Follow Me on Twitter

Can an Employer ask a Job Applicant for their Facebook Password?

I had several media requests today asking about employers asking job applicants for their Facebook passwords, but I wasn’t sure why.

I just noticed a Toronto Star piece describing how an applicant for a police position was asked to give his Facebook password in a job interview.   My first reaction to this was, “what kind of a sleazy employer would ask for that”.  It’s like asking for the key to an applicant’s diary.  Sadly, there are some out there, even in Ontario apparently.

I’m going to bed, having just come home from yet another awful Leaf game.  But my first take on this is that asking a job applicant for their Facebook password is a violation of the Ontario Human Rights Code, and unlawful.  Take a look at Section 23 of the Code, which sets out rules relating to job application forms and interviews.  Here is what is says:

Application for employment

23(2) The right under section 5 to equal treatment with respect to employment is infringed where a form of application for employment is used or a written or oral inquiry is made of an applicant that directly or indirectly classifies or indicates qualifications by a prohibited ground of discrimination.

The prohibited grounds include: race, ancestry, place of origin, colour, ethnic origin, citizenship, creed, age, record of offences, marital status, family status or disability.

Section 23(2) says that an employer can’t ask a job applicant for information that “directly or indirectly” classifies a person by a prohibited ground.  In other words, it is none of an employer’s business if you are married or single (family status), whether you are gay, straight, or bisexual (sexual orientation), what your religion is (creed) or your race, if you are Aboriginal, what your skin colour is, where you are from, how old you are, whether you have children (family status), and whether you have a disability. Some of these things will be evident by the interview stage (like skin colour and maybe disability), but the employer certainly cannot ask you to disclose other information about prohibited grounds that are not self-evident in the interview.  Moreover, Section 23 doesn’t just ban the question “Are you disabled?”, it bans other questions that are likely to give the employer the answer to that question, such as “Can you lift 50 pounds and stand for extended periods of time?”.  The objective is to keep information about the applicant’s association with prohibited grounds out of the hands of employers during the recruitment stage.

Now ask yourself whether your Facebook page might disclose any of the protected information to a prospective employer?

Does it say if you are married or single?  If so, none of employer’s business, and illegal to ask for a means to check that.

Does it indicate your sexual orientation, or your marital status?  If so, none of employer’s business, and illegal to ask for a means to check that.

Does it indicate your religion?  Your age?  Where you were born?  Whether you have children?  If so, none of a prospective employer’s business, and they are breaking the law if they ask you to provide them with access to this information.

Odds are most Facebook pages do indicate some or all of these things. Therefore, the Code prohibits an employer from asking about it, or asking you to provide a secret password that will allow the employer to access this information.

Put it this way:  Could an prospective employer ask you directly what church, temple, or synagog you attend, or whether you are married, gay, or have children?  Of course not.  So why can they ask you for the key to access a personal webpage that would tell them that information indirectly.  If you have a piece of paper locked in your glove compartment with all the info about your sexual orientation, religion, family, and age, can an employer insist on having the key?

To me, this is a no-brainer (though others may disagree, of course).  I think it is against the law for an employer to ask for a secret password to a personal Facebook account, in Ontario at least.  I would have to look at the human rights legislation of the other Canadian jurisdictions.     If you are an employer,  don’t ask for this information.  It’s illegal, irrelevant, and none of your business.  The Human Rights Commission should issue a strong and clear paper stating this–perhaps it already has, I haven’t looked.

Of course, applicants who refuse to give the password to an employer that asks for it may not get the job.  They could file a human rights complaint, and in theory the Tribunal could order the employer to hire them.  But that doesn’t happen very often, and anyways, the complainant would probably be satisfied with taking some cash rather than accept a job under these circumstances.  So my advice to job seekers who think they might run into an illegal request for access to personal information on their facebook page is to create second dummy page for that purpose.  Put innocuous stuff on that page, making sure it doesn’t disclose anything that you would not want an employer to see.  Give the law-breaking employer the password to that page, if you really need the job. Anyone see any problem with that advice?  [Post-script: I'm told that it is a violation of facebook rules to open two accounts, for what that is worth]

Does anyone think I am wrong about this?  If so, tell me why an employer can ask for private information that is likely to disclose a whole range of information that the Human Rights Code prohibits an employer from asking about?  Am I missing something obvious here?

