Keep your KM policy within the law

What risks do social media tools present?
Ownership of content and the fallout caused by misguided content are among the most common sources of dispute. Most staff, when given social media tools to use for a work purpose, will use them responsibly or not at all – lack of use is sometimes a bigger problem than misuse.

However, any company should take precautions against misuse when introducing social media. That means providing guidelines for staff on what is acceptable and what is not acceptable and making sure that staff know about them and follow them. They should be short and easy to read. Several pages of legalese will only be counterproductive. Also make it easy for anyone to have inappropriate contributions removed quickly.

A risk that is sometimes overlooked is the need to make clear what content is accessible to whom. We have seen problems in the past of staff posting confidential material to an internal forum that they wrongly assumed was accessible to a small internal audience only. It was not a public forum, but it was visible to short-term agency workers who should not have seen that content.

Another trap is thinking that an email and internet use policy that was written several years previously will suffice. If it is an old policy, it may have been written with older web technologies in mind – and it may cover only what is downloaded, not what is uploaded. It also helps to make clear that use of public-facing social media sites outside working hours can affect the employer. We’ve all heard stories of people being disciplined or sacked for making comments on Facebook that bring the employer into disrepute, but most of these cases don’t make the headlines. It’s quite common. So again, it’s worth making the risk clear to staff in the policy.

How can you control wikis and other user-generated content for knowledge management purposes?
In our experience, the biggest challenges are nothing to do with law. They’re about organising the information when wikis are active and encouraging their use when they’re not. On the legal side, a common problem is stopping people posting content that they don’t have the right to use. You would expect developers to share code – but when they bring it with them from their last job, copyright problems arise. Clearly no company wants unwitting infringements to contaminate its own code.

The same risk exists for other types of content. An employee might think he is being helpful by making a rival’s PowerPoint presentation available to his colleagues. That’s probably going to be an infringement and even if it doesn’t result in a lawsuit, it can be embarrassing.

Employers can minimise the risks by setting ground rules on what should and should not be contributed, putting them in writing and making sure everyone knows them. They must also enforce them.

Encourage staff to report anything that is inappropriate. YouTube does this in a very clear way with its “Flag as inappropriate” button. Internal systems can adopt a similar approach.

What employment law issues do I need to be conscious of if implementing virtual learning and training?
The principal concern from an employment law perspective is how employers who offer virtual training will show the fact that their employees have undertaken the relevant training course, and how they will keep a record of the content of the course.

This may become a relevant issue, for example, if an employer is defending a claim of sex discrimination. The employer may want to advance the “statutory defence” that they have taken all reasonably practicable steps to stop the harassment occurring, which will require the employer to provide evidence of their equal opportunities policies and the fact that their employees have been trained on equal opportunities issues.

An employment tribunal will scrutinise any such defence carefully and will require evidence that the employee in question has attended the relevant course, together with details of the course content. Therefore, employers will need to consider practical ways of ensuring that a register is maintained of which employees have attended virtual training courses and that the course content is readily accessible.

This is an issue that should be explored with the training provider before subscribing to their course. Equally, interactive courses, which require employees to answer questions before they can proceed to the next stage of the course, will be preferable to non-interactive courses, because this way the employer will be able to show that the employee has actually engaged in the course and has not just left it running in the background while doing other tasks.

If information is being transferred outside of the EU, what legal obligations are there?
If personal information is transferred outside the European Economic Area, data protection rules apply. This won’t apply to non-personal training material where there is no identifying information about individuals. But it could apply to information such as learner details, learning management information, training matrices of who has done what and the outcome, and other personal details.

An organisation may collect this via an overseas affiliate, or need to transfer it to an overseas parent company which maintains training records. Or an organisation may use a third-party supplier to provide knowledge and learning tools and this supplier could be overseas.

If this is the case, the Data Protection Act 1998 (DPA) requires appropriate safeguards to be in place to protect the information. This could include secure transmission, access on a need-to-know basis and so on.

If a third-party supplier is involved, or if an affiliate is acting only on behalf of the organisation as a “data processor”, then a written contract with the data processor must also be in place to protect the personal data.

There must be a specific legal ground for the transfer. These grounds are set out in the DPA and can include the consent of the individuals to the transfer (although it can be difficult to rely on the consent of employees as consent is not valid if employees feel compelled to agree and do not really have an alternative) or the use of a “model contract” with the overseas entity. Some US third-party suppliers may be in the US safe harbor, which provides a ground for the transfer to go ahead.

The message for organisations is to think about where employee/learner data is going, how it will be protected and how DPA compliance will be achieved.