Planning a company social network? Don't forget privacy issues

Computerworld - Large corporations seem to be tripping over themselves in their rush to tap into the social networking phenomenon by deploying their own versions of online user communities. But by trying to shoehorn this generation's Woodstock into a corporate wingtip, they may be assuming risks that even the best social networks haven't fully addressed.

I have to admit: I'm one of those over-35 types who think they're hip because they have a BlackBerry but are deaf to the siren songs of text messaging and Facebook. People like me think we have a hard enough time managing e-mail without getting sucked into a black hole of endless texting and friending. We're the cold showers in charge of corporate policy, and you'll have to warm us to the idea of deploying a “CitiBook” or “myHomeDepot” for corporate staff.

But despite our skepticism, the nearly universal use of social networking sites among those entering the workforce is thrusting this issue onto boardroom agendas around the country. We have to meet the expectations of our younger workers, the human resources department's argument goes, so that we can attract them and get the most out of them.

We heard the same argument during the dot-com boom, by the way, to explain why we needed to let new hires dress in pajamas and bring their parrots to work.

More sober IT departments have also been making a case for policy decisions on social networks, however. They see the large amounts of time users are spending on Facebook, Flickr and LinkedIn. They worry about the productivity of their own IT staffers, the security risks of importing social-networking applications into the computing environment, and the privacy risks of employee and customer data leaving the core network through these new channels.

To get ahead of the curve, traditional IT security managers have already blocked employee access to social networking sites as well as free e-mail services. The more daring chief information security officers are siding with HR, lobbying for internal social networks that redirect employees' attention inward, where they can be safer and more productive. Legal departments, for their part, are raising these questions:

• What if an employee posts to the corporate site revealing photos or a political rant? Is the company prepared to define its acceptable-use policy in detail, laying out what is obscene and which political or religious viewpoints are unacceptable? Will it assign someone to patrol content and respond to user complaints?
• What if an employee posts revealing photos or slanderous remarks about another employee? What if an employee appropriates another employee's image to promote a side business? Will it be enough from a legal perspective to have a process in place to remove content that harms another employee?
• What if an employee's extramarital relationship becomes a topic of discussion on the corporate site? Does the company proactively remove the content, or wait to become party to a divorce proceeding?
• When interviewing internal candidates for an executive position, should we consistently exclude or include a review of their profiles and postings on the corporate social network?
• Does the social network violate the company's own privacy policy by falling short of privacy principles regarding notice, choice and access?
• If an employee in the U.S. posts sensitive information about a European employee, does that constitute a cross-border data transfer in violation of EU privacy rules?