Posted by Daniel J. Solove
The frequent use of social media by employees has created a new domain of risk for employers – employees who reveal confidential or sensitive information or who otherwise say things that damage their institution’s reputation or create strife with their colleagues.
In the healthcare context, for instance, employees have revealed confidential information about patients on their blogs and social network profiles in a number of widely publicized incidents. According to a Boston Globe story, an emergency room physician posted data online about a patient. The physician thought that it was safe to post as long as she did not include the patient’s name. But others could identify the patient. There are numerous recent cases where hospital staff have posted photos and other information about patients online.
Despite the dangers, roughly two-thirds of hospitals still do not have a social media use policy, and I suspect a very large percentage lack any training about appropriate social media use by employees.
Beyond healthcare, another survey found that of all types of employers, only 23% have a specific social media policy; 17% have “informal guidelines” and only 10% have social media training for employees.
I recommend that employers should have a social media policy. Such a policy is important to provide clear guidance to employees about how they can avoid creating severe problems by their use of social media.
I also believe it is important to train employees about the dangers of inappropriate social media use. Employees might make anonymous comments and think they are untraceable. They don’t realize the severe legal consequences that can follow from disclosing confidential information or from spreading gossip and rumor about others. Good training can go a long way toward reducing the risk of employees making foolish mistakes with social media. A policy will not be effective unless employees know about it and understand the importance of following it and the consequences of not following it.
But before developing a policy or launching a training program, it is very important to be aware of the pitfalls.
When creating a social media policy, one might think that all that is required is to put down on paper some common sense rules. But many rules that seem quite sensible can actually run afoul of the National Labor Relations Act (NLRA). The NLRA, which deals with union activities, places certain limits on the kinds of policies and discipline employers can impose. The NLRA can apply to both unionized and non-unionized employers. Employers need to be aware of how to avoid trouble with the NLRA.
Under Section 7 of the NLRA, employees (whether unionized or not) have a right to engage in “concerted activity” to complain about workplace conditions and other issues pertaining to the terms and conditions of employment. An employer can violate the NLRA if it has a social media policy that will reasonably chill employees in exercising their Section 7 rights.
In August 2011, the National Labor Relations Board (NLRB) and the U.S. Chamber of Commerce issued reports. In January 2012, the NLRB issued a second report and in May 2012 it issued a third report. These reports contained summaries of several cases where employer social media policies were found to be overbroad and in violation of the NLRA. And in September 2012, the NLRB found that Costco’s social media policy was overbroad.
Although the cases don’t provide very clear rules for employers, they do provide some degree of guidance. The NLRA gives employees some latitude in saying vulgar and damaging things if pertaining to Section 7 activities. One key is that the expression must be part of concerted activity and not just an individual outburst. This means that employees who merely raise workplace gripes to friends or family aren’t covered. Employees must use social media to raise workplace complaints with other employees. Moreover, they must be complaining about the workplace terms and conditions. Merely insulting people or the company, or revealing confidential information, is not covered.
The most important takeaway from the NLRB guidance is that policies must be clear that employees may engage in Section 7 activities. Otherwise, broad language that restricts disparaging comments, defamatory comments, or vulgar comments might be construed by employees to apply to Section 7 activities and be deemed by the NLRB to chill such activities.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 600,000 followers.