Data Protection and Social Media in the Workplace
Data protection online is one of the biggest considerations for firms, especially those with a social media presence. Social media is now a huge part of today’s culture; almost one third of the world’s population has an active social media account. Social media is now a crucial part of not only our personal, but also our professional lives.
Facebook, Twitter, LinkedIn, Instagram, etc. are invaluable resources for businesses. A strong online presence can really boost a company’s profile. Many businesses are extremely savvy when it comes to using social media to their advantage. However, social media also presents difficult obstacles for employers.
One example is seen in a recent case in the European Court of Human Rights (the “ECHR”), which held that a Romanian employer did not breach the privacy rights of an employee when it monitored chats on his Yahoo Messenger account. The employee had been directed by his employer to set up the account to engage with professional clients; personal use was expressly prohibited. He was dismissed when his employer uncovered extensive personal use of the social media account. The ECHR found that it was “not unreasonable for an employer to want to verify that employees are completing their professional tasks during working hours”.
It is essential for both employees and employers to be aware of the issues that arise regarding the use of social media in the workplace.
Firstly, issues arise in relation to the distinction between personal and professional boundaries. Facebook is perceived as a “personal” social media platform, whereas LinkedIn falls into the category of professional social media.
Professional contacts and activity should remain entirely separate from an employee’s personal life. However, the impending introduction of “Facebook at Work” will create significant uncertainty in this area. Employers therefore need to think carefully about their social media profile. Training for employees is essential, to ensure appropriate conduct online.
Another topical issue is online screening, which is regularly used by employers in Ireland to vet potential employees. Many people worry about the prospect of employers investigating the social media profiles of job applicants. Although there is no legislation preventing a prospective employer from doing so, there are some data protection issues. For example, employers cannot use information from social media to discriminate against potential candidates, such as by taking into account, during the recruitment process, photographs or postings which reveal that an applicant has young children or is gay.
According to the May 2015 GMI report, individuals have an average of five social media accounts, and spend around 100 minutes browsing social media networks every day. It is therefore well worth an employer’s time to have a clear policy in place as to personal use of social media in the workplace, to avoid a serious reduction in the productivity of their workforce.
For employers, a major attraction of a potential employee is a strong network of business contacts. However, an individual may have restrictive covenants in their existing contract of employment preventing them from using that network of contacts in their new employment, and employers should be aware of this during the recruitment process. Conversely, employers also need to implement policies to prevent employees using business contacts obtained through their employment when their employment terminates.
Another issue that an employer should be very conscious of is harassment and discrimination between colleagues on social media sites. Employers may be held vicariously liable for acts of bullying, and cyberbullying should be included in risk assessments carried out by employers under health and safety legislation.
Employers can reserve the right to monitor employee activity in the workplace, as they have an interest in protecting their reputation. Furthermore, employers may be able to introduce limited control measures outside of work, and this often causes anxiety for employees. However, it is important that employees are aware of their right to privacy; monitoring activity must be transparent, reasonable and proportionate.
The processing and storing of online information by a company can be tricky, as data protection issues can arise. As a data controller, an employer that has a social media profile has a responsibility to ensure that employees’ consent is obtained to use their personal data, such as photographs.
Data Privacy Rights in the Workplace
An employee’s right to data privacy in the workplace is not an absolute right; it is balanced with rights such as the right to one’s good name, the right to earn a living and to hold property.
There are 8 principles set down in the Data Protection Acts 1998 and 2003 which should be taken into account by an employer as data controller:
- Obtain and process information fairly
- Keep the images only for one or more specified, explicit and lawful purposes
- Use and disclose the images only in ways compatible with these purposes
- Keep the images safe and secure
- Keep the images accurate, complete and up-to-date
- Ensure that the images are adequate, relevant and not excessive
- Retain the images for no longer than is necessary for the purpose or purposes
- Give a copy of the images to an individual, on request
Boundaries on Data Privacy within the Workplace Legal Case
In Peev v Bulgaria, an individual was employed as an expert by the Prosecutor’s Office in Bulgaria.
Following the suicide of a colleague who had alleged that the chief prosecutor was harassing him, the individual considered resigning, and prepared two draft letters. He ultimately decided not to resign and sent a letter to two daily newspapers making a number of accusations against the chief prosecutor.
One of the newspapers published the letter. On the evening preceding publication, a prosecutor ordered the individual not to be allowed to enter the building as he had been dismissed. The applicant was subsequently informed that his resignation had been accepted. He later discovered that his office had been searched and the draft resignation letters were missing.
The individual brought a civil action for unlawful dismissal and obtained reinstatement and compensation.
The ECHR concluded that under Article 8 the applicant had a “reasonable expectation of privacy” at least in respect of his desk and filing cabinets. The search of the office was interference by a public authority with his private life.
In Halford v United Kingdom, Ms Halford held the rank of Assistant Chief Constable. When she was refused promotion, Ms Halford claimed that she had been discriminated against on grounds of sex.
She alleged that calls made from her home and her office telephones were intercepted for the purposes of obtaining information to be used against her in the discrimination proceedings, claiming a breach of Article 8 of the Convention.
The ECHR held that conversations made on the telephones in Ms Halford’s office at Police Headquarters fell within the scope of “private life” and “correspondence” in Article 8 (1).
Future Changes to Data Protection
The Article 29 Data Protection Working Party published an Action Plan for the implementation of the new General Data Protection Regulation, which will be in force in 2 years’ time. It provides for enhanced roles for Data Protection Commissioners remaining in the EU, along with enhanced co-operation between national data protection authorities, and stronger enforcement co-operation.
One significant aspect of the new General Data Protection Regulation is the strengthening of employees’ “right to be forgotten”:
- An employer is obliged to erase an employee’s personal data where requested without undue delay
- Employees will be able to supplement incomplete information held by an employer with a statement
- If the information to be removed under the “right to be forgotten” has been made public, an employer shall take reasonable steps (taking account of technology and cost) to require that links and copies are erased
However, an employee’s “right to be forgotten” will be subject to:
- the right to freedom of expression
- processing required by law, or in the public interest, or for public health
- archiving in the public interest or for historical, statistical and scientific reasons
- the establishment, exercise or defence of legal claims
The General Data Protection Regulation allows fines of up to 4% of the annual worldwide turnover of a company that does not comply with employees’ “right to be forgotten”; it is therefore essential that employers are fully up to date with the new legislation.
NOTE: article is for information purposes only; specific legal advice should be taken before relying on information in this article.
HALPIN & Co. SOLICITORS | Practical Experience, Trusted Advice