A little birdy told me … A cautionary legal tale

Let’s imagine you work at a company called TFH. You’re a sophisticated company selling popular products (it really doesn’t matter what). You want a new salesman. You’ve interviewed a number of candidates. Your preferred candidate is Sam Starr. He has all the right academic and work experience credentials. You have told him he’s in, you’ve prepared an offer letter and are just finalising terms.
One evening at home, the telly’s boring and you land on Facebook. You decide to search for Sam on Facebook. You discover that he has no security settings on his Facebook page so you can see all of his activity and photos.

Is it appropriate to look?
The mere act of looking at Sam’s page, given he has no barriers in place, probably does not in itself cause any issues. The problem is what you do with any information you find out. What you have accessed is his personal data (which you cannot process without his consent or fulfilling some other legal ground justifying your actions) – and is quite possibly also sensitive personal data – which carries extra protection and cannot usually be accessed lawfully without specific express informed consent. Either way, the person has to know what you are going to do with their information on each occasion you may process it, in order to give valid consent to the data being used for those purposes.

You decide to have a look at the site and see several photos of Sam dressed as a woman.

What should you do?
Ah! That wasn’t quite what you’d expected. Now you wish you hadn’t looked. What if you decide to print a copy of the page and give it to your boss? What if you send a link to the page to the head office in Texas so that they can take a view on what to do next? Both responses would be processing sensitive personal data and would be unlawful. Breach of the Data Protection Act (DPA) can give rise to fines (payable potentially personally by directors of a company) of up to £500,000. In certain circumstances, the directors or officers of a company can have personal criminal liability. The Information Commissioner’s Office (ICO) which enforces the DPA takes a particularly dim view of sending data – without subject consent – to a jurisdiction abroad where safeguards may not be as stringent as within the EU.

The ICO produces an Employment Practices Code which gives guidance in all these areas but is, to put it mildly, a long read at 96 pages – available on www.ico.gov.uk.

ICO guidance is that vetting of this type should only be carried out in very limited circumstances with informed consent of the subject and having given the individual notice of this (see box of DPA issues).

The simple legal answer to this question is “do nothing”. Only in the most narrow circumstances could it possibly be justified to withdraw a job offer because a person is a cross-dresser (whether in the workplace or at home – and whether that person would formally classify themselves as transsexual or not).

You send an email to the US attaching a copy of the page with the line “OMG maybe we should think again; Sam seems to be Samantha at weekends…”

Aside from the DPA, if you chose to reject Sam having seen his page, you will clearly need to explain to him why he won’t get the job. Why have the positive noises suddenly gone quiet? Disappointed candidates will want to understand the reasons for their rejection. Whilst on Facebook this may be hard to track, if a candidate gets wind that your decision not to proceed was based on a “protected characteristic” – ie their age, disability, gender, marital status, sexual orientation, religion/belief, race/ethnicity/nationality they may well launch a claim for discrimination under the Equality Act, for which potential damages are uncapped. The email here would need to be disclosed in any proceedings and is perfect evidence for a disgruntled candidate that their lifestyle – maybe their sexuality – was the reason for the rejection.

What if you tell recruits that you may check social media sites as part of the recruitment process?
That’s a step in the right direction, but you would also need on your application forms to make clear what may happen to information you obtain as a result of those searches.

In the end, any search of this kind – whether with the subject’s consent or not – is fraught with legal risk. Obtaining candidate consent may look like a fairly offputting bit of small print. Candidates with, for example, unusual lifestyles or strong religious beliefs/practices may be deterred from applying as they would not want an employer to see personal information about them, and may suspect that it would affect a recruitment decision. If a person did apply but was rejected, knowing that you had looked at social media sites may well lead the candidate to conclude that the rejection was for a personal reason – which often translates into legalese as a discriminatory reason.

You do eventually offer Sam the job and he accepts. He starts work and is a star performer, far outdoing other salesmen in his team. He has brought in a lot of money to the company. However, one day Sam’s manager comes to see you and says that Sam spends a huge amount of time during working hours on the internet and that his colleagues are finding it irritating. You ask your IT team to look at the records and it appears that Sam is spending over two hours every day looking at his Facebook page and posting messages on Twitter.
Was it right to ask IT to monitor? How much is too much? What if it’s not affecting his work product, but is having an impact on the working environment?

IT may monitor internet usage to ensure compliance with legal obligations (eg to check employees are not visiting unlawful sites and, arguably, to ensure they are fulfilling their legal contractual obligations to get on with the job in working hours). To give maximum flexibility, you should have an IT policy which includes a provision allowing for monitoring at any time and tells employees clearly that browsing on work equipment may not be private. You should also put firmly off limits any browsing of potentially offensive material – not just because it’s inappropriate usage but may also be seen by colleagues on screens or printers (uh-oh – paper evidence).

Many companies physically block access to social media sites during working hours, or entirely, on work IT equipment. A policy spelling out what is and is not permitted is a first step to ensuring good order but must be consistently applied to be credible. An employee who is disciplined for abuse of IT resources and wasting company time – as Sam may be – could legitimately push back on a disciplinary sanction if the CEO, who is subject to the same policy, is known to watch the cricket online on summer afternoons.

Bear in mind that any modern IT policy worth its salt must encompass personal IT kit such as iPhones, iPads, iPods, BlackBerries, etc. The most draconian environments may ban employees from using these at all in the office (although bear in mind that employees may need to be contacted in emergencies, so if you don’t allow personal kit to be used, you may have to be more relaxed about personal use of company equipment), or restrict their usage to a bare personal minimum. Policies may allow personal kit to be used for business, in which case you will need to ensure you have monitoring control to protect confidential information and check your trade secrets have been expunged at the expiry of the employment relationship.

Savvy salesmen may use Twitter, Linked-in and Facebook to win business – in which case the dividing lines should be spelt out even more clearly as to what is and is not permitted. Time limitations are unlikely to assist – it will be the substance of the usage and the power to monitor and control this – which will be key.

When you look at Sam’s tweets, you see that most of them are derogatory comments about TFH, his manager and other colleagues. In addition, he aims a lot of comments at one of his female colleagues, Sophie – these are complimentary rather than derogatory.

What should you do?
If you have a robust IT policy, Sam should understand that his tweets and Facebook postings are not private and can be viewed by others, including his colleagues and, potentially, customers. There are significant issues in relation to bringing the company into disrepute as well as a potential breakdown of trust and confidence between Sam and TFH – both of which could (and arguably should) be relied upon to take disciplinary action against Sam.

In relation to the tweets about Sophie, it is likely that TFH would be vicariously liable for Sam’s actions in any potential harassment claim brought by Sophie. Even if Sam is tweeting on his own time (and hopefully without instructions from his bosses), his behaviour could be deemed to be within the course of his employment, putting TFH squarely in the frame. In order to minimise its risks, TFH should take prompt action against Sam and make it clear to him that his behaviour is not acceptable.

Next time…. Sophie hears about the tweets and wants Sam fired…. TFH gets some unwelcome interest on YouTube following an employee planking prank.… TFH has to make redundancies and has a dilemma about how to break the news…. Sam pockets his redundancy pay and takes his Linked-in client list to a competitor….