Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

Reputation management vs privacy rights: where do you draw the line?

One of the major reputation risks can come from employees using email and social media to bad-mouth their organization, or to release, often inadvertently, information which the organization would prefer to remain confidential. One of the ways of controlling such information flows is to monitor the email and social media activities of employees, but how far can companies go and remain within ethical and legal boundaries?

In this article, Anne Hughes, a senior associate at Fox Solicitors discusses the issues and provides some advice.

In a world where many are glued to their smartphones and addicted to Facebook and Twitter, there are still a few people (usually those over 20) who want their personal communications to remain private.

Carrying a Blackberry 24/7 means that the line between your work and your private life becomes blurred, and most of us use work email for personal use. iPads are the latest ‘must have’ executive accessory for work and play, and many people don’t think twice about forwarding confidential company documents to their personal email accounts so that they can access them away from their desks. This helps us cram more working hours into our days, and so has an obvious upside for business. But there are downsides too. Sensitive confidential information may be lost or stolen. As staff Tweet about their day, or post comments on Facebook about their boss’s latest antics, their right to freedom of expression and privacy comes into direct conflict with the company’s interests to protect its professional reputation. This has led to a string of employment tribunal cases hitting the news in the past couple of years.

A manager of a Wetherspoons pub claimed that she had been unfairly dismissed when she was sacked for posting negative comments about the pub’s customers on her Facebook page (Preece v JD Wetherspoons plc). She claimed that her right to freedom of expression had been infringed. There was a sigh of relief from many employers when the tribunal decided that Wetherspoons had acted lawfully. Although Ms Preece (the pub manager) had a right to freedom of expression under Article 10 of the European Convention on Human Rights, the tribunal decided that the action taken by Wetherspoons was justified in view of the risk of damage to its reputation. Wetherspoons was in a much stronger position to defend this claim because it had a clear written HR policy which stated that the company may take disciplinary action should the contents of any blog, including pages on sites such as MySpace or Facebook "be found to lower the reputation of the organization, staff or customers and/or contravene the company's equal opportunity policy".

Last year in Northern Ireland, an employee (Mr Teggart) brought a claim against TeleTech UK Limited after being sacked for posting obscene and lewd comments about the promiscuity of a female colleague on his Facebook page (Teggart v TeleTech UK Limited). The comment mentioned TeleTech and was read by the Mr Teggart’s Facebook friends, including some work colleagues. Although the female colleague about whom the comment was posted did not see it herself, she heard about it. In March 2012, the Northern Ireland industrial tribunal decided that Mr Teggart had been fairly dismissed. It did not matter that he actually posted his comments on Facebook in his own time and outside work. The tribunal said that Tele Tech had not infringed Mr Teggart’s rights to freedom of expression and privacy. The reasoning was that Mr Teggart abandoned any right to consider his comments as being ‘private’ when he posted them on Facebook. The right of freedom of expression must be exercised responsibly, and it did not give Mr Teggart the right to make comments which damaged his colleague’s reputation and infringed her right not to suffer harassment.

The difficulty for employers is balancing an employee’s rights against those of others (including other employees and the company itself). There have been cases when tribunals have decided that employers have got it wrong. An employer can be far more confident taking action to monitor, investigate and take disciplinary action against employees if there are clear written policies in place beforehand, so that everyone knows where they stand.

Here are some pointers:

  • The business should have a clear Internet and electronic communications policy for staff, which lays down the ground rules and explains the consequences of failure to comply.
  • Staff should be required to be familiar with the policy and warned that a breach of it will be treated as serious misconduct, which could lead to dismissal.
  • If employees are expected to work away from the office, they should be provided with a secure way of accessing the confidential information needed to get the job done. It’s a constant challenge to keep pace with IT, so that employees are not tempted to find their own practical shortcuts to get the job done. Many employers have invested in software like Citrix, to enable employees to securely log-in to their work desktop remotely. Some employers are now offering employees a downloadable “app” for their personal iPhones, so that they can also securely access their work emails from their phones. The aim is to enable employees to work flexibly (to maximise their productivity) whilst minimizing the risk to confidentiality.
  • If you want to monitor an employee’s use of emails and internet at work, the Employment Practices Code published on the UK Information Commissioner's Office's website is essential reading (www.ico.gov.uk). Do not assume that the company has the right to inspect all communications sent and received (and Internet content accessed) from the employee’s computer and Blackberry just because the devices belong to the company. If the company generally allows (or tolerates) employees using their work computers to send personal emails and to access social networking websites for personal use, there may be a legitimate expectation of privacy in respect of those activities.

If it is discovered that an employee has forwarded confidential information to their personal email account, the company will want to make sure that the information has not been misused or leaked. Often, an employer’s first step is to carry out an investigation (including a forensic IT investigation and an interview with the employee concerned). Then, the company may ask the employee to give written undertakings to confirm that the information has not been misused or disclosed to any third parties. The company can then decide whether disciplinary action is appropriate.

If the company believes that there may be company information stored on an employee’s personal computer or other device, it may wish to inspect those devices and delete the relevant information. This may form part of the disciplinary investigation. However, it is obviously not that simple because most employees will regard this to be a gross intrusion into their privacy. In reality, most of us store a huge amount of personal information and photographs on our personal computers, belonging to us and our families. Any proposed process for inspecting an employee’s personal devices must show respect for their privacy and property. Here are some tips on best practice:

  • Appoint an independent IT expert, who will inspect the employee’s devices only with their consent and under their supervision. Unless the employee gives their consent, the company is unlikely to have the right to inspect the employee’s personal devices without a court order.
  • The scope of the IT expert’s job should be very clearly defined and explained to the employee in advance.
  • The IT expert should enter into a separate confidentiality agreement with the employee, agreeing not to disclose to any third party information belonging to the employee.
  • In return for the employee’s co-operation, the company may be willing to indemnify the employee in respect of any damage to their device, software or personal data (including deletion).

This generation of staff has learnt how to multi-task so that we are almost constantly online. It seems that we are still working-out where the dividing line should be, between work and our private lives. The challenge for employers now is to help staff understand when it is appropriate to switch on and off from work, and when to keep them separate.

Author: Anne Hughes is a senior associate at Fox Solicitors. She advises employers, employees, partners and firms on their full range of employment and partnership law concerns.

Fox is a niche firm of solicitors specialising in the law relating to employment, partnership and discrimination. www.foxlawyers.com

•Date: 6th July 2012 • UK/World •Type: Article • Topic: Enterprise risk management

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here