“We don’t think employers should be asking prospective employees to provide their Facebook passwords (for pre-hiring background checking) because we don’t think it’s the right thing to do.”
— Facebook (statement on company’s website)
Facebook’s statement has set off a firestorm of controversy and misinformation. The popular consensus seems to be that the employer’s practice of demanding Facebook passwords from job applicants is morally “wrong” and “illegal.” We’re not qualified to pronounce judgment on morality; but we do have a decent grasp of the law.
Long story short: There’s no law that says you can’t demand job applicants’ passwords and use them to do a background check. But as a practical matter, once you start checking a job applicant’s profile on Facebook or another social network site (which we’ll refer to collectively as “Facebook”), you bring privacy laws into play. And, in many cases, you incur liability risks greater than the benefits you gain from your search.
As long as you’re prepared to navigate the privacy minefield, you can demand Facebook passwords and conduct searches to your heart’s content. But the question isn’t just what you can but should do. You know the kinds of things people post on Facebook. Do you really think any of this going to help you evaluate a job applicant’s professional qualifications? If no, you’re best advised to stay away from Facebook and concentrate on traditional methods of pre-employment screening such as reference checking or job interviews—or at the very least, confine your internet search to professional sites. But if you’re ready, willing and able to take on the risks of going to Facebook, keep reading…
Facebook screening and privacy
Federal laws like the Fair Credit Reporting Act ban employers from conducting personal background checks on employees and job applicants without the individual’s written authorization. Many states, including California, place even more stringent restrictions on employer collection of personal information about job applicants from third parties. It could be argued that comments, photos and other Facebook postings are personal information that can’t be collected without authorization.
However, there’s a huge loophole: Consent isn’t generally required to collect personal information that’s publicly available. Postings on a social networking site have been consistently recognized as publicly available information by courts, arbitrators and privacy commissions.
Reasonable expectations of privacy
Job applicants might also have privacy rights under collective bargaining agreements, individual employment contracts or common law, i.e., case law made by judges. To hold you liable for a privacy infraction, job applicants must show they had a “reasonable expectation” of privacy in their Facebook postings.
The operable word is “reasonable.” Thus while there are plenty of Facebook users who assume otherwise, postings on social networks are not private communications. Thus it wouldn’t be reasonable to expect Facebook postings to be kept confidential. However, the job applicant would have a stronger argument to the extent the employer circumvents the host site’s privacy controls to gather the information.
Example
Sally, a recent college grad who has opted to limit her Facebook network to other recent grads, applies for a paralegal job with ABC Medical Office. Finding its access to Sally’s network blocked, ABC has an employee pose as a grad so he can “friend” Sally and join her network. ABC uses the information the employee acquires in processing her application. Sally would at least be in a position to argue that she had a reasonable expectation of privacy.
Directly asking for a Facebook password makes it harder for job applicants to claim that your check violated their reasonable privacy expectations. So is directly notifying them of the check in advance.
Job applicants’ privacy rights are also subject to the employer’s right to collect, use and disclose personal information to perform legitimate business functions.
Key question:Does demanding a job applicant’s Facebook password and conducting a pre-employment count as collecting and using personal information for a legitimate business purpose?
Answer: It depends.
Impact on you: To avoid liability, you must make sure your particular use falls on the “reasonable” side of the “it depends” line.
What to do
The best way to do this is to conduct a privacy assessment before conducting searches to determine if they’re reasonable. There are 8 factors to consider in your assessment: (See the Model Assessment below for a template you can adapt to ensure that privacy risks are adequately assessed before pre-employment Facebook checks take place at your medical office.)
1. Does the search serve a legitimate business purpose? YES [ ] NO [ ]
Searching Facebook is faster and simpler than traditional background checking methods. But simplicity isn’t enough. To justify a search as reasonable, employers must consider what information they can collect about the job applicant that they can’t garner from traditional screening methods such as reference checks and interviews.
