Workwise - addressing social media risks in the workplace

Articles Written by Christine Ecob (Partner), Ruveni Kelleher (Partner), Kevin Lynch (Partner), Karina Marcar (Partner), Rebecca Laubi, Phoebe Sheahan


Social media has provided vast opportunities for businesses and has increasingly become a necessary tool, particularly as a means of engagement for promotion and provision of information to a wide-scale audience. However, its ease of use and wide-ranging application combined with the ability of users to instantaneously disseminate information has also brought difficulties and challenges for businesses.

In this article:

  • we look at some of the areas of law relevant to social media (intellectual property, privacy, media and defamation, consumer protection and employment, as well as continuous disclosure and risk management issues for ASX listed companies); and
  • we examine the strategies businesses can employ to minimise the risks associated with corporate involvement in of social media for each of these areas of law.

This article concludes with a general discussion of the use of social media policy, both as it applies to employees and the involvement of the business in social media.

Intellectual Property

Risk Posed

Huge amounts of text, images, music and audio-visual materials are available in the digital environment. The ease with which these materials can be accessed, downloaded, reproduced and communicated holds social and economic benefits without which businesses as well as individuals can no longer imagine functioning. At the same time, however, the availability of text, images, sound and moving images at everyone's fingertips has caused many to overlook the fact that they are protected by intellectual property rights, in particular copyright, which apply in the same manner in the digital environment as they do in the physical world. Contrary to common belief, the internet is not the public domain, a copyright free zone. What does this mean, from a legal and practical perspective?

Copyright and moral right infringements

Copyright owners, usually the author of copyright materials, have exclusive rights in relation to these materials, including the right to publish, copy and communicate them to the public. Communicating means making copyright material available online or transmitting it electronically. Any use of a substantial part of copyright material without the permission of the copyright owner infringes copyright unless a defence applies. Whether a part is "substantial" is determined on the basis of a qualitative rather than quantitative test: a part is substantial within the meaning of the Copyright Act 1968 (Cth) if it is an essential or material part of the copyright work. Some uses of substantial parts of copyright material without the permission of the copyright owner are authorised under statutory exceptions, for example fair dealings for the purpose of criticism or review and parody and satire. However, these exceptions are interpreted restrictively and businesses should seek legal advice as to how they could rely on them in the context of social media.

In addition, individuals have moral rights in relation to their works, such as the right to be identified and named as the author of their works and the right to ensure that their work is not subjected to any act that is in any manner harmful to the author's honour or reputation. A failure to respect these rights amounts to an infringement unless the conduct was reasonable in the circumstances.

Copyright and moral rights are infringed not only by the unauthorised use of copyright materials and a failure to respect moral rights but also by authorising someone else to infringe, for example by asking for or encouraging the infringer's conduct, or providing the infringer the means to do so.

How to Address

Businesses with an online presence must ensure that they either own the intellectual property rights to the materials used on their website or their social media platforms, or that their use of these materials is duly licensed. In this context, a few points are noteworthy:

  • Businesses will own copyright in materials created by their employees in the course and within the scope of the employment relationship;
  • Businesses ought to ensure that they control any user-generated content uploaded to their online platforms. While a licence is implied that the business can make available online any text or image uploaded to its social media, that licence might not allow the business to use the materials differently, for example by reproducing them in other media, unless such uses have been agreed. The easiest manner to achieve this is by having terms and conditions covering these issues;
  • Similarly, businesses should ensure that individuals provide relevant consent (for example consent that they will not be attributed as the author of the user-generated content), by accepting;
  • Businesses should also provide in their internal social media policy and their terms and conditions that people should only upload materials which they have the right to use in this manner, either as copyright owner or as licensee; and
  • A lot of material available online is licensed to the world at large, for example under creative commons licences. Before using such materials, businesses should ensure that their proposed use falls within the scope of the general licence. In particular, businesses should be aware that copyright works under creative commons licences may be used for non-commercial purposes only. Uses on social media operated as a part of a business' promotional and marketing strategy are unlikely to qualify as "non-commercial".

Businesses should monitor content and remove any content if there is a claim for copyright or moral right infringement until the matter has been assessed. While social media can be a fantastic promotional tool, allegations of "rip-off" can generate very negative publicity.


Risk Posed

Collection, use and disclosure of personal information in breach of privacy laws

Organisations that collect personal information must comply with the Privacy Act 1988 (Cth) and the National Privacy Principles (NPPs) under the Privacy Act. "Personal information" currently means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. From 12 March 2014, when important amendments to the Privacy Act will take effect, the definition of "personal information" will cover information or an opinion about an identified individual, or an individual who is reasonably identifiable. Given this broad definition, most information on social media relating to individuals is likely to be covered by the Act and will need to be dealt with, in particular collected, used and disclosed in accordance with the NPPs.

