Social media is a great way to keep in touch with friends and family, network and meet new people, share private information and/or promote your business. But do you really know what happens to your information once you have put it in the public domain? And, if you are using personal social media accounts for business purposes, did you know that the Data Protection Act 1998 (the DPA) applies?

Penny Bygrave, specialist in data protection law at BDB, stresses the most important things to bear in mind when using social media or otherwise posting personal information online:

  • Nothing is completely private and nothing is ever permanently deleted: every compromising photo or cheeky comment you post, including posts in private chatrooms, can (and, be sure, will) be viewed by anyone, anywhere, at any time – usually by the people you would least want to see it. This means your parents, grandparents and (present or future) children; your peers – friend or foe; and your past, present and future employers.
  • Free to use does not mean that you are not paying for the service: data is big business and your personal information is a valuable commodity.
  • For organisations, including charities and social clubs: promoting your organisation via an employee's or volunteer's private/personal account does not relieve you of liability under the DPA.

Sites such as Facebook, Twitter, LinkedIn, and Instagram are built around the idea that the more information you provide the better your experience will be.  This may be true if your idea of a better service means more, and more intrusive, targeted advertising.

Facebook has a market value of over $100 billion. If you wonder how a free to use service has a revenue stream of $7b to $9b per year, it's YOU – you are the product and your information generates their income.

Not all social networking sites sell your information to third parties, but many do; this is the same for all organisations that require you to register prior to use (think Amazon, eBay etc).

What can I do to minimise the risk?

There are a number of things that you can do to protect your information and control how it is used:

  • When you sign up to a site, check their terms of use and privacy policy: these should tell you who is collecting the information, what they will do with it, who they will share it with and for what purposes. If it is not clear or you don't like what you read – don't post your personal details on the site.
  • Use the tools that are already available: In a recent survey by a consumer organisation, 84% of those surveyed said they wanted more control over who had access to their data.  However, 87.5% admitted to not using the existing controls to adjust their privacy settings.
  • Most importantly, use your common sense: don't give more information than you need to.  And think carefully before posting compromising pictures or opinions: would you want your employer (or your Gran) to see those pictures?

What if it's already out there?

Most organisations will operate an acceptable use policy and have a procedure to have posts removed ('take down' policy). Your first port of call should be to contact the website administrator and ask for the post to be removed. If this doesn't work, take the matter up directly with the organisation: under the DPA you have the right to see what information is being processed about you ('subject access request'). You can also stop organisations sending you direct marketing and prevent processing that could cause damage or distress.

For Organisations

As noted above, the DPA gives people specific rights in relation to their personal information and places certain obligations on those organisations that are responsible for processing it. The DPA contains an exemption for personal data that is processed by an individual for the purposes of their personal, family or household affairs (often referred to as the 'domestic purposes' exemption). However, it only applies when an individual uses an online forum purely for domestic purposes; it does not cover organisational use of online forums, including where, at the instigation of the organisation, an individual employee (or volunteer) posts non-domestic information on their personal accounts. Organisations that use social media in this way are subject to the DPA in the normal way.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.