Is a Social Media Policy legally required for UK employers?

There is no single statute that expressly requires UK employers to have a dedicated Social Media Policy, but several overlapping legal obligations make one practically essential. Under the Employment Rights Act 1996, employers must issue a written statement of employment particulars, and where disciplinary and grievance procedures exist, they must be referenced in or appended to that statement. The ACAS Code of Practice on Disciplinary and Grievance Procedures (2015) — which Employment Tribunals must take into account under section 207A of the Trade Union and Labour Relations (Consolidation) Act 1992 — requires that employees are clearly informed of the standards of conduct expected of them and the consequences of falling below those standards. A Social Media Policy serves precisely this function in the digital context. Additionally, the Data Protection Act 2018 and the UK GDPR require employers to take appropriate technical and organisational measures to prevent unauthorised disclosure of personal data. A Social Media Policy forms part of those measures by instructing employees not to share personal data via social media without a lawful basis. Failure to have a Social Media Policy could expose the employer to vicarious liability under the Equality Act 2010 if an employee's social media posts constitute harassment of a colleague, because the employer will find it difficult to demonstrate that it took all reasonable steps to prevent the harassment.

Can an employer discipline an employee for social media posts made outside of working hours?

Yes. UK employment tribunals have consistently upheld dismissals arising from social media posts made outside of working hours where those posts damage the employer's reputation, bring the employer into disrepute, constitute harassment or discrimination of a colleague, or disclose confidential information. The key legal test for unfair dismissal under section 98 of the Employment Rights Act 1996 is whether the employer acted reasonably in treating the conduct as a sufficient reason for dismissal. In British Waterways Board v Smith [2015] UKEAT, the Employment Appeal Tribunal confirmed that offensive social media posts made outside work can justify dismissal where the employee can be identified as an employee of the organisation and where the posts affect the employment relationship. However, the employer must follow a fair procedure in accordance with the ACAS Code of Practice, carry out a proper investigation, give the employee the opportunity to respond, and consider whether dismissal is a proportionate response given all the circumstances. A clearly worded Social Media Policy makes it far easier to establish that the employee was on notice of the standards expected and the consequences of breaching them.

What monitoring of employee social media use is permitted under UK law?

The monitoring of employee social media use is governed by several overlapping legal frameworks in the UK. The Regulation of Investigatory Powers Act 2000 (RIPA) and the Investigatory Powers Act 2016 regulate the interception of communications. The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 permit employers to intercept electronic communications on their own systems for lawful business purposes, such as monitoring for compliance with policies, preventing crime, or investigating breaches, but only where employees have been informed that monitoring may take place. The Data Protection Act 2018 and UK GDPR require that any monitoring of employees constitutes proportionate processing of personal data with a lawful basis under Article 6 (typically legitimate interests under Article 6(1)(f)) and that a Data Protection Impact Assessment (DPIA) is carried out for monitoring that is likely to result in a high risk to employees. The ICO's Employment Practices Code provides detailed guidance on monitoring at work. In practice, employers may lawfully monitor employee use of company IT systems and internet access (including social media), provided they have informed employees of the monitoring and its scope, the monitoring is proportionate to the legitimate aim pursued, and employees' reasonable expectations of privacy are balanced against the employer's business interests. Covert monitoring of personal social media accounts is generally difficult to justify and carries significant legal risk.

Can an employee's social media post constitute defamation under English law?

Yes. Under the Defamation Act 2013, a statement is defamatory if it causes or is likely to cause serious harm to the reputation of the claimant. For a statement about a company or business, serious harm means serious financial loss. Social media posts can constitute defamation where they make false statements of fact that are published to third parties (and a social media post is clearly published to followers and potentially beyond) and where those statements cause or are likely to cause serious harm to the reputation of the subject. The Defamation Act 2013 provides several defences including truth (section 2), honest opinion (section 3), and publication on a matter of public interest (section 4). However, malicious, fabricated, or recklessly inaccurate posts will not attract these defences. Under the E-Commerce Regulations 2002, social media platforms may have a hosting defence if they are not the author of the defamatory content, but the individual employee who published the post will be personally liable as the author. Employers should make clear in their Social Media Policy that employees are personally responsible for social media content they publish and that defamatory posts may result in both disciplinary action and personal civil liability.

What is the Computer Misuse Act 1990 and how does it apply to social media use at work?

The Computer Misuse Act 1990 (CMA) creates three principal criminal offences relevant to workplace social media use. Section 1 makes it a criminal offence to access any computer (or program or data held on a computer) without authorisation. Section 2 makes it an offence to access a computer without authorisation with intent to commit or facilitate the commission of a further offence. Section 3 makes it an offence to carry out an unauthorised act in relation to a computer with intent to impair its operation. In the social media context, the most common CMA risks arise where an employee accesses a colleague's or manager's social media account without authorisation; accesses company social media accounts after their authorisation has been revoked (for example, following resignation or termination of employment); uses another employee's login credentials to post content; or conducts a cyber attack on a competitor's social media accounts. All of these acts constitute criminal offences under the CMA. A Social Media Policy should explicitly state that accessing social media accounts without authorisation is a criminal offence and may be referred to the police, in addition to resulting in disciplinary action.

How should an employer handle social media-related harassment complaints under the Equality Act 2010?

Under section 26 of the Equality Act 2010, harassment is defined as unwanted conduct related to a relevant protected characteristic that has the purpose or effect of violating a person's dignity, or of creating an intimidating, hostile, degrading, humiliating, or offensive environment. Social media posts that refer to a colleague's race, sex, disability, sexual orientation, religion or belief, age, gender reassignment, or other protected characteristic and that meet this definition constitute harassment under the Act. Under section 109, employers are vicariously liable for acts of harassment committed by their employees in the course of employment, unless the employer can show it took all reasonable steps to prevent the harassment. The primary defence is demonstrating that the employer had a Social Media Policy (and an Anti-Harassment and Bullying Policy) in place, that employees were trained on those policies, and that the employer responded promptly and properly when a complaint arose. When a complaint is received, the employer should: acknowledge the complaint promptly; carry out a confidential investigation in accordance with the ACAS guidance on handling complaints of harassment; take appropriate interim protective measures if necessary (such as suspending the alleged harasser pending investigation); and take proportionate disciplinary action where the complaint is substantiated. Employment tribunals may award unlimited compensation for harassment claims, making proactive policy management and prompt complaint handling essential.

Social Media Policy for Employees (England & Wales) — United Kingdom

Create a comprehensive Social Media Policy for Employees compliant with the Data Protection Act 2018, UK GDPR, Employment Rights Act 1996, Equality Act 2010, Defamation Act 2013, Computer Misuse Act 1990, and ACAS guidance. This template covers personal and professional social media use, company account management, confidentiality, monitoring, data protection, anti-discrimination obligations, disciplinary consequences, and approval processes. Suitable for employers of all sizes in England and Wales. Fill in your company details, preview in real time, and download as PDF or Word.

What Is a Social Media Policy for Employees (England & Wales)?

A Social Media Policy for Employees is a workplace document that sets out the standards of conduct expected of employees, workers, and contractors when using social media, both in a professional capacity and on personal accounts where their conduct may affect the employer. In England and Wales, employers face a complex web of legal obligations that intersect with social media use, making a clearly drafted Social Media Policy an essential element of modern workforce management.

The policy operates at the intersection of employment law, data protection law, defamation law, and criminal law. The Employment Rights Act 1996 requires employers to make clear the disciplinary standards expected of employees and the consequences of breaching them. The Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) impose obligations on employers to prevent unauthorised disclosure of personal data, including disclosure via social media. The Equality Act 2010 imposes vicarious liability on employers for harassment committed by their employees, including harassment via social media. The Defamation Act 2013 makes individual employees personally liable for defamatory statements published on social media. The Computer Misuse Act 1990 criminalises unauthorised access to computer systems, including social media accounts.

A Social Media Policy typically addresses two distinct contexts. The first is professional use: the management of official company social media accounts, including who is authorised to post, what approval processes must be followed, what content standards apply, and how complaints and negative comments should be handled. The second is personal use: the standards expected of employees when using their own personal social media accounts, particularly where posts identify the individual as an employee of the organisation or where posts could affect the employer's reputation, its clients, or its colleagues.

The ACAS guidance on social media in the workplace, published by the Advisory, Conciliation and Arbitration Service, recommends that employers develop a dedicated Social Media Policy that is clearly communicated to all employees and consistently enforced. ACAS guidance notes that social media-related disciplinary cases have increased significantly in recent years, and that employers without a clear policy are at a substantial disadvantage when defending Employment Tribunal claims arising from social media disputes.

When Do You Need a Social Media Policy for Employees (England & Wales)?

Every employer in England and Wales that employs staff should have a Social Media Policy, regardless of the size of the organisation or the sector in which it operates. The need for a Social Media Policy has become more acute as social media platforms have proliferated and as the boundary between personal and professional life has become increasingly blurred in the digital age.

