Northern Exposure

When Employee Privacy and Social Media Collide

By Lyne Duhaime

An IBM employee from Quebec made headlines last month when her disability benefits were cut off by the insurance company after it saw pictures of her on Facebook. Despite being off work for depression, the employee had posted photos of herself on vacation at the beach and at a Chippendale’s show. When IBM’s disability carrier saw the photos on Facebook, it cut off her disability benefits. In its view, the employee no longer appeared to be disabled within the meaning of the insurance contract.

This case raises interesting privacy issues. Are photos posted on a social media website personal information? Are employers, disability carriers, and other organizations prohibited from using such information? If not prohibited, are there limitations? Put simply, are employers (or, in this case, insurers) able to use the Internet to collect information about their current or future employees?

The answer varies across Canada.

Thanks to the growing popularity of online social networking sites like Facebook, MySpace, and Twitter, many people have virtual profiles containing a wide range of personal information that can now be accessed easily. But in addition to these “intentionally created” profiles, one can’t ignore the “unintentional” profile of a person comprised of the entirety of personal information available on the Internet.

Such personal information may come from disparate sources. In many cases, it’s available without the participation of the person concerned. Examples include a name on a petition, contact information from online directories, comments left on other people’s blogs, names of donors to a particular cause, captions on high school reunion photos, etc.

Given the sensitivity of the content and source of such information, some provinces have restricted an employer’s right to collect and use it. Jurisdictions that have strict privacy legislation such as Quebec have significantly limited an employer’s right to use personal information published on a social networking website. In these jurisdictions, organizations:

  • are not allowed to collect personal information about an individual without having a serious and legitimate reason to do so;
  • may only collect this information directly from the person concerned unless this person or the law authorizes its collection from outside sources;
  • may gather only the information that’s relevant to the stated objective of the record;
  • must inform the concerned individual of:
    • the object of the record;
    • the use that will be made of the information; and
    • the categories of persons who will have access to the information within the enterprise; and
  • are responsible for ensuring that any record held on another person is accurate – not always an easy task when dealing with information from the Internet.

So how does IBM’s insurer get around these rules in Quebec? The answer is in the consent. The insurer should have obtained the employee’s consent for the collection of personal information relating to her disability claim from a wide variety of sources. The same would be the case for an employer with a self-insured policy. The employer would want the employee to sign a consent at the time she made her application for sick leave or disability benefits.

Because consents can be declared invalid if they are overly broad, it’s important for employers to obtain appropriate consents at various times of the employment relationship.

And a consent may not be the complete answer. Even with a valid consent, the information that is collected must be necessary for the purpose of the file. That’s necessary – not just relevant.

What about the other provinces – those with less strict privacy legislation or where privacy legislation doesn’t apply to the employment relationship? Well, subject to limits in a collective agreement, for example, those employers have more flexibility to search and rely on information publicly available on the Internet. For those employers, we suggest establishing a policy in which you warn employees that the employer may monitor the Internet and make use of any information it learns about them.

One common area across Canada is when employees publish inappropriate information about their employer on the Internet. In these cases, employers can take action against the employee, notwithstanding no appropriate consent, on the basis that the employee has breached the duty of loyalty to its employer.

As more and more people become computer savvy, the implementation of these principles in today’s virtual world will undoubtedly become more and more difficult.

Contact the author, Lyne Duhaime