Social Media Training November 2012 1 DS 061112
Social media & data protection policy v1.0 141112

Jun 23, 2015

Business

Dave Shannon

Presentation presented to employees in a previous role. Unfortunately, corporate identity has had to be removed; however, content is still relevant to policies and legislation.
Transcript
  • 1. DS 061112
  • 2. Contents: (1) What is Social Media? Employee guidelines for using Social Media; Management guidelines for using Social Media. (2) Case Study: Preece v Wetherspoon. (3) Using Social Media in the Workplace; Social Media Case Law. (4) Relevant Policies and Procedures; Acceptable Use Policy. (5) Data Protection Act; Subject Access Requests; Breaches, enforcements, penalties. (6) Scenarios. (7) Summary.
  • 3. What do you think Social Media is? Company Policy states: Social Media is defined as any mechanism or system that allows individuals the ability to express or share personal views or comments with the Public. Wikipedia states: Social Media employ web and mobile-based technologies to support interactive dialogue using social software which mediates human communication. A Generic Understanding: Anywhere (usually online) a person can share an opinion that can then be viewed by others in the future.
  • 4. Examples of popular social media sites: Twitter, Facebook, LinkedIn, Myspace, Reddit, Yammer, Friends Reunited, Google+, Bebo.
  • 5. Other Social Media outlets. Most websites include some form of Social Media, even if the site itself exists for other reasons. Some examples are: Comments (online newspapers, BBC news site etc.); Blog posts/comments (online opinions); Reviews (leaving feedback on products/services); Forum posts (chatting in online groups); Photo sharing sites; Apps; Public chats. Recognise any other logos?
  • 6. Employee Guidelines for using Social Media. Discuss: What type of issues have you dealt with in this area, or are familiar with? Can you think of any other issues that could cause a problem?
  • 7. Employee Guidelines for using Social Media. Golden Rule: Don't post any information that could be damaging to our (and potentially your) reputation. Anything that constitutes bullying, harassment or discrimination: posting negative opinions of others online, spreading rumours, e.g. relating to race, gender, religion etc. Anything that is confidential in nature: leaking information about the company, e.g. contract wins/losses etc. Anything that would breach Data Protection laws: any leaks of employees' or clients' personal or sensitive data, e.g. employee or client contact details. Anything that breaches copyright laws: any publication of copyrighted materials into the public domain, e.g. taking information from one company to a rival company for competitive advantage. Anything that could damage working relationships with other employees/clients: sharing any sensitive information without relevant consent, e.g. client performance data.
  • 8. Employee Guidelines/Use of Social Media Continued. Anything that can be construed as controversial: pointing out conflicts of interest publicly, courting the media. Anything that is dishonest, untrue or misleading: lying about job conditions, company performance. Anything with company logos or trademarks (unless authorised): using logos to lend authority to a web identity, or to joke about or degrade the company image. Using your company email address for non-work-related activities: running personal business, excessive personal emails. Anything anonymously that breaches this policy: attempting to hide your identity while committing any of the above breaches of policy. The Employees' Guide to Social Media has been distributed in your Social Media pack this morning.
  • 9. Employee Guidelines Toolbox Talk. To help you all ensure your employees adhere to the Employee Guidelines for Social Media, a Toolbox Talk has been prepared for Team Managers to distribute. You will need to go through the presentation with all your staff and record completion. The presentation goes through: What is Social Media? Why have a Social Media policy? Employee Guidelines for using Social Media. This will be distributed now and must be completed by 30/11/12. Email [email protected] when these are complete so they can be included in the month end report.
  • 10. Management Guidelines to Social Media. Personal Social Media Use at Work: Employees can use the internet for personal use, including restricted use of social networking sites before/after work or during breaks. Personal Social Media Use in Private Life: The company should respect their employees' right to a private life and understand that social media networking sites are now part of everyday life. However, the company have a duty to ensure that employees are protecting their and our reputation when using social media. Any breach of the company policies could amount to gross misconduct. Any misuse of social media will be fully investigated and could lead to disciplinary action. We reserve the right to monitor internet and email use (Acceptable Use Policy). The Managers' Guide to Social Media has been distributed in your Social Media pack this morning.
