Privacy and the Social Networking Revolution
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Remarks to employees of the Bank of Canada
September 9, 2008
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Social networking sites can be a wonderful way to connect. They help us to keep up with friends; share ideas with colleagues in our fields of work; and trade information with people who share the same hobbies and interests.
To describe the growth of social networking sites such as Facebook and MySpace as “dramatic” seems an understatement.
Facebook was launched only in 2004, but at last count had well over seven million active users in Canada alone. Around the world, active Facebook users double every six months. Nine in 10 young Canadians now regularly socialize online.
These sites have become an indispensible tool for professionals such as economists to keep up with their subject expertise. In fact, you run the risk of becoming out of date if you don’t follow and participate in online discussions.
My own Office uses a blog to encourage this kind of debate about privacy issues. I know the World Bank and International Monetary Fund also have blogs which allow users to post comments.
Along with the many benefits they offer, social networking sites are also raising important privacy issues – and will no doubt continue to do so as they evolve over the coming years.
One key issue is where to draw the line between personal and business.
As employees, we need to be mindful of our obligations to our organizations when we comment on online blogs or post information on our profiles. What we say online – even on a Saturday or Sunday – can have implications in the workplace. This is no doubt particularly true if you happen to work for a central bank.
More and more often, we see people getting stung by the privacy perils implicit in going online with their personal lives – not to mention the personal lives of others.
A social revolution is underway and we are still struggling to figure out the appropriate rules of engagement in this new digital age.
They say that what happens in Vegas stays in Vegas. But, as one newspaper columnist recently wrote, the same can definitely not be said of social networking sites. What happens on Facebook or MySpace often doesn’t stay there.
Personal information posted to these kinds of sites often winds up being used in unexpected ways. Would-be employers, bosses, parents, teachers, university administrators and others are using social networking sites to check up on people.
And this is coming as a surprise to people who assume that what they post is private. People have been fired, missed out on job interviews and academic opportunities, and been suspended from school for instant messages, wall posts and other messages they mistakenly thought were like private conversations with friends.
A few headlines offer a picture of the kinds of things that are happening …
- A young mother in the UK signed up with a social networking site as a way to share family photos and news with friends. She didn’t realize that her profile was available to anyone within a three million-member London network. Her photos and personal information wound up being posted to a sex website.
- A judge was apparently appalled when he was presented with photos of a young man charged in a serious drunk driving crash enjoying a Halloween party in a prisoner’s uniform labelled “Jail Bird.” The prosecutor used the photos – taken from a social networking site – to portray the U.S. college student as unrepentant. It didn’t help the young man’s case that the photo was taken while a woman seriously injured in the crash was still recovering in hospital. He was sentenced to two years in prison.
- A first-year computer engineering student faced disciplinary action after officials at Toronto’s Ryerson University discovered he’d been running a study group on a social networking site.
- Oxford University administrators have also logged onto social networking sites in search of evidence to discipline students for over-exuberant partying.
We have also seen cases where what’s posted online on personal time winds up having a major impact in the workplace.
In fact, we already have an English word to describe being fired for an online activity. The Macmillan English dictionary defines the word “dooced” as “having lost your job because of something you have put in an Internet blog”. The term was coined by a Los Angeles web designer who lost her job after writing about work colleagues in her personal blog.
We have seen a number of cases, in Canada and elsewhere, of people getting fired or facing disciplinary measures for their online activities.
In British Columbia, a principal got into trouble after posting naked holiday photos of himself to the Internet. The mother of a student at his school had stumbled across them and took offence.
Several young employees at the Farm Boy grocery chain were fired after posting derogatory comments about the stores and its customers online.
Meanwhile, recruits with the Canada Border Services Agency got into trouble after posting photos of themselves drinking in uniform and making highly inappropriate comments related to their jobs.
I’ve heard it said that the online world brings new meaning to “letting it all hang out.”
A number of the CBSA employee postings were too offensive to share. But to give you a flavour of the types of things posted, here are a couple of examples:
- One recruit posted her answers to a personality test – admitting that she’d cheated on a test; smoked pot; and “felt like killing someone.”
- Another posted a photo of a gun he expected to use on the job.
