Old-school company intranets are like soooo boring. Why not juice things up? Sure, we’ll keep the one-directional content (employee policies, company announcements, etc.), but let’s add a dynamic platform for employee interactive training modules, capturing employee responses and quiz results. Why stop there – how about a message board for employees, to turn dull company communications into an energized conversation? And in today’s mobile world, shouldn’t we enable remote access from anywhere our employees happen to be, 24/7? What could possibly go wrong?
Well … a whole lot will go wrong, unless the company first applies an information governance perspective. So let’s ask a few questions to explore what information risks and compliance issues are at play.
What information is involved, owned by whom, and in whose custody?The site’s information includes (1) company policies and announcements; (2) training content and employee responses; and (3) employee message board posts. Such information likely will not include information specifically protected under law, such as PII. But site information may otherwise be sensitive or business confidential; it may include official company records; and it could be discoverable in litigation. While the company policies and communications clearly are owned by the company, there should be similar clarity about company ownership of all content submitted by employees. The company needs the right to access and disclose such information, and employees should have no reasonable expectation of privacy in their submitted content. If the site is cloud-hosted, there must be clarity about data ownership. Contract terms with the host should also clarify responsibilities and allocate risks on each of the points below. The company should do appropriate due diligence in selecting the host, obtaining reasonable assurance of the host’s capability to perform. Ongoing service provider oversight is also prudent.
What privacy requirements and risks are involved?There’s no business need for this site to contain employee PII, and posting of such protected information should be avoided through warnings to employees (upon initial registration, session login, or posting) not to disclose sensitive personal information on the board. The company can also use an administrator to watch for such content while otherwise screening posts.
What data security requirements and risks are involved?The intranet site could be a security vulnerability, largely due to remote access. While the expected content is not ultra-sensitive, the site could be an entry point for a broader incursion. The company should establish appropriate access controls, including a username and password for each individual employee, to be reliably terminated once the employee leaves the company. Sharing of site login information with outside parties must be prohibited, and employees should only access the portal through a secure internet connection. And appropriate architecture should reasonably segregate the site from the rest of the company network. If the site is externally hosted, the security posture of the third-party host must be addressed though selection due diligence, contract terms, and oversight.
What operational requirements and risks are involved?The site will now have more burdensome traffic for training module interaction and message board use. Performance requirements must be identified and met. If the site will be externally developed or hosted, contract terms should clearly specify performance requirements for such matters as upload capability, use and storage capacity, and disaster recovery restoration.
What labor and employment requirements and risks are involved?Employee activity on the site, such as when the training modules are used, could create wage and hour issues under the Fair Labor Standards Act. The company should use policies and training to address which activities on the site are compensated and when use of the site is expected. Employee access to the site while on leave could lead to exposure under the Family Medical Leave Act. Policies and supervisor training should clarify that employees on FMLA leave must not be required to do work, including use of the site and its training modules. Site access can also be removed for employees on such leave. Message board postings that are discriminatory, harassing, defamatory, threatening, or create a hostile work environment will create workplace exposures. Policies should define prohibited content, authorize disciplinary action, and be consistently enforced. Administrative screening or monitoring for content policy violations is also important, with the company providing both notice of such screening and training for those performing it. An anonymous reporting and whistleblower procedure for suspected violations of the policy and workplace laws is also a consideration. If the workforce is susceptible for unionization, the intranet message board could become a prime vehicle for organizing. Message board control policies can also create exposures under the National Labor Relations Act, through impermissible restrictions on employees’ ability to discuss wages, hours, conditions of employment, or union organizing efforts, regardless of whether the workplace is currently unionized. Use policies and any administrative screening of content must be handled in a way that does not affect or restrict an employee’s rights under NLRA Section 7 to participate in protected concerted activity.
What records & information management requirements and risks are involved?Record-worthy site content must be retained for as long as legally required and business-valuable, consistent with the company’s Retention Schedule. Different retention periods will likely apply to company policy content, training content, individuals’ training results, message board posts, and rejected posts. The site’s systems must be capable of applying differential retention rules and ensuring effective, timely disposal. And back-up processes should not unnecessarily prolong the overall retention of the content. To avoid confusion between policy versions, printed copies of intranet-housed official policies should bear a legend such as: “Paper copies are uncontrolled and not the official version of this policy. This copy valid only at the time of printing.” If the site is third-party hosted, contract terms should address data ownership; integrity, availability, and disaster recovery restoration; compliance with the company’s retention rules for both active and back-up data; and protocols for handling of the information once the service provider relationship ends.
What litigation preservation and discovery repercussions and risks are involved?The company’s legal hold process must apply when needed to the site’s information, so that retention rules can be superseded by applicable legal holds. And the logistical means of preservation must be established, avoiding over-preservation and ensuring timely preservation in an appropriate data format. If a third party hosts or administers the site, the information may nevertheless be deemed to be in the company’s “control” for preservation and discovery purposes. Contract terms should ensure that the company’s directions are followed when content must be preserved under legal hold; that the host can avoid overly broad preservation; and that the information can timely be obtained by the company in the desired review format, at appropriate cost.
This is an abbreviated exercise of the IG perspective under U.S. law, but you can see how it surfaced a variety of issues, requirements, and risks. Significant value may indeed be realized by this social media intranet initiative. But that potential value must be balanced against information compliance, cost, and risk. The IG perspective helps your company make an informed decision on how such issues will be handled, before the initiative gets a green light.