Are Employers in British Columbia and Alberta Stepping Outside Privacy Boundaries in Requesting Access to a Job Applicant’s Social Media Profile?

There has always been a legitimate need for employers to screen job applicants, but the widespread use of social media have taken vetting to a new level that sometimes crosses the line into invasion of privacy.

There was a huge backlash in the past few weeks over a developing trend in the U.S. where employers are asking applicants to provide their usernames and passwords to social media sites during the interview process. In response to this, a handful of states have drafted legislation seeking to outlaw what some consider to be an invasion of privacy. Lawmakers in Illinois, Maryland and California have proposed legislation that would prohibit employers from requiring disclosure of any usernames or passwords. Likewise, lawmakers from Connecticut and New Jersey are considering drafting similar legislation, as is the United States Senate.

In Canada, some employers have also been requesting usernames and passwords to social media sites from potential job applicants. While searching for publicly available information on a job applicant may not infringe upon a person's privacy, requiring their username and password arguably goes beyond that.

Under the respective Personal Information Protection Act (PIPA) in Alberta and British Columbia, private organizations are permitted to collect, use and disclose personal employee information without consent for reasonable purposes related to the recruitment, management or termination of the employment relationship.  However, the request for a potential job applicant’s username and password is unlikely to be seen to be a "reasonable purpose" as access to a candidate’s social media profile is arguably beyond what is necessary in assessing whether a candidate is fit for a job. As such, organizations would be required to notify and obtain the consent of the job applicants before the organization could collect, use, or disclose personal information such as a username or password but in our view, even if such consent were obtained, it is likely that the Privacy Commissioner would find that the collection of a job applicant's username or password is not reasonable.

Outside of Alberta and British Columbia, the federal privacy statute, the Personal Information Protection and Electronic Documents Act (PIPEDA) would apply in all other provinces except for Québec to federal works and undertakings. It is likely that a conclusion similar to that under PIPA would be arrived at under PIPEDA although a slightly different analysis would apply. In situations where PIPA and PIPEDA does not apply, an analysis under common law would likely find that the request of a job applicant's username or password to be unreasonable.

In addition to the risk of infringing PIPA, the request for access to a job applicant’s social media profile may also raise the following issues:

1. Human Rights Claims
Certain information that can be found in an applicant's online profile cannot be used as the basis for an employment decision. Accessing a potential applicant’s social media profile may expose the employer to information on the applicant's race, religion, national origin, age, pregnancy status, marital status, disability, sexual orientation, or gender, and put the employer at risk of a human rights claim if their hiring decision is challenged.

2. Unreliable Information
Online information is not always reliable. Profile information might be inaccurate or have been deliberately falsified.

3. Invasion of Privacy
Accessing a potential job applicant’s social media profile may give rise to an invasion of privacy claims in common law. This is of particular concern given the recent decision of the Ontario Court of Appeal in Jones v. Tsige in which the Court allowed a common law action for deliberate and significant invasions of personal privacy.

In light of the prevalent practice of screening potential job applicants using social media, the privacy commissioners of British Columbia and Alberta have recently released the Guidelines for Social Media Background Checks. These guidelines are non-exhaustive and recommend that organizations:

1. Determine what the business purpose is for performing a social media background check. Do you reasonably require personal information that cannot be obtained through traditional means such as interviews or reference checks?

2. Recognize that any information that is collected about an individual is personal information or personal employee information and is subject to privacy laws.

3. Consider the risks of using social media to perform a background check. Conduct a privacy impact assessment to assess the risks. When conducting this assessment, organizations should:

    1. find out what privacy law applies and review it, ensuring that there is authority to collect and use personal information;
    2. determine whether the identified purposes for the collection and use of personal information are authorized;
    3. consider and assess other reasonable measures that achieve the same purpose;
    4. identify the types and amounts of personal information likely to be collected in the course of a social media background check, including collateral personal information about the individual and others that may be inadvertently collected as a result of the social media background check;
    5. identify the risks of non-compliance with PIPA associated with the collection and use of this personal information, including risks associated with the collection of third party personal information and actions taken based on inaccurate information;
    6. ensure that the appropriate policies, procedures and controls are in place to address the risks related to the collection, use, disclosure, retention, accuracy and protection of personal information using social media;
    7. determine if the collection is authorized and obtain any necessary consents, and notify the individual that you will be performing a social media background check and tell the individual what you will be checking and what the legal authority is for collecting the personal information; and
    8. be prepared, upon receipt of a request for access, to provide access to the information you collected and used to make a decision about an employee or volunteer.