Summary and implications

Increasingly, employees use social media forums such as Twitter, Facebook and LinkedIn and increasingly such use blurs the distinction between personal and working life. Earlier this month, the Press Complaints Commission (PCC) ruled that a civil servant’s comments on Twitter regarding her work and personal life were ‘public’ and, therefore, ‘published’. This follows a number of other cases ranging from using information on Facebook in recruitment decisions to ownership of forums’ contact lists.

There are wide-ranging implications for your business from employees’ use of such media – and steps you can and should take to safeguard your business. The starting point is to communicate to employees and other staff the organisation’s clear and comprehensive policy on use of social media forums. This should outline the following:

  • Reputation and image: set out clearly whether and to what extent you allow employees to comment on their working life in cyberspace. A customer-focused business will reasonably prohibit any derogatory comments about customers. A manufacturing or retail organisation will want to avoid any and all ‘Ratner jewellery’-like comments.  
  • Confidential information: your staff need to know what information is confidential – this is good practice not only in relation to social media forums. Make sure you update guidance on confidentiality regularly since, once information is in the public domain, you may not be in a position to claim confidentiality again.  
  • Contact lists: make clear who owns contacts lists, wherever they may be stored.  
  • Discrimination, harassment and bullying: you can be held vicariously liable for comments your employees make online. And, as you know, compensation for unlawful discrimination is unlimited. Make sure your equal opportunity training covers social media forums and put in place effective safeguards to reduce the risk of such claims.  
  • Employees’ privacy and data protection: you need to strike a balance between monitoring employees’ use of social networking and respecting their right to privacy. Whether you use information from a social network to make recruitment decisions, monitor employees’

conduct or terminate the employment, you must comply with UK laws on data protection and privacy.  

“A good name, like good will, is got by many actions and lost by one” (Francis Jeffrey)  

No employer wants to be at the epicentre of the next social networking-blunder media flurry. British Airways diffused the embarrassment of staff who branded passengers “fat and smelly” on Facebook and was quick to dismiss those involved. The Department of Transport did not fare much better when one of its civil servants criticised government policies on Twitter, thus breaching the constitutional impartiality of the Civil Service (see box).

If you do not already have a ‘communication’ policy in place, now is the time to introduce one. Set out clearly what you do and do not allow your staff to say about your business, their role, their personal life, their colleagues, your customers, contacts and the like. Although your policy ought not to be limited to social media forums, it should refer to them expressly. Ideally, you should include some live and poignant examples and, if you have not done so before, consider running face-to-face or online training for your staff. The more you highlight your expectations, the more likely it is that employees will comply with them. And, if they don’t, a clear policy gives you greater justification in disciplining staff or lawfully terminating their employment.

Once confidential information is made public, you are unlikely to be able to protect it  

Organisations often go to great lengths to protect confidential information: in service agreements, on a day-to-day basis and in settlement arrangements. Once confidential information is published, its confidential nature is often lost forever. Bearing in mind how quickly and widely information can be transmitted in cyberspace, you must make clear what information is confidential, forbid its external communication, and establish and communicate clear sanctions for doing so (including, where appropriate, dismissal). Limit access to confidential information on a ‘need to know basis’ and, as far as possible, use your IT systems to intercept certain communication and transfer of confidential information before it makes its way on to an external site.  

Secure ownership of all client and contact lists – wherever they originated from  

Contact lists are often an invaluable business asset. Frequently, they are a hybrid creature which contains some names that ‘belong’ to the organisation and others that, at least in the employee’s mind, ‘belong’ to the individual. This is often the case with various contact management systems and LinkedIn contact lists. It is advisable to:  

  • Restrict use of the business communication systems, hand-held devices such as iPads and blackberries, as well as email functions for business purposes only;  
  • Include contractual terms to the effect that contact and client lists, however and wherever devised, belong to the employer;
  • Properly communicate these restrictions to employees. If you fail to do so, on departure employees may be allowed to take personal information with them, thus watering down the protection afforded to your business.

In this context, In Pennwell Publishing v Ornstein the High Court found that contacts kept on the employer’s computer system belonged to the employer, even though the employee had established some of these contacts before joining the company.

Employers can be vicariously liable for discriminatory or harassing conduct by employees: whether in the office or in cyberspace

There are numerous instances where an employer could be vicariously liable for discriminatory conduct by an employee. Examples often relate to an employee posting inappropriate remarks, comments or pictures, whether during or outside working hours, whether using work PCs or not, and whether the posting is made on the employer’s network or on a social media forum.

A comprehensive prohibition against such conduct is often expressed in equal opportunities policies and ought to be backed up with training, IT ‘blocking’ measures and disciplinary action as appropriate.

Monitoring and tapping into employees’ cyber communication ought to be compliant with data protection and privacy laws

How do you police your employees’ use of social networking sites while ensuring compliance with the Data Protection Act 1998 and employees’ right to privacy under Article 8 of the European Convention on Human Rights?

The Information Commissioner has published detailed guidance on what employer may or may not do when monitoring employees’ conduct. At the very least, you ought to make clear to employees to what extent you will monitor their usage of social networking sites. You will also have to adjust your procedures in relation to private communications (e.g. where employees have adjusted their privacy settings in such a way as to make it clear that the information is not intended to be in the public domain). Finally, if you come across information classified as sensitive personal data, do not use or otherwise process it without the employee’s consent.

On the issue of privacy, the PCC’s Twitter decision goes some way to help employers: employers may access tweets since they are not classified as “private” information. Although employees may still seek to rely on article 8 of the Human Rights Convention, the scope of protection is fairly limited (see our August 2010 briefing).