Social media has drastically changed the way people communicate and do business. Naturally, employers may want to take advantage of the convenience of performing background checks on social media. But with increased use of social media comes increased risk of a privacy violation.
In May 2017, the Office of the Information and Privacy Commissioner for British Columbia (OIPC) published a guidance document aimed at helping private organizations and public bodies navigate the complex relationship between social media background checks and privacy laws. The document’s main points are summarized below.
The collection, use, and disclosure of personal information retrieved from social media about an applicant for employment (paid or unpaid) or a volunteer position is subject to BC’s Freedom of Information and Protection of Privacy Act (FIPPA) for public bodies, or the Personal Information Protection Act (PIPA) for private organizations. This legislation requires employers to ensure the information collected is accurate, regardless of whether the employer is viewing or saving the information. However, social media is prone to errors. Also, given the multiplicity of social media accounts, including fake accounts, employers risk inadvertently obtaining false information about a candidate or performing a background check on the wrong person.
Privacy laws require private organizations to collect only the information that a reasonable person would consider appropriate. For public bodies, FIPPA further limits employers’ collection of information to that which is directly related to and necessary for the public bodies’ operations. Complying with these laws can be difficult given the lack of control over information retrieved on social media. Employers risk collecting irrelevant information about an individual and inadvertently collecting third-party information.
In light of these risks, the OIPC recommends private organizations and public bodies conduct a privacy impact assessment of the risks associated with using social media in background checks. Such an assessment should:
- Consider applicable privacy laws and less intrusive measures for collecting and using personal information;
- Identify the types and amount of information to be collected;
- Identify the risks involved in collecting and using the information;
- Ensure policies and procedures are in place to address identified risks; and
- Prepare to make accessible the information collected about an individual.
As the guidance document suggests, a social media background check may be an efficient mechanism for screening a prospective employee or volunteer, but it may attract serious consequences if misused. Individuals have a right to complain to the OIPC if they suspect that their personal information has been improperly collected. Such a complaint could lead to an investigation, remedial action, or litigation. Further, where an employer discovers information about an applicant that falls within a protected ground of discrimination under the BC Human Rights Code (e.g. disability, sexual orientation, age), and subsequently decides to reject the candidate’s application, the employer risks facing a human rights complaint from the unsuccessful candidate.
Be aware that this is a guidance document and does not have legal force. However, the suggestions made by the OIPC are good practices.
By: Donovan Plomp