Socialize

16 Responses to Can an Employer ask a Job Applicant for their Facebook Password?

  1. Gerrit Reply

    March 21, 2012 at 12:00 am

    So, extrapolate, is it illegal for employers in Canada to check Facebook pages of prospective employees? Or even Google them?

    • Doorey Reply

      March 21, 2012 at 8:33 am

      Gerrit, thanks for the comment. The Human Rights Code regulates questions asked by employers on job application forms and in job interviews. So it clearly captures a question by an employer asking for secret passwords to access information they have no legal right to access. I doubt that the Code reaches as far as preventing an employer from looking at publicly available information that an applicant has chosen to offer the world. A new law would be needed to prohibit employers from ‘googling’ candidates, along the lines of what the Germans are considering.

  2. Chris Davidson Reply

    March 21, 2012 at 12:24 pm

    The Privacy angle:
    The BC Privacy Commissioner found that the NDP contravened privacy legislation in that province when it asked NDP candidates for their facebook passwords in order to ‘vet’ them:
    “The investigation concluded that the BC NDP collected a large amount of personal information, including information that may be outdated, irrelevant or inaccurate. It also concluded that the BC NDP collected personal information from third parties that it did not have consent to collect.”
    http://www.oipc.bc.ca/Mediation_Cases/pdfs/2011/P11-01-MS.pdf
    Now we don’t have privacy legislation in Ontario, but the new Tort for intrusion upon seclusion might offer some help in the following way. The BC Privacy Commissioner found that asking for Facebook passwords violated privacy legislation, in part, beacause it allowed the NDP access to the information of third parties (e.g. the candidate’s facebook friends) who had not consented to their information being disclosed to the NDP.
    Applying that to Ontario’s tort:
    There’s intentional intrusion upon the seclusion of another’s private affairs (the facebook profile of a the friend)
    And I would argue that it would be highly offensive to those third party facebook friends who set their privacy expecting that only friends could see the details of their private lives. (Also note a facebook password would provide access to private correspondence – private messages between the individual and facebook friends)
    A potential employee wouldn’t be able to sue, but the employee’s facebook friends might be able to sue if they heard about it.)

    • Doorey Reply

      March 21, 2012 at 12:30 pm

      Thanks Chris. I agree that there may also be privacy law issues raised by this scenario, though what they are is much more uncertain than the human rights approach, in my view. You may be right about the application of the new tort, though the civil litigation route created by the tort won’t likely help many job applicants, as you note. The clearest way to deal with this issue would be to prohibit businesses from requesting private passwords from employees or potential employees. Difficult to imagine any politicians, from any of the parties, rallying against such a law. If I was the provincial NDP, I’d be drafting a private members’ bill right now.

  3. David Camfield Reply

    March 21, 2012 at 12:59 pm

    Interesting post, David.

    I think such inquiries are also illegal in Manitoba because of this clause in the HRC:

    http://web2.gov.mb.ca/laws/statutes/ccsm/h175e.php#14%284%29

  4. Ryan E Reply

    March 21, 2012 at 3:25 pm

    Slightly disagree… I think it’s not prima facie illegal under 23(2) for an employer to ask for Facebook credentials, but if the candidate is unsuccessful, I think it raises some very strong presumptions that will be difficult to rebut.

    • Doorey Reply

      March 21, 2012 at 4:01 pm

      Thanks Ryan. So your approach would be to permit the employer to demand to see all of the information they are not entitled to ask about (family status, age, marital status, sexual orientation), and then require the employee to ‘prove’ that the employer didn’t rely on any of it in their hiring decision? The employer would say, “yes, I saw on his Facebook page that Joe was gay, single, and Jewish, but I didn’t consider any of that information in my hiring decision.” Then Joe would have to “prove” that the employer did consider that information. How would Joe do that? Given that the Code is to be interpreted broadly and purposively, isn’t a better interpretation that the employer just shouldn’t ask for access to the private source of information about the prohibited grounds in the first place? That’s why the Code doesn’t allow the employer to ask about prohibited grounds directly in the interview or on the application. It’s irrelevant, and extremely difficult for an employee to disprove an employer assertion that the information wasn’t relied upon. I’d be shocked if the Tribunal took that narrow approach to section 23 you suggest. Then again, I’ve been wrong once or twice before. D

  5. Ryan E Reply

    March 21, 2012 at 5:16 pm

    I don’t know if that’s what would happen, but the Tribunal’s entire jurisdiction exists by virtue of the Code; so if the Code is not engaged, the Tribunal can’t remedy a wrong.

