Access to job candidates’ password-protected social media accounts: an employer-friendly perspective

Hiring an employee is a big step, and the costs of getting a hiring decision wrong can be significant. One can’t blame employers for wanting greater insight into candidates’ backgrounds, but what are the limits?

Now, just as Canadian employers are grappling with searching the internet for publicly available information about candidates, a new background check tactic has come to light – checking candidates’ password-protected social media sites. What better record of a candidate’s candid behavior than his or her Facebook account? Why not have a look?

The great negative reaction to this tactic makes clear that it is not in step with common values. Unfortunately the public dialog has not included any employers’ voice, leaving those of us with faith in employers to question “Why?” and “How exactly?” Also unfortunately, there have been statements about the legal rules that apply to the tactic that are too categorical. What conflicts with common values does not necessarily conflict with law.

In this post, I propose a model for conducting responsible searches for publicly available information about candidates. I then comment on the negative reaction to reports that employers, including Canadian employers, are seeking access to candidates’ password-protected social media accounts in the course of hiring.

Searches of publicly available information from the internet

There is great pressure on employers, charged with making a duly diligent hiring decision, to search the internet for publicly available information on candidates.

Compliance with anti-discrimination legislation is a competing concern, but risks can be managed by respecting two key principles – justification and objectivity.

Compliance with privacy legislation can be more technical and varies by jurisdiction, but only private sector employers in British Columbia, Alberta and Quebec are regulated. Application of the Personal Information Protection and Electronic Documents Act to federally regulated employers’ hiring processes is questionable until PIPEDA is amended by the proposed Bill C-12, which will expand the statute’s reach to encompass employees and “applicants.”

With the key principles of justification and objectivity in mind, employers may abide by the following practices to manage the legal risks associated with conducting social media background checks:

  1. Check at the end of the hiring process. This is a background check, not an evaluative process. It should come as the next to last step in the hiring process.
  2. Check only when there is a demonstrable need. What’s the need? What are the alternatives? Why is this the better alternative? Document your needs analysis.
  3. Search based on objective criteria. It will be very hard to establish the validity of a profiling exercise – i.e., an exercise in which you attempt to draw broad inferences about job performance or trustworthiness based on social media activity. Unless you have a qualified expert prepare a defensible predictive model, don’t profile. Look for objective behaviors that raise legitimate concerns in light of job responsibilities. For example, you may look for critical comments that a candidate for a sales or marketing position has made about your company or industry and that are incompatible with becoming a representative of the company.
  4. Have someone other than the decision-maker search. This is a means of ensuring that the decision-maker does not see irrelevant information that may be related to a personal characteristic that is protected by anti-discrimination legislation.
  5. Direct a written report to the decision-maker. The report (which contains only feedback on the objective search criteria) goes in the hiring file and is part of the formal record upon which the hiring decision is made. This record is designed to assist in the defence of discrimination claims and is a record of due diligence. It makes the actual (forensic) record of the internet search irrelevant to a discrimination claim, which should minimize e-discovery risks.
  6. Validate negative information. Positively identifying the author of internet publications can be difficult. Validate authorship and seek an explanation.

In addition, employers should consider whether to provide advance notice to candidates. Bear in mind, however, that this is a unique kind of background check because the source of information is under the control of candidates (unlike with checks of criminal, credit and education records). Some employers will feel that the purpose of the check is likely to be frustrated by providing advance notice. Such employers should review the requirements of any applicable privacy legislation with legal counsel. Public sector employers who are subject to legislation that establishes requirements for “indirectly” collecting employee personal information may need to give notice.

Searching password-protected social media sites

There has been much discussion about searching candidates’ password-protected social media sites in the last week. On March 20th, the Toronto Star published an article about a Canadian employer who asked a candidate for a by-law enforcement position for his Facebook password. Professor David Doorey of York University published a blog post the same day alleging that the tactic “clearly” violates the Ontario Human Rights Code. The Ontario Human Rights Commission responded to Professor Doorey on March 23rd by issuing a more qualified statement that employers “should not ask job applicants for access to information stored on social media or other online sites.” Also on March 23rd, Facebook issued a statement highlighting that it is a breach of its Statement of Rights and Responsibilities to share a Facebook password and that it might initiate legal proceedings to protect its users in appropriate circumstances.

What’s a Canadian employer to make of all this? Here are four points.

First, there is a disconnect between the positions taken by those critical of the tactic and the view that a post to a social media account, even if password protected, is a communication to the public. Facebook friends do not undertake to keep friends’ information secret, and experience demonstrates that things posted to Facebook tend to get around quite easily. There is case law that upholds employers’ right to discipline for postings to password-protected social media accounts and, in Ontario, there is express judicial recognition that Facebook communications are not private communications.

Employers understand this. They warn their employees to be careful of what they post on password-protected sites in their social media policies. What, then, is the consistent and duly diligent employer who conducts searches of the public internet to do? Why should it hold its current employees accountable for postings to their Facebooks but refrain from checking candidates’ Facebooks because of a privacy concern?

Second, with great respect to Professor Doorey (whom I follow and whose commentary I appreciate greatly), the issue of compliance with anti-discrimination legislation is not clear. Professor Doorey relies on section 23(2) of the Ontario Human Rights Code. Section 23 reads:

23. (1) The right under section 5 to equal treatment with respect to employment is infringed where an invitation to apply for employment or an advertisement in connection with employment is published or displayed that directly or indirectly classifies or indicates qualifications by a prohibited ground of discrimination.

Application for employment

(2) The right under section 5 to equal treatment with respect to employment is infringed where a form of application for employment is used or a written or oral inquiry is made of an applicant that directly or indirectly classifies or indicates qualifications by a prohibited ground of discrimination.

Questions at interview

(3) Nothing in subsection (2) precludes the asking of questions at a personal employment interview concerning a prohibited ground of discrimination where discrimination on such ground is permitted under this Act.

Though section 23(2) will often apply when an employer collects information associated with a protected personal characteristic, it is not a prohibition on the collection of information. An employer only violates section 23(2) if it “classifies” an employee by a protected personal characteristic or “indicates qualifications” by a reference to a protected personal characteristic. An employer who merely accesses a social media account that may contain information related to a protected personal characteristic in order to review the account for objective behaviors that raise legitimate concerns has neither classified an employee nor indicated job qualifications by reference to a protected personal characteristic. Both Professor Doorey and the Ontario Human Rights Commission seem to conflate access to information with collection and use of information, yet the language of the statute makes clear that only use of information for certain purposes is prohibited.

Third, the newly-recognized “intrusion upon seclusion tort” protects against “unauthorized” collections of information in certain limited circumstances. Concerns about candidate vulnerability noted, it is a stretch to frame this collection as unauthorized. For the same reason, we should rule out liability under the Criminal Code computer crime provisions. This seems a matter about reasonableness and justification rather than consent, and a private matter between employer, candidate/user and social media provider.

Fourth, legal risks can be reduced by conducting a supervised review instead of requesting passwords. Requesting passwords raises potential liability for intentionally inducing a breach of candidates’ contract with Facebook. It also opens employers to accusations of identity fraud. These concerns can be answered by using a process that features a supervised review – i.e., a process by which the candidate logs in and permits the review under supervision. This could be extremely awkward, especially if the check is done without notice. It seems an imperative, however.

In the end… employers beware

My aim is to contribute an employer-friendly perspective to the ongoing dialog about checking job candidates’ password-protected social media accounts in the hiring process. I’m not encouraging employers to adopt the tactic, but respect that some employers will feel that they have a demonstrable need and can accept the legal and non-legal risks. The negative public reaction is a sign that great caution is in order.

Ontario CA comments on departing fiduciary’s information-related duties

Yesterday, the Ontario Court of Appeal issued a decision in which it held that a trial judge erred in “blue penciling” a non-competition clause to render it enforceable. It also held that a departing fiduciary does not breach the duty to compete fairly by (1) merely taking confidential information without using it to compete and (2) failing to inform the former employer about an intention to compete.

Veolia ES Industrial Services Inc. v. Brulé, 2012 ONCA 173.

Court dings departed employee for intentional spoliation

On March 7th, the Alberta Court of Queen’s Bench found a departed employee in contempt for counseling a contact to destroy evidence for the purpose of interfering with the administration of justice. The Court ordered the employee:

  • to produce any and all computers and electronic media in his possession, power or control, for a forensic review to be conducted by a computer expert retained by the plaintiffs;
  • to pay for the review and post $30,000 in security for costs; and
  • to pay the costs of the contempt motion on a full indemnity basis.

Fuller Western Rubber Linings Ltd. v Spence Corrosion Services Ltd., 2012 ABQB 163 (CanLII).

Ontario CA opens up the advice and recommendation exemption

Today the Court of Appeal for Ontario took a significant step to clarify the scope of the “advice and recommendation exemption” in Ontario access-to-information legislation. It held that the Information and Privacy Commissioner/Ontario erred in applying an extremely restrictive interpretation of two 2005 Court of Appeal decisions.

The Court first affirmed the meaning of “advice” and “recommendations” it articulated in 2005. “Advice” is “material that permits the drawing of inferences with respect to a suggested course of action.” A “recommendation” actually suggests a preferred course of action. Background facts that support advice and recommendations are not exempt from disclosure.

The Court then made two important clarifications.

First, the Court clarified that the entire deliberative process is protected. The IPC erred, it held, by imposing a requirement that exempt information must go to the final decision maker. In doing so, it quoted Justice Evans of the Federal Court of Appeal, who said “It would be an intolerable burden to force ministers and their advisors to disclose to public scrutiny the internal evolution of the policies ultimately adopted.”

Second, the Court clarified that the presentation of a range of options may be properly withheld. The IPC erred, it held, by imposing a requirement that exempt information identify a single course of action.

The advice and recommendation exemption is a very important exemption that has always been interpreted extremely narrowly by the IPC. This decision breathes life into the exemption in a manner that will please institutions which, quite legitimately, crave a healthy zone of privacy in which to deliberate so they can make optimal decisions about policy and other matters.

Ontario (Finance) v. Ontario (Information and Privacy Commissioner), 2012 ONCA 125.

Ontario arbitrator says Jones v Tsige doesn’t matter

On February 22nd, Ontario arbitrator George Surdykowski held that the Court of Appeal for Ontario’s recognition of an “intrusion upon seclusion” tort does not change rights and obligations related to the use of employee medical information for employment purposes. He said:

I agree with the Union that Jones v. Tsige reinforces the premium value of privacy in Canadian society. But the decision does not establish an additional premium or value in that respect.

I agree with the Employer that whatever Jones v. Tsige actually stands for in terms of the non-legislated or non-contractual right to privacy, it does not stand for the proposition that asking for or even demanding that an employee disclose confidential medical information for a legitimate purpose constitutes an improper or actionable intrusion on the employee’s right to privacy. Jones v. Tsige does not posit any absolute right to privacy. Although, Jones v. Tsige does mean that the comments about the common law of privacy in paragraph 20 of Hamilton Health Sciences #1 are no longer completely accurate, it does not otherwise alter the fundamental analysis in that case (or in Providence Care, Mental Health Services and other decisions following or flowing from Hamilton Health Sciences #1). It remains the case that an employer is entitled to request and receive an employee’s confidential medical or other information to the extent necessary to answer legitimate employment related concerns, or to fulfill its obligations under the collective agreement or legislation, including the human rights or health and safety legislation (for example). I agree with the Employer that nothing in Jones v. Tsige alters its right to manage its workplace(s), or to obtain confidential medical or other information as required or permitted by legislation or the collective agreement, or which it reasonably requires for a legitimate purpose. Of course, it remains the case that the employer is only entitled to the confidential information necessary for the legitimate purpose. Even then the employee can refuse to disclose her confidential medical or other information, although if she does she must accept the consequences of exercising that right of refusal. 
Refusing to allow access to necessary confidential medical information may justify the employer’s refusal to allow the employee to continue or return to work, or stymie the accommodation process, result in the loss of disability benefits, or even lead to the loss of employment.

It’s nice to have a clear and strong statement like this “out of the gate.” The medical information management arbitral jurisprudence that deals with justification for collection is well-settled and well-calibrated. Jones v Tsige doesn’t and shouldn’t make a difference.

Complex Services Inc. and OPSEU, Local 278 (February 22, 2012, Surdykowski).

Backup tape searches extraordinary, but searches required at a fee if wanted or needed

The IPC/Ontario issued a significant “e-FOI” decision on February 9th. Here is what it said about retrieving e-mails from backup tapes:

In general, an access request for emails does not require a routine search of backup tapes for deleted emails unless there is a reason to assume that such a search is required, based on evidence that responsive records may have been deleted or lost.

This sets up a kind of presumption that institutions will appreciate, but if a requester asks or if there is an indication that responsive records may have been deleted or lost, an institution must search and retrieve responsive e-mails from backup tapes subject to its right to recover a fee. In many cases requesters will opt not to pursue backup tape searches given the fees such searches are likely to generate. Institutions, however, should be careful to base their fee estimates on good evidence of what the restoration and search effort is likely to entail.

Carleton University (Re), 2012 CanLII 5892 (ON IPC).

SCC issues comprehensive third-party information exemption decision

Yesterday the Supreme Court of Canada issued a comprehensive decision on the third-party information exemption in the federal Access to Information Act. Although the third party, research-based pharmaceutical company Merck, lost its appeal, the decision establishes decent procedural and substantive protection for third parties.

The matter – about a Health Canada access decision

The matter involves a request made to Health Canada for records related to a New Drug Submission and Supplementary New Drug Submission. Health Canada disclosed some records without providing notice to Merck and gave notice to Merck regarding parts of others with a note that it was “unable to determine” whether the mandatory exemption for third-party information in section 20(1) of the ATIA applied. This led to a Health Canada decision to disclose numerous records that Merck challenged by way of judicial review. It took issue with the process by which Health Canada administered the request and its decision not to apply section 20(1).

The relevant provisions – the third party information exemption

Section 20(1) is the “third-party information exemption.” It protects the interests of third-parties whose information is under the control of federal government institutions. The three subsections at issue in yesterday’s decision read as follows:

20. (1) Subject to this section, the head of a government institution shall refuse to disclose any record requested under this Act that contains

(a) trade secrets of a third party;

(b) financial, commercial, scientific or technical information that is confidential information supplied to a government institution by a third party and is treated consistently in a confidential manner by the third party;

(c) information the disclosure of which could reasonably be expected to result in material financial loss or gain to, or could reasonably be expected to prejudice the competitive position of, a third party

A head has a duty to refuse to disclose a record containing information fitting within any one of section 20(1)’s three subsections, subject to a duty to sever and disclose non-exempt information that can “reasonably be severed.” A head also has a duty to give notice to an affected third-party (and hear submissions) when the head, “intends to disclose any record requested under this Act, or any part thereof, that contains or that the head of the institution has reason to believe might contain…” information that is exempt under section 20(1).

The majority decision – eleven principles

Justice Cromwell wrote for the six-judge majority. He endorsed the following 11 principles (my list) about the scope of the third-party information exemption and the procedure for dealing with requests that engage the exemption:

  1. Most generally, the duty to provide access to government information is equally important to the duty to protect third-party information: “when the information at stake is third party, confidential commercial and related information, the important goal of broad disclosure must be balanced with the legitimate private interests of third parties and the public interest in promoting innovation and development.”
  2. The threshold for giving notice to a potentially affected third-party is low: disclosure without notice “is only justified in clear cases, that is where the head, reviewing all the relevant evidence before him or her, concludes that there is no reason to believe that the record might contain material referred to in s. 20(1).”
  3. A head must give notice to a third-party even in the absence of a firm intention to disclose, including when “in doubt” about the application of section 20(1): “the institutional head ‘intends to disclose’ a record that might contain exempt information if the head concludes that he or she cannot direct either refusal or disclosure without notice.”
  4. A head, however, must make a “serious attempt” to apply the exemption and not simply shift the onus of review to a third-party.
  5. On judicial review of a decision to disclose, a third-party must establish application of section 20(1) on a balance of probabilities. It is an error of law to hold a third-party to a “heavy burden.”
  6. Section 20(1)(a) applies to information that meets the traditional legal test for a “trade secret.” It is an error of law to associate the definition with any particularly restrictive meaning.
  7. Section 20(1)(b) applies to information supplied to government that is “not available from sources otherwise available to the public or obtainable by observation or independent study by a member of the public acting on his or her own.” The information need not have inherent value (as a client list would, for example).
  8. For the purposes of section 20(1)(b), information is not “supplied” if it is “collected by government officials’ observation.”  In general, judgements or conclusions expressed by government officials are not “supplied.”
  9. The reasonable expectation of harm that triggers the application of section 20(1)(c) exists when there is “considerably more” than a “mere possibility of harm” and “somewhat less” than a likelihood of harm. It is an error of law to demand harm that is “immediate” and “clear.”
  10. In general, it will be hard to demonstrate that harm will flow from the disclosure of publicly available information and, as a matter of principle, difficult to establish that harm will flow from the misunderstanding of disclosed information.
  11. Declining to sever and produce information from an otherwise exempt record will be justified when the non-exempt information has little meaning on its own or when a cost-benefit analysis otherwise weighs against disclosure.

These principles are likely to have at least some significance to the handling of matters under statutes other than the ATIA. Principle 9, in particular, has the potential to calibrate the handling of harms-based exemptions and promote a uniform standard for proof of harm under all Canadian access statutes.

The dissent – differs on a non-substantive issue

Justice Deschamps wrote for the three-judge minority, which would have deferred to the application judge’s findings. The minority did not differ with the majority on any of the 11 principles noted above, and expressly agreed with the majority’s views on the duty to provide notice and on the standard of proof.

Merck Frosst Canada Ltd. v. Canada (Health), 2012 SCC 3.

Non-party privacy tips the balance in favour of Anton Piller

On November 23rd of last year the Alberta Court of Queen’s Bench issued an Anton Piller order based significantly on a concern for the privacy interest of customers whose information the plaintiff alleged had been stolen.

The plaintiff is a BMW dealership that was confronted with a regrettable breach of its sales and customer relationship management system when it failed to remove system privileges from a terminated manager. It alleged the manager gained unauthorized access to the system and downloaded the names, e-mail addresses and “other personal details” of about 5000 customers.

I won’t detail the record, but the Court noted that it contained gaps. It seemed to be swayed by the customer privacy interest at stake and stated that a public interest supported making the order:

I am satisfied that even if Beck is innocent of some or all of the allegations being made against him on an ex parte basis, Bavaria has a public interest and duty under the appropriate Privacy Act legislation, to do everything it can to preserve the integrity of information that appears to have gone missing or unaccounted from almost 5,000 of its customers that it had care and custody of, and that this Order is also in the public interest.

This statement does not make clear why the Court felt the preservation of evidence afforded by an Anton Piller would be privacy-protective. In some circumstances retrieving evidence of misuse might help non-parties mitigate, but perhaps this is really about allowing a plaintiff (and custodian) some assurance that lost personal information has been brought under control (without copies being stashed away). For another case in which an employer attempted to use non-party privacy in enjoining competitive conduct by a departed employee see here.

Bavaria Autohaus (1997) Ltd. v Beck, 2011 ABQB 727 (CanLII).

Ontario IPC orders institution to validate authenticity of record

The Information and Privacy Commissioner/Ontario issued a notable “e-FOI” order on January 19th.

The IPC ordered the Ministry of Community Safety and Correctional Services to validate the authenticity of a 911 call recording that it provided to a requester. The Ministry filed an affidavit about how the recording was extracted from the system on which it was recorded and burned to CD. However, when the requester challenged the recording’s authenticity the Ministry provided the requester with a second CD that the requester successfully claimed did not match the first. The IPC ordered the Ministry to re-produce the CD and provide the requester with a sworn statement about the authenticity of the to-be-produced CD after listening to compare it with the original.

The Ministry adduced evidence of its extraction process that was very strong, but its affidavit seemingly did not capture the entire chain of custody – i.e., the first-produced CD was not marked and identified in the affidavit. This can be done relatively easily by using a hash number or even physically marking the disc that’s produced.
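The hash-based marking suggested above can be sketched as follows. This is an added example, not code from the order, the Ministry or the original post: it assumes SHA-256 as the hash, treats each produced disc as a directory of files, and uses constructed file names and contents.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large recordings need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, label):
    """List every file in a production (a directory tree) with its size and hash."""
    root = Path(root)
    files = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        files[rel] = {"bytes": path.stat().st_size, "sha256": sha256_file(path)}
    return {"label": label, "files": files}


def manifest_digest(manifest):
    """One hash over the canonical file list: the single value an affidavit can cite."""
    canonical = json.dumps(manifest["files"], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def compare(reference, candidate):
    """Report, by relative path, how a later production differs from the reference."""
    ref, cand = reference["files"], candidate["files"]
    shared = set(ref) & set(cand)
    return {
        "missing": sorted(set(ref) - set(cand)),
        "extra": sorted(set(cand) - set(ref)),
        "changed": sorted(n for n in shared if ref[n]["sha256"] != cand[n]["sha256"]),
    }


def demo():
    """Constructed scenario: a source export, a faithful first disc, a differing second disc."""
    recording = b"RIFF" + bytes(range(256)) * 64  # constructed stand-in for the audio export
    with tempfile.TemporaryDirectory() as tmp:
        source, disc1, disc2 = (Path(tmp) / name for name in ("source", "disc1", "disc2"))
        for directory in (source, disc1, disc2):
            directory.mkdir()
        for directory in (source, disc1):
            (directory / "call_recording.wav").write_bytes(recording)
        # The second disc differs by a single byte and carries an extra file.
        (disc2 / "call_recording.wav").write_bytes(recording[:-1] + b"\x00")
        (disc2 / "notes.txt").write_text("added later\n")

        m_source = build_manifest(source, "source export")
        m_disc1 = build_manifest(disc1, "first produced disc")
        m_disc2 = build_manifest(disc2, "second produced disc")
        return {
            "first_digest": manifest_digest(m_disc1),
            "first_matches_source": manifest_digest(m_disc1) == manifest_digest(m_source),
            "second_matches_first": manifest_digest(m_disc2) == manifest_digest(m_disc1),
            "diff": compare(m_disc1, m_disc2),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Recording the manifest digest in the affidavit at the time the first disc is burned ties the sworn statement to that specific disc, so a later copy can be checked against it without relying on listening alone.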

Ontario (Community Safety and Correctional Services) (Re), 2012 CanLII 2815 (ON IPC).