How Safe Are Your Social Media Contacts from a Departing Employee?

business-contacts

What would you do if an employee resigned and took all your LinkedIn contacts with him?

Who owns those contacts anyway?

What if the contacts list contained many good customers of yours and your former employee is going to a direct competitor?

What do you do if your former employee will not give you log in details to one of your social media accounts?

A further complicating factor is when the employee uses his own phone, computer, tablet device for work purposes.

Once he’s gone from the employment do your contacts disappear too?

This new, thorny question of who owns social media accounts and contacts has become increasingly important in the world of work and business.

Need some pointers about how to protect yourself and your business?

Firstly, let’s take a look at the situation in the UK because this is a new area and there is no specific case law in Ireland which has dealt, yet, with ownership of social media contacts.

We can take some guidance from the UK, though.

Whitmar Publications Ltd v Gamage, a UK High Court case from 2013.

This case shows that courts are likely to find that contacts in an employer’s LinkedIn account belong to the employer, even if the account may have been maintained by employee on behalf of the employer, and that courts may grant injunctions where former employees attempt to misuse such contact information following the end of the employment relationship. Even though the former employees had no written contract the employer was able to rely on the implied duty of good faith and fidelity which the employees had breached in taking steps to set up the rival business.
(Source: Shepherd+Wedderburn).

Another case worth looking at is Hays V Ions, a 2008 UK High Court case.

Mr Justice Richards last week ordered Mr Ions to disclose his LinkedIn business contacts requested by Hays and all emails sent to or received by his LinkedIn account from Hays’ computer network.

A Hays spokesman said: “Hays values its database of client and candidate information. Along with the consultants who work for us, it is the cornerstone of our business. Information theft is a serious issue and we will not hesitate to take appropriate action to protect our data.

“Over the course of the past 24 months, Hays has brought a number of claims against former employees and competitor agencies to protect its business interests. As advances in social networking sites and technology generally become more and more sophisticated, so too are the legal strategies necessary to protect our data.
(Source: The Telegraph)

It is important to recognise that this is a developing area and many of these decisions will be very fact specific to the particular case.

In deciding these types of cases concerning ownership of contacts, factors that Courts are likely to consider are:

  • Who created the account?
  • When?
  • Who maintained it?
  • Are the contacts in it predominantly personal or business related?
  • Does the contract of employment make reference to ownership?
  • Was the employer logo or branding used in creating the profile for the account?

How to Protect Your Business

  1. Put an express term in the contract of employment dealing with this issue viz who “owns” the account;
  2. Have a social media policy which deals specifically with the contacts issue;
  3. If employee maintains account make it a contractual term that you have log in details at all times;
  4. Ideally, you should create (or have created) the account;
  5. Define trade secrets and confidential information in your contract of employment to include social media contact details;
  6. Have a robust restrictive covenant clause in your employment contract which covers contacting clients or employer contacts through social media channels.

In summary, a well drafted contract of employment and social media policy will protect you and your business in respect of your valuable contacts.

Your social media policy should not just deal with your contacts, though. There are other serious issues which should be included, such as inappropriate use of social media by your staff.

I will deal with this in a separate article as it is a growing area due to the proliferation of social media channels.

The 8 Rules of Data Protection in Ireland

8-rules-data-protection

It’s an easy mistake to make, you know.

You might be a data controller.

Let me explain.

Everyone has strong rights when it comes to the data that is held on them thanks to the Data Protection Acts.

And it is up to the data protection commissioner to ultimately uphold those rights if they are breached by the employer.

All businesses and institutiions should be concerned about data protection and the Data Protection Acts 1988 and 2003. These 2 acts attempt to balance the rights of individuals in relation to personal data that is stored by various organisations about them.

People who control and use data about others are called ‘data controllers’ and are recognised in the acts above as having certain obligations imposed on them by law.

