Financial advisors using social media or Internet search websites to conduct background checks on job candidates or clients could be violating privacy laws. However, the privacy commissioners’ offices in British Columbia and Alberta recently released guidelines on this issue for businesses in their provinces.
Guidelines for Social Media Background Checks were released in October 2011 in both B.C. and Alberta in December 2011. Legislation in the two provinces is virtually identical, and the guidelines are meant to help business owners avoid violating these provinces’ respective Personal Information Protection Act.
Under those acts, employers who conduct background checks on potential employees using social media or search engines such as Google may be violating the individual’s privacy rights. The guidelines describe social media as including social networking websites, blogs, micro-blogging and file-sharing websites. The legislation also covers searches of potential or current clients and team members through social media sites.
“If [advisors] are doing research for business purposes, PIPA would apply,” says Caitlin Lemiski, a policy analyst with the Office of the Information and Privacy Commissioner for British Columbia in Victoria. “So, they have to be really careful about the kind of information they collect.”
According to B.C.’s guidelines, a background check ranges from simply checking a person’s Facebook page to hiring a third party to conduct a thorough search. Whether you are conducting these business-related searches from an office computer, home laptop, tablet or smartphone is irrelevant, says Lemiski.
PIPA covers financial advisors working in credit unions, those working at international firms operating in the province that do not have a federal undertaking and insurance advisors who work exclusively within that province.
Currently, only B.C., Alberta and Quebec have their own provincial privacy legislation. In provinces without their own privacy legislation, advisors are covered by federal privacy legislation, the Personal Information Protection and Electronic Documents Act. That means whether you are working at a large brokerage firm, with a mutual fund dealer or sell insurance, you are subject to some form of privacy law. PIPEDA was enacted in 2000 and stipulates that any province can pass its own privacy legislation, so long as it is “substantially similar” to the federal legislation.
The Office of the Privacy Commissioner of Canada provides more general information on how to stay onside with privacy laws through such documents as Your Privacy Responsibilities, a.k.a. the OPC guidelines.
The first thing you may want to do before conducting any kind of social media search, says Lemiski, is find out which legislative act specifically applies to you. But, in any case, as privacy rules are substantially similar across Canada, the new, more specific guidelines released by B.C. and Alberta will be useful to any advisor in Canada as a guide to remaining compliant with privacy laws in general.
To avoid breaking privacy laws, B.C.’s guidelines suggest that you review all applicable privacy laws, create a privacy policy, assess the impact of conducting a search, know the purpose of a search, notify the subject of a background check and be prepared to show the information you have collected to the proper authorities.
It is important to note that you do not have to keep copies of the information to violate privacy laws, says Lemiski. Even looking at information on social media is considered invasive. The guidelines also recommend using less intrusive measures to conduct a background search.
Information that is safe to collect during an online background check includes: information from an online telephone directory, newspapers or court records.
The guidelines also offer points to avoid, such as waiting until after you’ve conducted a search to find out whether it was legal or not and never assuming that an individual will never find out that you have performed a search that violates privacy laws.
Alberta’s privacy acts were enacted in 2004. Quebec has had a privacy law since 1994. Currently, Ontario has provincial privacy legislation for the health sector (the Personal Health Information Protection Act) but does not have anything covering the private sector. If such legislation were passed in the future, however, the province’s privacy commissioner would welcome it.
Ann Cavoukian, information and privacy commissioner of Ontario, writes in an email: “Until Ontario enacts ‘substantially similar’ legislation, the handling of personal information in the commercial context is regulated under federal legislation. We would welcome the enactment of provincial private-sector privacy legislation.”
Both provincial and federal legislation is enforced by their respective privacy commissioner’s offices. In each case, the office will investigate complaints made by an individual or will open an investigation if the office suspects someone has violated the law.
The initial response of the privacy commissioner is to find a solution for the dispute, not to mete out punishment for the offender. “Our first step, almost always, is to talk to the [organization],” says Lemiski, “let it know that someone has made a complaint and then try to find a way to make it better.”
If the offender refuses to take action, the commissioner’s office can issue an order to comply. If the offender continues to refuse, the commissioners’ office can take the offender to court. IE