Recent high profile stories have again highlighted for employers the issues that potentially arise from use of social media by employees. There is no doubt that use of technology such as social media provides great opportunities for organisations to project a positive image but it also brings its own risks.
It was recently reported that former Liverpool Football Club's Ryan Babel was fined £10,000 by the Football Association (FA) for an outburst on the popular micro-blogging website Twitter. He posted a mocked-up photo on Twitter of English Premier League referee, Howard Webb, wearing a Manchester United strip following Liverpool's controversial defeat to Manchester United – and wrote: "And they call him one of the best referees. That's a joke."
Babel was fined by the FA for bringing the game into disrepute. Although the comments were clearly his own, they still brought the name of his then employer, Liverpool Football Club, into the media in a negative way.
The balancing act for social media
Over 500 million people are registered on the social networking site Facebook. Employees are also increasingly using other social media platforms (such as Twitter and Linkedin) for business purposes as well as socially.
Employers can be held liable for the actions of their employees where they are "acting in the course of employment". As technology makes our working hours more fluid, the question of where employment ends (and private life begins) is increasingly becoming more difficult to identify. As a result what is within the “course of employment” has been interpreted with a very wide application.
Data protection and security
Employers are under a duty to comply with the Data Protection Act 1998 (the "DPA") if they process personal information. Key to this is that data is held in accordance with the eight data protection principles set out in the DPA. In order to ensure that employees understand what their obligations are, employers need to educate staff and have robust policies and procedures in place on data protection. This is essential to minimising the risk of a high profile data breach. In addition to this, practical security measures need to be in place – use of passwords, encryption on laptops, limited access to certain types of data, for example – to further minimise the risks.
Recently the UK Information Commissioner's Office (the "ICO") investigated allegations that an employee of an official FIFA ticket retailer unlawfully sold the personal data of 250,000 ticket buyers for the FIFA 2006 Germany World Cup on the black market. In this case the ICO concluded that there was not enough evidence that a breach of the DPA had occurred. However in Australia, Vodafone dismissed several employees who allegedly sold the personal details of over four million customers to criminal gangs. The Australian Privacy Commissioner has investigated Vodafone's security systems and processes. On the back of this investigation Vodafone Australia has undertaken to improve its security measures.
Both these cases highlight the importance of having adequate data protection security policies and procedures for employees to follow.
Likewise, use of social media for personal purposes should be dealt with under a suitably robust internet usage policy. One Employment Tribunal decision recently found that two employees were unfairly dismissed for excessive internet usage because the company's policy on this matter was unclear.
Educate and enforce policies
An internet policy might include rules about accessing social media sites at work, information about what monitoring might be undertaken by the employer and an obligation on the employee not to disclose confidential information or make defamatory or discriminatory comments about the company or its customers.
Employers should have sufficiently robust data protection policies and procedures to ensure their organisation, and specifically their employees, comply with their data protection obligations. Key requirements are that personal data is accurate, not excessive and not retained longer than necessary; any processing is fair and lawful; and – crucially – data is kept secure.
If an employee is going to be posting on social media platforms on behalf of their organisation, the provision of training and the implementation of a sound, coherent policy on social media is advisable, no matter what the size of their organisation is.
Many organisations already have social media and data protection policies and procedures in place. However, as technology develops ever faster, many of these may be out of date and should be constantly reviewed and updated.
Employees should be made aware that even comments on their personal profile pages, and posts, which they assume are private, may be at risk of bringing the organisation into disrepute, which could amount to gross misconduct in some severe situations.