Access to job candidates’ password-protected social media accounts: an employer friendly perspective

Hiring an employee is a big step, and the costs of getting a hiring decision wrong can be significant. One can’t blame employers for wanting greater insight into candidates’ backgrounds, but what are the limits?

Now, just as Canadian employers are grappling with searching the internet for publicly available information about candidates, a new background check tactic has come to light – checking candidates’ password-protected social media sites. What better record of a candidate’s candid behavior than his or her Facebook account? Why not have a look?

The great negative reaction to this tactic makes clear that it is not in step with common values. Unfortunately the public dialog has not included any employers’ voice, leaving those of us with faith in employers to question “Why?” and “How exactly?” Also unfortunately, there have been statements about the legal rules that apply to the tactic that are too categorical. What conflicts with common values does not necessarily conflict with law.

In this post, I propose a model for conducting responsible searches for publicly available information about candidates. I then comment on the negative reaction to reports that employers, including Canadian employers, are seeking access to candidates password-protected social media accounts in the course of hiring.

Searches of publicly available information from the internet

There is great pressure on employers, charged with making a duly diligent hiring decision, to search the internet for publicly available information on candidates.

Compliance with anti-discrimination legislation is a competing concern, but risks can be managed by respecting two key principles – justification and objectivity.

Compliance with privacy legislation can be more technical and varies by jurisdiction, but only private sector employers in British Columbia, Alberta and Quebec are regulated. Application of the Personal Information Protection and Electronic Documents Act to federally regulated employers’ hiring processes is questionable until PIPEDA is amended by the proposed Bill C-12, which will expand the statute’s reach to encompass employees and “applicants.”

With the key principles of justification and objectivity in mind, employers may abide by the following practices to manage the legal risks associated with conducting social media background checks:

  1. Check at the end of the hiring process. This is a background check, not an evaluative process. It should come as the next to last step in the hiring process.
  2. Check only when there is a demonstrable need. What’s the need? What are the alternatives? Why is this the better alternative? Document your needs analysis.
  3. Search based on objective criteria. It will be very hard to establish the validity of a profiling exercise – i.e., an exercise in which you attempt to draw broad inferences about job performance or trustworthiness based on social media activity. Unless you have a qualified expert prepare a defensible predictive model, don’t profile. Look for objective behaviors that raise legitimate concerns in light of job responsibilities. For example, you may look for statements that a candidate for a sales or marketing position has made critical comments about your company or industry that are incompatible with becoming a representative of the company.
  4. Have someone other than the decision-maker search. This is a means of ensuring that the decision-maker does not see irrelevant information that may be related to a personal characteristic that is protected by anti-discrimination legislation.
  5. Direct a written report to the decision-maker. The report (which contains only feedback on the objective search criteria) goes in the hiring file and is part of the formal record upon which the hiring decision is made. This record is designed to assist in the defence of discrimination claims and is a record of due diligence. It makes the actual (forensic) record of the internet search irrelevant to a discrimination claim, which should minimize e-discovery risks.
  6. Validate negative information. Positively identifying the author of internet publications can be difficult. Validate authorship and seek an explanation.

In addition, employers should consider whether to provide advance notice to candidates. Bear in mind however, that this is a unique kind of background check because the source of information is under the control of candidates (unlike with checks of criminal, credit and education records). Some employers will feel that the purpose of the check is likely to be frustrated by providing advance notice. Such employers should review the requirements of any applicable privacy legislation with legal counsel. Public sector employers who are subject to legislation that establishes requirements for “indirectly” collecting employee personal information may need to give notice.