    In that way, if it was a prima facie violation of the Code for an employer to request login credentials, then there would be a violation of the Code even if there was zero information about protected characteristics on the user’s page (an unlikely event, but still possible). That can’t be correct, however, since no protected characteristic has been engaged. In this hypothetical, there’d merely be a blank page with fields that haven’t been populated.

    In my view, s. 23(2) is designed to protect situations where asking where someone went to high school could reveal that they were born in another country. While this situation is similar, I stress that I don’t think it’s a _prima facie Code violation_ to merely make a request.

    Now it’s a whole different matter if the person refuses and suffers adverse consequences…

  6. Dennis Buchanan Reply

    March 22, 2012 at 11:51 am

    Interesting discussion.

    As a side note, creating a second profile is a violation of Facebook’s terms of use, but so is giving up your password…it’s a relatively small concern in the scheme of things.

    I think that the s.23 argument is pretty tenuous. I fully agree with you that it’s akin to asking someone for the key to their diary in many ways, and while it’s possible that a diary could contain information which an employer is not entitled to ask for and which is not publicly available (most people don’t protect their Code-related information on Facebook), I doubt that would be sufficient to put it within the framework of s.23.

    Again, I think it comes down to a disagreement about the breadth of the provision. From a s.23 perspective, I don’t think this is substantively different from asking someone what school they went to. (Yes, it could reveal Code-related information. So could asking somebody their work experience. Or asking somebody why they didn’t do well in a particular course. Or asking somebody their name.) But this goes a step further: You’re arguing that ‘what the employer does with it’ doesn’t (or at least, shouldn’t) matter to the Code analysis. Unless someone’s password is “iamachristian”, neither the question nor the answer to the question even touches on Code grounds.

    Particularly consider this: If I asked a candidate for a password solely to gauge the candidate’s response, as a way of excluding candidates so desperate as to actually provide it, and never checked anyone’s Facebook account, I would never have received any Code-related information through my inquiry.

    Don’t get me wrong: It’s inappropriate to require someone’s password, and not only would I not give up my password (and I’ve never been particularly paranoid about my personal privacy), but I would need to be pretty desperate for a job before I would consider working for someone who thought so little of his/her employees’ privacy. But as much as it says about the employer, I don’t think it’s unlawful to ask.

    As for Chris’ point about common law privacy rights…I’d have a hard time fitting this into a tortious framework – I take Chris as rightly acknowledging that the employee’s consent is likely to be fatal to a claim by the employee him/herself for intrusion upon seclusion…but it would be a fairly rare case where a third party could be liable for invasion of privacy simply by *receiving* confidential correspondence by one of the participants in that correspondence. Specifically, if there’s something that can be accessed which meets the high threshold from Tsige to engage common law privacy rights, I think it’s far more likely that the employee would be liable for “disclosure of embarrassing private facts”, rather than the employer being liable for looking at information made accessible to it by the employee.

    Which makes sense. If I’ve received confidential information from my friends, it is incumbent upon *me* to protect that information.

    Actually, Chris, if you’re right about that, then it would have the impact of making all monitoring of employee workstations quite risky. If you access Facebook on your work computer, then your friends can sue your employer for monitoring your activities on your work computer in accordance with workplace policies? Doesn’t sound right to me.

    • Doorey Reply

      March 22, 2012 at 2:40 pm

      Thanks Dennis, I think it is clear from this comment and earlier comments that you and I have a different understanding of the purpose of section 23 and its scope. Mine is much more purposive than yours. To me, asking for the password to a diary that is almost certainly going to demonstrate information about any number of prohibited grounds is that same thing as asking any other question that is likely to put into the hands of the employer in an indirect manner information that the Code doesn’t want the employer to have. To interpret that section otherwise is to give it a narrow reading, and human rights legislation is to be given a very broad interpretation keeping in mind the intention to protect vulnerable employees and the purpose of s. 23 in particular, which is to keep information about prohibited grounds out of an employer’s hands. But perhaps we can just agree to disagree on this point. Maybe this particular issue will be litigated.

