Work and Play in the Age of Social Networking
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Remarks at the IAPP Knowledgenet Conference
May 12, 2010
Address by Elizabeth Denham
Assistant Privacy Commissioner of Canada
(Check against delivery)
Good morning. I’ve been asked to speak with you about social networking in the workplace. This is very much a live issue for many organizations – and it’s one that our Office has been grappling with for only the past couple of years.
Social networking has taken off in a way that no one could possibly have predicted.
Nine in 10 young Canadians now regularly socialize online. Sites such as MySpace, Facebook, Friendster, LinkedIn, LiveJournal, Twitter and Bebo have become incredibly popular ways for people to interact with each other online. Well over 40 per cent of Canadians are now on Facebook.
The fact that we’re seeing certain challenges involving social networking and the workplace is not surprising: We’ve got a lot of people living their lives online and a very big part of those lives is spent at work.
The Macmillan English dictionary has already officially recognized the word “dooced” – being fired because of something you have put in an Internet blog.
It seems to me that a big contributor to the problems we’ve seen in this area is the fact that there’s a significant divide between how employers and employees think about the workplace, privacy and social networking.
This morning, I’d like to offer some thoughts on how we can bridge this gap.
First though, I thought that – given the relevance to our main discussion – you might be interested in a short update on our Office’s investigation of Facebook’s privacy policies and practices.
Many of you will remember that our Facebook story began in 2008, when the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic filed a complaint with us.
The investigation was of unparalleled scope and complexity for our Office. We wrapped up the investigation last July and went public with our findings – and the fact that we had not been able to reach agreement on a handful of concerns.
Facebook had 30 days to respond to our recommendations. In the weeks that followed the release of our report, there were extensive discussions and negotiations between our Office and the company.
Finally, in late August, we were able to announce that Facebook had agreed to undertake comprehensive policy and technical changes to address our concerns. What’s more, Facebook pledged that those changes would apply across its global operations – extending the benefits to all 400 million users worldwide.
For us, the most important privacy issue related to the third-party developers of the million-plus games, quizzes and other applications that run on the Facebook platform.
We were extremely concerned that users who downloaded these programs were giving the unknown developers – in some 180 different countries around the world – practically unfettered access to their profile information – as well as that of their Facebook friends.
The company ultimately agreed to retrofit its application platform to prevent third-party application developers from accessing personal information until they obtain express consent from users for each category of information they’re seeking to access. Facebook said it would take a year to complete this retrofit.
Facebook also agreed to other changes that would offer users stronger protections for their personal information, and a more informed and meaningful say over how it is collected, used and disclosed.
In the months that have followed our resolution with Facebook, we’ve been monitoring their progress. While we have seen some very positive changes, the news has not all been good. The company has rolled out a number of changes which have been widely criticized as being privacy invasive.
In January, we received a new complaint, which we are currently investigating. Just last month, Facebook announced another series of major changes that we are reviewing.
What we’ve seen in the last few months represents a significant change in Facebook’s privacy philosophy. Indeed, Facebook CEO Mark Zuckerberg has suggested publicly that the social norm has moved away from privacy towards even more sharing of personal information.
Clearly, as a privacy guardian, we are going to have some concerns when people have fewer options to protect their privacy.
Our ultimate expectation is that people will be able to engage in social networking without relinquishing a meaningful level of control over their personal information.
PIPEDA and the Online World
Our investigation into Facebook provided an important side benefit worth noting.
It demonstrated the effectiveness of PIPEDA’s pragmatic principles-based approach. Building on previous court cases and investigations, this file showed that PIPEDA can apply to the commercial collection of personal information of Canadians by foreign entities, even if they are operating entirely online.
Web 2.0 is still a bit of a wild frontier. And while this frontier territory has found many effective ways to police itself, there are aspects, such as privacy protection, that simply demand the added force of real-world laws.
I would be remiss if I did not also say that we do believe that there is also an onus on individuals to look out for themselves – to be masters, so to speak, of their own data.
