Home

Think twice before you tweet

By Samiksha Singh, Director, Employment, Cliffe Dekker Hofmeyr

 

In the age of social media, the line between business and personal interests is blurred and it has become increasingly important to evaluate the potential consequences not only on your personal profile but also on the profile of the brand, institution or company that you associate yourself with.

 

Social media has recently been set ablaze with controversial and inappropriate remarks and the consequences have been far reaching.

 

In the employment context, while there are several cases which confirmed the fairness of dismissals of employees who made disparaging comments about their employers or colleagues on social media, the recent events raise the question as to whether an employee can be appropriately disciplined and possibly dismissed for making inappropriate remarks on social media even if the remark is not related to his or her employment.

 

Can inappropriate conduct on social media, which is not related to the employment of the author, constitute misconduct outside the workplace?

 

While it may not be the conventional nature of an act of misconduct, the age of social media and technological advancement has changed the way in which we communicate and engage with other individuals and with the public. In his South African Social Media Landscape Report, 2014, Arthur Goldstuck, states that:

 

“Employees active in social media are becoming brand ambassadors for their respective brands, often outperforming the brands themselves on social media…”

 

It is important to note that the ‘brand ambassadors’ of a company are not confined to a list of the marketing and public relations employees of the company but every employee of the company becomes a brand ambassador as they in some way or the other publicly display their association with the company. For instance, employees who update their Facebook or LinkedIn profiles to indicate their employment with the company, display their association with and are brand ambassadors of the company much in the same manner as employees who deal directly with customers and the public as outlined in the course and scope of their employment.

 

Accordingly, while employees should ensure that they positively influence public perspective in order to take the brand of their employer forward, employers must take proactive steps to ensure that they are protected from any actual or potential reputational damage caused by inappropriate or unsavoury remarks made by their brand ambassadors. The moment that a comment or remark is posted online, there is no turning back. Posts can be shared instantaneously and screen shots of posts are generally saved for future use. Therefore the ability to delete unsavoury posts and even the author’s account, does not create a guarantee that the actual post will be deleted from virtual or actual reality.

 

According to many of the UK Judgments relating to social media misconduct, the Courts have held that it is not necessary to prove actual damage to the reputation of the company, but that it will be sufficient to show that certain remarks have the potential to cause reputational damage.

 

There are no reported Labour Court judgments in South Africa which deal with the dismissals related to online misconduct outside the workplace. Our Courts will therefore look to the precedent set by the tribunals and Courts in the UK and the decisions by the UK courts will set the trend on how our Courts deal with this new but rapidly advancing issue.

 

In the case of Weeks v Everything Everywhere Ltd ET/2503016/2012, the UK Employment Tribunal was required to deal with an unfair dismissal dispute which arose out of the employee’s misconduct on social media. While the misconduct related to comments about the employee’s workplace and colleagues (these similar cases have already been dealt with by the CCMA in South Africa), the Judge made an important comment about privacy and online misconduct as follows:

 

“many individuals using social networking sites fail to appreciate, or underestimate, the potential ramifications of their ‘private’ online conduct. Employers now frequently have specific policies relating to their employees’ use of social media in which they stress the importance of keeping within the parameters of acceptable standards of online behaviour at all times and that any derogatory and discriminatory comments targeted at the employer or any of its employees may be considerable grounds for disciplinary action. There is no reason why an employer should treat misconduct arising from the misuse of social media in any way different to any other form of misconduct.”

 

It is therefore highly likely that our Labour Courts, in addition to following the UK case law on social media misconduct, will follow our own case law in respect of misconduct committed outside the workplace. In the matter of City of Cape Town v SA Local Government Bargaining Council & Others (2011) 32 ILJ 1333 (LC), the Labour Court upheld the dismissal of a senior employee who was found to be party to the fraudulent issuing of a drivers licence. The Labour Court found that the dishonest conduct of the employee went to the heart of the employment relationship and was essentially destructive of the employment relationship.

 

Employers are advised to implement stringent social media policies which deal with all eventualities relating to online behaviour and to ensure protection against potential or actual reputational damage to the company.

