Home

Social Media: Guidelines on the policy for employees using social media for non-business purposes 

Jan du Toit

About 17 years ago social media could have been described as printed media, radio and television. That was until we were introduced to the World Wide Web and all the wonderful things that we are now capable of from our desks without having to go to the library, the post office or even having to speak to somebody in person. It cannot be argued that the internet drastically changed the way we communicate and do business. 

During the past 10 years a number of social networks popped up and can best be described as addictive for some users. Facebook seems to be by far the most popular social networking platform followed closely by Twitter with a growing user base. It is reported that there are currently around 4.5 million Facebook users in South Africa, a number that has steadily grown from 3.8 million in 2005. 

These statistics may be good for Facebook, but what does it mean for employers? First of all there is the question of the productivity of employees that access Facebook and other social networking sites during office hours, as well as the associated infrastructure costs. It was recently reported by a well-known electronic communications surveillance service provider that in one company with 600 employees, 79% of the time of the employees were spent on social networking or gaming sites. One can just guess for how much longer that company will be able to do business. 

Another concern is the reputation of the business of the employer, or its employees, as a result of the information published on these sites. During the past couple of years we have seen a number of employees being dismissed as a result of defamatory information that was published on Facebook. In Sedick & another / Krisray (Pty) Ltd [2011] 8 BALR 879 (CCMA), both the operations manager and bookkeeper were dismissed for bringing the company's name into disrepute by publishing derogatory comments about the owner of the company on Facebook. The employees claimed that their right to privacy was breached by the employer by accessing their profiles on Facebook. They further argued that the comments they made did not identify any person or organization and could therefore not have damaged the reputation of the company.

The commissioner noted that in terms of the Regulation of Interception of Communications and Provision of Communication-related Information Act 70 of 2002, “any person . . . may intercept any communication if he or she is a party to the communication, unless such communication is intercepted by such person for purposes of committing an offence”. According to the Commissioner the internet is a public domain and Facebook users have the option to restrict access to their profiles as well as the information that they publish. In this case the dismissed employees did not block access to their profiles and as such any person could have accessed the information that they have published. The admissibility of the employer’s evidence was accordingly not an issue.

Turning to the comments that were posted the commissioner found that former or current employees of the company, that accessed the profiles of the two employees, would have had no difficulty in identifying the person they referred to in their communications. The dismissal of the two employees was therefore found to be fair.

From the above it is clear that a dismissal under such circumstances could be fair, provided that the employer follows the correct procedures and that the evidence used against the employee has not been illegally obtained in terms of the Regulation of Interception of Communications and Provision of Communication-related Information Act. It is therefore very important for employers to ensure that they have policies in place relating to the monitoring and interception of communication in the workplace. In addition to the company’s electronic communications policy it may be necessary to introduce another policy, the social media policy.

The social media policy will establish the principles for employees using social media for official and private purposes when the employee‘s affiliation to the employer is identified, known, or presumed. Such a policy must clearly define “social media” as well as guidelines on how to use these public platforms.

Employees using social media for official purposes should be aware of the following: 

  • The approved social media sites may only be used for officiall purposes.
  • The message that the company wants to bring across to other users must be clearly defined.
  • Postings must be kept legal, ethical and respectful.
  • Employees may not engage in online communication activities which could bring the company into disrepute.
  • Personal details of employees may not be disclosed.
  • Confidential information may not be disclosed.
  • Copyright laws must be adhered to.
  • Only the official approved logo of the company may be used.
  • The information that is published must be accurate and not confidential.
  • Statements to the media must first be approved by the employer.

Guidelines on the policy for employees using social media for non-business purposes:

  • Be clear on the use of company equipment or access to such sites and when this may be done.
  • Remind employees that internet and email communication may be monitored and intercepted as per the electronic communications policy of the employer.
  • Company information must be kept confidential.
  • The company name or logo may not be used on private profiles.
  • Colleagues, managers or information pertaining to the company may not be discussed on such platforms.
  • Employees must be advised to block access to their profiles for other users that they do not know.
  • The code of conduct of the company must be respected and considered as the guiding rule. Explain the consequences of failing to adhere to the social media policy of the company.

Employers are advised to carefully weigh up the benefits of social media against possible reputational damage and the abuse of company time and resources if access to such sites is allowed. Jan du Toit is available to assist in drafting such a policy as well as with disciplinary enquiries and ccma matters. His email address is [email protected] 

 

What does POPI compliance mean?

By Jan du Toit

 

Latest developments – Registration of Information Officers:

 

On 17 May 2021 the Information Regulator’s long awaited online portal went live for the registration of Information and Deputy Information Officers.

 

The Information Officer of a Responsible Party is the person at the head of your company (CEO or MD) or any person acting in such capacity, or specifically appointed by the MD or CEO to be the Information Officer. Registration must be completed before the end for June 2021.

 

The address for the portal is  https://justice.gov.za/inforeg/portal.html   

 

The following information is required to successfully register: 

  • Company name.

  • Company registration number.

  • Company type.

  • Company physical and postal addresses.

  • Company telephone and fax numbers.

  • Information Officer gender, nationality, full name and surname, ID or passport number.