2. Does the search collect only relevant information? YES [ ] NO [ ]
For a Facebook search to be reasonable, it must provide relevant information and only relevant information. Relevant means information about the applicant’s qualifications. Personal information like what the applicant looks like or her recipe for lasagna is irrelevant.
Much of the personal information contained on social network sites is not just irrelevant but illegal to look at during the course of a hiring process. Especially dangerous is material that reveals an applicant’s race, gender, religion, family status, disability, age and other personal characteristics protected by anti-discrimination laws.
Once you come into possession of such information, you can’t un-possess it. Electronic search records will show that you accessed the information and wind up as Exhibit A in the rejected applicant’s discrimination suit. You can argue that you didn’t look at the information; the problem is that merely possessing it is evidence that it factored into your employment decision.
3. Are you searching only relevant sites? YES [ ] NO [ ]
Social media site checks can range from simple Facebook profile checks to sweeping searches of blogs, micro-blogs and file sharing sites. Decide in advance what websites you plan to check and make sure each site provides access to the exact relevant information you’re looking for.
4. Is information collected current and accurate? YES [ ] NO [ ]
You must ensure that the information you collect is current and accurate. That’s tricky because social media sites are littered with inaccurate information like mislabeled photographs and out of date bios. Moreover, simply looking at the information is deemed the equivalent of collecting it. So you need to have safeguards in place before doing your search.
5. Will search reveal information only about the applicant? YES [ ] NO [ ]
One of the biggest challenges you face when getting access to a job applicant’s Facebook profile is to keep the search focused on just that individual and avoid capturing information about third parties like the individual’s “friends” who didn’t fork over their password or consent to the search.
6. Do you notify applicants of the search? YES [ ] NO [ ]
Demanding passwords serves the purpose of notifying the applicant that you’re going to do the search. But you should also notify applicants of key aspects of the search, including:
- All sites you intend to search;
- The information you’re seeking and why you deem it relevant;
- How you intend to use the information you collect; and
- A statement that your organization is an equal opportunity employer and that the search isn’t intended to collect information about the applicant’s race, sex, age, religion and other personal characteristics protected by the human rights laws.
Consider asking applicants to sign a form giving express consent to the search. But keep in mind that applicants can withdraw their consent at any time; when and if they do, you can no longer use the information to make your decision on their application. (See the link to a Model Notification below for language you can add to your job application.)
7. Are your search methods on the level? YES [ ] NO [ ]
Actual searches must be appropriate, consistent with the methods described in the application notification and in line with the host site’s use restrictions and applicant’s indicated privacy preferences. Practices that make Facebook searches “unreasonable” would include having individuals at your organization “friend” applicants to gain access to their privacy-protected information (as in the Sally example above) or doing the search from a personal account to hide your medical office’s tracks.
8. Do you limit use of information collected to the stated purpose? YES [ ] NO [ ]
Remember that privacy restrictions apply not just to the information’s collection but also its use. To be reasonable, the use must be consistent with the stated purpose for which it was collected, i.e., to evaluate the applicant’s fitness for the job. Example: Your Facebook search reveals that the applicant is the regional director of a notorious hate group:
- Appropriate: Rejecting the applicant on the basis of the information;
- Inappropriate: Sending the applicant’s file to the police.
Conclusion
You have every right to demand Facebook passwords to check job applicants as long as you keep your search “reasonable” under privacy laws. Keeping it “reasonable” isn’t so easy. You’re only allowed to collect information that’s relevant to the applicant’s qualifications. Personal information having no bearing on the applicant’s ability to do the job is off limits, as is personal information about third parties. And in the realm of privacy laws, where information seen is considered information collected, it’s quite a challenge to keep searches focused on the relevant and blind to the irrelevant—especially when sites are conducted on social networks like Facebook. That’s why, at the end of the day, medical offices determined to use the internet for pre-employment screening are better advised to concentrate on professional sites.
Related Tools
Model Form: ABC Medical Office Use of Social Media for Pre-Employment Screening
Model Tool: Notification to Applicants of Pre-Employment Screening
