1. Introduction - What is Social Media?
Social media can be defined as user generated content that is shared over the Internet, and technologies that promote engagement, sharing, and collaboration.1 The Office of the Privacy Commissioner of British Columbia utilizes an expansive definition of social media that "captures a broad range of information such as social networking sites, blogs, micro-blogging, and file sharing sites (including photographs and video)."2
Most of us think of social media as Facebook, Twitter, LinkedIn, YouTube, blogs, Flickr, Pinterest, and the like. However it is defined, there is no question that social media has become part of everyday life for most people. As a result, the majority of employees today will have some contact with one or more social media platforms on a daily basis. This may include having a Facebook or LinkedIn profile, posting comments, videos or pictures on Twitter, YouTube or Flickr, or keeping a personal blog where the employee keeps a journal or expresses opinions in a public or semi-public setting.
2. The Perks of Social Media for Employers
Social media is increasingly being used by employers to:
- advertise and promote the employer's brand, products, and services;
- advertise themselves to candidates for employment;
- obtain information about candidates for employment that can be used to verify information on applications and screen candidates; and
- obtain information about existing employees for use in workplace investigations, discipline, and litigation.
The public's extensive use and reliance on social media has allowed employers to utilize such mediums to interact with clients, customers, and employees on an entirely new level. Today, an employer wishing to advertise and promote its brand can rely on the multitude of social media outlets available, as well as traditional mediums, to reach an even broader audience. Advertising on interactive sites such as Facebook, Twitter, and Instagram can allow an employer to receive real time feedback from customers and clients about its products and services and can create a more personal relationship between the company and its target audience.
Beyond advertising, employers can utilize websites such as LinkedIn to advertise and search for potential employees who have the experience they need.
Social media can also be useful when conducting workplace investigations and for obtaining information for use in litigation with respect to existing or terminated employees. For instance, an employer may discover inappropriate comments made by one employee about another that support or contradict allegations of harassment or discrimination in the workplace. As another example, by viewing an employee's personal profiles and updates, an employer may discover that an employee who has claimed to be totally disabled and unable to work has engaged in rigorous recreational or sporting activities. This was the case in Teck Coal v UMWA Local 1656.3 In that 2010 Alberta labour arbitration, an employee was dismissed for excessive absences and dishonesty about the reasons. Evidence of a Facebook post was admitted that stated the individual was "in the City ready to party" at the time of an absence. The evidence undermined his credibility, as well as demonstrated his true emotional state at the time of the posting, and justified the dismissal. Thanks to social media, employers now have access to a large amount of publicly available information concerning current employees to which they would not otherwise have access.
In addition, social media websites can be used to verify information provided by an applicant for employment and other screening purposes, as they allow the employer to learn about potential candidates even before the interview stage. However, prior to undertaking a 'background check' of any potential employee using social media, employers should be aware of the limitations and the perils of such a practice.