 

For more information please contact Samiksha Singh at

Article published with the kind courtesy of Cliffe Dekker Hofmeyr www.cliffedekkerhofmeyr.com

 

The Protection of Personal Information


By Jan du Toit, Senior Consultant, SA Labour Guide

 

After more than seven years in the making, President Ramaphosa announced last year an effective date of 1 July 2020 for the Protection of Personal Information Act (POPI), Act 4 of 2013. “Responsible Parties” only have approximately 5 months left until 30 June 2021 to become compliant in full.

 

The duration of a typical POPI compliance project will differ from one business to another depending on the nature and size of the business, as well as the Personal Information processed by a Responsible Party. Business owners are therefore advised to, without delay, embark on a compliance project to meet the deadline.

 

Even though the Protection of Personal Information Act is welcomed by most, it has been long overdue and will require business owners (“Responsible Parties” in terms of the Act) to process Personal Information according to 8 processing conditions as set out in the Act.

 

The purpose of the Protection of Personal Information Act is in essence found in the title of the Act; to protect the Personal Information of “Data Subjects”. It gives effect to ones right to privacy as enshrined in the Constitution but also provides balance in terms of the right to privacy weighed up against the right to access to information.

 

The Act regulates the manner in which Personal Information must be processed and provides protection and recourse to those whose rights are infringed. Further to this, the Act makes provision for the establishment of an Information Regulator. Advocate, Pansy Tlakula has already been appointed as the Information Regulator a couple of years ago and has done a great deal of work in establishing her office.

 

Before I get into more detail about the eight processing conditions, it is important to note that the Act is “definitions driven”. It is therefore of utmost importance to first highlight some of the definitions found in the Act for readers to better understand the eight processing conditions.

 

The first definition is that of “Personal Information”. Personal Information is widely defined in the Act and includes, but is not limited to, information relating to an identifiable living natural person or a juristic person (“Data Subjects”), such as:

  • Race, gender, sex, pregnancy, marital status, nationality, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, believe, culture, language, birth

  • History - education, medical, financial, criminal, employment

  • Identifiers – number, symbols, e-mail address, physical address, telephone numbers, location, online ID or other assignment to a person such as a unique identifier (in example a student or patient number)

  • Biometric information – physical or psychological behavioural characterization, blood type, fingerprints, DNA analysis, retinal scanning, voice recognition

  • Personal opinion views or preferences

  • Correspondence implicitly or explicitly of a private and confidential nature

  • Views or opinions of another individual\

  • The name of the person with other information or the name alone

 

The second definition of importance is that of “processing”. The processing of Personal Information includes but is not limited to any operation/activity or any set of operations, whether automated or not, concerning Personal Information. It includes:

  • Collection / receipt / recording / organizing / collation / storage / updating / modification / retrieval / alteration of Personal Information

  • Dissemination by means of transmission distribution or making available to others.

  • Merging / linking / restricting / degradation / erasure / destruction of Personal Information.

 

A Responsible Party can either be a public body, private body or any other person or persons, domiciled in South Africa and that determines the purpose and means for processing of Personal Information.

 

Throughout the entire lifecycle of Personal Information in any business, eight processing conditions must be adhered to. The eight processing conditions are summarized below:

 

Condition 1 – Accountability. The Responsible Party must always ensure that the conditions set out in Chapter 3 of the Act and all the associated measures are complied with.

 

Condition 2 – Personal Information must be collected and processed lawfully in a reasonable manner that does not infringe the privacy of a Data Subject. The Personal Information may only be processed if it is adequate, relevant, and not excessive.
Personal Information may only be processed if the Data Subject consented thereto. Alternatively, where it is necessary to do so for the conclusion or performance of a contract, an obligation in terms of law, to protect the legitimate interest of the Data Subject, or to pursue a legitimate interest of the Responsible Party.

 

A further requirement is that the Personal Information must be collected directly from the Data Subject.

 

Condition 3 requires that Personal Information must be collected for a specific explicitly defined and lawful purpose related to a function or activity of the Responsible Party. Such Personal Information may not be retained any longer than necessary for achieving the purposes for which the information was collected and/or subsequently processed.

 

Condition 4 prohibits the further processing of Personal Information unless such processing is compatible with the initial purpose of collecting the information.

 

Condition 5 requires that Responsible Parties must take reasonable, practicable steps to ensure that Personal Information is complete, accurate, and not misleading. Such Personal Information must also be kept up to date, taking into consideration the purpose of the Personal Information.

 

The nature and purpose of the Personal Information will dictate as to how often such Personal Information must be updated.

