Social Media: Guidelines on the policy for employees using social media for non-business purposes 

Jan du Toit

About 17 years ago social media could have been described as printed media, radio and television. That was until we were introduced to the World Wide Web and all the wonderful things that we are now capable of from our desks without having to go to the library, the post office or even having to speak to somebody in person. It cannot be argued that the internet drastically changed the way we communicate and do business. 

During the past 10 years a number of social networks popped up and can best be described as addictive for some users. Facebook seems to be by far the most popular social networking platform followed closely by Twitter with a growing user base. It is reported that there are currently around 4.5 million Facebook users in South Africa, a number that has steadily grown from 3.8 million in 2005. 

These statistics may be good for Facebook, but what does it mean for employers? First of all there is the question of the productivity of employees that access Facebook and other social networking sites during office hours, as well as the associated infrastructure costs. It was recently reported by a well-known electronic communications surveillance service provider that in one company with 600 employees, 79% of the time of the employees were spent on social networking or gaming sites. One can just guess for how much longer that company will be able to do business. 

Another concern is the reputation of the business of the employer, or its employees, as a result of the information published on these sites. During the past couple of years we have seen a number of employees being dismissed as a result of defamatory information that was published on Facebook. In Sedick & another / Krisray (Pty) Ltd [2011] 8 BALR 879 (CCMA), both the operations manager and bookkeeper were dismissed for bringing the company's name into disrepute by publishing derogatory comments about the owner of the company on Facebook. The employees claimed that their right to privacy was breached by the employer by accessing their profiles on Facebook. They further argued that the comments they made did not identify any person or organization and could therefore not have damaged the reputation of the company.

The commissioner noted that in terms of the Regulation of Interception of Communications and Provision of Communication-related Information Act 70 of 2002, “any person . . . may intercept any communication if he or she is a party to the communication, unless such communication is intercepted by such person for purposes of committing an offence”. According to the Commissioner the internet is a public domain and Facebook users have the option to restrict access to their profiles as well as the information that they publish. In this case the dismissed employees did not block access to their profiles and as such any person could have accessed the information that they have published. The admissibility of the employer’s evidence was accordingly not an issue.

Turning to the comments that were posted the commissioner found that former or current employees of the company, that accessed the profiles of the two employees, would have had no difficulty in identifying the person they referred to in their communications. The dismissal of the two employees was therefore found to be fair.

From the above it is clear that a dismissal under such circumstances could be fair, provided that the employer follows the correct procedures and that the evidence used against the employee has not been illegally obtained in terms of the Regulation of Interception of Communications and Provision of Communication-related Information Act. It is therefore very important for employers to ensure that they have policies in place relating to the monitoring and interception of communication in the workplace. In addition to the company’s electronic communications policy it may be necessary to introduce another policy, the social media policy.

The social media policy will establish the principles for employees using social media for official and private purposes when the employee‘s affiliation to the employer is identified, known, or presumed. Such a policy must clearly define “social media” as well as guidelines on how to use these public platforms.

Employees using social media for official purposes should be aware of the following: 

  • The approved social media sites may only be used for officiall purposes.
  • The message that the company wants to bring across to other users must be clearly defined.
  • Postings must be kept legal, ethical and respectful.
  • Employees may not engage in online communication activities which could bring the company into disrepute.
  • Personal details of employees may not be disclosed.
  • Confidential information may not be disclosed.
  • Copyright laws must be adhered to.
  • Only the official approved logo of the company may be used.
  • The information that is published must be accurate and not confidential.
  • Statements to the media must first be approved by the employer.

Guidelines on the policy for employees using social media for non-business purposes:

  • Be clear on the use of company equipment or access to such sites and when this may be done.
  • Remind employees that internet and email communication may be monitored and intercepted as per the electronic communications policy of the employer.
  • Company information must be kept confidential.
  • The company name or logo may not be used on private profiles.
  • Colleagues, managers or information pertaining to the company may not be discussed on such platforms.
  • Employees must be advised to block access to their profiles for other users that they do not know.
  • The code of conduct of the company must be respected and considered as the guiding rule. Explain the consequences of failing to adhere to the social media policy of the company.

Employers are advised to carefully weigh up the benefits of social media against possible reputational damage and the abuse of company time and resources if access to such sites is allowed. Jan du Toit is available to assist in drafting such a policy as well as with disciplinary enquiries and ccma matters. His email address is  


POPI and consent - don’t get caught in your own net

By Gillian Lumb, Director, Kara Meiring, Candidate Attorney, Cliffe Dekker Hofmeyr


2020 has given rise to many challenges for employers. The Protection of Personal Information Act 4 of 2013 (POPI) poses yet another challenge. Employers have a grace period of one year as of 1 July 2020 within which to ensure their compliance with POPI.


