HR technology special 5/7: Do employers need a social media policy at work, or just common sense?

HR departments are finding themselves responsible for holding a mountain of personal data online, where it is less secure than under lock and key in a filing cabinet.

But the Data Protection Act must be observed, not only for employees, but also for job applicants and agency and contract workers.

Employers have to safeguard confidential commercial information, such as trade secrets and customer lists - and intellectual property, such as patents, copyrights and certain types of designs. All of these can be vulnerable to viruses, fraud and negligence.

There is also the potential for brand damage caused by the inappropriate use of social media and loss of information to competitors when employees switch jobs.

Ann Bevitt, employment partner at law firm Morrison & Foerster, explains: "A massive amount of confidential information can be stored on something small and copied within seconds, whereas 10 years ago somebody wanting to steal a database would have to print it out.

"Truly confidential information is protected by common law, but, for the other less black-and-white areas, restrictive covenant agreements should be used in the contract of employment to regulate what employees can and can't do, post-employment."

Legal experts stress that restricted covenants must be specifically tailored to be effective and when employers feel they don't work it has often been because they have tried to use blanket ones. Nevertheless, employers can also have reservations about enforcement issues.

Gillian Dixon, group HR director at media organisation CN Group, says: "I am not convinced of the value of restrictive covenants generally for the majority of roles. The covenants can be hard to enforce because obtaining the hard evidence that someone has shared information illegally can be very difficult."

But Jonathan Maude, employment partner at law firm McGuire Woods, points out that in the vast majority of cases when it has been suspected, his firm has managed to find evidence of covenants being broken.

"You would also be amazed at how stupid people can be. They often email substantial amounts of data to themselves and don't realise they have left an electronic trail. Even if they have downloaded material onto a memory stick, it can be traced," he says.

Steve Grant, senior computer forensic consultant at legal technology provider Kroll Ontrack, is shocked at the number of technology-linked intellectual property cases he has been asked to handle recently and points out that employers should be using software programmes that are available for monitoring the transfer of information from laptops and other mobile devices.

He adds: "We are finding data transfer issues are arising much more from laptops than from mobile devices, but I personally think it will start happening more from the latter, unless companies put in place monitoring to limit use or are in a position to audit use of company data."

The increased use of mobile devices has made it necessary for HR directors to revisit media policy wordings, which have often stipulated that employees shouldn't bring 'personal laptops' to work - iPhones and iPads have been blurring the boundaries by including many of the functions that have traditionally been done by computer.

John Enstone, partner at law firm Faegre Baker Daniels, believes the trend towards employers allowing staff to access company systems via their own mobile devices is largely irreversible, because it saves employers money and suits the wishes of many employees.

He explains: "Originally, employers tried to impose a degree of uniformity about equipment that could be used, but this all fell down in the past five years with the advent of iPhones and iPads, and even companies who pride themselves on having the most secure practices are having to accommodate these devices. You have to live with the times and, although some firms try and prohibit use for business purposes, it doesn't work. Most try and prevent personal use during working hours, but many employees continue with personal use with the knowledge of their employer.

"We tell HR directors if they want the most out of staff they will have to accommodate their wishes by allowing the use of iPads and other tablets and accepting that this lessens security to a degree, and that they will have to police this by making sure employees understand and acknowledge that confidential information is more exposed."

When it comes to use of social media, few issues are arising from community platforms that companies use internally for knowledge-sharing. But legal experts warn HR personnel accessing facilities such as Facebook and Linkedin for recruitment purposes to be aware of the risks of unlawful discrimination if they take into account information about pregnancy, race, religion and sexual orientation.

Lawyers are also commonly urging HR teams to draw up specific social media policies to make sure employees understand they are responsible for what they create via personal social media use.

Simon Rice-Birchall, employment partner at law firm Eversheds, says: "Making very unpleasant comments about the boss, or being racist are, in my opinion, grounds for dismissal, even if the employer has no official policy, while at the other end of the scale, comments about colleagues that could be vaguely offensive are hard to police, whether you have a policy or not. But in the middle, there are a whole group of things that, depending on what the social media policy says, will influence a tribunal. So having a policy is essential for these."

