Search

BC Workplace Blog

Authored By Michelle Quinn & Colleagues

Richards Buell Sutton > BC Workplace Blog > Wait, Employers Can’t Search Social Media? Privacy Law & Social Media in Hiring Decisions

Main content

04 November

Wait, Employers Can’t Search Social Media? Privacy Law & Social Media in Hiring Decisions

By RBS Lawyers

This post will take less than 8 minutes to read.

There is a general perception that public social media posts are fair game for employers in the hiring process.

However, under BC’s privacy legislation for both the private sector (the Personal Information Protection Act, S.B.C. 2003, c. 63, or “PIPA”) and the public sector (the Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165, or “FOIPPA“), social media such as Twitter, Facebook, and Instagram are not considered to be “publicly available” and searching them is likely a breach of the legislation. LinkedIn is an exception to this rule, and can be searched in the hiring process.

Legislative change is unlikely due to other privacy concerns with the use of social media.

This blog post will explain the legislative framework, and then answer some common questions.

Legislative Framework

General Principles of Privacy Legislation

Privacy legislation, for the public and private sectors, and for all parts of Canada, is built on a few foundational principles. Four of the foundational principles are especially important in this context.

  1. Personal information is information about an identifiable individual. Clear examples of this include a person’s name, address, picture, and driver’s licence. Other examples include location data (if, for example, the person “checks in” to a place on Facebook), family status, health information, and sexual orientation.
  2. An organization or public body can only collect, use, or disclose personal information that is relevant to a decision, program, or other purpose. For example, even though a person’s driver’s licence number is a useful identifier, unless you need to know it (for example, because you are renting a car to the person), you should not be asking for it.
  3. The organizations or public bodies are responsible for complying with the legislation – not the individuals whose personal information they are collecting, using, or disclosing. Even if an individual agrees to give you certain information, or voluntarily discloses it, the organization or public body must ensure that it can have that piece of information.
  4. An organization can be found to have “collected” someone’s personal information without keeping a record of it. Viewing a job candidate’s Facebook profile is “collecting” the personal information on that page, even if the hiring manager does not print it or make any notes.

What does PIPA say?

PIPA applies to private sector organizations – companies, non-profits, and other private groups.

PIPA is based on the idea of consent. That is, it allows the collection, use, and disclosure of personal information so long as the individual has consented. However, there are restrictions on what consent can be obtained, as well as limited situations where information can be collected, used, or disclosed without consent.

The primary restriction on consent is relevance. Regardless of consent, organizations may only collect, use, and disclose personal information “for purposes that a reasonable person would consider appropriate in the circumstances” (s. 2).

That is, an organization can only collect personal information if the purpose of the collection is reasonable and appropriate. As a result, obtaining consent to collect irrelevant personal information does not fix the breach of PIPA.

There are two exceptions to consent, or situations where consent is not needed, under PIPA which appear at first glance to apply to social media searches in the context of hiring. However, on deeper examination, these exceptions do not apply.

The first potential exception is the exception for “employee personal information”. Under s. 13 of PIPA, employees may collect “employee personal information” without consent. However, the definition of “employee personal information” specifically excludes “personal information that is not about an individual’s employment” (s. 1).

As I will discuss further below, one of the primary concerns with social media is that it frequently includes irrelevant information – that is, information which is not “about an individual’s employment”. As a result, social media searches do not fall within the exception to consent for “employee personal information.”

The second potential exception is the exception for personal information that is “available to the public” (s. 12(e)). Many people assume that any social media posts which are set to “public” fall under this exception. However, this exception is limited to four categories of public records set out in the regulations (s. 6):

  1. Telephone books, including their online equivalents;
  2. Professional and business directories;
  3. Government registries such as court registries and the Land Title Office; and
  4. Magazines, newspapers, and books, in hardcopy or electronic formats.

LinkedIn is the only social media which is considered to fall within one of these categories, as a professional or business directory. The personal information on LinkedIn is also more clearly relevant to a hiring decision. As a result, LinkedIn is the only social media which employers can search during the hiring process without breaching PIPA.

Finally, organizations are obliged to make “a reasonable effort” to ensure that personal information collected is “accurate and complete” (s. 33).

What does FOIPPA say?

