25 Jul 2008
You have been poked, high-fived and had a ninja sent after you - Facebook, privacy and the workplace
Employers wishing to look at information contained on the Facebook profiles of employees or potential employees should keep in mind the limitations on the collection of personal information under the Privacy Act.
To limit the liability of the organisation for any misconduct carried out by employees on Facebook, employers should review relevant existing organisational policies to ensure that they cover Facebook usage.
For the uninitiated, Facebook is an extremely popular online social networking site where individuals can communicate with "friends". Facebook is just one of a number of social networking sites which use similar Web 2.0 technology; other sites include MySpace and Bebo. Communication on Facebook can take the form of sending a private message, posting a public message on your friend's "wall" or doing a range of actions such as poking, high-fiving or even sending a ninja. Individuals can include a large amount of content about themselves on their profile page, including photographs, contact information and updates about their activities. Users can also join groups of like-minded users to discuss common interests. Groups are as diverse as official sites of large corporations such as BP, Dell, and Vodafone or as quirky as the "Vegemite goes in the cupboard, not in the fridge" group. There are many groups which include content which could be construed as offensive, scandalous or possibly even defamatory.
Facebook has very sophisticated privacy options available to individual users. Individuals are provided with a range of options for who can see a profile and contact information. Access can be limited to no-one, only friends, friends of friends or to the public at large.
Issues for employers
Social networking sites are staggeringly popular and can easily engage users for a long period of time. The Sunday Times estimated that there are approximately 62 million users of Facebook worldwide who are each averaging 28 minutes a day on Facebook. This popularity obviously presents issues for employers as to how they control the time that employees spend looking at content such as photographs of cats eating imaginary corncobs on "The cats that play with invisible stuff appreciation group".
A number of companies have set up official social networking sites on Facebook for their staff to use. These sites are often accessed by direct invitation only and are accessible only by employees or ex-employees of that firm. Other organisational sites have what appear to be officially sanctioned groups which are open to all users on the Australian network. There are also unofficial sites created by employees of a particular organisation, not necessarily with that organisation's official sanction, for example "The *Unofficial* Department of Water Group" (WA).
While inter-organisational social networking has many positive benefits such as ease of information sharing, relationship building across teams and increasing staff morale, the danger for employers lies in the flipside of these positives, such as the sharing of the wrong type of information (such as confidential information or malicious gossip) and inappropriate social conduct such as bullying, harassment or even stalking.
Another issue is the use of Facebook by employers to screen appropriate job candidates or even snoop at the personal activities of existing employees. A poll published by the UK magazine Personnel Today stated that approximately 27 percent of companies in the UK check social networking sites for information regarding potential employees in the recruitment process.
The ease with which an individual, or friends of that individual, can post photographs or other personal information on Facebook has the potential to expose a range of personal material about a person that an employer would otherwise not be able to access. The impact that one's personal life can have on a person's professional profile, particularly in the face of material that is publicly available on the internet, has been given a lot of media attention recently when photographs that appeared on the Facebook profiles of members of the Australian swimming team were published by various newspapers. The photographs pictured swim team members drinking and partying. The swim team was the focus of media criticism in relation to the inappropriateness of these role models seemingly endorsing a culture of binge-drinking. Swim team members were asked by Swimming Australia to remove any potentially embarrassing pictures from their Facebook profiles.
Before snooping on an employee's profile, it is important to remember that such action would constitute collection of personal information under the Privacy Act 1988 (Cth).
For a Commonwealth Government agency, there are limits to such collection set out under Information Privacy Principles 1 - 3. Relevantly, under IPP 1, personal information should not be collected by unlawful or unfair means and should only be collected if that information is necessary for or directly related to a lawful purpose of the agency collecting the information. The collection of personal information may breach these obligations in some circumstances as the collection of information about an employee or potential employee may not be directly relevant to the recruitment and human resources functions of the agency.
This would depend on the type of information collected. Information regarding whether an individual has been chased by a werewolf or is a member of a group that likes fluffy, pink, stripy woollen scarfs would be unlikely to be construed as relevant to the functions of a collecting agency. However, information that an individual has been publishing information in breach of the Public Service Act 1999 would be relevant. Due to the questionable reliability of information published on Facebook, a potential issue may also arise under IPP 3 where an agency is under a duty to take reasonable steps to ensure that information collected is up to date and complete.
For an organisation which is covered by the National Privacy Principles there are similar limitations for collection of personal information about prospective employees. This limitation does not extend to existing or former employees due to the employee records exemption provided by section 7B of the Privacy Act. However, this exemption only operates in respect of acts and practices directly related to the employment relationship so employers should ensure that they only collect information from Facebook with a relevant nexus to the employment relationship.
Review relevant policies
Employers need to be aware of the existence of social networking sites and the possible implications that they pose for their organisation. We recommend that employers review their existing relevant policies, such as internet usage, privacy and confidential information and human resources policies to ensure that they cover this type of communication.
An employer may also wish to turn their mind to the issue of whether their organisation should have an official or unofficial group exist on Facebook or another social networking site and whether there needs to be access control extended to such a group. The group may also need to be monitored in order to ensure that inappropriate material is not posted.