  • Deputy Information Officers same details as per above.

 

POPIA Compliance – what must be done?

With a little more than a month left before POPI becomes fully effective, many employers may find themselves out of time to become fully compliant to amongst other considerations, the 8 processing conditions prescribed in the Protection of Personal Information Act.

 

To be considered compliant the following must be considered and applied in the business of a Responsible Party before 1 July 2021. 

  1. POPI training / awareness sessions for the CEO / MD, managers and others tasked with the company’s POPI compliance project. Have a look on our website for the next POPIA training dates.

  2. Compliance audit to be conducted company-wide per department / division to determine the current processing practices within the organization and to establish what needs to be done to be compliant.

  3. Correction of contraventions as identified, and to introduce reasonable technical and organizational measures to prevent the loss or unauthorized access of Personal Information.

  4. Introduction of Data Subject rights and consent in the business through policies and consent clauses / paragraphs / contracts.

  5. The introduction of a PAIA manual (Promotion of Access to Information Act) that incorporates data subject rights and participation in terms of POPIA. This manual must be published on one of the company’s websites. It is also important to note that the current exemption granted by the Minister of Justice for some business to not have such a manual in place currently, expires at the end of June 2021.

  6. General staff POPI policy and legislation awareness training.

  7. Registration of the company’s Information Officer (the CEO, MD or any person acting in such position).

  8. Follow-up assessment on compliance measures and adherence thereto.

 

It is important to note that no institution, not even the Information Regulator, can “accredit” any Responsible Party in South Africa to be compliant in terms of legislation. Compliance (or otherwise) will only be determined should an investigation be launched by the Information Regulator following a complaint. Should such an investigation confirm a lack of compliance, consequences such an administrative fine not exceeding R10m may follow (which one may luckily pay off in instalments). Further to this those whose rights are infringed upon by a Responsible Party not adhering to the requirements of POPIA, may also institute civil proceedings. Such  proceedings may result in compensation being awarded for loss, as well as aggravated damages determined at the discretion of the court.

 

In terms of section 19 of the Act, the Responsible Party (business owner / employer) is required to introduce reasonable organizational and technical measures to secure the integrity and confidentiality of Personal Information. The organizational measures referred  to above includes inter alia both internal and external policies to introduce the principle of protection of personal information in the workplace, as well as the rights of data subjects.

 

To allow you more time to focus on your business, the author of this article compiled a bundle of detailed policies for your business, ready to use. This includes all relevant forms to be used and a template document with draft consent clauses / paragraphs / rules  to be incorporated into service and employment contracts, job applications, credit and other applications forms, WhatsApp and Facebook groups / pages, and Independent Contractor agreements.

 

Also included is an Operator Agreement as required in terms of section 21 of the Act and a consent letter for existing clients / service providers, to agree to the continued processing of their Personal Information beyond June 2021.

 

The policies bundle includes: 

  • Privacy notice template to be published on your website.

  • Personal information protection policy.

  • Personal information retention policy.

  • Data breach policy.

  • Data breach register - form.

  • Data breach report - form.

  • Data security policy.

  • Data subject access request policy and procedures.

  • Data subject access request forms.

  • Processing agreement with third parties as Operators - contract.

  • Data subject participation - draft consent paragraphs / clauses to be incorporated into service and employment contracts, job applications, credit and other applications forms, WhatsApp and Facebook groups / pages and Independent Contractor agreements

  • Guidelines on the appointment of deputy information officers, inclusive of appointment letter.

 

For only R3750 you can now order you set of POPI policies, ready to use. Contact Jan du Toit for further assistance at [email protected]

 

 

 

 

 

 

 

 

Courses and Workshops

 

                   

Strategic Human Resources Management (HRM) and - Business Partnering

27, 28 & 29 October 2021 (08:30 - 16:00)

Interactive Online Course

Employment Equity Committee Training

27 October 2021 (09:00 - 16:00)

Interactive Online Course

Health and Safety Representative and Committee Training Course

28 October 2021 (08:30 - 16:00)

Interactive Online Course

Managing Day to Day Issues/ Problem Employees Full day workshop

28 October 2021 (09:00 - 16:00)

Interactive Online Course

Managing Poor Performance/ Incapacity

29 October 2021 (09:00 - 12:00) (Fully Booked)

Interactive Online Course

19 November 2021 (09:00 - 12:00)

Interactive Online Course

Management and Leadership Skills

10, 11 & 12 November 2021 (08:30 - 16:00)

Interactive Online Course

Basic Labour Relations

12 November 2021 (09:00 - 16:00)

Interactive Online Course

The OHS Act and the Responsibilities of Management

18 November 2021 (08:30 – 16:00)

Interactive Online Course

AARTO and the Impact on Your Business

19 November 2021 (09:00 - 12:00)

Interactive Online Course

Compensation for Occupational Injuries and Diseases Course

25 November 2021 (08:30 - 16:00)

Interactive Online Course

POPIA: Protection of Personal Information Act

26 November 2021 (09:00 - 12:00)

Interactive Online Course

 

 Our Clients 

 

Android App On Google Play

Android App On Google Play