14. ITAC HR Forum – Managing employee use of social media applications Dan Michaluk 17 September 2009
Editor's Notes
Thank Bruce
Thank Tanya
Hicks Morley
Management lawyers
I worked at a software company
So have developed a practice strong on information management and privacy

Here’s an outline of the presentation
Three parts
Lots of time…
Like questions
10 slides of substance purposely
Happy to entertain questions as we go

With prospective employees, the issue is about background checks
My view
When…
… information is related to suitability for the job
… not discriminatory
… the practice is fine
There are risks
So put in controls
This lists the key privacy issues
How many of you employ people in BC, Alberta and Quebec?
How many employ people in the federal sector?
Who knows why I asked?
Legislation is uniformly based on fair information practices
Here are the fair information practices background checks hit upon

Ontario employees have no statutory privacy rights!
Collecting publicly-available personal information is not unlawful under the common law
So are you home free?
NO!!!
This represents a human rights compliant hiring model
Application forms have no information related to a discriminatory ground (required in Ontario)
Can gather a little more context at an interview… but generally interview questions are structured to avoid gathering information about protected personal characteristics
Then you can do a background check
Collect information about prohibited grounds… but must go to an individual’s ability to conduct the essential job duties
Think about how this gets messed up if a line manager Googles candidates at phase 1?
Get all sorts of information, some linked to protected personal characteristics
How are you going to justify your decision?
You’ve “poisoned” your information base

So…
Here are the best practices
Sample criteria
- has the candidate made public comments about our industry?
- has the candidate made public comments about us?
Who thinks drinking and carrying around is relevant?
What kind of positions?

So what if you find something?
How many of you would hire the employee without discussion?
With discussion?
Let’s say you’re going to have a discussion
Before hire?
After hire?
Best is before
Gives a better argument that compliance with your expectations was a condition of employment
Memorializing the conversation in the contract/hire letter is prudent
Do you see why a policy might help?
Sheldon’s going to discuss policy

With current employees, the main issue is about misconduct
The easy cases are the ones where the only difference in the misconduct is the medium through which it is perpetrated
You all have policies
… to protect information
… to promote a discrimination and harassment free work environment
For some reason employees fail to draw the link
Draw it for them
Be fair
Be transparent about your expectations
This includes when you publish things to your 500 Facebook friends!

This is just a reminder that social media is only one information security risk
Should have a comprehensive risk-based approach to managing CI
Social media is probably a significant risk point now
It’s not hard to address
Listed other low hanging fruit
If you’re going to look at the currency of your policies look at how they address these things

Use me for example…
… I represent Hicks Morley
… I keep my own blog
… What if I gripe about the service I received at a company when a colleague is trying to land a big retainer?
… What if I comment on a client’s loss?
Two legal duties
- (Implicit) duty of loyalty and fidelity
- (Usually) express duty to avoid conflicts of interest
More “public” the job is the more chance for conflict
Policy will set general rules and specific approval procedures
Does anyone care to share examples?

June - application to certify a $600 million claim against CIBC dismissed
Court held that the claims could not proceed as a class
The compliance problem remains because the rules are strict… (Ontario)
… You must pay for “work”
… You must record hours of work
… You must pay OT for work beyond 44 hour threshold
… Doesn’t matter if you pay salary (imputed hourly wage above 44)
… Deeming rule… deemed to be work if it is performed even if not authorized
Policy based on presumption about control over work
Doesn’t fit the professional model well
But…
… Exemptions are narrower than you think
… True managers, IT professionals
There are others who think and behave as professionals, work independently and receive a salary who are not exempt

Why am I raising this in a social media presentation?
Is it work?
What do you think?
Highly contextual test…
More about whether an employer benefits
Failure to expressly assign is generally not a defence
Watch how your policies frame social media use
Is it a private activity that you are setting rules to abide by
Or are you creating something that will prejudice a claim that this is work
If it is work
Is the employee exempt?
Solution calls for monitoring of work… may not fit with use of social media

Anyone here from an ISP or telecom provider?
“Take downs” are a big deal now
Departing employees are often the culprit
Once they’re gone you have no contractual leverage over them
So the game changes
The stakes rise
My suggested approach…
… Make bona fide threats
… Make genuine threats and follow through
Credibility is especially important if you have an ongoing relationship with your antagonists