FOIPPA applies to the public sector in BC. The result under FOIPPA is the same as under PIPA, although the legislative provisions are slightly different.

Like private organizations, public bodies are required to have consent to search social media. This is an exception to the usual rule (different from the rule applicable to private organizations) that public bodies can collect information without consent. However, this usual rule is limited to collecting information directly from an individual. Social media searches are a form of indirect collection, and so consent is required (s. 27(1)(a)(i)).

Public bodies are also limited in their collection of personal information by relevance. The definition of relevance for public bodies is very narrow – only information which “relates directly to and is necessary for a program or activity of the public body” is relevant (s. 26(c)). This is a narrower view of relevance than applies to private organizations under PIPA.

Further, public bodies have notification and accuracy obligations. Specifically, they must notify an individual when that individual’s personal information is being collected (s. 27(2)). They must also “make every reasonable effort to ensure that the personal information is accurate and complete” (s. 28).

What are the privacy concerns?

There are five main privacy concerns around social media searches in hiring:

  1. Irrelevant information;
  2. Excessive information;
  3. Inaccurate information;
  4. Collection of other individuals’ information; and
  5. Lack of notice.

The first two concerns, irrelevant and excessive information, are interrelated. Social media profiles contain a wealth of information – that is why they are so commonly searched. However, much of that information, such as a person’s family status, is both irrelevant to the hiring process and the potential source of a human rights complaint.

Regarding the third concern, inaccuracy of information, it can be difficult for a hiring manager to tell if a social media profile is accurate. It may contain errors, or otherwise present a misleading view of the person.

In addition, there may be a number of people with the same name. This can lead a hiring manager to view the social media profile of someone other than the job candidate and collect information that is not accurate to the job candidate at all.

This example of viewing the wrong person’s social media profile also relates to the fourth concern. In this example, the personal information of someone other than the job candidate is being collected.

Further, even the job candidate’s profile will likely contain photos or other personal information of other people. None of this information belonging to other people has any relevance to the hiring decision.

The final concern arises since employers do not usually tell job candidates that there will be social media searches. This is a particular problem for public sector employers under FOIPPA due to the notice requirements.

Common Questions

Can’t I just get the candidate’s consent?

Unfortunately, getting the candidate’s consent to do social media searches is not enough.

Getting consent does not address the fundamental concerns about relevance, excess, accuracy, and other people’s personal information.

As a result, even if you have the candidate’s consent, you are likely in breach of the privacy legislation.

What about using recruiters to do the searches for my organization or public body? 

Employers use recruiters for many reasons.

However, using one does not shift responsibility for complying with privacy legislation. Instead, both the recruiter and the employer bear the same responsibilities for collecting, using, and disclosing personal information.

Everyone searches social media before hiring – should the legislation match societal norms?

It is true that many, if not most, employers search social media before making a hiring decision, especially for senior positions. It is equally common for job seekers to be advised to make sure their social media feeds do not contain any embarrassing information.

In that sense, the legislation is out of step with current societal norms. In many contexts you would expect to see a movement to change the legislation to make it match societal norms.

However, it is unlikely that the legislation will change in the near future. The fundamental concerns of irrelevant information, excessive information, inaccurate information, and other people’s information would remain, even with a legislative change.

This information is important to hiring decisions – can I ever search social media?

The information available from social media searches can be very important to potential employers. At the end of the day, employers need to make a business decision based on their assessment of overall business risks, and not just based on the legal advice I can provide.

From a purely legal standpoint, you can always search LinkedIn. However, for hiring decisions, you cannot search other social media if you want to comply with privacy legislation.

You should also consider the risk, in your industry, of a job candidate or disgruntled former employee reporting your use of social media to the Office of the Information and Privacy Commissioner, along with the cost, disruption and reputational risk of any investigation that follows.

What about other internet searches?

Although this post has focused on social media searches, the same logic applies to internet searches more generally. Collecting information from an internet search (unless you are a private sector organization using one of the public record sources set out above) is likely a breach of the privacy legislation.

What about using social media in managing or terminating an employee?

Employers have more discretion to use social media once a person has been hired, for the purpose of managing or terminating an employee. Please contact me if you would like more information on that topic.

Recent Posts

Subscribe by RSS
Close Search