Facebook privacy has become a major issue in the workplace. Facebook has many benefits and many employees use it in the workplace. It is not just a social tool, and for many employees it is crucial to their work. But there are risks. Employers should carefuly manage the use of social media in the workplace, but at the same time ensure they do not infringe their employees privacy.
Manage the use of social networking websites by your employees properly
Employers may wonder whether they should allow social networking websites in the workplace at all. This is more a commercial question than a legal one. There are many benefits to allowing employees to use social networking websites at work. These websites are becoming increasingly important tools for businesses that deal with people.
- It allows employers and employees to screen one another before signing employment contracts.
- It can be used to help verify the identities of people dealing with each other online, which reduces the possibility of fraud.
- It lets your employees use their network of friends in ways that benefit your organisation.
But, there are also risks posed by social media. Foremost among them are:
- damage to an employer’s reputation (as occurred in these CCMA cases),
- employees divulging confidential information about their jobs, and
- employees spending their paid working hours doing personal things on social networking websites.
Whether the benefits of allowing these websites at work outweigh the risks depend on your organisation’s social media strategy. It may suit some businesses to embrace social media fully and train their employees to use it to promote their organisation and communicate with clients. However, it may suit other businesses to use technical means to block access to social networking websites during business hours. Employers need to adopt the correct approach to a Social Media Policy for their organisation.
Employers also need to manage their email properly and pay special attention to privacy and webmail services, like Gmail, to avoid other problems when dismissing employees for what they say in emails.
Interesting Decisions of the CCMA in South Africa
The CCMA has made two interesting decisions about whether it is unfair for an employer to dismiss an employee for posting intentionally offensive statements about their employer on a social networking website, like Facebook. The decisions are reported under Sedick & another / Krisray (Pty) Ltd
The employees in each case were fairly dismissed, because the Arbitrators held that their privacy had not been infringed when their employers accessed their Facebook posts. The employees had published the statements in the public domain by not restricting their Facebook privacy settings. The CCMA took the view that, their employers were entitled to intercept the posts in terms of South African monitoring law.
These decisions raise the question, how can organisations manage the use of social networking websites by their employees properly?
In the first decision, the employees (De Reuck and Sedick) were employed by a fashion accessories company (Krisray (Pty) Ltd) as an Operations Manager and Bookkeeper respectively.
The company’s Marketing Manager (Ms Coetzee) logged into her Facebook account and navigated to De Reuck’s facebook page, because she wanted to send her a friend request. She was able to see everything on the employee’s Facebook wall without being given access as a friend. This included posts by Sedick and other employees. She was also able to see everything on Sedick’s Facebook wall without being a friend.
Ms Coetzee found offensive comments about the company and its management in posts on the employees’ Facebook walls. Another employee referred to Ms Coetzee and her brother in a post as,
“2 dumb brats runnin a mickey mouse business”
Sedick referred to the Director of the company as,
“a very ugly man with a dark soul”
In the second decision, the employee (Fredericks) also worked for a fashion company, but in this case, as an Administrative Assistant.
The company’s General Manager (Ms Barkett) accessed the employee’s Facebook page, because she had been told about offensive statements posted there. She found the statements in posts by the employee, including some name calling.
The employees in each decision were dismissed by their employers because of the statements they posted on Facebook, but they took the matters to the CCMA to challenge the fairness of their dismissals.
In the first decision, the employees argued that they had not damaged the company’s reputation, because they had not directly referred to the company or anyone who managed it. But, Ms Coetzee argued that the references to the company and its management were obvious. The Arbitrator agreed with her, because the people who were reading the comments would probably have known what and who they were about.
Sedick claimed that she had restricted access to her Facebook wall and argued that Ms Coetzee could have only seen the posts ‘illegally’. She was implying that Ms Coetzee had accessed the posts by logging in as someone else who would have been given access to Sedick’s Facebook wall – in other words, a friend. But, Ms Coetzee had printouts showing that she could see everything on Sedick’s Facebook page (including the offensive statements) and that the ‘add Friend tab’ was still visible. This showed that the employee had not restricted access to her page in any way. So, the Arbitrator dismissed Sedick’s claim. De Reuck conceded that she had not restricted access to her Facebook page at all, but argued that her right to privacy had been infringed when Ms Coetzee looked at the posts.
In the second decision, the employee argued that her Constitutional right to privacy had been infringed when Ms Barkett looked at her posts. But, Ms Barkett argued that the posts could be seen by the general public and that they affected the company’s employees and key customers.
The CCMA’s understanding of Facebook
The Arbitrator in the first decision referred to the ‘Dummies Guide to Facebook’ and focused on how it related to privacy and the public domain. He said:
- Users make a personal profile and set their privacy options.
- Users communicate by posting and responding to messages on their own and each others pages (known as walls in the case of Facebook).
- ‘Privacy’ and ‘friends’ are connected because users can restrict access to their walls to only their friends.
- Posts by users who have restricted the content of their pages to only their friends can only be accessed after that user has received a friend request from another user and accepted it, and then only by that new friend.
- But, anyone can see anything on a user’s page if they have not selected any of the access restriction privacy options (this is important because it opens your Facebook page up to the entire world).