Duty of confidence

Businesses should also be mindful of confidentiality issues that might not fall within the scope of privacy legislation because the information does not relate to individuals. Duties of confidence are breached by unauthorised use or disclosure of information in circumstances where the recipient of the information knew or ought to have known the information was confidential. For example, the publication on social media of the photograph of an employee holding a confidential report could result in such a breach if the nature or content of the report is apparent from the photograph.

Invasion of privacy

There is no general right of privacy in Australia that protects a person's image. Proposals at federal level and in some States to legislate a statutory cause of action (a right to sue created by law) for serious invasions of the privacy of natural persons, which would have allowed individuals to take action against the publication of certain personal materials, appear to have been shelved. However, in addition to obligations under privacy legislation (see above), businesses should be mindful of the following areas of law when posting or allowing the posting of photographs of people on social media:

  • Defamation laws may apply if the use of the photograph lowers the public's estimation of the person portrayed, exposes the person to hatred, contempt or ridicule, or causes the person to be shunned or avoided (see below);
  • Consumer law;
  • The use of a person's image in connection with a product or service may constitute misleading and deceptive conduct if the public is incorrectly led to believe that the person is endorsing the product or service;
  • Similarly, the law of passing off may provide remedies if the image of someone who has a business reputation is used by a competitor for its own benefit; and
  • Child protection laws, laws on pornography and obscenity as well as classification and censorship law may also apply depending on the nature of the image.

How to Address

Privacy Policy

Businesses using existing social media should familiarise themselves with the privacy rules applying to these platforms - for example Facebook's data use policy - to ensure that they comply with that policy. In addition, they should have their own privacy policy in relation to any personal information they might collect directly from users of social media, to ensure that users are aware of the purposes for which the information is collected, how the business will use the information and to whom it may be disclosed. If the terms of use are adequately drafted, social media users who are alerted to the privacy policy when they sign up are considered to have accepted those terms, and businesses that deal with personal information as agreed under their privacy policy will act in accordance with privacy laws.

Keep secret what should be secret

Employees should be reminded of their duty of confidence, and made aware of the risks of breaching these duties by the use of social media. Monitoring of content and the immediate removal of any confidential content should enable businesses to prevent or minimise breaches.

The social media policy should provide guidance as to what is acceptable and flag the risks associated with the publication of defamatory, misleading and deceptive or otherwise inappropriate content. Businesses should monitor the content posted on their social media accounts and remove any questionable images as soon as practicable.

Media and Defamation

Risks Posed

The conventional law of defamation applies to publication via social media.

The seemingly unfettered social media environment stems from popular social media sites being hosted in the United States, a jurisdiction with express constitutional protection and judicial support for freedom of expression.

For an Australian-based corporation, a much more conservative approach is required. Australian law gives rise to joint and several liability for multiple defendants involved in two defamatory publications - both the author and corporation involved in disseminating the allegedly defamatory material. A corporation will be liable for its servants and agents wherever publication was authorised, made in the course of employment and/or within the scope of an agent's authority.

When it comes to user-generated content, a corporation exposes itself to a situation where it may be the publisher of material where it has no capacity to assess the defences that may be available to it. There can be no real assessment of truth and a very real possibility that malice could defeat any prospect of a comment defence. Anonymous user-generated content can leave a corporation holding the can for what may be a highly damaging, irresponsible or malicious posting.

How to Address

Apply the same discernment in regulating corporate social media content as you would with any other corporate communication. Apply your social media policy (for more details, see below) and ensure that authority for social media communications is extended only to suitably-trained and experienced personnel or delegates.

Only allow user-generated content with careful pre-post monitoring.


Risks Posed

With the increase in the number and popularity of social media sites as a way to stay connected with friends and colleagues, employees have rapidly grown accustomed to sharing their thoughts online without much consideration for the consequences. A number of recent decisions by the Fair Work Commission (FWC) have shown that the main challenges for employers in relation to social media and employees are determining when disciplinary action can be taken for conduct on social media and ensuring that employees do not engage in unlawful or inappropriate conduct in relation to their employment through social media posts.

Unfair dismissal

The availability and portability of online social media sites has meant that the boundaries between workplace and private conduct have become increasingly blurred. Recent cases dealt with by the FWC illustrate that making unlawful, disparaging or negative comments about the employment, a colleague or an employer on Facebook or Twitter outside working hours, even if made on a personal computer or device, may justify termination of the employment in certain circumstances. This is particularly because comments made on social media sites create a permanent written record and potentially have a much wider audience than comments made verbally to colleagues.