You need a Social Media Policy if your organisation uses social media for marketing, communications, or customer engagement. Official company accounts on platforms such as LinkedIn, Facebook, Instagram, Twitter/X, YouTube, or TikTok create legal and reputational risks that must be managed through clear governance structures. Designating who can post, what approval processes must be followed, and what content standards apply is essential to prevent inadvertent disclosure of confidential information, breaches of advertising standards, copyright infringement, or defamatory publication.

You need a Social Media Policy if your employees use social media for any work-related purpose. Even employees who do not have responsibility for official company accounts may use LinkedIn to represent the organisation professionally, discuss work matters on Twitter/X or Facebook, or use social media to communicate with clients or colleagues. Each of these activities creates risk that must be managed through a policy that clearly delineates acceptable and unacceptable conduct.

You need a Social Media Policy if you have experienced or wish to prevent social media-related incidents. These include: an employee posting derogatory or discriminatory comments about a colleague, competitor, or client; an employee disclosing confidential business information or client data on social media; a former employee continuing to access company social media accounts after their employment has ended; an employee publishing defamatory statements that expose the company to reputational and legal risk; or an employee accessing a colleague's social media account without authorisation, potentially in breach of the Computer Misuse Act 1990.

You need a Social Media Policy if you wish to monitor employee use of IT systems. Under the Regulation of Investigatory Powers Act 2000 and the UK GDPR, employees must be informed of any monitoring before it takes place. A Social Media Policy provides the appropriate notice to employees and forms part of the lawful basis for monitoring under the UK GDPR's legitimate interests ground.

The Employment Tribunal has upheld social media-related dismissals in a wide range of circumstances, but only where the employer can demonstrate that the employee was on clear notice of the standards expected and the potential consequences of breaching those standards. A Social Media Policy provides that notice.

What to Include in Your Social Media Policy for Employees (England & Wales)

A well-drafted Social Media Policy for Employees in England and Wales should contain several essential components that address the principal legal risks and workplace scenarios.

The scope clause defines which individuals the policy applies to (employees, workers, contractors, agency staff) and which activities it covers (use of social media on company equipment, during working hours, and on personal accounts where conduct affects the employer). Limiting the scope to working hours only is no longer sufficient given that Employment Tribunals regularly uphold dismissals for out-of-hours social media conduct where the posts affect the employment relationship.

The personal use section addresses the employer's position on employee use of personal social media accounts during working hours — whether this is prohibited, limited to breaks only, or unrestricted subject to productivity obligations — and sets out the conduct standards that apply to personal social media activity at all times.

The company accounts section identifies who is authorised to post on official company accounts, sets out the approval process for content before publication, specifies the content standards that apply, and addresses the transfer of account credentials when an authorised user leaves their role.

The prohibited content clause is one of the most legally important elements of the policy. It should expressly identify the types of content that are prohibited, with specific reference to the relevant legislation: discriminatory content contrary to the Equality Act 2010; defamatory content contrary to the Defamation Act 2013; content disclosing confidential information or personal data without a lawful basis; and content that involves unauthorised access to computer systems contrary to the Computer Misuse Act 1990.

The confidentiality clause reinforces the employee's contractual confidentiality obligations in the social media context and makes clear that these obligations survive termination of employment. Reference to the employee's contract of employment and any separate non-disclosure agreement is important to create clear linkage.

The monitoring clause informs employees of the employer's right to monitor social media use on company IT systems, the legal basis for monitoring, and the proportionate approach the employer will take. This is essential to comply with the Regulation of Investigatory Powers Act 2000 and the UK GDPR requirement to inform data subjects of processing activities.

The data protection clause reinforces UK GDPR obligations in the social media context: employees must not share personal data of clients, employees, or third parties on social media without a lawful basis, and must not publish photographs or videos featuring identifiable individuals without consent.

The disciplinary consequences clause sets out the potential sanctions for breach of the policy, up to and including summary dismissal for gross misconduct. This section must be aligned with the employer's formal Disciplinary Procedure and the ACAS Code of Practice, and should identify specific examples of gross misconduct in the social media context to give employees clear guidance.

The responsibilities section allocates accountability across different levels of the organisation: all employees, line managers, the policy owner, and senior management. This allocation of responsibility is essential for demonstrating to an Employment Tribunal that the employer took all reasonable steps to prevent policy breaches.

What Is a Social Media Policy for Employees (England & Wales)?

When Do You Need a Social Media Policy for Employees (England & Wales)?

What to Include in Your Social Media Policy for Employees (England & Wales)

Frequently Asked Questions

Related Documents

Employee Handbook Acknowledgment (England & Wales)

Privacy Policy (UK)

Non-Disclosure Agreement (NDA) (UK)

Employment Contract (England & Wales)

Data Processing Agreement — UK GDPR (England & Wales)