Social media and privacy – engaging with the community

Using social media to engage with the community

Social media is a useful way for public sector organisations to circulate information and engage with citizens, partners, and stakeholders. There are many factors that may deter an organisation from embracing social media – privacy is only one element. Other factors include unfamiliarity with the technology, lack of resources and infrastructure, and a culture of risk aversion.

The Office of the Victorian Information Commissioner (OVIC) supports the responsible use of social media throughout the public sector. Although there are inherent challenges associated with social media, organisations that adopt a risk management approach can establish a digital presence and enjoy its benefits while maintaining a strong commitment to privacy.

This document contains commonly asked questions regarding information privacy and social media in the Victorian public sector. It is intended to assist organisations that are unsure about how to use social media tools effectively while upholding information privacy under the Privacy and Data Protection Act 2014 (PDP Act). It is not a guide on how to use social media in general.

What is social media?

Social media is a broad term that covers a range of online services and tools. It can be used for publishing, sharing, and communicating information.

Some types of social media include forums, blogs, wikis, and social networking platforms that allow users to socialise and communicate online – for example, Facebook, Twitter and LinkedIn. Video and image sharing platforms such as YouTube, TikTok, Flickr and Instagram also fall under the umbrella of social media, as does any other website or app that allows users to upload and share content.

What opportunities does social media bring to the public sector?

Social media provides governments with effective tools to engage and communicate with citizens and stakeholders. The Australian Bureau of Statistics, Household Use of Information Technology, 2016-17 statistics note that approximately 80% of Australian internet users access the internet for social networking purposes. This clearly presents a significant opportunity for governments to reach a large proportion of the population.

When used responsibly and effectively, social media can:

• increase citizens’ access to government and encourage two-way communication;
• facilitate a sense of openness and trust in government;
• reach specific audiences on particular issues;
• create opportunities for marketing and promotion of government activities, services, and events; and
• allow governments to gain insight into emerging trends and issues of concern within the community.

What are some of the privacy risks associated with public sector use of social media?

There are several privacy risks to consider when using social media. However, when managed effectively before establishing a social media presence, these risks should not prevent an organisation from using and experiencing the benefits of social media.

Some of the common privacy risks that public sector organisations should be aware of include:

Over collection

The amount of personal information available on social media is immense, and organisations cannot control what other users disclose to them via this medium. As such, there is a risk that organisations may collect more personal information than is necessary for their functions.

One of the opportunities offered by social media is that it can facilitate a two-way channel of communication between organisations and the public. However, this also opens organisations up to comment from the public, which may increase the risk of over collection of personal information, including third party information.

While social media can create a dynamic form of communication, organisations should manage the way they interact with the public online, including having processes in place for how social media will be used. Some organisations may choose to focus on using social media as a way to broadcast information, rather than create dialogue.

Remember: Personal information on social media includes more than just an individual’s name. It may also include their profile picture, photographs containing identifiable individuals, geo-location, video and audio content, as well as personal opinions. Further, social media content may also have embedded information – for example, images may have metadata which could potentially identify an individual.

Over sharing and permanency of content

The nature of social media means that even if posts or accounts have been deleted, the information shared may remain archived or captured by others. It may also be shared further without consent, or even the original publisher’s knowledge; information has the ability to spread quickly via social media.

Because of this risk, organisations should be mindful of the permanence of what they post on social media and ensure they do not share information that is personal or sensitive in nature unless appropriate to do so.

Scams and malware

Social media involves interaction with a broad range of users, many of whom may be unknown to organisations. Clicking on links provided by unknown sources can give rise to risks such as phishing attacks and scams, or the introduction of malware into an organisation’s system. This can lead to unauthorised access or disclosure of information, including personal information. It is therefore important to ensure that employees using social media are aware of these risks and take caution when clicking on links on other users’ social media posts.

What does privacy law say about the use of social media by the public sector?

In Victoria, the Information Privacy Principles (IPPs) under the PDP Act govern the collection, handling, use and disclosure of personal information (excluding health information) by the public sector.

As principle-based legislation, privacy law in Victoria is technology-neutral. The IPPs are designed to be flexible so that organisations can apply them regardless of the technology they use or the projects they undertake – including establishing a social media presence.

