Recent guidelines from the European advisory body on data protection and privacy — known as the Article 29 Working Party — may have serious implications for employers who monitor the social media of their staff.
Considering that there are more than 1.87bn Facebook profiles, it is easy to see why — according to a survey conducted by US recruitment company CareerBuilder — up to 70% of employers check the social media profiles of job applicants as part of the recruitment process.
While the employers may argue that they are only accessing information that is already in the public domain, the Article 29 Working Party — which includes representatives from all EU member state data protection commissioners’ offices — see this as an invasion of the privacy of the job applicant.
It is easy to see why an employer would be eager to find out as much as possible about an applicant.
However, as per the guidelines, employers need a ‘legal ground’ for accessing the applicant’s social media profile and using that information as part of the recruitment decision.
The legal grounds that can be used are in section 2A (1) of the Data Protection Act 1988 as amended by the Data Protection Act 2003.
Of the grounds mentioned, the recent guidelines have focussed in particular on the ‘legitimate interest’ ground.
This being where the reason given by the employer for scanning the social media of a job applicant is that they have a ‘legitimate interest’ in finding out as much as possible about the applicant; in case there is evidence of a personality trait that would make them unsuitable for the job.
However, from now on, an employer will have to be looking for something specific when accessing the applicant’s social media; broad ‘fishing expeditions’ are no longer allowed.
The employer will need to be able to show that the reason for accessing the social media was to search for specific information, which would have a significant impact on the recruitment decision.
If an employer comes across information they weren’t specifically looking for, then that information should be ignored.
The effectiveness of this protection in the real world is hard to predict as the more unscrupulous employers would be unlikely to willingly admit they used information they shouldn’t have acquired.
Nevertheless, it may make employers think twice before automatically ‘googling’ the applicant.
In dealing with employers monitoring the social media of current employees, the guidelines specifically prohibit the idea of the employer making a ‘friend request’ to the employee.
In noting the imbalance of power between the employer and employee, the Article 29 Working Party felt that an employee’s consent to allowing the employer access their social media would only be of value where the employee could withdraw that consent and not fear any consequences.
Emphasis is also placed on cases from the European Court of Human Rights, which suggest that, unless specifically told otherwise, an employee can have a reasonable expectation of privacy at work.
So the question becomes, when can that reasonable expectation of privacy be overridden by the employer? Although not specifically listed, the guidelines can be interpreted to mean that there are three criteria that an employer must satisfy before they can access the social media of an employee: They must be looking for specific information and have a real, identifiable, need for that specific information; the level of access to the social media of the employee should be proportionate to the need of the employer; there must be no other way of finding out the specific information.
When these criteria are combined, they make it much more difficult for an employer to justify regular monitoring of an employee’s social media.
However, they do allow for an employer to check the social media of an employee in some situations; such as where it has come to the attention of the employer (through another means) that the employee’s social media contains confidential company information or comments that are derogatory to the employer or some named individuals.
In these situations, the employer may have sufficient cause to access the social media as an evidence gathering exercise.
However, the employer is still limited to accessing the social media for the specific purpose of gathering evidence of the alleged misbehaviour and can only act upon information related to that misbehaviour.
All in all, the guidelines seem to be redrawing the boundaries between the personal information of an employee and the information that an employer has the right to know.
It would seem that the days when an employer could ‘shoulder surf’ an employee to see what they had posted on social media, or gain access to profiles through demanding log in details or ‘friend’ status, are rapidly coming to an end.