As social media continues to impact and inform the hiring process, employers are grappling with understanding their obligations to obtain, store, use and protect employees’ personal information, in accordance with laws on the private and public sector’s collection, use and disclosure of personal information.
What is “Personal Information”?
Private Sector – Federal and PIPEDA
Federally, the Personal Information Protection and Electronic Documents Act, SC 2000, c. 5 (“PIPEDA”), mandates how employers in federally regulated private sectors can collect, use, and disclose information about employees.
The PIPEDA definition of “personal information” is broad, and includes any “information about an identifiable individual”, with “information” comprising a variety of identifiers: the employee’s home address and phone number, birth date, social insurance number, identification number and security passwords, income, personal interests and hobbies, prior work record, loan and credit information, criminal record, ethnic/religious/racial background, sexual orientation and medical record.
Private Sector – Alberta, British Columbia and Ontario
Only in provinces where “substantially similar” legislation has been enacted can the provincial legislation govern privacy for federally regulated private sector employees. This is the case in Alberta, with the Personal Information Protection Act, SA 2003, c P-6.5 and British Columbia’s act of the same name, the Personal Information Protection Act, SBC 2003, c 63 (together, “PIPA”).
PIPA also regulates the public sector’s use of personal information in both provinces. PIPA defines “personal employee information” as information reasonably required by the organization for the purposes of establishing, managing or terminating employment, or managing a post-employment relationship. The Employment Standards Act, 2000, SO 2000, c. 41, Part XI.1 (“ESA”) in Ontario does not define personal information.
In Ontario, there is no “substantially similar” legislation. Rather, the ESA is the applicable privacy legislation. However, unlike PIPEDA and PIPA, it only provides for the monitoring of employees electronically. Specifically, the ESA only requires employers to have a written policy in place with respect to the electronic monitoring of employees. Further, it does not define “personal information”.
Public Sector – Alberta, British Columbia and Ontario
Federal public-sector employers are governed by the provincial, and sometimes, municipal, legislation within each province. In Alberta, public-sector employers are governed by the Freedom of Information and Protection of Privacy Act, RSA 2000, c F-25; BC public sector workers are governed by legislation of the same name, the Freedom of Information and Protection of Privacy Act, RSBC 1996, c 165; and Ontario public sector workers are governed by the Freedom of Information and Protection of Privacy Act, RSO 1990, c F.31 (all three, “FIPPA”) as well as the Municipal Freedom of Information and Protection of Privacy Act, RSO 1990, c M.56.
The foregoing legislation defines “personal information” just as broadly as PIPEDA and PIPA. However, the title, business address and telephone number of an employee, the classification, salary range, and responsibility of that employee, and any discretionary benefit of a financial nature are not considered “personal information”, unlike the case in the private sector.
Obligations of the Employer by Legislation
Both PIPEDA and PIPA impose requirements on employers when gathering personal information:
- Employers must make an individual the designated officer who is responsible for ensuring compliance with the applicable legislation;
- Employers must identify the business purpose for which the personal information is being collected (at the time or prior to collection);
- Employees must provide consent to the collection, use or disclosure of personal information save for where an exception applies;
- Employers can only collect information that is needed for “reasonable” business purposes;
- An employer cannot use, disclose or retain information outside of the purpose for which it was collected, except with consent or as required by law;
- Employers must ensure information is accurate, complete and updated;
- There must be security measures in place to protect personal information that are appropriate for the sensitivity of the information;
- Policies and practices regarding the administration of personal information must be made known to employees;
- Employees, upon request, can be informed of the existence, use, and disclosure of their information and have the right to challenge the accuracy of the information; and
- Employees can make complaints to the employer’s officer in charge of personal information.
As noted above, Ontario’s ESA requires employers to have a written policy in place. The policy must outline whether the employer monitors its employees electronically and, if it does, a description of (1) how it monitors employees, (2) in what circumstances, and (3) the purpose for which the information may be used. Outside of the ESA, and where applicable, PIPEDA, there are no other privacy protections in place in Ontario.
In the public sector, the obligations imposed on employers are significantly less stringent – the collection of personal information does not require consent. However, no personal information can be collected unless it directly relates to the activity of the employer.
Exceptions to the Requirement of Consent
There are a number of exceptions where consent of the employee to collect, use and disclose personal information is not required:
- To establish, manage and terminate employment;
- Personal information produced by an individual during the course of their employment is not protected if it is in the context for which it was produced. For example, use of an employee’s personal phone number to relay schedule information or their residential address to send paystubs or tax documents;
- Disclosing personal information to a lawyer representing the employer for the purpose of collecting a debt owed by the employee to the employer;
- Disclosing personal information for the purpose of complying with a subpoena or order; and,
- Disclosing personal information where collecting information is “clearly in the interests” of the employee and consent cannot be obtained in a timely way.
Practical Implications: Social Media
In the current day and age, more individuals than ever utilize social media, and in some cases, various forms of social media. Personal information is more accessible than it has been in the past, and social media is being used by employers to evaluate and assess prospective candidates.
In BC and Alberta, employers do not require consent to use social media for the purpose of establishing, managing or terminating the employment relationship, but only in so far as it is reasonable. In other words, employers can use LinkedIn or Instagram to evaluate candidates.
However, the BC and Alberta privacy commissioners have published a number of guidelines to interpret the respective legislation. Such guidelines include: ensuring that social media background checks comply with PIPEDA and PIPA; ensuring that the background check is conducted on the correct individual and not multiple individuals; confirming that use of personal social media accounts, rather than a business account, does not void compliance with the law; using third parties to perform background checks must still comply with privacy obligations; and, being aware that individuals may find out that a social media background check was conducted.
In Ontario, private sector employers that fall under PIPEDA cannot use social media to perform background checks on candidates. However, private sector employers that do not fall under PIPEDA can conduct social media searches so long as the “collection” of information is relevant. This unfortunately does create issues arising from the presence of irrelevant information buried throughout people’s social media profiles. We note that this can be avoided by limiting searches to professional social networking sites such as LinkedIn, which is utilized by most individuals for job-related information only.
Acting in accordance with the applicable laws, and guidelines, will ensure that employers are taking all prudent steps to protect employee information, as well as avoid any unnecessary claims that may arise through an employer’s use of social media and personal information during the hiring process.