But in order to share only the information they want to share – and only with those friends they want to share it with – people need to be able to exercise a meaningful level of control over their personal information. That, in turn, demands that the site provide understandable information about its privacy policies and how to make the best use of privacy settings.
Our aim in dealing with all online companies is to underscore that, even when we choose to share portions of our lives with others online, we do not extinguish our rights to control our personal information.
And that is a point I will come back to a little later as we switch gears and turn to our main focus today – social networking and the workplace.
Overview – Social Networking and the Workplace
We’ve talked about how people around the world have embraced social networking as a way to keep up with friends – and make new ones.
Social networking has also become a tool for sharing ideas with colleagues. These sites have become an indispensible tool for professionals to keep up to date with what’s happening in their fields of expertise.
What we’re still trying to figure out is where to draw the line between personal and business. And some people are not doing a particularly job of this!
We’ve all seen the headlines about employees who have failed to figure out the business- personal cross-over ….
Slide: Health Canada employees goofing off online
This story is about dozens of Health Canada employees caught spending much of their time on the job surfing the web, checking personal e-mails, reading news, watching videos or playing online games.
Slide: Facebook Fired: 8 Percent of U.S. Companies Have Sacked Social Media Miscreants
Here, a young woman in the U.K. has written on Facebook about how much she hates her job and her boss. Unfortunately, she’d forgotten that she had added that same boss as a friend. Needless to say, he was not impressed and wrote back:
That “blankety-blank” stuff is called your job; You know, what I pay you to do. But the fact that you seem to be able to “blankety-blank” up the simplest of tasks might contribute to how you feel about it. And lastly, you also seem to have forgotten that you have two weeks left on your six-month trial period. Don’t bother coming in tomorrow.
Slide: Cabin Crew Fired Over Web Slurs
Virgin Atlantic fired 13 cabin crew members who had posted comments on Facebook. Apparently they had called passengers names and claimed the company’s planes were overrun with cockroaches. A Virgin spokesman was quoted as saying: "There is a time and a place for Facebook. But there is no justification for it to be used as a sounding board for staff of any company to criticize the very passengers who ultimately pay their salaries.”
Slide: Nurses fired for posting pictures of patient, sex toy online
I’ll leave it to the headline to tell this story …
Slide: Depressed woman loses benefits over Facebook photos
Here we have a Quebec woman on long-term sick leave from work who wound up having her benefits cut off over some photos posted on Facebook. She says an insurance agent told her the photos of her on a beach holiday and at a Chippendales bar show showed that she was no longer depressed.
Slide: MI6 chief's cover is blown by wife's holiday snaps on Facebook
Then of course, there’s the spy who came in from the beach. You may remember hearing about how the wife of the head of Britain’s Secret Intelligence Service posted their vacation photos onto Facebook – without using any of her privacy settings.
Slide: In your Facebook. Daughter of GM chief Fritz Henderson takes online revenge
Here’s what the daughter of ousted General Motors CEO posted on GM’s Facebook page after her dad lost his job. Her use of the F-word is prolific. Suffice to say, she signs off by promising to “never buy from this godforsaken company ever again.”
Slide: Dion's wife goes rogue?
Stéphane Dion’s wife also turned to Facebook to express her displeasure with the Liberal Party after it replaced Dion with Michael Ignatieff, who scrapped a deal to form a coalition with the Bloc and NDP. Her message – which wound up in the Globe and Mail – says the Liberal party "is falling apart, and will not recover" and goes on to blame "the Toronto elites" for this state of affairs.
Slide: More Employers Use Social Networks to Check out Applicants
What’s hard to find are the stories of all the people who didn’t get a job because a would-be employer checked out their social networking profiles. I suspect that’s become pretty common.
This little sample of the many, many stories out there offer us an idea of the range of workplace privacy issues related to the popularity of social networking sites ….
- The use of social networks by employers during work hours – and how this is monitored. A related issue is the possibility that the use of certain sites could increase the risk of malware and viruses being inadvertently downloaded into the workplace network.
- Employers screening job candidates by checking out their profiles on social networking sites.
- Bosses keeping tabs on what employees are doing in their spare time via social networking sites.
- Companies and bosses monitoring what employees are saying about them – and their customers.