3. Employers' Use of Social Media in Hiring
(a) The Legislative Landscape
The collection of personal information by private employers in British Columbia who do not fall within exclusive federal jurisdiction is governed by the Personal Information Protection Act4 ("PIPA"). PIPA outlines prerequisites for the collection of personal information. There must be consent to the collection, use, and/or disclosure of the information, unless the Act specifically authorizes that consent can be dispensed with: s. 6. There must be notice of collection, including the purpose for the information, and contact information of an individual who is able to answer questions about the collection: s. 10(1). PIPA also establishes an additional limitation to collection, even with consent. An organization may collect personal information, "only for the purposes that a reasonable person would consider appropriate in the circumstances": s. 11. Thus, a standard applies even to the consensual collection of information that employers subject to PIPA must meet. The standard is even higher for public bodies regulated by the Freedom of Information and Protection of Privacy Act5 ("FOIPPA"). PIPA's section 13 allows collection of 'employee personal information' without consent if the collection is "reasonable for the purposes of establishing, managing or terminating an employment relationship between organization and the individual" and the individual is notified of the collection.6 This does not include information that is not about an individual's employment.7
The collection of personal information from social media sites, and its use in the hiring process by employers falls within this legislative regime. In October 2011, the Office of the Information and Privacy Commissioner for BC released its Guidelines for Social Media Background Checks ("the Guidelines").8 The Guidelines identify three main risks associated with such data collection and use. Firstly, there is a greater risk of inaccuracy with social media-sourced information. Mistakes abound, whether it is in identifying the profile associated with the correct candidate, determining the validity of such profiles (risk of imposters or hackers), and the room for human error associated with multiple contributors adding content at any time (mislabelled photographs, outdated content etc.). This is particularly legally problematic, as under privacy legislation, employers have a duty to ensure that personal information collected is accurate, and current.9
Secondly, there is the risk of collecting much more information than intended or needed. Since social media content usually pre-exists and does not contemplate the hiring scenario, and is contributed by multiple parties, it is not a narrow source, nor can it easily be filtered. Additionally, the first look on an individual's Facebook profile displays fields that may contain one's marital status, religious views, political affiliation, sexual orientation, number of children, birthplace, and a host of other information largely irrelevant to the employment relationship. Once collected, this information can be very difficult to disregard. From a human rights perspective, each of the above examples is related to a 'prohibited ground' of discrimination.10 Should negative hiring decisions follow or appear to follow from the unintended collection of this sort of information, human rights offences and damages could apply. Thus, from a hiring perspective, the less an employer knows about these areas of a candidate's life, the lower the risk of attracting human rights litigation. The narrower the source, the lower the risk.
Some large organizations reduce this risk by having the social media search conducted by someone who will not be involved in the hiring decision. The person doing the search removes references to the prohibited grounds of discrimination, and passes on the rest of the information to the people who will be making the hiring decision. This shields the decision makers from knowledge that should not be used in their hiring decision.
Similar concerns motivated the Ontario Human Rights Commission to issue a statement, incidentally on their Facebook page, that set out their opinion that requesting access to an employment candidate's social media profiles or passwords is a violation of the Ontario Human Rights Code.11 The statement outlined that section 23(2) of the Code prohibits potential employers from asking candidates questions that touch upon prohibited grounds of discrimination. It went on to state:
A Facebook profile could include direct or indirect information on any or all of the 15 prohibited grounds. ...This information could be available as text or inferred from pictures.
For this reason, the OHRC believes employers should not ask job applicants for access to information stored on social media or other online sites and that doing so could leave an employer open to a claim of discrimination under the Code.12
Thus, not only does the excess information available on social media sites attract the adverse inference that a candidate was not hired due to a prohibited ground, but a request for access itself may breach human rights law as well, unless the decision makers are shielded from information about prohibited grounds of discrimination.
Finally, there is the risk of over-reliance on consent. As mentioned above, even if consent is given to screen social media content, the collection must still be reasonable. The legislation also allows for withdrawal of consent at any time.13 In addition, the Guidelines suggest that since most information in a social media profile is not about employment (see the overbreadth concerns discussed above) it would not qualify for collection without consent. Thirdly, there is a risk of inadvertent collection of third party personal information to which no consent is given.
Recently, the BC NDP was the subject of a BC Privacy Commissioner investigation into their vetting process for potential candidates in their 2011 leadership convention. The influence of the Guidelines is clear in the outcome. Potential candidates were asked to complete an application form which asked the applicant to disclose their Facebook password. In the investigation, the Privacy Commissioner stated that the following considerations determine an organization's adherence to s. 11 of PIPA: the purposes of collection and the surrounding circumstances; the kind and amount of personal information collected; its intended uses or disclosures; and whether the organization had reasonable alternatives to the collection to meet its goals.14
While the BC NDP's vetting process is not precisely a hiring scenario, it is a close analogy: an individual is unlikely to receive a benefit if they do not provide a password, nor if password disclosure leads to the discovery of unsavoury personal information. Asking for job applicants' social networking passwords has been a growing trend in job applications in the United States.15 It is reasonable to expect a similar framework of privacy analysis would be applied in hiring circumstances. The outcome of the BC NDP investigation also provides useful insight into how a provincial privacy commissioner understands the nature of Facebook and similar social networking sites.