But HR consultants tend to take a somewhat different view. Both Gareth Jones, managing director of Brubaker HR and Matt Alder, founding director of MetaShift, don't feel social media policies are necessary, emphasising employees merely need to be advised to be sensible when talking about the company and to comply with their existing contract of employment.

Brubaker HR's Jones says: "It's the messenger that's getting shot. Any firm with these issues has engagement problems, so it's good they are coming out and can be addressed. Previously employers had ignored engagement problems unless there had been a fuss, but now they are increasingly going to be forced to accept social media and try to fix the problem rather than the message."

Adriana Murray, UK & Ireland HR director at healthcare telecommunications provider Tunstall Healthcare, sides more with the lawyers, pointing out that her organisation tries hard to understand employee feelings via an annual employee engagement survey and through bi-weekly or monthly meetings between employers and line managers.

She explains: "We don't feel it is realistic to turn a blind eye to comments on social media. It is not about shooting the messenger. It is about creating the appropriate level of communication lines in which they can actually talk about their feelings for their business and their colleagues. We would prefer it if they expressed themselves in the channels already provided."

Although lawyers acknowledge that technological developments cannot be completely future-proofed, they recommend both reviewing contracts of employment annually to ensure they remain modern and relevant and regular monitoring of developing technology in the marketplace - ideally, at least quarterly.

Two developments already appear destined to make their presence felt in the future. Richard Manley, company commercial solicitor at law firm Maxwell Hodge, feels many HR departments may be considering implementing e-crime policies that give details of procedures to follow in the event of hackers accessing information. There is also widespread agreement that larger organisations will soon start using the cloud to cut costs and that the communal usage involved will increase security risks.

Michael Ball, employment partner at law firm Gateley, explains: "Using the cloud means you are storing what can be sensitive data off premises in the control of someone else, but users tend to be fairly aware of the risks and to draw up clear agreements with cloud providers. I don't think larger businesses have gravitated to the cloud yet and SMEs who use it tend to be in the technology sector and therefore quite savvy.

"It is not a burning issue for large employers yet, although logically they will evolve to the cloud to cut costs. But we are probably talking about a five-year time period and they are likely to do it with their eyes open."

As with most aspects of technology, HR directors will rely heavily on their IT departments to provide the necessary risk analysis and security information about the cloud. The final management decision about implementation is also likely to involve legal and finance departments.

Social media policy pays off

In August 2011, employee benefits provider Personal Group, which already had a broad electronics communications policy, decided to draw up a specific social media component spelling out 10 do's and don'ts of usage. It was introduced via three different communications meetings involving all 160 UK staff; examples were given from the press of where social media had gone wrong.

Use of smartphones and iPads had been increasing and there had been cases of staff writing things on Twitter and Facebook that were contrary to what they had been telling their employer. One employee, for example, had told the HR department they were off sick, but posted information to their friends that suggested otherwise. The individual was spoken to about the issue, but no disciplinary action was taken.

Beth Johnston, HR director at Personal Group, explains: "It made us think that people didn't realise the far-reaching implications of what they were doing and needed to think about their behaviour. I know from the feedback received that people have taken a lot of these messages on board and they now think twice, which is all we would hope for.

"We accept that people will use social media, as it is the future, but we need to ensure they are using it in the best way possible."

Case law: tribunal quashes Facebook dismissal

A Leeds employment tribunal hearing on 24 May 2011 resulted in Mrs EA Whitham succeeding in her complaint that she was unfairly dismissed by her employer, Club 24 - trading as Ventura. The respondent was required to pay a basic award of £1,800 and a compensatory award of £12,740.

In September 2010, while employed as a customer services team leader, Whitham had posted on her Facebook page, after work: "I think I work in a nursery and I do not mean working with plants." The message, and a couple of others that followed, could only be viewed by about 50 Facebook friends, but these included two colleagues, who brought them to the attention of management.

The tribunal concluded that the "decision that the claimant should be dismissed was outside the band of reasonable responses", but suggested that, because Whitham's conduct was blameworthy and culpable, her compensation amount should be reduced by 20%. Both parties agreed.