The Arbitrator in the first decision said he had to look at the posts the employees made on Facebook and who they shared them with to decide whether the employee’s rights to privacy had been infringed.
The Arbitrator in the second decision said that the employer had to prove that the employee had broken a workplace rule for the dismissal to be fair. The employer also had to prove that the rule was reasonable, the employee knew about the rule, the rule had been consistently applied by the employee, and the dismissal was the appropriate way of punishing the employee (this is important, because it emphasizes the importance of having policies in place that contain the ‘rule’ and for those policies to be rolled out properly to employees).
The Arbitrator in the second decision drew on the reasoning of the Arbitrator in the first decision. Both decisions were based on section 4(1) of the Regulation of Interception of Communication and Provision of Communication-Related Information Act, 70 of 2002 (RICA) and its definition of ‘intercept’.
Section 4 of RICA allows a person to intercept any communication as long as they are party to that communication, provided that they are not doing so to commit an offence. A party is said to ‘intercept’ the contents of indirect communication, like a public Facebook post, when they look at it (RICA defines ‘intercept’ as “the aural or other acquisition of the contents of any communication through the use of any means”).
The Arbitrator in the first decision held that Facebook is in the public domain by default because the Internet as a whole is in the public domain. But, Facebook members have options to restrict access to their personal page. Any person using the Internet was party to the communications in the posts because De Reuck and Sedick’s had put them in the public domain without privacy restrictions. The employees had accordingly waived their right to privacy in terms of RICA. The posts did serious damage to the company’s reputation in the public domain, because the employees were intentionally publishing offensive comments (insolent enough to justify dismissal) for junior people in the company, former employees and other people to read.
The Arbitrator in the second decision thought along the same lines. He said that anyone with a Facebook account could access another’s page and it is up to users to restrict access to their posts. The employee’s posts were available for the public to see because the employee did not restrict access to her page in any way. The employee knew that what she had posted on Facebook had damaged the reputation of the company and its General Manager in the public domain.
The Arbitrators in both decisions held that the dismissals were fair. The Arbitrator in the second decision went as far as to say that Fredericks had dealt with her employment problems in the wrong way by posting them on a social networking website.
The Arbitrator in the first decision ended off by saying: “If employees wish their opinions to remain private, they should refrain from posting them on the Internet.”
Our comments about Facebook Privacy
Whilst we agree with the decisions of the Arbitrators, we disagree with the way in which they reached those decisions. One could argue that RICA does not apply to these cases, because:
- There was no interception; and, even if there was,
- The messages were intercepted when they were ‘static’ (stored) and not ‘live’ (in the course of being transmitted in real-time).
Section 2 of of RICA contains a general prohibition on interception and reads, “Subject to this Act, no person may intentionally intercept or attempt to intercept […] any communication in the course of its occurrence or transmission.” (our emphasis). Section 1 of RICA defines ‘intercept’ as accessing the contents of a communication and making it available to“a person other than the sender or recipient or intended recipient of that communication”.
RICA only applies if there is an ‘interception’ in the first instance. There was no interception in these cases, because the employees made their messages available to the whole world by posting them on their Facebook walls without restricting their privacy settings. The employers were merely recipients of the messages when they read them. The messages were not made available to anyone other than their recipients, as required by the definition of intercept, because anybody could be their recipient.
The words “in the course of its occurrence or transmission” mean that the communication has to be intercepted in real-time, as it is being transmitted. Section 1(2)(a) of RICA reinforces that interpretation when it says that the Act only applies to an indirect communication intercepted, “in the course of its transmission”.
Messages on Facebook walls are clearly stored communications that have already been transmitted by the time people read them. So, it can be argued that RICA did not apply when the employers accessed the stored messages.
However, had the employees restricted their privacy settings to exclude their employers and had the employers intercepted the messages as they were being posted by some or other monitoring system, the question of monitoring would need to be considered.
Monitoring is generally not allowed under RICA, unless it falls into one of the exceptions, three of which are relevant:
- the person who intercepts the communication is party to it – this was the exception relied on by the Arbitrators in the two decisions to hold that the dismissals were fair, because the employees’ right to privacy had not been infringed;
- one or more of the parties have consented to the communication being monitored in writing – this exception may have been relevant to the Arbitrators, had the employees consented to monitoring in writing; or
- where the employer monitors in the course of business and follows important procedural steps prescribed in RICA (the so-called “business purpose” exception) – neither of the decisions relied on this.
It is lawful to intercept communications under any of these exceptions. So, any company that monitors its employee’s use of social networking websites using any of these exceptions will be acting lawfully. But, it is important for a company trying to rely on RICA to be able to prove that the monitoring fell under one of these exceptions after the fact. For more detailed reading on the subject see our post about complying with RICA. The courts will decide whether monitoring falls under an exception on a case by case basis.
There are many ways to ensure that monitoring your employee’s use of social networking websites falls under an exception.
The best way is to get your employee to consent to the interception of their communications in writing. This could be a standalone document or a clause in an employment contract. One of the major advantages of this way is that it allows you to make sure you are allowed to monitor stored communications.
If you did not get written consent up front, there are other ways that you can legally monitor communications by going through important procedural steps described in RICA. For more information on the ‘business exception’ see our post about the monitoring of communications.