However, employers need to carefully balance their obligation to ensure employees do not engage in unacceptable or unlawful conduct with their obligation not to take unjustifiable disciplinary action against employees. For example, in Stutsel v Linfox Australia Pty Ltd [2011] FWA 8444, the FWC found that an employee was unfairly dismissed for making offensive and discriminatory comments about two managers on his Facebook page in his personal time. The main reason for the finding was that the employer had no social media policy and had not provided training to employees about inappropriate use of social media. This decision is currently being appealed.

In other decisions, the FWC has upheld the employer's right to dismiss an employee:

  • over the misuse of social media, including excessive use of social media during work hours;
  • for refusing to remove a derogatory blog entry; and
  • for taking sick leave when the employee's Facebook site showed the employee socialising during the period of leave.

Unlawful discrimination, bullying and harassment

Changes to the Federal Sex Discrimination legislation made in 2011 made it clear that sexual harassment and unlawful discrimination through new technologies such as social networking, websites, email, SMS communications and mobile phone cameras is prohibited. Employers will be liable for such conduct by their employees unless they can show they have taken all reasonable steps to prevent the conduct occurring and to deal with the conduct appropriately if it occurs.

Cyber bullying has also become a growing problem in Australian workplaces. Cyber bullying can include critical comments about employees or their behaviour and exclusion of particular individuals or groups. Cyber bullying can be discriminatory if it is based on a prohibited ground such as the victim's sex, age, race, religion, politics, marital status or disability. Cyber bullying can also constitute a breach of health and safety obligations and an employer's duty of care. In addition, proceedings can be commenced by employees in relation to cyber bullying under the new bullying amendments under the Fair Work Act 2009 (Cth) which commence on 1 January 2014.

Other Areas of Risk

Employers also need to be careful when taking disciplinary action against employees who make complaints about their employment or exercise other workplace rights on social media sites because of the general protections prohibitions under the Fair Work Act 2009 (Cth). These provisions prohibit employers from taking any detrimental action against an employee because they have made a complaint in relation to their employment or exercised other workplace rights. This can include complaints made over a social media platform.

In some comfort to employers, in the recent case of Banerji v Bowles [2013] FCCA 1052, the Court held that an employer could take disciplinary action against an employee who made critical comments about her employer, the Department of Immigration and Citizenship, anonymously on Twitter. The employee argued that in making the comments, the employee was exercising her unfettered right of political expression. However, the Court rejected this argument and held that the employee's right of political expression was limited by her obligation to comply with the terms of her employment contract, the employer's Code of Conduct and the employer's social media guidelines. However, employers must exercise caution when taking disciplinary action against employees for expressing political opinions as it may constitute unlawful discrimination.

How to Address

Employers should provide clear guidance to employees on their use of social media to ensure that such use is responsible and appropriate by adopting and implementing a comprehensive and well-drafted social media policy (see below).

Employers should ensure that the policy is applied consistently to all employees.

However, when taking disciplinary action against employees for social media use, it is important to have regard to the employee's personal circumstances, including their past employment record, any mitigating circumstances that justify the conduct and the seriousness of the consequences of the conduct, to ensure that the disciplinary action taken is proportionate to the misconduct.

Consumer Protection

Risk Posed

Australian businesses can be held responsible for content uploaded to their social media pages by others.

The Advertising Standards Board (ASB) has recently found, in a determination regarding the Smirnoff Facebook page, that corporate Facebook and Twitter pages constitute "advertising" and that the Advertiser Code of Ethics applies to material or comments posted not only by the business itself, but by friends or followers as well. This means that a business can breach the Code without adding material to its page, but by not taking down offending material.

The view of the ASB reflects that of the Federal Court in ACCC v Allergy (No. 1) (2011) 192 FCR 34, in which it held a business responsible for publications when it became aware of and decided not to remove them.

How to Address

The need for businesses to be diligent in monitoring and controlling their engagement with social media goes beyond just marketing techniques.

There appears to be a duty on businesses to not only enforce strict guidelines for material posted by representatives of the business on social media, but to moderate the material posted by the wider social media community. Businesses should ensure that care and consideration is employed for the message being conveyed through social media as a whole, in the same way it would for traditional marketing or advertising, to ensure that advertising standards are met.

It is recommended that businesses devise a policy for addressing content posted by the online community which may breach ASB Codes, including removal of content.

ASX Listing Rules and continuous disclosure

Risk Posed

Social media goes beyond being an issue for the marketing department. The immediacy, reach and speed of social media increases the risk for ASX-listed businesses in managing their continuous disclosure obligations and effectively implementing their risk management policies. Factual, partially true or false information, disseminated via social media, can significantly affect a business, from its reputation to the price of its securities.

ASX-listed businesses are subject to continuous disclosure obligations, under the Corporations Act 2001 (Cth) and Chapter 3 of the ASX Listing Rules.

