Purpose of social networking will determine whether businesses have data protection responsibilities, says ICO

Out-Law News | 06 Jun 2013 | 3:28 pm

Businesses that encourage staff to use social networks for commercial purposes are subject to UK data protection laws, the Information Commissioner's Office (ICO) has said.

The watchdog said that even if employees express personal views when passing comment on individuals via social media, the fact those staff are doing so for commercial purposes will mean that their processing of personal data must be fair and lawful in line with the Data Protection Act (DPA).

An exemption to the application of the DPA - where personal data is processed for the purposes of an individual’s personal, family, or household affairs, including recreational purposes - would not be said to apply in those circumstances, the ICO said. This is known as the 'domestic purposes' exemption and is set out in Section 36 of the DPA.

"The domestic purposes exemption cannot apply to the processing of personal data done by organisations through social networking sites," the ICO said in new guidance it has issued on the application of data protection laws to social networking and online forums (17-page / 304KB PDF). "This is still the case even if an organisation gets a member of its staff to do the processing for it through their personal networking page. This is because the employee is acting on behalf of the organisation and the processing is for the organisation’s corporate or organisational purposes, not for the purposes of the employee’s personal, family or household affairs."

"The ICO would consider it poor practice for an organisation to encourage or allow employees to use their own personal networking pages for corporate purposes. If an organisation does decide to use social networking sites then it must ensure that it complies with the DPA," it said.

In its guide the ICO set out examples where comments made by staff on social networks that involve the processing of personal data could be said to fall within the domestic purposes exemption. It said that whether or not an employee is prompted to comment on industry matters, or whether they comment "purely in a personal capacity", will determine whether the business is responsible for ensuring data protection laws are being complied with.

"[One example is where] a company has a website and decides that it will improve customer relations and awareness of its products if it sets up a social networking account and asks its senior staff to post messages commenting on the latest developments within the industry," the ICO said. "Some of these messages comment on the actions of high profile business leaders within the industry."

"In this situation, although senior staff may express a mixture of corporate and personal views, the messages aren’t being posted for recreational or domestic purposes. They are part of the company’s marketing strategy and are being posted for corporate purposes. The senior staff members are posting as part of their job and section 36 does not apply," it added.

"[Another example could be where] an employee of the same company has a keen personal interest in the industry in which he works. He isn’t asked to post messages on behalf of the company but he follows the Managing Director’s posts from his home computer and Smartphone. He has strong views on the actions of a particular figure within the industry, and posts a comment in response to one of his Managing Director’s messages on this subject," the ICO said.

"Here, the employee is acting purely in a personal capacity. Although the subject matter is related to his work he hasn’t been asked to post messages on behalf of the company and he is acting out of his own personal and recreational interest," the watchdog said.

The ICO said that the purpose of the processing of personal data, and not the nature of the information itself, determines whether or not the domestic purposes exemption applies. It said that individuals who use one social network account for both their work and personal lives "ultimately ... need to make sure that any posts that aren’t made for purely domestic or recreational purposes comply with the DPA".

Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that the new guidance should prompt companies to place tighter controls on the use of social networks by staff.

"The ICO's guidance makes it clear that even unauthorised posts by employees on social networks can put companies on the hook for data protection compliance," Wynn said. "Firms would be required to meet the requirements of the DPA even where posts express a personal opinion if the comment pursues a commercial purpose. Previously businesses may have argued that the personal opinions of their staff about others fell within the domestic purposes exemption, but the ICO makes it clear that this may not always be the case."

"Businesses need to be more careful than ever about who they authorise to use social networks and train staff and have clear policies about what would be considered unacceptable use," Wynn added.