Last Thursday, the Ontario Office of the Information and Privacy Commissioner released its new guide for online reference checks.  In the face of the recent debates about whether an employer can request personal social media passwords during job interviews, the release of this document is quite timely.

The guideline is entitled, Reference Check:  Is Your Boss Watching?  The New World of Social Media:  Privacy and Your Facebook Profile.  The guideline reviews the various issues around online background checks, and provides a number of suggestions on how a candidate or employee can protect him or herself.

I attended the event last Thursday at which the Privacy Commissioner, Dr. Anne Cavoukian, unveiled the new guideline and discussed the various risks and problems associated with employers asking for social media passwords.  It will be a surprise to no one that she firmly opposes requiring a candidate or employee to provide their personal social media passwords, although her reasoning was based more on privacy principles than legal prohibitions, given the ongoing gap in privacy law for provincially regulated employees in Ontario.

In her speech, Dr. Cavoukian summarized five unintended consequences of requesting and obtaining a candidate or employees’ personal social media passwords:

  1. Accessing a candidate’s personal social media profile may lead to uncontrolled secondary use of personal data, such as data regarding a candidate’s friends and family.
  2. Once the employer is in the possession of the data, the employer becomes responsible for that data and assumes liability for the privacy issues regarding the data.
  3. An employer may lose out on qualified candidates who are deterred from applying for a position because of the employer’s practice.
  4. Possible loss of reputation of the employer.
  5. Costs of legal liability should a claim arise regarding the use of the information gathered during the social media background check.

Most of the consequences are focused on potential risk or reputational damage.  The reality is, given the privacy law gap in Ontario for non-medical employee personal information, any direct legal consequences are more likely to flow from the breach of a workplace policy, collective agreement, or contract (assuming one exists that speaks to the issue of privacy), than any specific law at this point.

I discuss the Ontario privacy law gap in an earlier post here.  Until the landmark Ontario Court of Appeal decision, Jones v Tsige, was released in January, there was no employee recourse, so it will be interesting to see how the new Guidelines will be used by adjudicators as a thought-piece and articulation by the Ontario Privacy Commissioner of what the law should be for Ontario employers.