Q: I like to Google job applicants before I bring them in for an interview so that I can learn more about them. Most candidates now have a Facebook page and a Twitter account too. Can I ask for their login information to these sites as part of my hiring process?”
A: No – at least not in this scenario. Michigan recently passed the Internet Privacy Protection Act (IPPA) which prohibits employers from requesting that an employee or applicant grant access to, allow observation of, or disclose information that allows access to ‘personal internet accounts’ like Facebook, Twitter, Gmail, etc. IPPA also states that an employer may not discharge, discipline, fail to hire or otherwise penalize an employee or applicant for declining such requests.
While IPPA protects the privacy of login information for personal internet accounts, it does not restrict an employer’s ability to view, access, or utilize information about an employee or applicant that is available in the public domain or can be obtained without any required access information. However, I caution you against researching an applicant’s social media history. The more you know about a person beyond their job qualifications, the more you open yourself up to potential claims of discrimination – especially prior to hire. Did you see pictures of the applicants on Facebook and make judgments about their race, age, sex (or any other protected classification)? Maybe not, but you might have a hard time proving it in a court of law if an unselected applicant cries ‘foul!’
So, asking for a candidate’s login information prior to hire is no longer legal in Michigan (unless required under federal law or by a self-regulatory agency), but what about once they are employed with you? Are there any situations in which an employer is allowed to request or require an employee to disclose access information to their personal internet accounts? The answer is yes. IPPA has noted several exceptions that allow an employer to:
- Request access information from employees in order to operate electronic communication devices that are paid for, in whole or in part, by the employer.
- Request login information to access an account or service provided by the employer or used for the employer’s business purposes; ie: the practice’s Facebook page, website, or other company-owned accounts.
- Request that employees grant access to their personal internet accounts in cooperation with an investigation into work-related employee misconduct or suspected noncompliance with applicable laws and regulatory requirements. This is also true if an employer suspects that an employee is transferring proprietary, confidential or financial information to their own personal account without prior authorization.
Employees who fail to comply with permitted requests are not protected under IPPA and can be subject to disciplinary measures including termination.
IPPA has not changed an employer’s right to restrict or prohibit an employee’s access to certain websites while on company time, while using electronic devices paid for by the practice, or while using an employer’s network or resources. Employers also retain the right to monitor, review, or access electronic data that is stored on devices the practice paid for. This includes any data that is traveling through or stored on the employer’s network. (Note: It is important that your employees are informed of the employer rights outlined above and that they have no expectation of privacy as a result. Many dental practices communicate this policy in their handbook.)
The passage of IPPA does not put employers on the hook to monitor activity on the personal internet accounts of their employees or applicants, nor does it hold an employer liable for failing to request access information to these accounts in situations where it is allowed. The important message in all of this is to think twice before asking for login information to personal internet accounts that don’t belong to you or your practice. You know what they say about curiosity and the cat!