All of this became public when a former border guard called up the CBC. The whistleblower was disgruntled because he hadn’t been kept on by the CBSA – he complained to the CBC that he’d been passed over in favour of younger, cheaper recruits.
These kinds of postings are clearly not something an employer wants to see – and certainly not splashed all over the national news.
In the old days, a disgruntled employee would go to the bar to let off steam about a bad boss, a company decision or a difficult customer. A few people heard the complaints and that was the end of it.
Enter the world of social networking. Workplace complaints now get aired online – available for anyone, anywhere in the world with an Internet connection to see. What is posted can be seen by co-workers, bosses, people you do business with from other organizations, clients and so on. There is a very real potential of signification damage to the reputation of an individual or an organization.
As I said earlier, the popularity of social networking sites it blurring the line of where the personal ends and business begins.
The challenge of addressing the new workplace issues raised by social networking sites is made more difficult by the fact that young people and their bosses often view online privacy in entirely different ways.
This point was made clear in new research conducted by a team of researchers at Ryerson University’s Privacy and Cyber Crime Unit and funded through my Office’s contributions program.
The researchers surveyed young people and spoke to officials from a range of organizations. They found a major disconnect – a new digital divide – between a generation of young Canadians and a generation of managers and executives for which young Canadians work.
Young Canadians believe in “network privacy” – that personal information is considered private as long as it is limited to their social network. But organizations believe information posted online is public and deserves no protection
Another interesting finding is that online “socialisers” are for the most part oblivious to the risks – including career risks and identity theft – to which they are exposing themselves.
The researchers noted that, for organizations, the policy direction regarding social networking is “still quite murky.” For the most part, organizations do not have policies, practices or guidelines in place that explicitly govern the use of online social networks by their employees.
After reviewing their survey results, the Ryerson researchers developed a number of recommendations for organizations. These include:
- Develop an understanding of online social networks and their role in the culture and communication behaviour of young Canadians.
- Develop clear rules and guidelines about the use of online social networks at work and home based on principles employees will accept.
- Support these policies with appropriate tools and enforcement.
- Do not actively seek information from online social networks for recruitment and selection processes.
We are beginning to see organizations react to the issues raised by social networking.
Guidance for Employees
In the federal public service, employees must respect the Values and Ethics Code for the Public Service, which says they must “arrange their private affairs so that public confidence and trust in the integrity, objectivity and impartiality of government are conserved and observed.”
Some departments have also adopted their own employee conduct codes offering more explicit guidance on off-duty conduct and other issues. Under the Federal Accountability Act, all federal departments will have to develop their own codes of conduct.
Treasury Board is currently developing a code of conduct framework, which is expected to be ready by the end of this year. Departments will then be able to use the framework to develop their own codes.
The framework is an opportunity for Treasury Board to offer some explicit guidance on social networking to departments.
I understand the Bank of Canada is an independent entity and that you develop your own policies on issues such as ethics. However, your organization would undoubtedly be interested in what Treasury Board develops.
Bank of Canada employees – like federal public servants – are serving Canadians.
You have a responsibility to manage your personal affairs in a way that avoids real or perceived conflicts of interest or harms public confidence in your organization. You also have a responsibility to ensure you do not create the impression that a personal comment is the official position of your organization.
The CBSA is one of the federal departments which has already developed a code of conduct for employees. It advises that, while off-duty conduct is usually a private matter, it could become a work-related matter if, for example, harms the agency’s reputation.
The media reports on the online behaviour of CBSA recruits prompted the Agency to provide employees with more specific guidance on what is and is not acceptable when they go online, even in their personal time. The guidance included a reminder that “inappropriate behaviour by employees on such web sites could result in administrative and/or disciplinary action.”
The social networking phenomenon is a new issue for employers and many organizations are only beginning to consider how to respond.
It would be impossible for any guideline to list every single type of posted comment that is and is not acceptable, but this kind of guidance offers employees something to think about when they are online.
By way of example, IBM was one of the first companies to offer employees some guidance on appropriate conduct when social networking. Among the points it makes are:
- Don’t provide the proprietary information of IBM or another company.