The investigation found that the BC NDP had fulfilled the notice and consent requirements of PIPA, but its collection did not meet the s. 11 standard of reasonableness. When considering the above-listed considerations, the Privacy Commissioner commented:
[b]y logging onto the candidates' accounts using their passwords, the BC NDP had access to everything on each individual's account, which included but is not limited to: photos and text with restricted access; personal information about other individuals that appeared on the leadership candidate's Facebook profile; and access to how the candidates configured their accounts, including privacy and security settings.
There are significant shortcomings to logging onto an individual's Facebook account to evaluate whether it contains material that could be considered objectionable. Social networking sites are dynamic. ...This means that an individual's Facebook content may be very different from week to week. ...The design of Facebook entitles individuals who use the social network to control the information they are willing to disclose and who they are willing to disclose it to. Facebook users may change their privacy settings at any time to allow an individual or group of individuals to see more or less information.16
The Commissioner found that the NDP would be collecting large amounts of personal information, some of which, due to the nature of Facebook, could have been outdated, irrelevant, or inaccurate. Additionally, passwords themselves were found to be particularly sensitive information, the disclosure of which is normally warned against. The risk that the collection might include third parties' personal information was very significant, especially considering their consent was never procured. Lastly, reasonable alternatives existed to this collection which included: educating and providing other resources for prospective candidates about their online image and the organization's expectations surrounding social media; limiting online searches for personal information to what is available to the public; and having a more rigorous self-disclosure and interview process.17 These factors, taken together, weighed against the collection being reasonably appropriate in the circumstances pursuant to s. 11.
It is interesting to note the investigation's emphasis on the 'private' side of Facebook, and the ability of users to control their privacy settings. This is in contrast to labour arbitration decisions (discussed below) where content that is 'friends only' is nevertheless characterized as public due to the vast number of 'friends' with whom one may be communicating.
Federally regulated employers must ensure their compliance with the Personal Information Protection and Electronic Documents Act18 ("PIPEDA") during social media background checks at the hiring stage. Similar concerns of overbreadth of collection, human rights implications, over-reliance on consent, and third party non-consensual collection apply. Private employers may think that some of these hurdles can be overcome with the help of provisions such as PIPEDA s. 7(1)(d) and 7(2)(c.1). The provincial Act contains almost identical provisions.19 These sections allow for collection and use of personal information by an organization without knowledge and consent of the individual if the information is already publicly available as specified by the regulations.20 The regulations list five situations of public availability. The only one applicable to social media content is:
(e) personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information (emphasis added).21
It remains unclear how subsection (e) and its provincial counterparts will apply in the social media context. Will the term 'publication' be interpreted to include social media profiles and updates, considering the examples given in the section are of a much more formal nature? 'Available to the public' may be another point of controversy. If privacy settings are available on many social media platforms, will those restricted communications qualify as public? What if they have a large audience despite their privacy restrictions? What if a user has over 1000 "followers" or "friends"? Until such time as these questions are answered, private employers might do well to err on the side of caution and avoid reliance on 'public availability' provisions outside situations expressly contemplated in their narrow wording.
The importance of complying with privacy legislation, no matter the jurisdiction, is that breaches give rise to penalties. Currently, PIPA creates a statutory cause of action for damages suffered due to non-compliance.22 PIPEDA, for its part, currently gives the federal Commissioner power to investigate complaints, encourage their settlement through alternative dispute resolution, audit organizations' privacy practices, and issue reports. The federal Commissioner, however, does not have direct enforcement powers. Rather, the Commissioner or a complainant may apply to the Federal Court to have issues heard and damages awarded.23
Recently, the Office of the Privacy Commissioner of Canada produced a position paper suggesting that the enforcement mechanisms under PIPEDA were insufficient to "attract the attention of these companies and proactively encourage them to comply with PIPEDA when the reality is that there are very limited consequences for contravening Canadian privacy law."24 Suggested improvements include creating statutory damages for breaches of certain sections, empowering the commissioner to order organizations' compliance, and even administrative monetary penalties or fines in cases that warrant them.