- Another issue is that more and more companies are using social media to promote themselves online and to scan for what people are saying about their products. My own office is a big user of social media tools to get out our messages about privacy – we blog and we Tweet. This type of use likely doesn’t raise any privacy issues.
The Digital Divide
What we saw in many of the stories that I’ve just clicked through is a major disconnect between employee thinking and employer thinking.
Indeed, some very interesting research done by Ryerson University’s Privacy and Cyber Crime Unit – and funded through our Office’s contributions program – confirmed that young people and their bosses often view online privacy in entirely different ways.
The researchers surveyed young people and spoke to officials from a range of organizations. They found a significant “digital divide” between a generation of young Canadians and a generation of managers and executives for which young Canadians work.
Young Canadians believed in “network privacy” – that personal information is considered private as long as it is limited to their social network.
But managers believed information posted online is public and deserves no protection.
It seems to me that this divide has become more important as sites such as Facebook shift from what was originally often promoted as a closed, private environment where friends talk with friends towards an open environment linked to a multitude of outside sites and parties.
To the extent that users are not fully aware of this shift, there are implications for use of such sites in the workplace and by potential employers.
We see users misunderstanding the privacy risks in an environment that promotes disclosures because it feels intimate and is immediate. Many users still don’t appreciate the full ramifications of what can happen to personal information once it is posted online.
The fact that social networking is used for work and for fun further blurs the line of what’s acceptable – and can get people into trouble.
Let’s take a look at some of the specific issues more closely …
Using Social Networks at Work
Should an employer allow employees to use social networking sites at work?
Some companies block access to all social networking sites at work. A study for the IT staffing firm Robert Half Technology found that just over half of U.S. companies have banned workers from using Twitter, Facebook, LinkedIn and MySpace while on the job.
My personal take on this – speaking as a mother of four 20-something kids – is that the young people you’re trying to attract to your organization aren’t going to be particularly fond of that kind of policy. In their world, social networking sites are as essential a communications tool as the telephone.
However, there are clearly some risks.
One study found that employee productivity drops 1.5 percent at companies that allow full access to Facebook.
There’s also a growing concern about hackers using sites like Twitter and Facebook to infect computers with malware.
And if employees are freely using a social networking site at work, does it increase the risk that they will inadvertently share a corporate secret?
Finally, if an organization does allow employees onto social networking sites, will it monitor that use to ensure it isn’t interfering with work?
From a privacy perspective, what’s important is that you make clear to your workers what is allowed and what you will be doing to check on whether those rules are being followed.
Our Office has developed a fact sheet on Privacy and Social Networking in the Workplace that offers guidance on the issues an organization should be thinking about. The fact sheet is on our website.
A few points to keep in mind:
- Employees should know that, subject to existing workplace policies and rules, some organizations monitor their employees’ social networking sites.
- Employees should be aware that when using social networking sites in a workplace context — including a site hosted by their employer — their personal information can be collected, used and disclosed by the employer. This could include off-duty comments and postings about workplace issues or that may otherwise reflect on the employer.
- Employers should view tracking existing employees through personal or work-based social networking sites as a collection of personal information that may be subject to applicable privacy legislation in their jurisdiction.
Facebook Background Checks
Increasingly, our Office is receiving calls from Canadians who are concerned about the employer – or a potential employer - checking their Facebook profile or running their name through Google to see what comes up.
There’s actually a group on Facebook called, Employers Using Facebook as a Background Check is Wrong!!
Surveys of businesses do show that a rapidly growing number are now looking at Facebook profiles instead of simply relying on a CV and reference checks.
A 2009 U.S. poll found that 45 percent of employers reporting using social networking sites to research job candidates. More than one-third did not hire a candidate because of what they found online – inappropriate photos, references to drinking and drug use, or negative comments about a former employer.
The Personal Information Protection and Electronic Documents Act (PIPEDA) covers employee-employer relationships in the context of federally regulated sectors such as transportation and telecommunications.
While we haven’t yet investigated a complaint involving surreptitious social networking background checks, my feeling is that PIPEDA would prevent this kind of collection of personal information.
