< Back

Share |

Social Media and Data Protection: the Employment Law issues

February 2013

Employers are becoming increasingly aware of the benefits of using social media not only as a means of promoting their business, but also recruiting the best candidates. Along with other key considerations (including concerns around confidentiality, privacy and defamation) employers must also ensure that they are fully aware of, and comply with, their obligations under the Data Protection Act 1998 (the "DPA").

Employers' Duties under the DPA

Under the DPA, employers (as data controllers) must process employees' personal data in accordance with the eight data protection principles. These responsibilities capture a wide group of individuals, including:

  • job applicants (even if they are unsuccessful);employees
  • current employees;
  • former employees;
  • individuals engaged on an agency, contract or casual basis; and
  • individuals who are undertaking work experience.

It is vital that employers remember that their obligations under the DPA apply throughout the different stages of the employment journey. The interplay between these obligations and the increase use of social media creates some significant new challenges for employers, which should be addressed sooner rather than later to minimise the risk of any breaches of the DPA.


Employers' use of data found on social media platforms is most apparent at the recruitment stage of the employment relationship, particularly when they are advertising a vacancy and/or screening a potential candidate.


It is becoming increasingly common for employers to advertise vacancies on social media platforms such as Twitter, LinkedIn and Facebook. If used with traditional recruitment tools, these sites can help employers reach a wider audience. It is, however, important that employers remain mindful of their DPA obligations regardless of the recruitment tool being used.

Some key pointers include:

  • Any online job advert should explain how personal data will be collected, used and stored;
  • If personal data of unsuccessful candidates will be put 'on file' or if the personal data may be passed on to a third party (such as a related company), this should be stated on the relevant site;
  • The questions asked of potential candidates on these sites must relate to the recruitment process and, where possible, be tailored to the particular role.

More and more, employers are turning to a candidate's "online C.V." to learn more about the relevant individual. With the advent of so many different social media platforms, this process will often include a review of sites intended for such purposes (such as LinkedIn) as well as other sites which the candidate may use for social purposes only (such as Facebook).

At this stage in the employment relationship, employers should note that:

  • It is lawful to use social media for the purpose of screening applicants;
  • In doing so, the DPA principles must always be adhered to;
  • Any data collated as part of the recruitment process should not be used for any other purpose;
  • It may be prudent to advise potential applicants that screening processing may will include publicly accessible social media profiles.

From an employment law perspective, the main pitfall for employers when using personal data obtained through social media is the risk of discrimination complaints being made by applicants (who are protected under discrimination law even though the employment relationship hasn't formally started).

Employers must avoid using any data collated during the recruitment screening process in a discriminatory way. For example, if it is clear from an individual's twitter feed that they hold very firm religious beliefs and, on this basis, an employer decides against offering them a role, the unsuccessful applicant could make a discrimination complaint to the employment tribunal.

Crucially, any individual within the employer's organisation who has responsibility for this process and, as such, is accessing personal data from these sites should be given comprehensive training on the obligations contained within the DPA. This will minimise the risk of breaches occurring and, in turn, reduce the risk of discriminatory decisions being made on the basis of the data being processed.

During Employment

key componentMany businesses are embracing social media as a key component of their strategic business model. As such, it is very likely that employees' personal data will be used as part of this process. For example, an employer may have 'updates' used for promotional purposes in which they wish to name individuals or provide other personal data. In these circumstances, employers should be aware of how their employees' personal data is being used on social networking sites, as well as data relating to clients or third parties.

Use of Employees' Personal Data

Storage of employees' personal data taken from a social networking site without the individual's consent may amount to unlawful processing of data. An employer should, therefore, be careful about what information they keep, how it is stored and for how long it is kept.

Where the employer wishes to use the personal data of one of their employees on their social network site, they should always seek the consent of that person before putting the information online.

Use of Clients' Personal Data or Data from Third Parties

During the course of their employment, employees may become privy to personal information about clients or other third parties.  It must be made clear to employees that any such information must not be broadcast via social media sites or accounts (whether such accounts or profiles belong to the employer or the employee) without the consent of the relevant individual.

Training should be given to all employees and the employer should create a robust, and well communicated, policy dealing with the use of social media by employees. This should set out the restrictions placed on communications made via social media, and the sanctions for failure to comply with the terms of the policy.

handshakeThe End of the Employment Relationship

Employers should remain mindful of, and have appropriate policies in place to deal with, their continuing obligations under the DPA after the employment relationship has come to an end. These obligations apply equally to information either collated via or held on social media sites or accounts.

Key Action Points for Employers

Bearing in mind the issues outlined above, the three key actions for employers looking to minimise the risks of breaches of the DPA when using social media should be:

  • Ensure your data protection policy adequately deals with the challenges created through the use of social media;
  • Be transparent and clear in your communications to future, current and former employees regarding the use, storage and holding of their personal data; and
  • Train your employees on the terms of your data protection and social media policies and make them aware of your obligations as a business as well as their own obligations as employees with access to personal data of others.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Employment Law issues
Amy Sinclair


Amy discusses the issues that employers now face with the increasing use of social media.

"From an employment law perspective, the main pitfall for employers when using personal data obtained through social media is the risk of discrimination complaints being made by applicants (who are protected under discrimination law even though the employment relationship hasn't formally started)."