In summary, these businesses must ensure that price sensitive information is disclosed to ASX immediately when the business becomes aware of it, before it is disclosed by any other means.

There are limited exceptions to immediate disclosure of price-sensitive information, but these exceptions cease to be available once the information is no longer confidential. In addition, where ASX considers there is or is likely to be a false market in the securities of an ASX-listed business, ASX can require that entity to provide information immediately to prevent or correct a false market.

With the release this year of an amended guidance note on continuous disclosure, ASX has highlighted the potential impact of social media, including the importance of monitoring it during potentially price-sensitive confidential transactions.

Further, ASX-listed businesses must report annually against their compliance with the ASX Corporate Governance Council's Corporate Governance Principles and Recommendations. These include principles and recommendations regarding disclosure of information and risk management.

When enforcing continuous disclosure obligations, the Australian Securities and Investments Commission is concerned that appropriate policy not only exists but that there is a culture that the policy is followed.

How to Address

Directors should consider how social media fits within both the continuous disclosure and risk management frameworks for the business.

Businesses should understand what is being said about them on social media. A social media audit can be conducted, to determine who is saying what about the business, where and their level of influence.

Continuous disclosure policies should be reviewed having regard to the impact of social media, although the policy need not expressly refer to social media.

Social media policies for employees should regulate discussing or distributing information that relates to the business and set out the consequences of doing so. This might extend to notifying the business where appropriate, so that it can deal with any consequences of the information being made available.

Businesses should monitor social media, particularly during confidential transactions to determine whether any price-sensitive information has leaked or if there is the potential for creating a false market.

Use of a Social Media Policy

As can be seen from the above, businesses with an online presence are strongly advised to develop a social media policy. A well-structured policy will take into consideration the ways in which a business engages with others online and will address the manner in which social media is to be used, by whom and when.

A social media policy - no matter how well-meaning and planned - is in itself only a partial solution. The policy and objectives must be made known throughout the business, employees educated (preferably on a regular basis) as to the operation of the policy and it should be diligently enforced. It not only makes legal sense, but increases effectiveness and economic return to the business.

Employees' social media

Businesses may consider addressing in their social media policy the manner in which employees are to use their own social media accounts.

This will set out how employees are to use social media as well as providing a means by which any issues arising from employees' use of social media will be addressed.

In general, a well-drafted social media policy should:

  • explain what constitutes "social media";
  • explain what conduct on social media will be deemed acceptable and unacceptable in the workplace, as well as outside the workplace;
  • explain what constitutes appropriate and reasonable use of social media during and outside of the workplace;
  • explain how social media may be monitored by the employer;
  • address the employer's right to take action against an employee in relation to their social media conduct, including what type of actions that may be taken against them;
  • address the employer's process for reporting and handling of incidents of non-compliance; and
  • address what rights and obligations the employee has in relation to use of social media, such as reporting misuse or the right to remedy any misuse.

The social media policy should be communicated and implemented appropriately so that all employees have read and understood the policy in full and received training about the policy.

Businesses' social media

It is important that businesses manage their online presence such that it maximises their effectiveness in marketing themselves and protecting their reputation. They may also keep open a platform to respond appropriately to social media discussions about the business.

Businesses with social media should specify the people entitled to access and post on behalf of the business, and set out strict guidelines for the type of content to be posted. Further, it is advisable that businesses employ a policy which requires a multi-tiered approach to the posting of content; that is, a third party employee must approve a post before it is published.

Passwords should be kept strictly confidential and not shared beyond those entitled to post on the business' behalf.

Further, to reduce potential risk associated with former employees having access to businesses' social media accounts, passwords should be changed regularly.

A social media policy should also address the manner in which the business should monitor and respond to any posts made by other members of the online community. This includes ensuring that information about posts is elevated to the right level of the business, as not all social media matters impact solely on marketing. For example, if another's post appears to breach the ASB Codes, should it be removed?

There is a fine line between being sympathetic to the forum and allowing potentially offensive material to be posted: businesses should determine how derogatory comments by online users will be addressed. There may also be obligations on the business to moderate its content. Various software tools exist to assist in monitoring social media.

Businesses can consider a social media audit, to determine who is saying what about them, where and their level of influence.

Important Disclaimer: The material contained in this article is comment of a general nature only and is not and nor is it intended to be advice on any specific professional matter. In that the effectiveness or accuracy of any professional advice depends upon the particular circumstances of each case, neither the firm nor any individual author accepts any responsibility whatsoever for any acts or omissions resulting from reliance upon the content of any articles. Before acting on the basis of any material contained in this publication, we recommend that you consult your professional adviser. Liability limited by a scheme approved under Professional Standards Legislation (Australia-wide except in Tasmania).