  • 11. Preece v Wetherspoon: the Verdict. Ms Preece was dismissed on the grounds of gross misconduct: her actions were deemed to have been inappropriate, in breach of company policy, and identified Wetherspoons specifically. She appealed this decision; however, she was unsuccessful and her dismissal was upheld. She then brought a claim to the Employment Tribunal for unfair dismissal. Her claim was dismissed. Reasons: Despite her comments being posted with private settings, they were still in the public domain. Even if she had posted the comments at home, not within work, the Tribunal believed that Wetherspoons would still have had the right to act in the same way. Her right to freedom of expression could be restricted if the comments posted could damage reputation, i.e. her employer's.
  • 12. Preece v Wetherspoon: Learning Points. Key learning points of the Preece v Wetherspoon case: It highlights the importance of having a Social Media policy: formalises acceptable and unacceptable behaviours in a changing environment. Define key terms such as blogging and provide examples: ensuring clarity for both parties to ensure understanding. Clarify the sanctions if the policy is breached: again, ensuring clarity for both parties. Have a clear and concise disciplinary policy listing examples of gross misconduct (MORE ON THAT TOMORROW/NEXT WEEK): ensuring employees are made aware of unacceptable behaviours and any potential disciplinary sanction. Any breaches of policies should be dealt with fairly and consistently so an employer is in a strong position to defend any potential claims: having a policy in place ensures the company can treat staff fairly and consistently, and ensures staff in all corners of the country are able to apply the policy equally.
  • 13. Social Media and Employee Misconduct. As Social Media can be used at any time inside or outside of work, the human rights of your employees must be considered. European Convention on Human Rights (ECHR): Article 8 provides a right to respect for private and family life. Article 9 provides a right to freedom of thought, conscience and religion. These articles must be taken into account to ensure we cannot irresponsibly intrude into our employees' private lives, or tell them what they are/are not allowed to think/believe. However, this must not compromise existing legislation and company policies.
  • 14. Potential Negative Impacts in the Workplace. While there are many advantages to social networking in the workplace (building a wider contacts network, opening communication channels), there are also potentially negative impacts, such as: drop in productivity with excessive use of social media; reputational damage by personal views being construed as Company opinions; operational damage by leakage of confidential information. Recent improper use has led to this policy being drawn up along with the guidelines.
  • 15. Social Media Case Law: Flexman v BG Group. The Current Situation: The dispute over Mr Flexman's profile led to his resignation following a breakdown in his relationship with senior executives. In October 2012, the tribunal found BG Group's delay in dealing with the case, and the failure to address a grievance complaint brought by Mr Flexman, meant he was fully entitled to quit in June 2011 and claim constructive dismissal. It found the firm guilty of a serious breach of contract. A second hearing will take place in November to determine Mr Flexman's compensation. A BG Group spokesman said: "We are aware of this initial ruling and are studying the reasoning in detail as well as examining all options open to us in line with the legal process."
  • 16. Relevant Policies & Procedures. The following policies all relate to Social Media use in the workplace. A Social Media Pack containing these policies has been emailed to all Managers this morning: IT Acceptable Use Policy; Disciplinary Procedures; Social Media Policy; Managers' Guide to Social Media; Employee Guide to Social Media.
  • 17. Acceptable Use Policy. Acceptable Use Policy documents are handed out during induction of new starters. These documents must then be signed on an annual basis and submitted to the Site Security Liaison Officer. The company expects its computer facilities to be used in a professional manner. E-mail and internet is provided at its own expense and for business purposes only. Any personal use by company employees, temporary staff, sub-contractors, contractors or third parties must not interfere with the normal business activities of the company, should not involve solicitation or personal profit, and must not potentially embarrass the company. Material that could be considered offensive must not be accessed, viewed, downloaded, uploaded, copied, stored, printed or transmitted using company computer systems. When using these technologies, employees are representing the company. Corporate email and internet activities can be traced back to an individual within a company, and both the company and the individual will be held responsible for defamatory or illegal content.
