The first in an ongoing series examining the nuts and bolts of privacy compliance. Here we examine the potential privacy issues with employee background checks, and how to mitigate them.
It’s common practice for employers to perform background checks on prospective employees, particularly if they are being hired into a position of trust. Checks are also done to ensure that the potential employee has the qualifications required for the position. A background check could involve looking up criminal records, litigation records, citizenship or immigration status, driving records, or credit information, as well as confirmation that the employee really does have the qualifications listed on his or her resume. Recently, online and social media checks have been added to this list. An online background check might involve anything from a cursory look at a Facebook profile to accessing an online public records search to hiring a specialist to dig up everything on the Web about the person.
This collected information could be legally defined as “employee personal information,” “personal employee information,” or “personal information” (PI), depending on the nature of the information, how it is collected, and the wording of laws in specific provinces. Provincial privacy regulations govern the collection, retention, use, and disclosure of PI. This means that regulation of storage procedures, security controls, and access to PI may differ from province to province.
Contrary to common practice, it is not permissible to access job candidates’ personal information online or through other channels without their knowledge and consent.
One requirement remains the same across all Canadian jurisdictions, and that is consent. Across the board, consent for access to PI is required from the individual in question when performing a work-related background check.
The Risks, and How to Mitigate Them
Privacy laws restrict how much information may be collected about an individual. Even when consent has been given, companies should only gather personal information that a reasonable person would consider appropriate in the circumstances. That is, the information collected has to be relevant to employment.
Social media checks raise serious questions about what information is truly relevant to a person’s ability to do a job.
Performing a background check through social media, such as Twitter, Facebook, or dating sites puts you in danger of breaking the law because there is no way to limit how much information you may discover. Some of the information found may be related to job qualifications, but much of it will not. Accessing irrelevant personal information creates a risk not only of privacy violation, but also of discrimination. If you decide to conduct a social media background check, make sure there is a clear business reason for your search, and that your search is reasonable.
It’s also worth remembering that the accuracy of information gleaned from social media cannot be guaranteed. To begin with, unless prospective employees voluntarily show employers their profiles or pages, there is no way to be certain whether it really was the person in question who posted the material. Material posted by third parties also cannot be assumed to be reliable. Section 33 of Alberta’s Personal Information Protection Act (PIPA) requires an organization to “make a reasonable effort to ensure that any personal information collected, used or disclosed… is accurate and complete.”
Another risk is that an employer may inadvertently collect information about third parties without their consent. This is a violation of Alberta’s PIPA.
Given all these potential pitfalls, it may be worth considering whether your search can be conducted through more conventional means such as interviews and references. Before you look up job candidates on social media, you need to ask, What do I really need to know about this person that I can’t find out in other ways?
A Few Reference Points
Consent: Consent is required to access any type of PI, either before or after an offer of employment. Be sure that any proposed background checks during employment give your employees the option of not complying; mandatory checks, enforced by the threat of job termination, may be seen by the courts as coerced (see Case Study below).
Internal Disclosure: Once collected, PI must be stored securely, with strict controls to prevent staff accessing a co-worker’s personal details, either intentionally or inadvertently. We will be addressing this important topic in an upcoming article.
For further information, take a look at the Office of the Information and Privacy Commissioner of Alberta’s “Guidelines of Social Media Background Checks”: http://oipc.ab.ca/Content_Files/Files/Publications/Social_Media_Guidelines_Dec_2011Final.pdf)
Criminal Background Checks: When it comes to criminal checks, you have a range of options. A useful resource to help you choose between them is the Ontario information and Privacy Commissioner’s one-page guide: https://www.ipc.on.ca/site_documents/range_of_bkg_checks.pdf