Employer asking for social media log in details!

bootybouncer

Not obliged to chap.................ask said employer to show you their gash or todge.......see how they like it

DoctorEdgeWild

billybob123 wrote: »

I have worked here for over 1 year. I do promote the business somewhat through my LinkedIn, however it is not a premium account so they have not paid for it and i had it 4 years before i start here.

They say it is regarding an ISO compliance thing to do with data protection.

Definitely nothing to do with ISO:9001 quality or 14001 environmental, that's an area I work in. Might be worth asking to explain what they meant exactly as there may have been a miscommunication. It's not something I'd ever even consider asking any of my employees though.

hullaballoo

All employees of certain social networking sites have full admin access to all users profiles, including messages etc. Again, I'm surprised more people don't expect this to be the case.

Dublinflyer

I got asked for my Facebook password by a company I worked for a few years ago as they got wind that some of the guys were bitching about managers on their pages. I told them that I did not have a facebook page, which was the truth, and they started disciplinary proceedings against me. I let it run a bit as I was intending to leave anyway and eventually got a solicitor involved. I think they wanted to make an example of somebody but picked the wrong person as I was able to prove that I never had a page. I am going back a good few years as FB was still a new thing but they ended up having to pay a few people in the company compensation as the LRC, it went that far, said it was a form of bullying. The company ended up going bust about a year later but I don't think there were many tears shed at the time.

whomitconcerns

hullaballoo wrote: »

All employees of certain social networking sites have full admin access to all users profiles, including messages etc. Again, I'm surprised more people don't expect this to be the case.

Really? Which sites are they. i want to see those t&c's please so i can get off them.

munchkin_utd

are you sure they asked you for a "password" or was it your "login" - the first being a request for your password but latter meaning just your user id just so they can "friend" you or whatever ?

hullaballoo

whomitconcerns wrote: »

Really? Which sites are they. i want to see those t&c's please so i can get off them.

Would you not just presume it's all unless they specifically state otherwise?

The general rule is that if you don't want other people to have information about you, don't post it on the internet.

whomitconcerns

hullaballoo wrote: »

Would you not just presume it's all unless they specifically state otherwise?

The general rule is that if you don't want other people to have information about you, don't post it on the internet.

And yes I agree 100% and I dont use a lot of those sites for that very reason. However, I would assume private messages,etc would be not in public domain. And yes I would have a legitmate expectation of privacy therin. From google or linkedin or facebook T&Cs.

Larbre34

Handover the passwords, then change them immediately. When the query comes back, 'eh, they dont work', sue the pants off them.

Five Lamps

billybob123 wrote: »

I have worked here for over 1 year. I do promote the business somewhat through my LinkedIn, however it is not a premium account so they have not paid for it and i had it 4 years before i start here.

They say it is regarding an ISO compliance thing to do with data protection.

In that case, you need to have a frank conversation with them - that you promote the company through your own social channels. Advise them that you are happy to stop doing this or assist the company in setting up and managing their own channels.

They have no requirement for the credentials of your personal accounts as part of their ISO process.

Manach

Purely from a devil's advocate position, it might be argued that a firm's reputation and/or security policy standpoint having the passwords would be allowed to ensure these are safeguarded. As the OP mentioned, there are work related material on those sites and as part of T&C in employment contracts there are usually articles on confidentiality as well as IP rights safety.
But aside from that, in the normal circumstances handing over passwords is just not on - and to even mention the Data protection act as a pretext for this is odd.

Pat Mustard

whomitconcerns wrote: »

Really? Which sites are they. i want to see those t&c's please so i can get off them.

I'd suspect that they all do.

Have a look at Facebook's privacy conditions for a start.

sopretty

Would ISO compliance not require access to and review of all marketing and marketing channels used?

DoctorEdgeWild

sopretty wrote: »

Would ISO compliance not require access to and review of all marketing and marketing channels used?

Not for 9001 or 14001. It would simply require that the process you have in place is adhered to and can be checked. Not every company would have marketing so it is not mentioned specifically in either standard.

However, if you said in a process/procedure that you monitored all online marketing by employees, you could be asked to show evidence that you do. It would be up to you to decide how best to do that to satisfy your auditor.

touts

Remove the business related posts from Linkedin and tell them that the business stuff is now gone and it is a purely personal account.

Tell them the other accounts are personal and not business related.

Leave it at that. Unless they take further action you should not. Do not get snotty and certainly don't go running to a solicitor as some people here have advised. Remember if you go all bolshy and legal then you might win the Battle of the passwords but you will lose the war or your career. Even when you leave there will be a note on your file to say you were a difficult employee and that'll go out to any future prospective employers looking for a reference. There is a reason the most bolshy people in the country are those with jobs for life in the civil service. They don't have to worry about a reference in the future.

sopretty

DoctorEdgeWild wrote: »

Not for 9001 or 14001. It would simply require that the process you have in place is adhered to and can be checked. Not every company would have marketing so it is not mentioned specifically in either standard.

However, if you said in a process/procedure that you monitored all online marketing by employees, you could be asked to show evidence that you do. It would be up to you to decide how best to do that to satisfy your auditor.

So, if they had stated that their marketing processes include the use of employee social media accounts, then it might well be a case that they do indeed need to provide evidence of this and the ability to review such marketing?

DoctorEdgeWild

sopretty wrote: »

So, if they had stated that their marketing processes include the use of employee social media accounts, then it might well be a case that they do indeed need to provide evidence of this and the ability to review such marketing?

Yep, if I were QM for a company that said they monitored all online accounts in a policy, I would show evidence of a company LinkedIn/Facebook page being regularly updated by an employee.

It is a big stretch to monitor an employees personal account though. I can't imagine a quality system that would include something like that and have yet to see one, definitely a question for HR/legal people rather than Quality/Conformance people.

