Privacy Advisor

Global Privacy Dispatches- Canada- Social Networking

November 1, 2008

By Terry McQuay, CIPP, CIPP/C

Social networking in the workplace

In a speech to employees of the Bank of Canada, Privacy Commissioner Jennifer Stoddart discussed the use of social networking and its impact on the workplace.

Ms. Stoddart noted that social networking sites can be an extremely useful tool for organizations, but there needs to be a frank discussion between management and employees on the nature of these sites and the potential for workplace issues.

There have been a number of cases, in Canada and elsewhere, where employees have been fired or disciplined as a result of their online activities, the commissioner noted. Social networking sites create the very real potential of significantly damaging the reputation of an individual or an organization. For example, if a disgruntled employee airs workplace complaints online, anyone in the world might see the comments and create an unfavourable impression of the organization.

Ms. Stoddart noted that research funded by her office's contributions programs found that young people and their bosses often view online privacy in entirely different ways. This, she said, creates a challenge when addressing the use of social networking sites in the workplace, and is compounded by the fact that, for the most part, organizations do not have in place policies, practices, or guidelines that explicitly govern their employees' use of online social networks.

Researchers studying this dichotomy created a number of recommendations for organizations:

  • develop an understanding of online social networks and their role in the culture and communication behaviour of young Canadians;
  • develop clear rules and guidelines about the use of online social networks at work and home based on principles employees will accept;
  • support these policies with appropriate tools and enforcement;
  • do not actively seek information from online social networks for recruitment and selection processes.

Overall, the researchers concluded that organizations should create policies and guidelines governing use of social networks in the workplace that are:

  • as clear and specific as possible about the organization's expectations about employees' behaviour online;
  • transparent about how they will monitor employees' online behaviour; and,
  • describe the consequences for posting something that, for example, could be damaging to the organization's reputation.

Ms. Stoddart noted that IBM was one of the first companies to offer its employees guidance on appropriate conduct when engaged in social networking. Among that company's recommendations:

  • don't provide the proprietary information of IBM or another company;
  • ask permission to publish or report on conversations that are meant to be private or internal to IBM;
  • make it clear that you are speaking for yourself and not on behalf of IBM;
  • be aware of your association with IBM in online social networks. If you identify yourself as an IBMer, ensure your profile and related content is consistent with how you wish to present yourself with colleagues and friends.

The commissioner noted that it is fair to tell employees there will be consequences for "private-time" activities that negatively impact an organization, but cautioned against over-controlling what employees do outside of working hours. She also said that organizations need to carefully consider how they will monitor the online postings of their employees. It would be unreasonable, for example, for an employer to routinely check on what employees post to their social networking pages; however, it might be appropriate for an employer to look at a profile if a problem that involves the organization is brought to their attention.

Ms. Stoddart said that although her office has not dealt with a complaint about the monitoring of an employee's social networking activities, findings from other types of cases may be relevant when considering monitoring. She suggested a four-part test for determining whether to monitor:

  • is the monitoring demonstrably necessary to meet a specific need?;
  • is it likely to be effective in meeting that need?;
  • is the loss of privacy proportional to the benefit gained?; and,
  • is there a less privacy-intrusive way of achieving the same end?

The commissioner said that if employers do monitor their employees' online activities and time spent online, they should let employees know that, while they don't check their privacy rights at the door, some workplace surveillance is required and acceptable.

Terry McQuay, CIPP, CIPP/C, is the founder of Nymity, which offers Web-based privacy support to help organizations control their privacy risks. Learn more at www.nymity.com.