The foundation of a good governance program is the policy. It describes, in broad strokes, the behavior expected of - and prohibited to - employees and ensures that those expectations are clear. Most organizations will have a suite of policies that address everything from appropriate workplace behavior and dress to hiring and disciplinary action to information security.
But in 2012 too many organizations still don't have policies that address social media in any meaningful way. And those that do often have draconian policies that simply pick up where policies on other types of information leave off without taking into consideration certain unique aspects of social media.
In the first place, most social media tools are not implemented on premises in the organization's data center. Where they are, or where they are implemented as a hosted service, the organization enjoys much more control over governance. For commercial services though it's a dramatically different proposition: data is stored in one or more distributed data centers across the country - or across the world. This has significant implications for governance including how to access the content and different privacy considerations in different jurisdictions.
Next, the terms of service often include provisions that have several implications for the governance program:
The terms are written with the goals of the service in mind. When the goals of the service change or expand, the terms will be updated to reflect those changes.
Since the services cater primarily to individual users, the users have a fairly simple choice: accept the terms, or don't use the service. If the terms are sufficiently onerous, users will leave in droves. Until they are, this "choice" isn't really much of one.
The terms may include provisions that are contrary to established governance practices. For example, the largest commercial services all prohibit users from having multiple accounts - so no having a personal account and a professional one. They also prohibit any user from disclosing their access credentials or from accessing another's account for any reason. I'll discuss the password issue in the employment context in a subsequent post. But this should raise the question - how do you do retention and disposition on social content centrally? This, too, will come up in a future post.
The terms are not negotiable, in no small part because of the way in which the services are architected. With very few exceptions, primarily for organizations who wield the full force of law such as federal governments, the terms are the terms.
And the final consideration for this post is that a couple of sets of lines and boundaries are getting very blurry. Consider:
The growing gap between work as represented by the org chart and work as it gets done
The increased reliance on outside parties including customers and suppliers to contribute to innovation and development, blurring the line between internal and external
The surging interest by organizations in finding and participating in communities on sites they (the organizations) have little to no control over
The work day, like the work location, is more and more variable and mobile. Organizations and employees are engaged in a very real process of time- and location-shifting work to wherever there is broadband internet access that is accessible through their device(s) of choice.
All of this points to one conclusion: the days of tightly locked-down governance, with a classification for everything and everything in its place, is, if not already gone the way of the dodo, at least on that road and about to hit the gas. What this means for the policy is that it cannot simply be an edit of the existing policy to add the phrase "...and social media/Web 2.0 services..." to every governance clause.
Rather, organizations need to rethink what the policy needs to convey. Some of the concepts will still be the same or will be applicable: offensive content is just as offensive through Facebook or Yammer as it is when sent through email or pinned to the bulletin board. But the notion that Tweets should be reviewed and approved before posting, or that employees must request permission to set up a free social media account on a service that will make them more productive, is an artifact of the paper paradigm that organizations will have to overcome if they are to keep up with their counterparts, competitors, and customers.
In my next post I will go into some more specific guidelines about what to include in the social media policy - including the notion that there shouldn't be one at all.
#socialmedia #socialnetworking #web2.0 #policy #governance #InformationGovernance #compliance #SocialBusiness