(b) Privacy at Common Law
Employees in regions without provincial privacy legislation still attract some privacy rights in the pre-hiring stage. Ontario tort law was recently expanded to include the tort of "intrusion upon seclusion". In Jones v Tsige, the Ontario Court of Appeal described the new action as follows: "[o]ne who intentionally [or recklessly] intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person"25 causing distress, humiliation, or anguish. In that case, $10,000 was awarded for regular intrusions into the personal banking records of one Bank of Montreal employee by another. While the bank was covered by PIPEDA, the plaintiff was not restricted to an action against BMO for breach of the Act. Additionally, damages for intrusion upon seclusion need not demonstrate actual pecuniary loss. While the damages may be modest in such cases, they ought to be sufficient to address the wrong done by the invasion.
(c) Best Practices
Though social media background checks are not 'illegal' or 'improper' per se, there are significant risks and room for impropriety and recklessness in their use. Thus, it is instructive to outline some best practices for employers utilizing social media as a tool in hiring. Perhaps the most obvious practice is to collect written, informed consent from the individual being checked. Though we have canvassed the limits and risks associated with social media checks, there is no doubt they will all be further aggravated if an employer misrepresents their information collection practices or if there is a reasonable doubt as to a candidate's wishes regarding their information. The BC Privacy Commissioner's Guidelines provide a list of "don'ts" for employers considering social media background checks. These allude to the importance of avoiding covert background checks:
- Don't wait until after a social media background check to evaluate compliance with privacy legislation;
- Don't assume it will only retrieve information about one, targeted individual, and not multiple individuals;
- Don't perform a social media background check from a personal account to avoid privacy laws;
- Don't attempt to avoid privacy obligations by contracting a third party to undertake social media background checks;
- Don't perform a check under the assumption that individuals will never know about it.26
Similarly, the Federal Privacy Commissioner recommends employers act with full transparency:
[t]he employer should say what personal information it collects from employees, why it collects it, and what it does with it. That means that if there is monitoring of employees activities online, it should be open, and the rationale, explained.
Collection, use or disclosure of personal information should normally be done only with an employee's knowledge and consent. Having [sic] employees sign a policy that specifically explains the employer's monitoring and data-handling practices. This ensures employee knowledge and consent, and promotes trust and transparency.27
As we have indicated, to deal with the overbreadth and human rights risks involved, some employers use 'middle men' in the hiring process to ensure that the individuals who perform the checks do not make the final decisions, but turn over only relevant personal information to the decision maker.28 Should any complaints or questions arise regarding the hiring process, employers should be prepared to allow individuals access to collected information on request, as they have the right to do so under the legislation. This involves having a predetermined retention policy for data collected in background searches as well as a responsible disposal of data policy to avoid related risks of unauthorized disclosure.
Also effective is the implementation of policies on the proper and improper uses of information collected from social media. Such policies ought to clearly outline the intended and proper use for the material once collected (i.e., use only to determine suitability for employment) and should mandate checks tailored for relevant and reasonable information, dependent on the position to be filled. In the face of the Guidelines' reliance on reasonable alternatives that afford the same information, employers should think seriously about whether a social media check is necessary. Could the information be acquired by other, more traditional means such as more rigorous self-disclosure obligations and interview process? Does the employer already utilize other formal checks which offer more accurate, relevant, and targeted information such as criminal record, reference, or credit checks?
