16 décembre 2011

Alberta: réseaux sociaux et contrôle pré-embauche

L'Office of the Information and Privacy Commissioner de l'Alberta vient de publier des lignes directrices destinées aux entreprises qui utilisent les réseaux sociaux pour réaliser des contrôles pré-embauche.  
"The Office of the Information and Privacy Commissioner of Alberta has released guidelines on the use of social media for conducting background checks on individuals. The guidelines are designed to ensure that organizations are aware of their responsibilities under the Personal Information Protection Act (PIPA) when collecting personal information via social media. 
The guidelines provide practical advice to organizations on how much information can or should be collected through social media when performing a background check and highlight that it may be challenging for organizations to meet the “reasonable” requirement in PIPA when collecting personal information through social media. The guidelines also point out the hazards associated with using social media to conduct a background check including the inadvertent collection of third party information and the inability to determine the accuracy of information. 
The bottom line for the guidelines is to remind organizations that they must not use social media to perform background checks if doing so would result in non-compliance with PIPA."
(Source: OIPC Alberta, News Release, December 15, 2011) 
Ainsi, il revient aux entreprises de répondre à la question "is a social media background check reasonale ?". En effet, l'OIPC rappelle que 
"prior to using social media background checks to collect personal information, an organization must understand its business purpose for doing so, and consider the reasonableness of doing such a check. Under PIPA, an organization must be able to establish that use of social media to collect personal information or personal employee information is reasonable for the purposes of collection. Organizations need to consider what a social media background check will provide that cannot be garnered from traditional means such as reference checks and interviews".
(Source: OIPC Alberta, Guidelines, p. 2)
Elles doivent alors se demander si 1) "are you collecting irrelevant and too much personal information ?" (p. 3);  2) "are you collecting third-party personal information ?" (p. 3); 3) "are you over-relying consent ?" (p. 4) et; 4) "are you collecting accurate information ?" (p. 4).

Pour les aider, l'OIPC dresse une liste de ce qu'il faut considérer et de ce qu'il faut éviter
What to consider (Guidelines, p. 5)
1. Determine what the business purpose is for performing a social media background check. Do you reasonably require personal information that cannot be obtained through traditional means such as interviews or reference checks? 
2. Recognize that any information that is collected about an individual is personal information or personal employee information and is subject to privacy laws.
3. Consider the risks of using social media to perform a background check. Conduct a privacy impact assessment to assess the risks. When conducting this assessment, organizations should:  
a. find out what privacy law applies and review it, ensuring that there is authority to collect and use personal information; 
b. determine whether the identified purposes for the collection and use of personal information are authorized; 
c. consider and assess other reasonable measures that achieve the same purpose; 
d. identify the types and amounts of personal information likely to be collected in the course of a social media background check, including collateral personal information about the individual and others that may be inadvertently collected as a result of the social media background check; 
e. identify the risks of non-compliance with PIPA associated with the collection and use of this personal information, including risks associated with the collection of third party personal information and actions taken based on inaccurate information; 
f. ensure that the appropriate policies, procedures and controls are in place to address the risks related to the collection, use, disclosure, retention, accuracy and protection of personal information using social media;
g. determine if the collection is authorized and obtain any necessary consents, and for current employees notify the individual that you will be performing a social media background check and tell the individual what you will be checking and what the legal authority is for collecting the personal information; and 
h. be prepared, upon receipt of a request for access, to provide access to the information you collected and used to make a decision about an employee or volunteer.  
What to avoid (Guidelines, p. 6)
1. Do not wait until after you conduct a social media background check to evaluate compliance with privacy legislation; 
2. Do not assume in advance that a social media background check will only retrieve information about one individual and not about multiple individuals; 
3. Do not perform a social media background check from a person account in an attempt to avoid privacy laws; 
4. Do not attempt to avoid privacy obligation by contracting a third party to carry out background checks; and
5. Do not perform a social media backgroud check thinking that an individual will not find ou about it. For example, an individual can use web analytics to determine what IP address accessed the individual's personal information.

Pour plus de détails, 

Aucun commentaire:

Enregistrer un commentaire

Remarque : Seul un membre de ce blog est autorisé à enregistrer un commentaire.