go-to communications solution, replacing text and phone calls in the personal context. And in recent years, replacing other communications platforms in a professional context.

The blurring of the professional and personal use on consumer messaging apps, hastened during the pandemic as workers were at home, has transported them into the realms of workplace communication, with challenging long-term impacts for many organisations in many sectors.

Earlier this autumn, the US banking sector came under fire from authorities for the use of WhatsApp – or unauthorised messaging apps – within the banking profession. The $2bn fine handed out to some of the biggest brands in banking, is a stark reminder of the critical importance of record keeping in highly regulated sectors. The UK construction sector should take heed of this lesson from across the pond, particularly following the Building Safety Act (BSA). It cannot be long before the same level of scrutiny will apply to organisations operating in the built environment.

Consumer messaging apps have become the de facto communication tool on projects because existing systems are simply not fit for purpose in sharing quick updates to a group of people and easily attaching photos, videos and other media. Construction site teams are typically provided with Microsoft Office products to use for site management, communication and collaboration. In principle, these are fine within the office, but they invariably fall short out in the field or when working with other companies across the supply chain, where those third parties do not have access to your company’s IT solutions.

Many digital communications tools were designed for filling in reports, which only ended up in a SharePoint graveyard, rather than being leveraged and re-utilised for efficiency improvements, risk management and real-time reporting.

For far too long, digital site tools have been too clunky, or too expensive to be adopted at any scale on site. In this tech gap, consumer messaging apps evolved to fill a much-needed role. But we can be clear that reliance on such apps is now a potential risk – of legal or even criminal extent – that can no longer be ignored by those in charge of construction projects.

Using consumer messaging apps to keep abreast of project updates, manage critical works, or organise works, does present potential breaches across a number of critical policy and regulatory areas, including the DPA 2018, GDPR, BSA. In the case of ISO 9001:2105, breaches can impact your organisation’s quality management systems, cyber security and other IT policies.

The key issues of compliance are in these three areas of data management: data storage and portability; data control; and data protection.

Material shared via consumer messaging platforms resides on each individual user’s device and not centrally in a company’s information management system or common data environment.

These consumer apps are not built or designed for integration with other systems for recording keeping. This was highlighted this summer when the Information Commissioner’s Office called for a review into the use of private email and messaging apps within government, referring to the systemic risk in important information being lost or insecurely handled. In this way, it breaches the basics of ISO 9001:2105 and the project’s golden thread in the BSA. So, should anyone leave a project, they take the organisation’s data with them.

In the case of WhatsApp, each user is a data controller in their own right, which conflicts with GDPR – organisations must be able to keep a record of permissions from people whose data is being stored. GDPR compliance is pushed down to each individual user to enforce without giving them the tools to manage as a data owner or processor.

Importantly, on the issue of historic data and record keeping for the golden thread, any WhatsApp user can delete their information at any time, thus invalidating it as an immutable source of a project’s audit trail. The potential to lose critical data is not only very high, it is very likely. We know from our own site experience on major projects as recent as three years ago, that it is an all-too-familiar occurrence.

Not knowing who has legal right to the data, or not having the ability to consolidate all of a project’s data into one central record repository means there can never be one source of the truth. Ideally, every organisation should be able to own and manage their own data, which is only going to become more important as the industry adopts open standards.

Data protection, FOI, Right to be Forgotten and GDPR compliance are grey areas that no company wants to find itself in. Looking beyond the impact of site management via consumer messaging apps, the risk applies across any number of corporate issues, from bullying in the workplace, to contractual or legal disputes, or even data privacy of people unrelated to a project (e.g. local residents, community groups etc).

Communicating or collaborating via consumer messaging apps poses significant risk as each individual user is a data owner in their own right, and responsible for GDPR compliance. In the case of WhatsApp, user data is transferred within the Meta group (Instagram, Facebook etc) to countries such as US, UK, Ireland, Germany, Spain and Singapore and their privacy shield principles are subject to the investigatory and enforcement powers of the US government.

It is key to look at where businesses are based and critically, where project data is stored and processed, to ensure any data complies with a business’s legal obligations or internal governance processes and procedures.

Looking beyond the regulatory environment shaped by the BSA and considering the challenging economic landscape that is on the immediate horizon, organisations operating in the built environment or construction require a level of commercial defensibility and risk management that we, as a sector, are simply not yet capable of navigating – especially when so much data sits in private messaging apps.

The capture, management and security of data is critical to the long-term resilience of organisations operating in the built environment or construction, and failure to comply can have long-term legal and indeed, criminal implications. We must therefore regard the use of consumer messaging apps on sites with a high level of scrutiny and scepticism, lest we miss the lessons from the US, where authorities have underscored the vital importance of trust and record keeping to the tune of $2bn in fines.

Simply put, effective information management will be the measure against which companies will either survive in the coming years, or sail into extinction on a boat emoji.

John Ryan is CEO and co-founder of SymTerra.

Don’t miss out on BIM and digital construction news: sign up to receive the BIMplus newsletter.