Searching password-protected social media sites

There has been much discussion about searching candidates’ password-protected social media sites in the last week. On March 20th, the Toronto Star published an article about a Canadian employer who asked a candidate for a by-law enforcement position for his Facebook password. Professor David Doorey of York University published a blog post the same day alleging that the tactic “clearly” violates the Ontario Human Rights Code. The Ontario Human Rights Commission responded to Professor Doorey on March 23rd by issuing a more qualified statement that employers “should not ask job applicants for access to information stored on social media or other online sites.” Also on March 23rd, Facebook issued a statement highlighting that it is a breach of its Statement of Rights and Responsibilities to share a Facebook password and that it might initiate legal proceedings to protect its users in appropriate circumstances.

What’s a Canadian employer to make of all this? Here are four points.

First, there is a disconnect between the positions taken by those critical of the tactic and the view that a post to a social media account, even if password protected, is a communication to the public. Facebook friends do not undertake to keep friends’ information secret, and experience demonstrates that things posted to Facebook tend to get around quite easily. There is case law that upholds employers’ right to discipline for postings to password-protected social media accounts and, in Ontario, there is express judicial recognition that Facebook communications are not private communications.

Employers understand this. They warn their employees to be careful of what they post on password-protected sites in their social media policies. What, then, is the consistent and duly diligent employer who conducts searches of the public internet to do? Why should it hold its current employees accountable for postings to their Facebooks but refrain from checking candidates’ Facebooks because of a privacy concern?

Second, with great respect to Professor Doorey (who I follow and whose commentary I appreciate greatly), the issue of compliance with anti-discrimination legislation is not clear. Professor Doorey relies on section 23(2) of the Ontario Human Rights Code. Section 23 reads:

23. (1) The right under section 5 to equal treatment with respect to employment is infringed where an invitation to apply for employment or an advertisement in connection with employment is published or displayed that directly or indirectly classifies or indicates qualifications by a prohibited ground of discrimination.

Application for employment

(2) The right under section 5 to equal treatment with respect to employment is infringed where a form of application for employment is used or a written or oral inquiry is made of an applicant that directly or indirectly classifies or indicates qualifications by a prohibited ground of discrimination.

Questions at interview

(3) Nothing in subsection (2) precludes the asking of questions at a personal employment interview concerning a prohibited ground of discrimination where discrimination on such ground is permitted under this Act.

Though section 23(2) will often apply when an employer collects information associated with a protected personal characteristic, it is not a prohibition on the collection of information. An employer only violates section 23(2) if it “classifies” an employee by a protected personal characteristic or “indicates qualifications” by a reference to a protected personal characteristic. An employer who merely accesses a social media account that may contain information related to a protected personal characteristic in order to review the account for objective behaviors that raise legitimate concerns has neither classified an employee nor indicated job qualifications by reference to a protected personal characteristic. Both Professor Doorey and the Ontario Human Rights Commission seem to conflate access to information with collection and use of information, yet the language of the statute makes clear that only use of information for certain purposes is prohibited.

Third, the newly-recognized “intrusion upon seclusion tort” protects against “unauthorized” collections of information in certain limited circumstances. Concerns about candidate vulnerability noted, it is a stretch to frame this collection as unauthorized. For the same reason, we should rule out liability under the Criminal Code computer crime provisions. This seems a matter about reasonableness and justification rather than consent, and a private matter between employer, candidate/user and social media provider.

Fourth, legal risks can be reduced by conducting a supervised review instead of requesting passwords. Requesting passwords raises potential liability for intentionally inducing a breach of candidates’ contract with Facebook. It also opens employers to accusations of identity fraud. These concerns can be answered by using a process that features a supervised review – i.e., a process by which the candidate logs in and permits the review under supervision. This could be extremely awkward, especially if the check is done without notice. It seems an imperative, however.

In the end… employers beware

My aim is to contribute an employer-friendly perspective to the ongoing dialog about checking job candidates’ password-protected social media accounts in the hiring process. I’m not encouraging employers to adopt the tactic, but respect that some employers will feel that they have a demonstrable need and can accept the legal and non-legal risks. The negative public reaction is a sign that great caution is in order.

One thought on “Access to job candidates’ password-protected social media accounts: an employer friendly perspective

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.