Grey matters ethical dilemma: Message received

Rob, an investment manager, becomes concerned after receiving a confidential work-related document via social media. What should he do?

grey-matters_1920
We are currently recruiting for members to join the Disciplinary Panel and Appeals Panel.

Should you wish to register your interest please send a CV and cover letter to standards@cisi.org

Rob is an investment manager who has recently joined AB International Investing, a mid-size fund management organisation, where he works directly with clients to help them achieve their financial goals.

Rob’s firm has recently made the decision to downsize its office space, so many of the staff are now based remotely and travel to the office once or twice a week. Working remotely, Rob and his team now schedule more video calls with clients and use certain platforms to share information securely.

One morning Rob receives an email from his client Kiran asking for an urgent callback. Kiran is six hours ahead of Rob and needs to speak to Rob before the end of her working day. Rob tries to send Kiran a video call link, but it does not go through as his internet connection is slower than usual. He notices a missed call from Kiran on both his business and personal phones. The signal on his business phone this morning has also been inconsistent, so he calls Kiran back from his more reliable personal phone.

While on the call, Rob notices that he is having internet server issues, his emails are not being updated and he cannot access any client information remotely. Kiran needs to send him a signed document containing confidential data urgently. Rob tries to restart his laptop while on the phone, but as Kiran is on a deadline, she decides the best way to get Rob the data is to send it to his business phone directly via WhatsApp. The attachment comes through after a few minutes and Rob downloads the form, saves it, and emails it to his colleague for filing.

Kiran decides the best way to get Rob the data is to send it to his business phone via WhatsApp

The next month Rob and his colleagues are invited to a ‘lunch and learn’ held by the data protection team at his firm. The meeting focuses specifically on dealing with clients in the new remote settings. The data protection officer says that information must be recordable and auditable, which Rob and his team are familiar with, and speaks about the various types of data breaches.

Rob considers his interaction with Kiran the prior month and whether he is in breach of the FCA Senior Managers and Certification Regime (SMCR) ‘acting with due care and diligence’ and ‘observing proper standards of market conduct’, which is also part of his professional body Code of Conduct.

Rob’s tensions continue to rise as he reads about a competitor’s firm stating that they were victims of a data breach. The press release states that those impacted will be contacted in due course and measures have been put in place to ensure it does not happen again. Rob is feeling anxious and speaks to a colleague about his communication with Kiran. He is advised to speak to his manager.

Following the firm’s internal speak up protocol, he raises the issue with his manager, and his manager replies reassuringly, “WhatsApp is encrypted, and I get sent stuff like that all the time! Do not worry about it, and nothing needs to be reported to anyone – so let’s keep it between us”. Rob is meant to be feeling better about the situation after speaking up but on checking his professional body’s SMCR toolkit, Rob still feels uneasy. He does not know if it warrants further action.
Readers were asked what Rob should do next (voting is now closed). The options were:

  1. Agree with his manager. The data transfer over WhatsApp took place over a month ago. There is nothing more that can be done right now.
  2. For his own peace of mind, Rob should ask Kiran if she deleted the document on her WhatsApp to ensure there will be no further data issues.
  3. Rob should speak to the data protection officer casually without giving any specific details, as he does not want to be seen to be contradicting his manager.
  4. Rob should report his manager to the data protection officer, as he knows something does not feel right and his manager’s inaction is incorrect.
This dilemma appears in the March 2022 edition of The Review magazine. The CISI's opinion and voting results will be published in the September 2022 edition.
Published: 16 Dec 2021
Categories:
  • Wealth Management
  • Training, Competence and Culture
  • Integrity & Ethics
Tags:
  • WhatsApp
  • grey matters ethical dilemma
  • Covid-19
  • Code of Conduct

No Comments

Sign in to leave a comment

Leave a comment