The explosion in the popularity of social media has revolutionized the way in which we interact with the world. From Facebook to Twitter, the use of social media allows us to instantaneously connect with others on an unprecedented scale. Today, we are able to share and access more information than ever before.
Although the use of social media has been prevalent for many years, its use in the workplace remains a live issue for many organizations. Increasingly, some employers are using information gathered from social media sources for a variety of purposes, including screening potential candidates for work, reviewing customer feedback, and sometimes monitoring employee activities after working hours. The collection, use and disclosure of this type of personal information has created a host of novel situations in the workplace.
Consider the case of Lougheed Imports Ltd. (West Coast Mazda) v. United Food and Commercial Workers International Union, Local 15181 in which the British Columbia Labour Relations Board (BCLRB) upheld the termination of two employees for making inappropriate comments on Facebook about their employer’s business and its personnel.
In that case, the employer began monitoring the Facebook activity of two of its employees after becoming aware of inappropriate Facebook comments they had made. The employer terminated both employees for making comments which it found were insubordinate and damaging to its business. The BCLRB concurred with the employer and upheld the decision of an arbitrator which had found that the employer had proper cause to terminate the employees.
While this case is an example that an employee may be terminated in a unionized workplace based upon personal information gathered from social media sources, the collection, use and disclosure of such information presents many legal and other challenges.
One of the concerns about collecting, using and disclosing personal information is the potential breach of privacy laws when reviewing an employee’s social media – an issue which is beginning to be explored by Canadian privacy tribunals. Currently, the federal Personal Information Protection and Electronic Documents Act sets national standards for privacy practices in the private sector. Moreover, Alberta, British Columbia and Québec have enacted substantially similar legislation which governs how private sector organizations are able to collect, use or disclose personal employee information.
In a recent investigation regarding a potential breach of the B.C. Personal Information Protection Act (PIPA), the Office of the Information and Privacy Commissioner for British Columbia reviewed the legal principles surrounding the use and collection of personal information when vetting job candidates.
In early March 2011, media reports stated that the BC New Democratic Party (NDP) was asking leadership candidates to provide their Facebook passwords as part of the NDP’s vetting process in order to review the candidates’ social media content for inappropriate material. The Privacy Commissioner conducted an investigation and found that the NDP did not have the authority under PIPA to collect the amount and type of personal information it retrieved, despite the fact that express consent was obtained from the candidates to do so.
In a summary of its decision,2 the Privacy Commissioner stated that PIPA operates to limit an organization’s collection of personal information to what a reasonable person would consider appropriate in the circumstances. Whether the collection of information is reasonable depends on a number of factors, including:
- The quantity and type of information collected;
- The purpose of the collection and the surrounding circumstances;
- The use to which the information will be put;
- Any disclosure the organization intends at the time of collection; and
- The existence of reasonable alternatives to collecting personal information to achieve the organization’s goals.
The Privacy Commissioner concluded that the BC NDP’s collection of information was unreasonable in the circumstances because it collected information from third parties without the third parties’ consent and because it collected large amounts of personal information which may have been outdated, irrelevant or inaccurate. Moreover, there were reasonable alternatives that could have been used for the purpose of vetting its candidates.
As a result of this decision, the BC NDP agreed to discontinue its practice of requesting social media passwords to vet its candidates. The Privacy Commissioner’s decision highlights the inherent problems associated with collecting and relying upon personal information gathered from social media sources.
While the use of social media has had a profound impact on our lives, we are only beginning to understand the legal implications of its use in the workplace, particularly with respect to privacy considerations. As this area of the law continues to develop, organizations should review their own privacy practices and develop clear guidelines and codes of conduct with respect to the collection, use and disclosure of employee personal information. In this way, organizations can ensure that they are able to meet their legitimate business objectives without running afoul of applicable privacy legislation.
1 BCLRB No. B190/2010
2 P11-01-MS Summary of the Office of the Information and Privacy Commissioner’s Investigation of the BC NDP’s use of social media and passwords to evaluate candidates