  • 18. Acceptable Use Policy: Management Responsibilities. All Managers are responsible for ensuring employees, contractors and third party users: are properly briefed on what is considered acceptable use prior to being granted access to sensitive information or information systems; are provided with any relevant guidelines to show expectations of acceptable use; are advised to fulfil the acceptable use policy; continue to have appropriate skills and qualifications necessary to comply with the policy; are provided with the maintenance cover and technical support for the computer and IT department's approved associated equipment; are provided with the software required to enable the Employee to carry out his/her duties; are protected by ensuring compliance with license agreements for any software provided to carry out their duties. Policies must be signed at induction and submitted to the Site Security Liaison Officer.
  • 19. The Data Protection Act. The Data Protection Act (DPA) 1998 defines UK law on the processing of data related to a person who can be identified from that data. The DPA controls how personal data of a data subject is used by data controllers or processed on their behalf by data processors. Data Subject: An individual who is the subject of personal data. Data Controller: A person who determines the purposes for which, and the manner in which, data is processed (now and in the future). Data Processors: Any person who processes the data on behalf of a Data Controller.
  • 20. The Data Protection Act: Types of Data under the Data Protection Act. Personal data is any information which can identify an individual. This includes any expressions of opinion about the individual. Sensitive personal data includes the individual's race, ethnic origin, sexuality, religion, health, trade union status, political beliefs or criminal record. There are 8 Principles to follow under the DPA when dealing with Personal (and Sensitive) Data.
  • 21. Data Protection: 8 Principles. The key principles for personal data are that they will be: 1. Processed fairly and lawfully. 2. Processed for specified and lawful purposes. 3. Accurate and up to date. 4. Adequate, relevant and not excessive. 5. Only held for as long as necessary for the purposes requested. 6. Processed in accordance with the rights of data subjects, e.g. individuals have the right to have data about them removed. 7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage 8. Not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
  • 22. Data Protection: Elearning. New Elearning module available, to be completed by 21st December at the latest, to ensure all staff can adhere to our Data Protection policy. This is Data Protection AND Code of Conduct 2. Will chase both up as they are both mandatory for all employees. Details of how to locate and complete both the Data Protection and the Code of Conduct 2 elearning modules will be emailed out this afternoon/tomorrow morning with initial completion data (Data Protection likely to be 0%), and updates will be sent out weekly, the same way as the first set of modules were chased. Supervised elearning sessions will also be arranged again, if required.
  • 23. Subject Access Request. Individuals have the right of access to their personal data, within reason, by submitting a subject access request. Requests must be in writing and a fee may be required (normally £10), which must be paid up front. We must respond within 40 days from the date that the request is received. If a request is made in the NOC: If anyone wants to raise a Subject Access Request, discuss their requirements with them, as often they will require specific information that can be filtered, e.g. across date ranges or relating to specific matters, rather than having to find and supply everything about the employee. Searching for data: Find emails and manual files across relevant date ranges using specific senders and recipients and the use of initials, employee numbers and nicknames.
  • 24. Subject Access Request. Which of the following would be personal data that may need to be used to comply with a subject access request? The individual requesting the data (the data subject) is Jane Roe, who has worked for the company for 3 years. An email to Jane Roe regarding their internal application? Yes, this is personal data. An email to everyone in one team about their performance/sales figures, including for the data subject Jane Roe? If all team members' figures are included, then no. If the email just shows Jane Roe's data, then yes. A reference provided to Jane Roe's prospective new employer? No, as she is not the recipient of the email. Details of a recent grievance raised by Jane Roe whereby she has requested all data relating to her employment? Yes, this is personal data.