- Ask permission to publish or report on conversations that are meant to be private or internal to IBM.
- Make it clear that you are speaking for yourself and not on behalf of IBM.
- Be aware of your association with IBM in online social networks. If you identify yourself as an IBMer, ensure your profile and related content is consistent with how you wish to present yourself with colleagues and friends.
The British government also recently issued employee guidelines on online postings when discussing government business. I found one piece of advice particularly helpful: “You should participate in the same way as you would with other media or public forums such as speaking at conferences. “
Creating a Policy
It seems to me that it is a good idea for organizations to help their employees understand the potential workplace consequences of what they do on the Internet.
Guidelines should be as clear and specific as possible about the organizations expectations about employees’ behaviour online.
Organizations should also be transparent about how they will monitor employees’ online behaviour.
The guidelines could also describe the consequences for posting something which, for example, could be damaging to the organization’s reputation.
A policy which is upfront and clear should eliminate a majority of problems.
Striking the Right Balance
I am a strong supporter of freedom of speech and I am – obviously – passionate about people’s right to privacy. For the most part, what people do on their own time is private – and none of the boss’s business.
But I do think it’s fair to tell employees that there will be consequences for “private-time” activities which negatively impact on an organization. Individuals have rights, but so do employers.
That said, there is no need to over-control what employees do outside of working hours. People have a right to a life, which may well include time spent on social networking sites.
Organizations need to carefully consider how they are going to monitor the online postings of their employees. They need to respect people’s right to privacy.
It would be unreasonable, in my opinion, for a boss to routinely check on what employees are posting on their social networking pages. An organization that actively monitors all of the Internet activities of its employees clearly has too much time and money on its hands.
However, it probably would be appropriate for a boss to go take a look at a profile if a potential problem that involves the organization is brought to her attention. An organization must protect its reputation.
A related issue is the monitoring of how much time employees spend looking at social networking sites while at work. Productivity issues are obviously a concern to organizations.
While we have not dealt with a complaint dealing with this kind of monitoring, I think some of our investigative findings in other types of cases could apply here.
For example, we’ve told companies thinking about installing video cameras other surveillance measures in the workplace to consider a four-part test:
- Is the monitoring demonstrably necessary to meet a specific need?
- Is it likely to be effective in meeting that need?
- Is the loss of privacy proportional to the benefit gained?
- Is there a less privacy-intrusive way of achieving the same end?
If you do monitor the sites employees are looking at and how much time they spend there, you should tell them.
Workers do not check their privacy rights at the office door. Workplace privacy is an important part of the basic autonomy rights of individuals.
Some surveillance in the workplace is required – and is acceptable. Employers have the right to know whether workers are doing the job they are paid to do.
Still, employers must find ways of weeding out the bad employees without shattering the dignity and privacy rights of the good employees – who make up the vast majority of the workforce.
There appears to be a lack of individual awareness about the nature of social networks. There is nothing private about going online.
Even if you use privacy settings (which many people don’t), what you post can be shared. It will be archived. It’s out there. It will be there for a long, long time.
The best advice I can offer is this: If you don’t want your boss to see something, don’t post it.
This rule of thumb obviously applies to anything work-related – such as photos of someone drinking while in uniform or criticizing the organization they work for.
But I also think people need to consider the potential implications of posting other types of material which aren’t covered by a workplace code of conduct but might reflect badly on them and potentially harm their career advancement. Good judgement is crucial.
My Office is working to help people avoid privacy problems by providing guidance on protecting personal information on social networking sites.
Our new youth privacy site offers practical advice.
Social networking sites can be an extremely useful tool for any organization in the business of knowledge transfer. They can help generate ideas and discussion. For example, they can help economists at the Bank of Canada exchange ideas with academics and economists with other organizations. There are a lot of advantages.
However, there also needs to be a frank discussion between management and employees about the nature of these sites and the potential for workplace issues.
Workplace cultures vary – public comments by employees may be acceptable in one organization and not another. Management shouldn’t assume that employees will innately understand what is and is not Okay to say online.
Social networking is a new phenomenon. We’re still trying to understand the new societal rules of the road in this new world. This is an issue that is not going to go away.
- Date modified: