Monitoring Staff Use of Social Networks: The Human Rights Implications


According to a recent FOI request made by BBC Radio 5 live, last year there was a rise in the number of UK council staff suspended after being accused of breaking social media rules. Many employers, both in the public and the private sector, now monitor staff use of social media within the office environment. The possibilities are endless but care must be taken not to overstep the legal limits.

All employers have to respect their employees’ right to privacy under Article 8 of the European Convention on Human Rights (ECHR).  This means that any surveillance or monitoring must be carried out in a manner that is in accordance with the law and is necessary and proportionate (see Copland v UK (3rd April 2007 ECHR))

A January 2016 judgment of the European Court of Human Rights show that a careful balancing exercise needs to be undertaken when applying the law (Barbulescu v Romania (application 61496/08). In this case, the employer had asked employees such as the applicant to set up Yahoo! messenger accounts for work purposes. Its policies clearly prohibited the use of such work accounts for personal matters. The employer suspected the applicant of misusing his account, so it monitored his messages for a period during July 2007 without his knowledge.

The employer accused the applicant of using his messenger account for personal purposes; he denied this until he was presented with a 45-page printout of his messages with various people, some of which were of an intimate nature. The employer had also accessed his private messenger account (though it did not make use of the contents).

The applicant was sacked for breach of company policy. When he challenged his dismissal before the courts, his employer relied on the print out of his messages as evidence. He argued that, in accessing and using those personal messages, the employer had breached his right to privacy under Article 8 ECHR.

The Court accepted the applicant’s privacy rights were engaged in this case. However the employer’s monitoring was limited in scope and proportionate. It is reasonable for an employer to verify that employees are completing their professional tasks during working hours. Key considerations were:

  • The emails at the centre of the debate had been sent via a Yahoo Messenger account that was created, at the employer’s request, for the specific purpose of responding to client enquiries.
  • The employee’s personal communications came to light only as a result of the employer accessing communications that were expected to contain only business related materials and had therefore been accessed legitimately.
  • The employer operated a clear internal policy prohibiting employees from using the internet for personal and non-business related reasons.
  • The case highlights the need for companies to have a clear internet and electronic communications policy and the importance of such a policy being communicated to employees.

When monitoring employees, the employer will inevitably be gathering personal data about employees and so consideration also has to be given to the provisions of the Data Protection Act 1998 (DPA). The Information Commissioner’s Office’s (ICO) Employment Practices Code, includes a section on surveillance of employees at work. In December 2014, Caerphilly County Borough Council signed an undertaking after an ICO investigation found that the Council’s surveillance of an employee, suspected of fraudulently claiming to be sick, had breached the DPA.

Compliance with the DPA will also help demonstrate that the surveillance is human rights compliant since protection of individuals’ privacy is a cornerstone of the DPA. Of course the data protection angle will bite harder when the new EU Data Protection Regulation comes into force in 2018. Failure to comply could lead to a fine of up to 20 million Euros or 4% of global annual turnover.

Act Now has a range of workshops relating to surveillance and monitoring both within and outside the workplace. Our products include a RIPA polices and procedures toolkit and e-learning modules.

Data Protection, the Law and Social Media: Keeping Your Boat Afloat

 [ File # csp10560861, License # 2907340 ]
Licensed through in accordance with the End User License Agreement (
(c) Can Stock Photo Inc. / buchachon

Paul Gibbons writes…

Social media have been good for me. Without my FOIMan blog and Twitter feed, I would never have been asked to deliver training for Act Now Training, or indeed offered many of the wonderful opportunities that have come my way in the last few years. I’ve made a whole new career off the back of them. Not only has my profile been raised by my use of these tools, but I’ve been able to learn from a whole range of knowledgeable people online – expanding my awareness and horizons way beyond anything I’d have considered possible just five years ago.

But even if I remove my FOIMan cape for a moment, social media has had a significant impact on me. I keep in touch with old friends via Facebook. My CV is widely available to hundreds of business contacts via LinkedIn. Before I book a holiday or dine out, I check Trip Advisor. If I want to know how decisions are made by my local council or indeed the Ministry of Justice, I can submit an FOI request via WhatDoTheyKnow. With an election on the way I can find out my MP’s voting record by consulting TheyWorkForYou, and perhaps write to them to ask what their position is on a particular issue. If I feel particularly strongly about that issue I might add my details to an online petition. Social media in their many forms pervade our lives. Many of us would be lost without them.

And it’s not just individuals that are becoming reliant on it. These tools provide novel ways to engage with the people who use them. Businesses have not been slow to exploit them for marketing and public relations purposes. Politicians – often accused of being remote from their electorate – have, with varying success, used them to speak directly to parts of that group. Academics conduct surveys, then disseminate their research, both via social media. A recent study found that 40% of students use social media as their primary form of communication with lecturers. Journalists also use it to research and report on stories. No television broadcast is complete these days without a hashtag allowing the viewers to interact. The police have used them to investigate or prosecute criminal acts. Central government encourages civil servants to embrace Twitter as a tool to communicate about public policy and gain insights into people’s reaction to it. Local government too, has found social media a productive way to interact with local citizens. We’re only beginning to see the ways in which social media can benefit our businesses, government, work and lifestyles.

However, as with most things, there are downsides. There are the trolls lurking not under a bridge but under assumed names on Twitter, ready to spread their malice. It’s easy to get carried away and post in haste – repenting at our leisure. Just as social media can make careers and boost reputations, it can destroy them overnight. It empowers individuals, and many companies and public bodies have been keen to use it to give a human face to their corporate image. But those same individuals can use it intentionally or not to disfigure that public face. They can disclose confidential information more easily, expose the business to liability for breach of copyright or defamation, and breach the Data Protection Act by discussing personal matters relating to clients, customers or colleagues.

Don’t believe me? Take the social worker who posted information on Facebook about a child protection court case she was involved in, potentially allowing the family to be identified. Or the companies at the centre of Twitter storms. Or sued for using a photographer’s images without permission. In a recent post on my FOIMan site, I highlighted an academic who posted internal correspondence relating to an FOI request on WhatDoTheyKnow, in the process potentially damaging the institution’s reputation, relationships with their colleagues, and almost certainly causing their employer to breach the Data Protection Act’s first data protection principle (to handle personal data fairly and lawfully) in the process. Even those organisations whose employees should know better have had to take disciplinary action: between 2009 and 2014, 519 disciplinary actions were taken against police officers for social media related transgressions, and the Crown Prosecution Service reported that nine of its staff had been disciplined for similar reasons over that period. Not for nothing has the Ministry of Defence warned its employees that “Loose Tweets Sink Fleets”.

The temptation in the face of this litany of institutional and individual disaster is to adopt the ostrich position. Ban your employees from using social media altogether. Avoid their corporate use. This won’t work. For a start, you will miss out on all the benefits highlighted at the start of this piece and more. But besides, it’s way too late for that. Pandora is not just out of the box but is running the show. You could impose contractual obligations on your staff requiring them not to use social media, or at least not to discuss their work there. If you do though you may find yourself losing staff who choose to work for a more progressive employer. In any case, it may be too late, as the Kent Police and Crime Commissioner discovered when she appointed a 17 year old to the post of Youth Police and Crime Commissioner.

You can’t stop your customers or the public writing about you on social media, but if you’re not using it, you’ll only find out what they’re saying about you too late. You’ll have no way to react to adverse comment online save through the traditional media which may not go to press until your business has collapsed clothed only in the tatters of its reputation.

So if you can’t avoid the risks of social media altogether, what can you do? The next best thing is to mitigate those risks. Like any other tool that you use, you need policies setting out acceptable use. You need to secure your most valuable and sensitive information. You need to raise awareness of your policies and legal restrictions so that your employees understand what they are allowed (or even encouraged) to do using social media, and also what they shouldn’t do – and what the consequences of doing it will be.

Where can you find out more about the risks that social media poses to your organisation? Or indeed the opportunities it offers? What should you include in a social media policy? Do you need to keep records of your social media use, and if so, how?

Well, social media itself will offer many solutions if you’re brave enough to jump in. But if you want a guide, my new training course on Data Protection, the Law & Social Media will provide answers to the questions above, and will point you to resources to help your organisation and its employees use social media effectively whilst avoiding the pitfalls. The course runs for the first time in Manchester on 20 April, and in London on 22 April 2015, and can also be run as an in-house course for your Data Protection, Communications and other staff. Get in touch with Act Now Training now for more details or book through their website.

How not to write a social media statement.

It’s the coming thing – having a social media policy. Cases such as Wetherspoons vs Preece illustrate the value of having one but there’s good ‘uns and inevitably bad ‘uns.

A family member recently accepted a job in a ski-ing company and they included the following in their T & Cs about Social Media. What do you think of it?

So a young person who’s going out with his mates for a few beers after work needs to seek legal advice before letting alcohol pass his lips in case he says something he wasn’t planning to say about his employer.

You can imagine two young thrusting lawyers sitting in  a bar.

  • “What’s your line then?”
  • “I look after unwittingly defaming people on social media”
  • “Business good?”
  • “Never better”

Do you commit libel? Sounds a bit strong.., Do Drivers commit speed? Do shoplifters commit shoplifting.

How can you tell you’ll unwittingly do something? Or to  really screw it up how can you tell you’ll wittingly do something?

You can’t express your views while you are employed by this company (but it’s only seasonal so by Easter you can say what you want again (Err… no. This contract forbids you from speaking out for the remaining 75 years of your life (my family member is one of those lucky people who will live to be 100)

The final sentence is just plain bizarre. I’d better not sign this contract in case I’m in breach of it…

Who writes this rubbish? I know, of course, but I can’t possibly tell you as I might unwittingly say something I might regret for nearly a century.

%d bloggers like this: