With the proliferation of social media sites such as blogs, Facebook, and LinkedIn, and their increasing prominence in the business realm, it is not surprising that employers have begun to access the information posted on these sites in the course of conducting background checks on prospective employees.
As discussed in previous issues of Workwise (“Another Brick in the Wall: Arbitrator Upholds Discharge for Offensive Facebook Postings” and “Facebook: What Employers Need to Know about Workplace Privacy, Discipline & Dismissal”), employers may discipline or terminate employees based on inappropriate material they post on the internet.
However, legal risks may arise for employers even before the employment relationship has begun as a result of using social media websites to collect information about job candidates.
Although employers may consider reviewing the contents of a prospective employee’s Facebook page part of their due diligence, this practice would likely be considered a collection, use or disclosure of personal information under Alberta’s Personal Information Protection Act, which governs how private organizations collect, use and disclose personal information. To that end, the Office of the Information and Privacy Commissioner of Alberta has recently released “Social Media Guidelines”[1] which identify the legal risks that arise in this context. In order to “click with caution,” employers should keep the following eight pointers in mind.
1. “Publicly Available” Doesn’t Mean What You Think It Does: It’s a Defined Term in PIPA
Employers may be of the view that information prospective employees post about themselves on the internet is “fair game” because it is publicly available. However, the provisions in PIPA that allow for collection, use and disclosure of personal information without consent if the information is “publicly available” are heavily circumscribed by the PIPA Regulation, which defines “publicly available” as personal information contained in public, business or governmental directories; judicial or quasi-judicial decisions, and magazines, books and newspapers when the information was provided by the individual. As it is unlikely that information posted on social media sites is captured by this definition, this information would not be considered “publicly available” for the purposes of PIPA.
2. Take Only What You Need: The Privacy Risks of Going Beyond the Traditional Reference Check
In order to justify a social media background check, an organization must be able to demonstrate that the collection is reasonable in terms of purpose and scope. In other words, employers must be able to demonstrate that there is a reasonable business purpose for collecting information through social media because the information sought could not be provided through another method, such as a reference check. There is also a risk of “over-collection” because social media sites usually contain an abundance of personal information, not all of which is reasonable to collect for the purposes of assessing a job candidate.
Certain industries require more comprehensive background checks than others. Nevertheless, in the pre-digital age, employers checking out prospective employees did not ask for diaries or photo albums. As such, it may be challenging to demonstrate a reasonable business purpose for collecting the type of information often posted on Facebook. On the other hand, viewing a job candidate’s LinkedIn page may be a more reasonable practice than viewing her Facebook page, as the purpose of LinkedIn is to facilitate networking among professionals.
3. Collecting the Personal Information of Third Parties
One of the design features of social media sites is that they link people to other people. Consequently, an employer who accesses the Facebook page of a job candidate is very likely to also access the personal information of that candidate’s Facebook friends. As these individuals have not consented to a social media background check, the likelihood of inadvertently collecting the personal information of third parties may result in an increased risk of complaints under PIPA.
4. Is This Our Guy?
PIPA requires that organizations take steps to ensure the accuracy and completeness of the information they’re collecting. As such, there is a risk that in the course of collecting information from social media websites, employers could be accessing personal information about an individual who has the same or a similar name as their candidate, in which case, they have now accessed the personal information of a third party without consent. What’s more, as not all information posted on the internet is accurate, even if there is a reasonable business purpose for collecting the information, employers must also do what they reasonably can to ensure this information is accurate and complete.
5. If You Can’t Ask It in an Interview, Don’t Take It from the Internet
Under the Alberta Human Rights Act, there are certain protected grounds of discrimination about which employers cannot ask questions during the interview process: race, religious beliefs, colour, gender, physical disability, age, ancestry, place of origin, marital status, source of income, family status, and sexual orientation. Employers could easily come across personal information that relates to these protected grounds while searching social media websites. For example, a candidate’s Facebook page may disclose an affiliation with or membership in a religious organization (religious beliefs) or the candidate may have disclosed that she has a spouse (marital status). As employers cannot ask questions about these topics during an interview in order to ensure that the job selection process is free of discrimination, it follows that it would be unreasonable under PIPA to access this information through other means. What’s more, if a prospective employee is concerned that an employer has used information that relates to one of the protected grounds of discrimination in the job selection process, the employer could become the target of a human rights complaint. Notably, the Ontario Human Rights Commission has recently cautioned (through an announcement on its Facebook page, incidentally, a sign of the times to be sure) about these risks.