There are also practices that reduce the frequency of social network background checks, and thus their attendant risks. Once again, thought should be given as to whether the check is truly necessary for the specific position; the reasonableness of the collection may also vary by the nature of the job. Employers might only utilize social media checks for serious job contenders who have made a 'short list' in the hiring process. Or, the employer may want to perform a check only after a job offer has been extended to the candidate, conditional on the results of the check.
1 The Social Media Guide, "50 Definitions of Social Media", online: The Social Media Guide (http://thesocialmediaguide.com/social_media/50-definitions-of-social-media).
2 Office of the Information & Privacy Commissioner for British Columbia, "Guidelines for Social Media Background Checks" (3 October 2011) online: Guidance Documents (http://www.oipc.bc.ca/guidance-documents/1454), [Guidelines] at 1.
3 (2010), AWLD 2853 (Taylor).
4 SBC 2003, c 63 [PIPA].
5 RSBC 1996, c 165, ss 26-27 [FOIPPA]. A public body may only collect personal information if it relates directly to and is necessary for an operating program or activity of the public body, or if it is otherwise authorized. And since social media is an indirect form of collection, it must be further authorized as such.
6 PIPA, supra note 4, s 13.
7 Ibid, s 1 "employee personal information".
8 Guidelines, supra note 2.
9 PIPA, supra note 4, s 33; FOIPPA, supra note 5, s 28; PIPEDA, infra note XX, Schedule 1, Principle 6.
10 Human Rights Code, RSBC 1996, c 20; Canadian Human Rights Act, RSC 1985, c H-6.
11 RSO 1990, c H-19.
12 David Doorey, "Ontario Human Rights Commission Issues Statement on Employer Requests for Facebook Passwords" online: Doorey's Law of Work Blog (http://lawofwork.ca/?p=5026).
13 PIPA, supra note 4, s 9.
14 Office of the Information & Privacy Commissioner for British Columbia, P11-01-MS, "Summary of the Office of the Information and Privacy Commissioner's Investigation of the BC NDP's use of social media and passwords to evaluate candidates" (12 Oct 2011) online: Mediation Summaries (http://www.oipc.bc.ca/mediation-summaries/1399) [Summary of BC NDP Investigation] at 2.
15 Associated Press, "Job applicants asked to turn over their Facebook passwords", CBC News (20 March 2012) online: cbc.ca (http://www.cbc.ca/news/world/u-s-job-seekers-get-asked-for-facebook-passwords-1.1133123).
16 Summary of BC NDP Investigation, supra note 14, at 2-3.
17 Ibid at 3.
18 SC 2000, c 5, [PIPEDA].
19 PIPA, supra note 4, ss 12(1)(e), 15(1)(e); Personal Information Protection Act Regulations, BC Reg 473/2003, s 6(1).
20 PIPEDA, supra note 18, ss 7(1)(d), 7(2)(c.1).
21 Regulations Specifying Publicly Available Information, SOR/2001-7, s 1(e).
22 PIPA, supra note 4, s 57.
23 PIPEDA, supra note 18, s. 15-16.
24 Office of the Privacy Commissioner of Canada, "The Case for Reforming the Personal Information Protection and Electronic Documents Act" (23 May 2013) online: PIPEDA Review (http://www.priv.gc.ca/parl/pipeda_r_e.asp) at 5.
25 2012 ONCA 32, at para 70.
26 Guidelines, supra note 2 at 6.
27 Chantal Bernier, Assistant Privacy Commissioner of Canada, "Privacy and Human Rights at the Crossroads of Personal and Professional Life" (Remarks delivered at the National Human Rights Conference, Calgary, 14 June 2011), online: Office of the Privacy Commissioner of Canada (http://www.priv.gc.ca/media/sp-d/2011/sp-d_20110614_cb_e.asp).
28 Stephanie D Gutierrez, "Employment-Related Consequences to Employees' Use of Social Media" (Paper delivered at CLE BC Labour Relations Conference--2011, Vancouver, June 2011) at 1.