  • 25. Withholding data from Subject Access Requests. Withholding Data: Reasons to withhold data are as follows: legal correspondence for the purpose of seeking advice; confidential management planning; any "without prejudice" discussions and negotiations; confidential references, if the data subject is not the recipient; prevention and detection of crime; relating to corporate finance. Third Party Data: If a data controller needs to disclose information relating to another individual who could be identified, they are not obliged to comply with the request unless: the other individual has consented; it is reasonable to disclose without consent (details can be kept anonymous).
  • 26. What is a Breach of Data Protection? Which of the following could potentially constitute a breach of data protection: A copy of an employee's 121 performance review notes being left face up on a manager's desk in the office? Copies of work orders/documents on the fax machine/printer? Salary details for senior management/directors being shared with company employees? An email from a manager to his/her team summarising performance statistics? An employee discussing a colleague's recent disciplinary meeting details whilst on the telephone on the train? Accessing company policies as an employee?
  • 27. Top Ten Tips for Complying with Data Protection. Check who is in the email trail when forwarding/replying to all. Use an appropriate volume and tone whilst on the phone. Collect documents from the printer immediately after printing. Consider thin meeting room walls: who can hear next door? Keep passwords secret and do not write them down. Password control: use different letters, numbers and symbols. Keep laptops securely locked and store them out of sight when not in use. Report the loss of any IT equipment immediately. Consider the location of where you carry out work on your laptop, e.g. train. Lock your computer whenever you step away from your desk.
  • 28. Data Protection Enforcement & Penalties. Assessments made by the Information Commissioner. Enforcement notice. Court order to comply. Compensation: damage and distress. Right to prevent processing if likely to cause substantial damage or distress. Right to rectify, block, erase or destroy. Monetary penalty notice: the maximum fine is £500,000.
  • 29. Scenarios. A member of your team has reported that one of their colleagues seems to always be on Facebook during work, and is updating her profile with pictures of shoes, clothes etc. that she is copying over from the Selfridges website. They've asked if something can be done as the contract is so busy. What would you do? One of your colleagues in the business has seen an email chain whereby earlier in the email you have been described by a member of your team as an "incompetent waster". How would you handle this?
  • 30. Scenarios. On Monday morning a staff member approaches you over something they have seen on Facebook over the weekend. Two colleagues have called him/her something which could be perceived as discriminatory. What action would you take? A trade union rep has complained that one of their members, who is an employee, has found documentation by their manager relating to staff performance in their local cafe. How would you handle this?
  • 31. Summary 1: Social Media. You should now be able to answer the following: What is Social Media? Provide some examples of Social Media sites. Why do we have a Social Media policy? And you have the policies and guidelines you and your team are expected to follow from now on. Question: What will you do differently now in relation to your own use of Social Media?
  • 32. Summary 2: Data Protection. You should now be able to answer the following: Who are Data Subjects, Controllers and Processors? What are Personal Data and Sensitive Personal Data? Know the 8 principles for dealing with Personal/Sensitive Data. Know how to action a Subject Access Request. And you have a copy of the policy to allow you and your team to adhere to Data Protection policy. Question: What will you do differently now in relation to your use of Data, i.e. ensuring it is protected?
  • 33. Actions for You! All policies relating to this presentation have been sent via email this morning. You need to ensure you have an awareness of issues that may arise as a result of the introduction of these policies. You need to hold a buzz session to distribute the Toolbox Talk to your staff detailing the Social Media policy and its effects. This has been written for you and emailed to you. This Toolbox Talk needs to be distributed to all operational staff by 30th November. You and your staff need to complete the new Data Protection and the new Code of Conduct 2 Elearning modules; chase emails will be sent out regularly as per Sustainability/Code of Conduct 1. Both these modules must be 100% complete by 21st December.
  • 34. Thank you for your time. QUESTIONS?
  • 35. Appendices: Policies and Procedures. Managers: Click attachments to open and print the relevant policies. IT Acceptable Use Policy; Disciplinary Procedures; Social Media Policy; Managers' Guide to Social Media; Employee Guide to Social Media.