6. Consent is Only Part of the Puzzle
Employers should not take too much comfort in the fact that an employee has consented to a social media background check as consent is only part of the organization’s obligations under PIPA. Even if an employee consents to the employer conducting a social media background check, an employer must still also demonstrate that there was a reasonable business purpose to collect the nature and extent of the information it did.
7. Request Passwords at Your Peril
The most intrusive form of social media background check is for an employer to request that the job candidate provide her password so that the employer may directly access her pages on social media sites. Dr. Ann Cavoukian, Ontario’s Information and Privacy Commissioner, has sternly criticized this practice[2], and Facebook’s Chief Privacy Officer has also released a statement on behalf of Facebook stating that soliciting a user’s password is a violation of Facebook’s Statement of Rights and Responsibilities. Several U.S. states are said to be contemplating legislation that would ban this practice. Accordingly, employers should be well aware of the risks associated with requesting passwords.
8. Organizations Are Responsible for Their Employees
Organizations are ultimately responsible for the actions of their employees, and this responsibility extends not only to traditional employees, but also to those providing services for an organization. Consequently, employers cannot contract out of compliance with PIPA by hiring third party social media search companies. In addition, employers should provide employees involved in the hiring process with guidance and training on the appropriate use of and risks associated with social media background checks.
In closing, employers should consider whether they have a reasonable purpose for performing social media background checks and whether they can do so in compliance with the privacy principles outlined above.
Update: Alberta Court of Appeal Rules on Constitutionality of PIPA Provisions
As discussed in a previous edition of Privacy Press, the UFCW, Local 401 v. Alberta (Attorney General) case began as a complaint to the OIPC that the UFCW was taking video recordings and photographs of persons in and around a picket-line. In addition to posting personal information on its website, the union also published images taken at the picket-line in its newsletters and leaflets. On judicial review, the Alberta Court of Queen’s Bench held that the operation of PIPA violated the UFCW’s freedom of expression under section 2(b) of the Charter. Broad Charter remedies were ordered which would have resulted in revisions to the wording of PIPA[3].
On appeal, the Alberta Court of Appeal agreed that the application of PIPA in the picketing context constituted an impermissible violation of the freedom of expression of the UFCW which could not be saved under s. 1 of the Charter[4]. In doing so, the Court of Appeal made broad statements about the unconstitutional breadth and impact of PIPA. Notably, these statements are not limited to the picketing context alone.
Slatter J.A. for the Court held that PIPA contains no general exemption for forms of expression that are constitutionally protected. To the extent that the exemptions in the Act are not sufficient to permit the type of collection and use of information engaged in by the union, it was held that the Act’s constitutionality should be analyzed by considering the application of the Act as a whole. Ultimately, Slatter J.A. held that PIPA was not drafted in a manner that is adequately sensitive to protected Charter rights. In this regard, the Court of Appeal identified a number of issues with the legislation:
PIPA covers personal information of any kind, and provides no functional definition of that term. (The definition of “personal information” as “information about an identifiable individual” is essentially circular.) The Commissioner has not to date narrowed the definition in his interpretation of the Act in order to make it compliant with Charter values;
PIPA contains no general exception for information that is personal, but not at all private. For example, the comparative statutes in some provinces exempt activity that occurs in some public places;
The definition of “publicly available information” is artificially narrow;
There is no general exemption for information collected and used for free expression; and
There is no exemption allowing organizations to reasonably use personal information that is reasonably required in the legitimate operation of their businesses.
In considering whether the violation of s. 2(b) of the Charter could be saved under s. 1, the Court of Appeal held that the salutary effects of the Act did not outweigh its deleterious effects as the legitimate rights of the organization had to be balanced against the minimal expectation of privacy of the persons being recorded.
The remedy for the unconstitutional scope of the legislation was narrowed to a declaration that the application of PIPA to the activities of the union was unconstitutional, and the Adjudicator’s order was therefore quashed. In making this ruling on remedy, the Court of Appeal stated that deciding the nature of the amendments necessary to bring PIPA “in line with the Charter” is an issue that falls “within the particular mandate of the Legislature”.
The OIPC has sought leave to appeal this decision to the Supreme Court of Canada.
[1] Office of the Information and Privacy Commissioner of Alberta, “Guidelines for Social Media Background Checks” (December 2011).
[2] “Reference Check: Is your Boss Watching? The New World of Social Media: Privacy and Your Facebook Profile” (October 2007).
[3] 2011 ABQB 415
[4] 2012 ABCA 130