Employee privacy: business use of social media
As such, it is very likely that employees' personal data will be used as part of this process. For example, an employer may have 'updates' used for promotional purposes in which they wish to name individuals or provide other personal data. In these circumstances, employers should be aware of how their employees' personal data, as well as data relating to clients or third parties, is being used on social networking sites.
Use of Employees' Personal Data
Storage of employees' personal data taken from a social networking site without the individual's consent may amount to unlawful processing of data. An employer should, therefore, be careful about what information they keep, how it is stored and for how long it is kept.
Where the employer wishes to use the personal data of one of their employees on their social network site, they should always seek the consent of that person before putting the information online.
Use of Clients' Personal Data or Data from Third Parties
During the course of their employment, employees may become privy to personal information about clients or other third parties. It must be made clear to employees that any such information must not be broadcast via social media sites or accounts (whether such accounts or profiles belong to the employer or the employee) without the consent of the relevant individual.
Training should be given to all employees and the employer should create a robust and well-communicated policy dealing with the use of social media by employees. This should set out the restrictions placed on communications made via social media, and the sanctions for failure to comply with the terms of the policy.
The End of the Employment Relationship
Employers should remain mindful of, and have appropriate policies in place to deal with, their continuing obligations under the DPA after the employment relationship has come to an end. These obligations apply equally to information either collated via or held on social media sites or accounts.
Key Action Points for Employers
Bearing in mind the issues outlined above, the three key actions for employers looking to minimise the risks of breaches of the DPA when using social media should be:
- ensure your data protection policy adequately deals with the challenges created through the use of social media;
- be transparent and clear in your communications to future, current and former employees regarding the use, storage and holding of their personal data; and
- train your employees on the terms of your data protection and social media policies and make them aware of your obligations as a business as well as their own obligations as employees with access to personal data of others.