POPI distinguishes between the collection, storage and processing of personal information and special person information. Special personal information includes e.g. an employee’s race or ethnic origin, health or sex life, religious or philosophical beliefs and trade union membership. Securing an employee’s consent is one of the basis on which an employer can lawfully process both general and special personal information of its employees.


It is crucial for employers to understand the meaning and interpretation of consent within the context of POPI. While employers may hope for a “quick fix” to ensure compliance and trust that including a broad, “catch all” consent in employees’ contracts of employment will be suffice – this may not prove to be adequate in every instance. A general consent may be sufficient to cover some of the personal information that will be processed during the course of an employee’s employment, however employers should be aware of the risks associated with relying on blanket consents in every instance.


Section 1 of POPI defines consent as “any voluntary, specific and informed expression of will in terms of which permission if given for the processing of personal information”. Written consent is not expressly required. However, it will be for the employer in its capacity as responsible party to show that it has secured an employee’s consent where it is relying on consent. In the circumstances it is advisable for employees’ written consent to be secured.


The requirement that consent be voluntary, specific and informed means that there should not be any pressure or force placed on an employee to consent. The employee should also be sufficiently aware of the content of the processing given the requirement that the consent is informed.


The Information Regulator has yet to give guidance on the interpretation of consent in terms of POP. In all likelihood it will have regard to the General Data Protection Regulation 2016/679 (GDPR) which requires that the consent is unambiguous and must be given by a clear affirmative act. It may well be that the Information Regulator interprets consent restrictively in keeping with the GDPR.


In the circumstances clauses relating to the processing of personal information in employees’ contracts of employment which are aimed at securing employees’ consent to the processing, should at minimum set out the nature and scope of the personal information that is to be processed, the reason for the processing, consent to further processing, consent to collection from a source other than the employee and consent to the transfer of the information. The employees must be able to understand in clear language what they are consenting and the extent of the consent. Where necessary provisions should also be made specifically for the processing of special personal information.


Employers should bear in mind that POPI does not demand consent in every instance and that processing may take place without consent where e.g. the processing is required in terms of law, or for the purposes of protecting a legitimate interest of the employee.


Employers will need to determine on a case by case basis whether the processing which they wish to conduct falls within the scope of the consent which they may have secured from an employee in his or her contract of employment or whether they will need to rely on one of the other basis set out in POPI.


Both special and general personal information may be processed lawfully if the processing is necessary for the “establishment, exercise or defence of a right or obligation in law”. This would cover instances where e.g. an employer processes employees’ personal information to comply with its obligations under the Employment Equity Act.


An employer can process general personal information without an employee’s consent where such processing either protects a legitimate interest of the employee, or is “necessary for pursuing the legitimate interest of the responsible party or of a third party to whom it is supplied”. While the term “legitimate interest” is not defined in POPI, it is likely that the Information Regulator will seek guidance from the GDPR in this regard. The GDPR has established a three-pronged test in interpreting “legitimate interest” which considers purpose, necessity, and balance. It first asks, “Is there a legitimate reason or purpose for the processions?”, secondly “Is processing the information necessary for that purpose” and thirdly “Is the legitimate interest overridden by the interests of the data subject?


A determination is made as to whether there is a “legitimate interest” for the purposes of processing personal information based on the answers to these three questions.


So as not to fall foul of the provisions of POPI it is recommended that employers develop internal policies that will assist them in determining whether in each instance, personal information to be processed is covered by the general consent clause in an employee’s contract of employment alternatively, by one of the other basis for lawful processing. In the absence thereof, the employer will need to prepare and secure a further consent from the employee.


For more information, please contact Gillian Lumb at

Article published with the kind courtesy of Cliffe Dekker Hofmeyr www.cliffedekkerhofmeyr.com






Courses and Workshops




Basic Labour Relations

28 January 2021 (09:00 - 16:00)

Interactive Online Course

Employment Equity Committee Training

29 January 2021 (09:00 - 16:00)

Interactive Online Course

POPIA: Protection of Personal Information Act

04 February 2021 (09:00 - 12:00)

Interactive Online Course

The OHS Act and the Responsibilities of Management

11 February 2021 (08:30 – 16:00)

Interactive Online Course

Health and Safety Representative and Committee Training Course

18 February 2021 (08:30 - 16:00)

Interactive Online Course


 Our Clients 


Android App On Google Play

Android App On Google Play