Given the large amount of potential sources of information about individuals on social media1, it is not surprising that many employers have, or have considered, searching social media sites as part of their background checks on prospective employees and volunteers. Most of us assumed that if someone posted information about themselves online, he or she could not then complain if a prospective employer accessed and used that information when making their hiring decisions.
The Information and Privacy Commissioners in BC and other provinces have now confirmed that this assumption is not correct. They say that just because someone publishes information online about themselves, it doesn’t mean that such individuals consent to the use of that information for background checks. Further, even if consent can be implied, privacy laws still apply to the kinds of information that is accessed and collected. In other words, irrespective of whether the information is available online, employers are still subject to privacy laws if they intend to view, collect and use such information.
In October 2011, BC’s Office of the Information & Privacy Commissioner published Guidelines for Social Media Background Checks. However, before reviewing the highlights of these guidelines, it is useful to review the privacy laws applicable to public sector organizations [Freedom of Information and Protection of Privacy Act (“FOIPPA”)], and private companies [Personal Information Protection Act (“PIPA”)] regarding the collection of information now that it has been made clear that these laws apply to information from social media sites.
The strictest rules affect public sector organizations. Section 27 of FOIPPA states that all private information must be collected directly from an individual, unless another method is consented to by the individual [sec. 27(a)(i)]. Further, once such information is collected, the employer must inform the individual of that fact [sec. 27(2)]. Because collecting personal information from a social media site is considered “indirect” collection, public bodies must always have an individual’s consent to collect personal information from social media sites. Once consent is provided, public sector organizations are also required to collect only such personal information that a reasonable person would consider appropriate or reasonable in the circumstances (sec. 26). For private companies, PIPA permits the collection of personal information without the individual’s consent if the collection is reasonably related or necessary for assessing the individual’s suitability for the position.
Once public sector organizations and private companies have complied with the above noted provisions of the legislation, they can still run afore of the law, depending on what information is collected. The Guidelines identify the special risks associated with the use of social media sites to collect personal information for prospective employees or volunteers.
- Collecting inaccurate information: FOIPPA and PIPA require employers to take steps to ensure that personal information they collect is accurate. Information gathered on social media sites may be inaccurate for a number of reasons. It is possible that information collected relates to another person with the same name, is out of date, or was deliberately inaccurate as part of a plan to discredit that individual.
- Collecting irrelevant or too much information: FOIPPA and PIPA require employers to only gather information that would reasonably be deemed relevant or appropriate. Since information posted on social media sites was not originally intended for prospective employers, organizations will inevitably gather more information than that which fulfills this requirement. Also, due to the nature of some social networking sites, such as FaceBook, in the course of collecting personal information about an individual, employers will often gather personal information about third parties.
The Guidelines then provide tips or practical advice to assist employers who may be considering using social media sites to gather personal information before they start the information gathering process. The following list of tips is copied from the Guidelines.
- Recognize that any information collected about individuals is personal information or personal employee information and is subject to privacy laws, whether or not the information is publicly available online or whether it is online but subject to limited access as a result of privacy settings or other restrictions.
- Conduct a privacy impact assessment including an assessment of the risks associated with your use of social media as a component of background checks. When conducting this assessment, public bodies and organizations should:
- find out what privacy law applies and review it, ensuring that there is authority to collect and use personal information;
- identify the purposes for using social media to collect personal information;
- determine whether the identified purposes for the collection and use of personal information are authorized;
- consider and assess other, less intrusive, measures that meet the same purposes;
- identify the types and amounts of personal information likely to be collected in the course of a social media background check, including collateral personal information about other people that may be inadvertently collected as a result of the social media background check;
- identify the risks associated with the collection and use of this personal information, including risks resulting from actions taken based on inaccurate information;
- ensure that the appropriate policies, procedures and controls are in place to address the risks related to the collection, use, disclosure, retention, accuracy and protection of personal information;
- if the collection is authorized, notify the individual that you will be performing a social media background check and tell them what you will be checking and what the legal authority is for collecting it; and
- be prepared to provide access to the information you collected and used to make a decision about an employee or volunteer.
Finally, employers should remember that if an individual suspects that their personal information has been collected, they have a right to ask for copies of information collected, and if they suspect that personal information has been improperly collected, they may complain to the Information and Privacy Officer.
- Social Media captures a number of different kinds of information sources including social networking sites, blogs, ‘micro-blogging’ sites such as Twitter, and file sharing sites for photographs and videos such as YouTube.