PIPEDA puts up some barriers both in terms of consent, but also with its accuracy principle.
Often employers don’t even tell candidates that these checks are taking place.
However, some organizations are becoming more upfront about this practice – and they are seeking consent. In some cases, they’re even asking permission to go looking for data that has been deleted from social networking sites.
Ian Kerr, a privacy specialist at the University of Ottawa, says some of his students applying for jobs at law firms are being asked to sign waivers providing consent to having those firms go look at the job candidates’ existing profiles. But the waivers also provide consent for third-party application providers to “scrape” information from a social networking site’s backstage. This would provide access to deleted information as well as data such as what the user has clicked on.
The power imbalance means a university student looking for her first job can hardly say no to a request like that.
A word of caution: Consent is not a magic bullet under PIPEDA. The collection must be reasonable. In other words, would a reasonable person consider it reasonable for the employer to look at a candidate’s personal profile in order to determine whether they are suitable for a job?
Using online searches to learn more about job applicants may become a problem if it substitutes for more formal and thorough reference checks.
Employers and recruiters should be aware that social networking pages may well contain inaccurate, distorted or out of date personal information about job applicants. They need to be cautious about relying on such information.
Employers and recruiters should also guard against using personal information gathered from social networking sites – or any other online source – in a discriminatory manner against a job candidate or existing employee.
Monitoring Employee Posts
All of those cautions also apply to any monitoring of existing employees via social networking sites.
Again, I would stress the need for employers to develop guidelines and codes of conduct related to the use of social networking sites. Specifically, employers should address:
- Whether the organization permits the use of personal or employer-hosted social networking sites in the workplace;
- If using these sites is permissible, in what context and for what purposes may they be used?
- Whether the employer monitors social networking sites;
- What legislation applies to the collection, use or disclosure of personal information in the workplace;
- What other rules may apply to the use of social networking sites in the workplace (collective agreements; other relevant legislation);
- The consequences of non-compliance with the policy; and
- Any other existing policies about the proper use of electronic networks with respect to employee privacy and handling confidential information.
Employers should inform employees in plain language why it’s important to keep some personal and corporate information – about themselves, their co-workers, clients and the organization – confidential or undisclosed.
Similarly, employers need to exercise judgment and abide by applicable privacy and other legislation if they decide to collect, use or disclose personal information from social networking sources.
A good, clear policy can also help to address that digital gap I referred to earlier – the vastly different perceptions of privacy that workers and their bosses may have.
Despite all of the horror stories we’ve heard about people being fired or disciplined for what they post online, there appears to be a continued lack of individual awareness about the nature of social networks.
There is nothing private about going online – a message we stress in our public education materials. Even if you use privacy settings (which many people don’t), what you post can be shared. It will be archived. It’s out there. It will be there for a long, long time.
The best advice I can offer to employees and would-be employees is this: If you don’t want your boss to see something, don’t post it.
Social networking information may seem transitory and informal, but once personal information is posted online it gains permanence — and can be circulated and searched by others.
Good judgment is crucial on an Internet that never forgets.
When I was talking about our Facebook investigation earlier, I told you that we were guided by the important principle that when we choose to share portions of our lives with others online, we don’t give up our right to control our personal information.
The same message applies within the context of social networking and the workplace – but there are obviously differences and more of a balancing act is required.
Workers are entitled to a private life. For the most part, what they do on their own time is private – and none of the boss’s business.
But I do think it’s fair to tell employees that there will be consequences for “private-time” activities which have a negative impact on an organization. Individuals have rights, but so do employers.
There needs to be a frank discussion between management and employees about the nature of these sites and the potential for workplace issues.
Workplace cultures vary – public comments by employees may be acceptable in one organization and not another. Management should not assume that employees will innately understand what is and is not OK to say online.
We’ve already made some progress on these still relatively new privacy issues – many organizations do have policies in place; many bosses are talking to their workers about what is and is not appropriate.
But it’s also clear that we’re not quite there yet. We are still trying to understand the new societal rules of the road in this new social networking world. Stay tuned.
- Date modified: