An increasing number of South Africans are conducting both their personal and professional lives online. As a result, it has become increasingly popular for employers to screen the online social media activity of job applicants. Both job applicants and employers should exercise caution in this regard – applicants wishing to put their best foot forward and create a favourable impression should be vigilant of their web persona and employers who want to make the correct employment decisions must be cautious when obtaining and using an applicant’s social media information.
Through social media, employers can source additional information about job applicants beyond their written applications, interviews, references, credit checks or other pre-employment screening. This empowers an employer to make informed commercial and employment decisions.
These searches can determine whether a job applicant is being truthful, is a suitable fit for the company, is a potential reputational risk to the company, or is a potential threat to the safe working environment, which the employer has a duty to safeguard.
On the contrary, pre-employment social media screening could pose a legitimate threat to the right of privacy of a job applicant and could give rise to liability in terms of South African law. Such screening can also influence an employer’s decision to not employ an applicant, which could amount to unfair discrimination in terms of the Employment Equity Act No. 55 of 1998 (“EEA”). In practice, however, it will be difficult for a job applicant to prove that they were not employed on the basis of information obtained from social media.
Pre-employment social media screening creates a situation where a job applicant may be held accountable for how they spend their free time outside of the workspace. This may create an inaccurate reflection of the applicant’s work ethic, which could lead to a company foregoing a good candidate on the basis of something completely independent to his/her capabilities and qualifications. Information derived from such screening is often placed out of context, which is problematic as information can be misconstrued to the disadvantage of the applicant. More so, when one considers that many applicants will not be given the opportunity to place the information in context. In many instances, applicants are not even aware that their social media profiles have been scrutinised by a prospective employer. The implementation of the Protection of Personal Information Act No. 4 of 2013 (hereinafter referred to as “POPIA”) will change this.
A job applicant’s social media information can be accessed by a prospective employer relatively easily if the information has been shared publicly. This can occur without the job applicant’s knowledge as information that is shared publicly can be seen by anyone – this includes a person who is not a ‘friend’ or a ‘follower’ and even a person searching for an applicant’s name through search engines, such as Google.
Any social media user can edit their privacy settings to suit their desired privacy restrictions. The extent to which an account holder applies privacy settings has a bearing on his or her right to privacy. This was reflected in two CCMA cases dealing with the right to privacy on social media, namely Sedick and Another v Krisray (Pty) Ltd (2011) 32 ILJ 752 (CCMA) and Fredericks v Jo Barkett Fashion (2012) 1 BALR 28 (CCMA), albeit both cases deal with existing employment relationships as opposed to a prospective one.
In these cases, the CCMA considered whether the interception of an employee’s social media profile by their employer was an infringement of their right to privacy. The CCMA applied Section 4 (1) of the Regulation of Interception of Communications and Provision of Communication Related Information Act No. 70 of 2002 ( “RICA”) in coming to its conclusion. Section 4 (1) provides that any person may intercept a communication if they are party to the communication. The CCMA found that the employers did not infringe this right because the employees had shared information publicly by not restricting their Facebook privacy settings, and thus, any person using the internet had access to such information and therefore qualified as a party to the communications for the purposes of RICA.
We disagree with the interpretation and application of RICA in these rulings (clarification in this regard is provided at the end of this article), however, we do agree that the extent to which an individual has applied privacy settings to their social media profile has a bearing on their right to privacy. In this regard, job applicants should review their privacy settings to restrict content from being scrutinised by prospective employers. Bearing in mind, that some information remains inherently public and cannot be altered through privacy settings, for example, on Facebook, this includes their name, profile picture, cover photo, gender, networks, username and their user ID.
POPIA will have a vast effect on employers who wish to utilise social media to screen job applicants. Only those sections relating to the office of the Information Regulator and the Regulations are currently in effect. The remaining provisions of POPIA will come into effect on a date to be determined by the President, at this juncture, it is unclear as to when this will be. Once POPIA is in full force and effect, employers will be required to comply in terms thereof. Compliance with POPIA will afford greater transparency and protection to job applicants.
POPIA safeguards personal information against unlawful collection, retention, dissemination, modification and usage (collectively referred to as “processing”) by a responsible party. A responsible party is defined as ‘any public or private body or any other person which, unaided or in combination with others, regulates the purpose of and means for processing personal information’. In this particular context, the responsible party is the prospective employer.
Personal information is information that relates to any identifiable living person (known as the “data subject” and in this particular context, the job applicant), which includes but is not limited to the following; name, identity number, email address, physical address, religious affiliation, educational history, sexual orientation, online identifiers (such as a social media handle), the location of a person (which may be derived from location services), personal views, opinions or preferences. This information is readily found on social media.
In terms of POPIA, the processing of personal information is only lawful if it complies with the following eight conditions: Accountability (section 8), processing limitation (sections 9 – 12), purpose specification (sections 13 – 14), further processing limitation (section 15), information quality (section 16), openness (sections 17 – 18), security safeguards (sections 19 – 22) and data subject participation (sections 23 – 25).
Other than a few limited circumstances, a job applicant’s consent is required before a prospective employer is lawfully permitted to screen an applicant’s social media profile. Consent can be obtained as part of the application process, whereby applicants are either requested to provide such consent, alternatively, the applicant should be advised that their personal information will be used to search their social media presence for purposes. Consent may come in other forms, such as, an accepted ‘friend’ or ‘follow’ request, or a positive response to a prospective employer’s request for the applicant’s username and password.
An employer’s act of soliciting and the job applicant’s act of sharing a password is not uncommon. However, the disclosure of a social media password to a third-party, such as a prospective employer, may constitute a breach of the applicant’s contractual agreement with their social networking service provider. It is, however, up to the applicant whether or not they provide the employer with this information, and if they do, this serves as consent to the access of their social media account, and in these instances a job applicant cannot have a legitimate expectation of privacy. Certain legislative bodies around the world have enacted legislation which specifically prohibits employers from requesting passwords to gain access to the personal social media accounts of job applicants.
Consent is defined in POPIA as ‘any voluntary, specific and informed expression of will of which permission is given for the processing of personal information’. If an employer uses a false profile to gain access to the social media profile of an applicant, this will not constitute informed consent as the applicant accepted the request under the guise of another person/entity gaining access to their personal information.
Consent is intrinsically linked to the purpose specification and processing limitation conditions demanded by POPIA. Information may only be collected for a specific, defined and limited purpose. A job applicant requires this purpose to be specified and defined before specific and informed consent is provided. They need to know what specific information will be searched, collected and used in the consideration of their application. They also need to know what limitations are imposed on the employer to ensure that an unfettered search, collection and use of their information is guarded against. Any processing of information outside of the specific, defined and limited purpose will constitute a violation of POPIA (unless otherwise permitted in limited circumstances).
The voluntariness of consent in the pre-employment screening context may be undermined by unequal bargaining power between the applicant and the prospective employer. A job applicant’s bargaining power in South Africa is usually limited by virtue of jobs being in short supply as evidenced by the high unemployment rate. Furthermore, jobs are often offered on a ‘take it or leave it basis’ making it a difficult compromise, therefore an applicant is usually given two choices; (i) he must either provide consent and his application can be considered, or (ii) he does not provide his consent and his job application will not be successful.
POPIA stipulates that personal information must be collected directly from the job applicant, however, this requirement does not apply if the job applicant has deliberately made the personal information public through social media. There is a general prohibition on the processing of special categories of personal information, such as, the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sexual life, biometric information, or criminal behaviour of a person. However, this special personal information can be collected if it has been made deliberately public by the data subject through social media.
POPIA, similarly to the findings of the CCMA in the Sedick and Fredericks matters, makes a distinction between personal information which is publicly available and that which is restricted. Despite personal information being publicly available, the fundamental conditions for the lawful processing of personal information as contained in POPIA will still apply. There must be a lawful basis for a prospective employer to process an applicant’s personal information, the applicant has the right to be notified when their personal information from social media is being processed , the data subject has the right to object to the processing, to gain access to the data collected, and to correct same, the prospective employer must take reasonable measures to secure the personal information, to ensure that the information is only retained for a specified period, to limit further processing and to report to the applicant and the information regulator when the security of personal information has been compromised.
Employers must ensure that they do not use personal information gathered from social media to unfairly discriminate against job applicants. The law of discrimination applies equally online as it does offline. In this respect, the EEA prohibits employers from unfairly discriminating against a job applicant, either directly or indirectly, in any employment policy or practice, on one or more protected grounds, including race, gender, sex, pregnancy, marital status, family responsibility, ethnic or social origin, colour, sexual orientation, age, disability, religion, HIV status, conscience, belief, political opinion, culture, language and birth. Employers should only use social media to screen for requirements inherent to the job. An employee who believes that they have been unfairly discriminated against during the application process, can refer the matter to the CCMA for resolution.
While the temptation to acquire, as much information about an applicant exists, this conduct may expose the employer to liability in terms of both South African privacy law and employment law. It is for this reason that it is advisable for employers to have an internal policy, in line with POPIA, which governs the use of social media for screening job applicants. An internal policy such as will define and limited the purpose for which personal information can be processed in line with the EEA.
Employers must bear in mind that the implementation of POPIA is imminent and the penalty for non-compliance is a fine for up to 10 (ten) million rand and/or imprisonment for up to 10 (ten) years. Not only this, an internal policy as suggested can mitigate the possibility of an unsuccessful and disgruntled job applicant from approaching the CCMA on the grounds of unfair discrimination.
The balance between these competing interests is not a simple feat. Should you have any queries regarding unfair discrimination or require advice on POPIA and its effect, not only on the employment context, but on a company as a whole, please contact one of our attorneys directly and we will gladly assist you.