Can your employer ask for passwords to your social media accounts?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations. The Act sets out the ground rules for how companies must handle personal information in the course of their business operations, including human resources.
Subsection 5(3) of PIPEDA reads, “An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.”
The section governs how businesses and employers can collect, use or disclose the personal information of their customers, employees and prospective employees. In order to comply with s. 5(3), even with consent, an organization must show that its purposes for collecting, using or disclosing personal information are ones that a reasonable person would consider appropriate in the circumstances.
An important consequence of subsection 5(3) is that it prohibits requiring passwords to the social media accounts of job applicants, as well as of employees of federal works, undertakings or businesses (federally regulated employers such as banks, airlines, and telecommunications companies), for the purpose of employee screening.
Employees and prospective employees are not often in a position of power when looking for work or negotiating the terms of their work. Employers are prohibited from taking advantage of this unequal bargaining power to require that employees and prospective employees grant access to their private social media accounts, which may contain highly sensitive personal information that is, moreover, irrelevant to the employer’s business or unnecessary for the employer’s business purposes.
The Office of the Privacy Commissioner of Canada (the Commissioner) is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada and enforces PIPEDA. The Commissioner started to apply their guide for obtaining meaningful consent on January 1, 2019.
 The Office of the Privacy Commissioner of Canada, Guidelines for obtaining meaningful consent, online: https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/#fn21
 The Office of the Privacy Commissioner of Canada, Guidance on inappropriate data practices, online: https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gd_53_201805/