Individuals should know when they provide personal information to any organisation:

  • Who is gathering the data
  • What use this data will be put
  • Who the data will be disclosed to

If a data controller has the data for a specific purpose but in the future decides to use it for a new purpose he must ask the person whose information he has whether they are agreeable to that new use or not as the data shall only be held for specified purposes.

Personal data should not be excessive in relation to the purpose for which it is held and should not be kept for longer than is necessary for that purpose.

In fact there are 8 rules of data protection which will broadly ensure you are in compliance with Data Protection legislation in Ireland.

8 Rules of Data Protection

1. Obtain and process information fairly.

For example, the data subject should know that you are gathering personal data, any processing must be after obtaining consent from the data subject, and the processing must be necessary.

2. The data must be kept for a specified, lawful purpose.

3. The data should be used and disclosed only for the specified purpose.

4. The data must be kept safe and secure.

5. The data must be up to date, accurate and complete.

6. The data must be relevant, adequate but not excessive.

7. The date must be retained for no longer than is necessary.

8. A copy of the data must be made available to the data subject, on request.

Non-compliance with data protection law

Non-compliance with data protection law may lead to a complaint to the Data Protection Commissioner and the Data Controller can be held liable under normal common law principles (eg the law of contract, confidential information etc.)

It should be noted that Irish data protection legislation only applies to data controllers who are established here.

Rights of Data Subjects

These rights derive from the Data Protection acts and include…….

  • The right to be informed of data being kept on them
  • The right to access to the data (there are a number of exceptions to this right)
  • It is worth noting that the Data Protection Commissioner appears to be of the opinion that CCTV footage of a person is data within the meaning of the acts.
  • Right to prevent processing where it may cause damage or distress

The transfer of data outside the state is restricted to countries outside of the European Economic Area.

It may not occur unless that country provides an adequate level of protection and this causes problems re transfer of such data to USA as there are varying standards of protection in the USA.

Their Safe Harbour scheme is a voluntary scheme which provides similar standards of data protection to europe but not all companies sign up.

Are you an employer who is concerned about his data protection obligations?

Or an employee whose rights have been infringed?

You might also be interested in this article which covers updated guidelines in relation to cctv and data protection obligations and rights.

Data Protection in Employment Law in Ireland-the Essentials

data-protection-employment-ireland

The Data Protection Acts 1988 and 2003  impose stringent requirements on the data kept by employers about employees and in particular in respect of sensitive personal data.

Employers are considered to be data controllers and processors within the legislation.

The Data Protection Commissioner can impose fines of up to €100,000 and employees can succeed in claims in relation to breaches of data protection law.

The principle obligations on the employer in respect of sensitive personal data is to collect and process it fairly, is accurate and up to date, and is kept no longer than necessary. For this reason employers should ensure that they have a data protection policy in the workplace.

Employee as Data Subject

The employee, as a data subject, has a general right to know what personal data is held about him/her, to whom it is disclosed, and to have it deleted or amended if incorrect. A written data request from an employee should be responded to within 40 days.

The Data Protection Acts, section 8 in particular, set out the circumstances where the employer may disclose the employee’s data to a third party. Whether the 3rd party is a member of the EEA (European Economic Area) or not will determine whether the request can be complied with or not by the employer. If the data is being disclosed to a 3rd party within the EEA then a written contract is required.

If not, the transfer of data is prohibited (subject to exceptional safeguards).

Registration with the Data Protection Commissioner

Data controllers fall into 3 categories for the purpose of registration

  1. Categories of persons who are always obliged to register-this includes Banks and financial institutions, insurance companies, internet service providers, phone companies
  2. Categories of persons who may be required to register –this includes data controllers who process personal data relating to mental and physical health
  3. Categories who are excluded- not for profit organisations, elected representatives, data processed for the normal course of personnel administration, solicitors and barristers, data for journalistic, literary or artistic material

Please note that these are not exhaustive lists and you may need to consult the legislation or a solicitor who has an expertise in this area if you are in doubt.

You might also want to read the 8 rules of data protection in Ireland.