  7. Cathie Reply

    March 22, 2012 at 12:41 pm

    The reason US employer can do this and fb will shut down the acct if they do this btw, is because sadly US Supreme Court ruled drug testing and the like was a choice via a choice to take a job. Now, the bad news even if you have privacy setting set high, there are social media aggegrators who hunt the web for your name. I checked mine out and found things about me when have restricted who and what sees me on Facebook. I want laws to stop this kind of data mining.

  8. Andres Reply

    March 22, 2012 at 3:10 pm

    I think the most sensible way for this issue to be dealt with is to incorporate it into Employment Standards legislation, thereby removing the problem from the sphere of either Privacy Commissioners or Human Rights Tribunals and placing it with a body better equipped to follow-up and ensure compliance. It would be a simple matter of each Province making an amendment which prohibits employers from requesting that employees provide access to any form of social media. This would create the hiccup of the government having to catch up to the times and add “social media” to the list of definitions in the statute but that’s not such an insurmountable problem. It would also create a remedy in any jurisdiction that has retaliation provisions in their legislation.

    I don’t dream that this would create across the board compliance but it would certainly stop a significant number of inquiries. It also creates an easier avenue for obtaining compliance – rather than have an individual file a Human Rights complaint and proceed through the litigation model they can have a compliance agency conduct an investigation into the matter and educate employers.

  9. Chris Davidson Reply

    March 30, 2012 at 12:28 pm

    Dennis,
    1st, I do acknowledge that if the employee gave over the password, the employee would have no claim for intrusion upon seculsion.
    BUT as for third parties, Jones v. Tsige specifically deals with a situation in which the information was merely “received.” The defendant didn’t do anything with the plaintiff’s information. She just accessed it. The tort is simply “intrusion upon seculsion” not “use of information gained from intrusion upon seclusion.” In fact, if you look at the US scholarship and law from which the ONCA derived the tort of intrusion upon seclusion, you will see that intrusion upon seclusion IS clearly made out by simply receiving information. See for example: http://cyber.law.harvard.edu/privacy/Privacy_R2d_Torts_Sections.htm
    I also note at para. 72 of Jones v. Tsige intrusions upon private correspondence are specifically mentioned as highly offensive intrusions upon privacy.
    I was happy to see that the Ontario Information and Privacy Commissioner’s Director of Legal Services publicly took a position similar to mine (i.e. that an employer may be liable under the new tort of intrusion upon seclusion if it uses a facebook password obtained from an employee). See http://tinyurl.com/7fys8tz
    It is interesting, though, that you point out it may be the person giving up the password who would be liable. I’m not sure that’s right. But, if it were, then what are the implications of an employer asking an employee or potential employee to commit a tort?
    The US Restatement (Second) of Torts section 877(a) provides for liability for inducing another person to commit a tort: “For harm resulting to a third person from the tortious conduct of another, one is subject to liability if he (a) orders or induces the conduct, if he knows or should know of circumstances that would make the conduct tortious if it were his own . . . .”

  10. Mike Reply

    April 19, 2012 at 2:16 pm

    Hold on, ‘cuz now I’m getting a little confused and I’m thinking of a few different points I’d like to share:

    1) Police services probably have more of an interest than most employers in the reputation of their applicants. If, for example, an applicant’s facebook account discloses that they engage in criminal activity (drugs, vandalism, hatespeech etc.) that would be quite relevant to the Employer and would at least ground an argument for BFOR. Then again, why not a daycare worker? Teacher? Babysitter? Security guard? Or even (GASP) lawyer!?

    2) What if the employer does not want an applicant’s username and password for their unfettered access to the Facebook account? Let’s say the employer wants an applicant to log on to Facebook, and let the employer watch as the applicant navigates their account, various pages, friends pages, photos, etc. The employer isn’t asking for username and password, and can’t retain that information in perpetuity for continued access. Does that make it ok?

