OPC: Social Media Risks to Enterprises

Post on 21-May-2015


Also posted at: http://www.priv.gc.ca/speech/2009/sp-d_090430_lg_e.cfm


Understanding Social Media Privacy Risks to Enterprises

Louisa Garib
Legal Services, Policy and Parliamentary Affairs

“Social Media is a conversation”

• Online content generated by users
• Uses accessible technologies
• Not organized
• Not controlled
• Many voices
• Social dynamic
• Mainstream – here to stay

It is a social dynamic

Blogs

Wikis

Podcasts

RSS

Mashups

Social Networks

Features of Social Media that can give rise to Privacy Risks

• Users misunderstand privacy risks
• Intimacy and immediacy – promotes disclosures
• Users underestimate scope of disclosures
• Used for Work and for Fun – blurs line
• Control once information is posted

How serious are the Risks to Enterprises?

• Don’t know full extent of risk
• Just beginning to understand technology, use by people, impact on privacy
• Rapidly changing
• Beginning to construct appropriate rules of engagement to understand and mitigate risks

What are the Risks of SM?

• Illegal/unauthorized/inappropriate disclosure of personal or confidential information
• The employment relationship – internal/discl.
• Lack of policies, protocols, training, errors
• Customer Relationship – external/collection
• Malware, hacking - external/breach

Consequences:

• Liability under PIPEDA and other laws
• Harm to corporate reputation

PIPEDA and Social Media

• Collection, use and disclosure of personal information
• Course of commercial activity
• Employment relationship if FWUB
• Notice, Consent, Reasonable purpose
• BUT – other private or confidential information and situations not caught by privacy legislation
• Still risks to enterprise – Best practices
• PIPEDA minimum standard - guidance

Disclosures by Employees using SM

• Personal or corporate SM
• On or off duty – lines blurred
• PI about other employees – examples
• Unionized workplace – neg’n, elections
• Human rights, harassment, defamation
• Obscene materials, copyright
• Clients / customers
• Business partners
• Confidential corporate information
• Reputation and publicity

Collection, Use and Disclosure of Personal Information using SM

• Recruitment and staffing
• Monitoring
• Investigations
• Change day to day management of the employment relationship
• Customers – service delivery, managing relationship, marketing information
• Requests from law enforcement; litigation

How to manage risks?

• Understand technology – aware of privacy implications for enterprise
• Aware of information flows – in and out
• Express policy guidelines on SM and handling PI; understandable; consequences of violation; disseminate widely - OPC Fact sheet
• Use allowed in the workplace? Will it reduce risks? Create other issues?
• Education – avoid privacy misunderstandings