Seems a bit mental to me and hopefully just a misunderstanding.

The only possible greyness would be if someone were conducting company business through their personal accounts - which is just a bad idea in my opinion.

GarIT

Enable two factor authentication. Then you will never be able to log into Facebook from a new computer without your phone. Give them the passwords and you will get text messages if anyone tries to log into your account and the location of the attempted access.

sopretty

I'd possibly discuss this with my employer then. I'd state that while you use the LinkedIn profile for marketing (which presumably they are aware of), you would like to separate your profile from the company one. Is there anything you'd be uncomfortable with currently on your LinkedIn profile?
A bit silly of the employer to use employees' personal accounts.

As for Facebook or anything else - this is a complete blurring of lines between personal and professional.

sopretty

Is it a small or relatively new company you work for OP?

Is this their first time applying for ISO certification?

I would think that their request is probably genuine, particularly if an ISO audit has been ongoing. I wouldn't think that there is any sinister intent, rather, a naivety as to what would be required to achieve ISO certification.

For that reason, I would discuss the issue frankly and without any fear of sinister motivations. ISO might not be happy with the employer accessing passwords of personal employee accounts either, so I think your employer might need to do a bit of research. Discuss it with them, and you might come out smelling of roses!

SpaceTime

Absolutely not!

Social media accounts hold other people's private information i.e. your friends, family members etc.

It's also a breech of T&Cs of almost all the social media accounts I'm aware of.

Would you let someone have a rummage through your personal diary or maybe tap your home phone line, or go through your post i.e. have it forwarded to the office, checked and sent on.

Maybe have a little app installed on your personal mobile so they can listen in to your calls?!

I think not.

If they want to use social media on the company's behalf, they should be using corporate accounts, not your personal ones.

Five Lamps

Manach wrote: »

Purely from a devil's advocate position, it might be argued that a firm's reputation and/or security policy standpoint having the passwords would be allowed to ensure these are safeguarded. As the OP mentioned, there are work related material on those sites and as part of T&C in employment contracts there are usually articles on confidentiality as well as IP rights safety.
But aside from that, in the normal circumstances handing over passwords is just not on - and to even mention the Data protection act as a pretext for this is odd.

If the company is going for an ISO accreditation, I would imagine that they would need demonstrate that they have a good security and password regime that protects all their data no matter where. It's possible that's where the confusion is. The OP should just simply say these are my accounts and not part of the company and out of scope of your documentation. If it's a problem he just stops doing anything work related with his personal accounts and state this to his employer.

In reality, if the company is going for a quality recognition then they should already have a data privacy and a social media policy in place that would not allow a situation like this arise.

Five Lamps

SpaceTime wrote: »

Absolutely not!

Social media accounts hold other people's private information i.e. your friends, family members etc.

It's also a breech of T&Cs of almost all the social media accounts I'm aware of.

True but so is using personal accounts for business purposes.

If they want to use social media on the company's behalf, they should be using corporate accounts, not your personal ones.

It sounds like the company hasn't got a social media plan or policy in place. The OP might be in a good position to lead that. Turn this into an opportunity.

DoctorEdgeWild

sopretty wrote: »

Is it a small or relatively new company you work for OP?

Is this their first time applying for ISO certification?

I would think that their request is probably genuine, particularly if an ISO audit has been ongoing. I wouldn't think that there is any sinister intent, rather, a naivety as to what would be required to achieve ISO certification.

For that reason, I would discuss the issue frankly and without any fear of sinister motivations. ISO might not be happy with the employer accessing passwords of personal employee accounts either, so I think your employer might need to do a bit of research. Discuss it with them, and you might come out smelling of roses!

^^^ A thousand times this OP.

Lots of people get confused about what is required to meet or exceed the standards and end up getting muddled up trying to cover every base whereas it's fairly simple - The auditors are simply looking to see if you actually do what you say you do, that's really all there is to it.

Definitely be nice about it, it may be a genuine mistake made by someone.

wildlifeboy

is it iso27001, if so then theres no obligation for personal account info. there may be if you use it for business but that has to be stated in both the social media policy and has to be declared before audit. if its not declared then they wont even look into it. i work in IT security and no one should give up their personal info. tell them to go and ****ew

techdiver

wildlifeboy wrote: »

is it iso27001, if so then theres no obligation for personal account info. there may be if you use it for business but that has to be stated in both the social media policy and has to be declared before audit. if its not declared then they wont even look into it. i work in IT security and no one should give up their personal info. tell them to go and ****ew

+1

Me too

This is exactly correct and is essentially the most important thing to take from this thread!

rab!dmonkey

Larbre34 wrote: »

Handover the passwords, then change them immediately. When the query comes back, 'eh, they dont work', sue the pants off them.

Why not just hand them some bogus passwords?

scruff monkey

rab!dmonkey wrote: »

Why not just hand them some bogus passwords?

Because it only serve to piss them off and remove the ability to have a frank and honest exchange of views which is where this sort of thing needs to be rather than playing games with an employer or prospective employer. It's wasting everybodies time.

rab!dmonkey

scruff monkey wrote: »

Because it only serve to piss them off and remove the ability to have a frank and honest exchange of views which is where this sort of thing needs to be rather than playing games with an employer or prospective employer. It's wasting everybodies time.

Exactly the same thing would happen if you hand them the genuine password, but change it before they can use it.

scruff monkey

rab!dmonkey wrote: »

Exactly the same thing would happen if you hand them the genuine password, but change it before they can use it.

Not quite, if it's a personal account then you simply never hand over the information, that's the conversation that needs to happen there.

(and I would draw a distinction between that and an account that someone might operate for a company for marketing/other purposes).