    3) I suspect the answer to my question 2) would be no, at least according to the OHRC and the gist of this blog entry, Professor. The problem is apparently the information posted on a facebook account that would possibly run afoul of the Code, such as religion, marital status, ethnicity, age, disability, etc, right? So by that reasoning should not an employer also run afoul of the Code simply by browsing the applicant’s public facebook profile (if there is one)? Assuming the applicant’s profile is public, at least in part, isn’t there an assumption that absolutely anyone has unfettered access to that public information?

    4) I would exercise a great deal of caution before counselling a job applicant to create a dummy facebook account or claim not to have one. An employer who finds out their successful applicant was dishonest at the application stage would be none-too-pleased, and might be rash enough to terminate. Then you have all sorts of additional wrongful dismissal issues!

    5) The Commission indicates that an employer runs afoul of the Code at the recruitment or application stage by requiring applicants to disclose certain code-relevant information. General advice is for an employer to offer employment, but make it conditional on a background check, for example. Does that mean an employer could therefore offer employment, conditional on a satisfactory facebook account after the fact and in the proper circumstances? Facebook snooping seems far less intrusive than even a legitimate background check.

    • Doorey Reply

      April 19, 2012 at 9:05 pm

      HI Mike. Of course, we won’t know for sure what the answers are to your questions until they are litigated. Perhaps a Canadian government will jump on public sentiment that this is wrong, and pass a law similar to the Maryland law I cited on the blog. If I were the NDP, for example, I’d be all over this with a private members’ bill. I’m not sure why it would matter if the employee signs in and allows the employer to navigate through the private facebook page, learning that I am married with two kids, Jewish, and Polish, or whether they look up that information on their own latter. If the law prohibits the employer from accessing private websites of applicants, then it would prohibit employers from asking for access. Re your question #3, the Code doesn’t prohibit an employer form looking at publicly available information about a candidate, it only prohibits employers from asking for that information. Section 23 deals with questions asked in an application form or interview. If an applicant is stupid enough to announce that they are drug users or vandals on a publicly available website, the Human Rights Code doesn’t protect them from discrimination. Of course, if the employer relies on information about a prohbited ground found on a public website, then Section 5 of the Code would still apply. You are probably right that an employer might fire someone who does not disclose all of their facebook pages when asked. Then again, the employer probably shouldn’t be asking for that information anyhow, so it would remain to be seen whether refusing to disclose information that an employer is not entitled to ask about is cause for dismissal. Re Q5, you are probably correct (in my opinion) that the employer could ask for a facebook password after the person has been hired. Provided they do not discriminate against the employee on a prohibited ground based on information they acquire there, I can’t see how doing that would violate the Code, since section 23 no longer applies to the employment relationship–it only governs the recruitment process. Of course, the employee would presumably have time to clean up their facebook page by then, unless the employer blindsides a new employee with a demand for the password without telling them this would be a condition of hiring. That would create a nice trusting relationship.

      Amazingly, employers survived for centuries without having access to applicants or employees personal lives outside of the workplace, so I’m at a loss as to why suddenly employers would feel the need to demand this information, to be honest. It’s going to piss off the worker and get the employment relationship off to a shakey and distrustworthy start, don’t you think? And my HRM colleagues are always telling me that building the employees’ trust is essential to a productive and healthy work environment. Every single worker/student I have spoken to about this issue says that they think there should be a line between personal and work life, and that demanding passwords to private accounts crosses that line. Only (some) HR people and (some) employer-side lawyers appear to think otherwise. But that’s just my two cents. Cheers, D

  11. John T. Nicholson Reply

    January 3, 2013 at 11:12 pm

    This was a great read as Facebook litigation and issues of law will only increase with the increase of social media popularity. I think you have a reasonable theory as well. I am trying to find similar arguments to make with respect to ALJ review of claimants FB pages here in the US. I discuss the problem here: http://www.johntnicholson.com/ohiolawblog/social-security-ssdssi/will-my-social-security-disability-judge-alj-look-at-my-facebook-account/

    And although not exactly an agency issue many of the policy arguments that you make would also apply in the US admin law arena.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>