 

Condition 6 addresses some of the rights of Data Subjects, such as the right to be informed by the Responsible Party before information is collected. The purpose of collecting and from where Personal Information will be collected must be disclosed to the Data Subject.

 

A Data Subject is entitled to the details of the Responsible Party and to be made aware of the consequences of not making Personal Information available to the Responsible Party.

 

Should it be required that Personal Information be collected and processed in terms of legislation, the Data Subject must be made aware accordingly.

 

As per Section 72 of the Act, the Data Subject must be advised if Personal Information will be transferred across the borders of South Africa. Under such circumstances the Data Subject is entitled to first be made aware of legislation in other countries that provides adequate protection of the Personal Information. In the absence of legislation, whether there are any binding corporate rules in place, alternatively a written agreement that offers adequate protection for the Data Subject, concluded between the Responsible Party and he third party.

 

Condition 7 requires that Responsible Parties must secure the integrity and confidentiality of Personal Information by taking appropriate reasonable, technical and organisational measures, to prevent loss or unlawful access of Personal Information under the control of a Responsible Party.

 

In this regard the Responsible Party is required to identify all reasonable and foreseeable internal and external risks, and to establish and maintain appropriate safeguards. Compliance with such safeguards must be regularly audited and measures updated if so required.

 

Condition 8 deals with the rights of Data Subjects and participation. In terms of condition 8, Data Subjects have the right to establish whether Personal Information is held by a Responsible Party and to have it corrected or destroyed if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or have been obtained unlawfully.

 

Responsible Parties are also further required to introduce Data Subject rights and participation in their PAIA (Promotion of Access to Information Act) manuals.

 

Responsible Parties are also not permitted to send direct marketing material to Data Subjects without their written consent as per from 4 four of the regulations of the Act.

 

Other important considerations in terms of the Act are that a Responsible Party may be issued with an administrative fine of up to R10 million for its non-compliance with the Act. Additionally, Data Subjects have the right to sue Responsible Parties and under specific circumstances, the Information Officer of the Responsible Party may be imprisoned.

 

Each Responsible Party must register an Information Officer (the head of the organization or a person acting in such capacity) with the Information Regulator. The Information Officer may appoint deputies to assist with ensuring compliance within the business.

 

From the above, it is evident that a POPIA compliance project is not something that should be undertaken without a solid understanding of the Act.

 

Our subscribers, a.k.a. “Responsible Parties”, are invited to attend our online POPIA presentations to better understand the Act and to ensure compliance. In-house training can also be arranged on request.

 

The author of this article is also available to assist employers with compliance projects in the form of awareness sessions, gap analysis, policy development / implementation and staff awareness.

 

For further information pertaining to training, readers are invited to visit www.labourguide.co.za or to contact Jan du Toit at .

 

 

 

 

 

Courses and Workshops

 

                   

 

AARTO and the Impact on Your Business

07 May 2021 (09:00 - 12:00) (Fully Booked)

Interactive Online Course

21 May 2021 (09:00 - 12:00)

Interactive Online Course

Basic Labour Relations

13 May 2021 (09:00 - 16:00)

Interactive Online Course

POPIA: Protection of Personal Information Act

14 May 2021 (09:00 - 12:00) (Fully Booked)

Interactive Online Course

28 May 2021 (09:00 - 12:00) (Fully Booked)

Interactive Online Course

04 June 2021 (09:00 - 12:00)

Interactive Online Course

Managing Poor Performance/ Incapacity

20 May 2021 (09:00 - 12:00)

Interactive Online Course

The OHS Act and the Responsibilities of Management

20 May 2021 (08:30 – 16:00)

Interactive Online Course

Management and Leadership Skills

26, 27 & 28 May 2021 (08:30 - 16:00)

Interactive Online Course

Managing Day to Day Issues/ Problem Employees Full day workshop

27 May 2021 (09:00 - 16:00)

Interactive Online Course

Employment Equity Committee Training

28 May 2021 (09:00 - 16:00)

Interactive Online Course

COVID-19 Workplace Compliance Health, Safety and Claims Management Course

03 & 04 June 2021 (08:30 - 13:00)

Inter active Online Course

Health and Safety Representative and Committee Training Course

10 June 2021 (08:30 - 16:00)

Interactive Online Course

 

 Our Clients 

 

Android App On Google Play

Android App On Google Play