Compliance tip on the responsible use of social media sites

June 24 2009

As the means of social communication continue to change, University employees should remain aware of their continuing responsibilities concerning appropriate use of University computing and electronic communication resources.

The growth of popular sites such as Facebook, MySpace and Twitter, as well as the proliferation of weblogs or blogs provide another opportunity to reinforce these responsibilities, said Tom York, director of the Internal Audit Department.

“The University Relations and Community Affairs Division is leading the official effort to leverage these new media to reach larger audiences in a positive and interactive way,” said York. “There will be a number of employees whose official duties will include online activity in these new arenas. Their revised job descriptions will contain the individual standards of performance expected by their supervisors and they will be enforced through our performance management process.”

For employees who have personal accounts with these services and also have access to the University’s information technology system, until a specific University policy is put in place, existing policies that govern personal use of University resources are the guide. York cited two particular documents that provide critical guidance to employees. Policy Statement No. 20 “Electronic Communication Systems”,” addresses an employee’s “responsibility to use these resources in an efficient, effective, ethical and lawful manner.” It also states “(w)hile personal use of University ECS accounts is not prohibited by law, …privacy of personal ECS content residing on or transmitted through University equipment is not assured…. Personal use cannot interfere with a University employee’s obligation to carry out University duties in a timely and effective manner.” Policy Statement No. 66 “Responsible Use of University Computing and Electronic Communication Resources” establishes as a standard that “Responsible use includes, but is not limited to, respecting the rights of other users, sustaining the integrity of systems and related physical resources and complying with all relevant policies, laws, regulations, and contractual obligations.” The policy goes on to provide specific examples of appropriate and inappropriate use as well as potential consequences for violating the policy.

“In addition to our use of University resources, we all come into contact with information on a daily basis that could be considered confidential to University operations,” York stated. “Personnel, finance and student records also come with a distinct set of federal and state regulatory standards that govern the maintenance, retention and release of related data. Inappropriately releasing information through a phone call, e-mail, blog entry, Facebook posting or a tweet poses real legal and monetary risks to the individual and to the University, not to mention the reputational risks the negative publicity would bring.”

The public often connects employees with their official University roles even in social situations. York said his intent is not to tell employees how to act in their personal communications, but he would be remiss not to warn them of the documented incidents of employees being disciplined by their employers over Internet postings (e.g., the recent case of the CMS teachers).

“It should go without saying that employees should display common sense when interacting online – be nice, don’t insult anyone, don’t use profanity or attack people personally and avoid inflammatory subjects. Defamation or harassment lawsuits can be personally and professionally damaging as well as expensive. None of this should be taken as an attempt to infringe on an individual’s right to freely express ideas and opinions. If you have any questions about how a University policy applies to you, ask your supervisor. Supervisors can direct their questions on policy matters to the Office of Legal Affairs or the Internal Audit Department.”

(Some information in this article was taken from an article in IIA Insight, June 2009 edition, published by the Institute of Internal Auditors.)