Agencies should be wary before “friending,” “following” or “liking” public users on social media sites.
Departments also should collect as little personally identifiable information through websites such as Facebook, LinkedIn, Twitter and the hundreds of other similar tools that now are commonly used to communicate with citizens and businesses.
These are two of several recommendations from the Federal Chief Information Officer’s Council in a new guide to privacy best practices for using social media.
“This paper addresses various ways the federal government can use social media for information sharing, situational awareness and to support agency operations, and the key considerations for each,” the guide, which the council posted to its website July 24, stated. “The paper also explains privacy best practices for establishing a social media program, from pulling together an intra- agency team of experts to establishing internal social media polices and ensuring transparency of social media uses through published privacy notices and documentation. The privacy best practices also cover specific technological issues, including Web measurement and customization technologies, URL shortening technologies and cybersecurity risks.”
The council dissuades agencies from actively connecting with the public unless it’s another federal, state or local government agency, a professional association or other organization based on the agency’s policy.
“A statement should be included in the PIA and on the social media account page to inform users that the acceptance of friend requests does not indicate endorsement,” the guide stated. “Agencies should also have policies that address ‘friending,’ ‘following,’ and ‘liking’ users.”
The council also recommends that agencies develop a “rules of use” policy to cover social media websites where the agency has a presence.
“If an agency decides to allow comments, viewpoints and opinions on its social media websites or applications (regardless of whether the sites/applications are agency or third party hosted), the agency must respect the public’s First Amendment rights,” the document stated. “However, an agency should monitor and, generally speaking, may remove public comments that are political or endorse a political candidate, target specific individuals or groups, are abusive, contain sensitive PII, or are similarly unacceptable.”
The guide strongly encourages agencies to develop and post online privacy impact assessments (PIA) and other documents to ensure the public is aware of agency plans to protect data.
Throughout the document, the council highlighted the need to collect only the information absolutely necessary.
“Due to its sensitivity, operational uses of social media should be approved and documented by senior agency leadership, including, but not limited to, privacy officials and General Counsel,” the document stated. “Agencies must develop specific operational use policies and procedures, as well as PIAs/System of Records Notices, where appropriate, to cover operational use. Program and privacy compliance reviews should be conducted on a routine basis to ensure the agency is in compliance with its policies and other documentation. It is important that the agency be transparent about uses of social media, especially those that involve viewing publicly available information. By being transparent about what type of information the agency is collecting and how it is collecting it, the agency can help minimize the public’s concern that the Government is monitoring individual speech and actions on social media.”
Additionally, agencies should have policies that deal with record retention and information sharing. The guide sets four criteria in which the agency should share the information it collected:
The sharing of the information is within the agency’s existing authorities;
The sharing is appropriate and consistent with the routine uses listed in the applicable SORN(s), or conducted through an interagency agreement;
The receiving agency or organization is authorized to receive the information and even then, only the minimum data (or data elements) should be shared to fulfill the authorized mission or business need; and
The receiving agency agrees to protect the information and retain it only as long as necessary; and to re-disseminate the information only in accordance with the criteria listed above.
“Agencies should develop record retention schedules specifically to cover information collected through social media that outline what information should be retained and for how long,” the document stated. “An agency should retain only the minimum amount of PII that is necessary for the proper performance of official agency functions. An agency should also ensure that retention policies and schedules are clearly described in, and are consistent with, applicable PIAs and SORNs.”
To govern all of these efforts, the council suggests agencies form a social media program that includes the privacy office, the CIO, the chief information security officer, public affairs, records management and the ethics officer.