As an example, IPP 1.3 requires organisations to take reasonable steps to provide notice to an individual when their personal information has been collected. Generally, this would mean a collection notice before or at the time of collection. However, within the context of social media, it may be appropriate to include an abridged version of a collection notice within the ‘About me’ or ‘Bio’ section of a social media profile, with further information available on organisations’ websites or in privacy policies.

For further information on collection notices, please refer to the Collection notices guidance available on the OVIC website.

There is so much information on social media. Does using social media mean our organisation is ‘collecting’ all of this information?

Social media creates a unique environment for what constitutes ‘collection’ as traditionally understood in the PDP Act. Within an online context, merely seeing personal information of users on a social media platform (for example, of users that follow an organisation on Twitter) is, arguably, not considered to be collection under IPP 1.

For personal information to be considered as ‘collected’, it has to be held by an organisation. Organisations should only collect personal information from social media platforms if it is relevant to their functions. Once collected, that information must be handled in accordance with the IPPs.

What is the recommended process for organisations seeking to establish a social media presence that is consistent with privacy law?

The specific process for each organisation will differ according to their unique business context, including the type of social media they intend to use, and for what purpose.

In general, some steps to consider include:

1. Assess which social media platform is best suited to the goals and priorities of the organisation. Consider the balance between the needs of the organisation and the privacy risks associated with that particular platform. Organisations should be aware of the terms and conditions of the social media platforms they sign up to. While organisations may handle personal information in accordance with the IPPs, a social media platform’s practices may not be consistent with these principles. This is particularly relevant if the platform is based outside Victoria (see IPP 9). Terms of service policies or similar documents will generally include important information that may affect organisations’ ability to uphold the IPPs, such as who owns the data, and what happens to it if an account is deleted.

2. Undertake a privacy impact assessment (PIA) of the program. A PIA will assist organisations to identify any privacy risks associated with a particular social media platform, as well as potential risk mitigation strategies. OVIC’s resources contain a PIA template and guide.
3. Undertake a security risk assessment. While a good PIA will touch on security, a stand-alone assessment of the security implications of social media use should be conducted, in addition to a PIA. See OVIC’s information security resources for more information on security risk assessment.
4. Consider internal and external policies and procedures and whether they need updating to accommodate for social media use. Creating a specific social media policy that includes guidance on appropriate use, security protocols, and clear lines of responsibility and accountability is recommended. Further, if organisations are collecting people’s personal information via social media, this should be accurately reflected in privacy policies and collection notices.
5. Review the technical settings of the chosen social media platform and customise them where possible. Default privacy settings on a platform will often be at the lowest level, so ensure the settings you choose reflect a high standard of privacy protection, and are consistent with the organisation’s privacy policy.
6. Ensure employees with access to official social media accounts are properly trained. This may include training on how to use the platform itself, appropriate use in line with the organisation’s social media policy, privacy and security requirements, and procedures to follow should a privacy or security breach occur. Organisations should appoint a social media administrator who is responsible for overseeing the organisation’s social media use. The administrator should be aware of the Information Privacy Principles.

What about other considerations when using social media in the public sector such as freedom of information (FOI) and recordkeeping requirements?

Organisations should be mindful of their recordkeeping obligations in relation to social media posts, for example, in accordance with any requirements under the Public Records Act 1973.  Captured social media records may include the personal information of individuals and such records should be handled accordingly. For more information about recordkeeping obligations in relation to social media, please contact Public Record Office Victoria.

A social media post may also create a public record that would be considered a ‘document’ subject to a potential freedom of information request. It is important that organisations are aware of their recordkeeping obligations in relation to social media posts, as this will impact upon what records an organisation holds, and subsequently, what documents may be requested under an FOI request.

What protective data security considerations should an organisation take into account when using social media?

Any personal information collected through social media should be handled in accordance with IPP 4, which requires organisations to take reasonable steps to protect the personal information they hold.

IPP 4 does not specify what constitutes ‘reasonable steps’, however the Victorian Protective Data Security Framework (VPDSF) and the accompanying Victorian Protective Data Security Standards (VPDSS) provide useful guidance that is designed to be adaptable to each organisation’s unique business context and risk appetite.

The VPDSS adopt a risk-based approach to protective data security and emphasise robust governance, and security across four domains: physical, personnel, ICT, and information security.

Part 4 of the PDP Act, which relates specifically to protective data security, requires organisations to adhere to the VPDSF and VPDSS in relation to all public sector data, beyond just personal information. Organisations using social media should keep in mind their broader data security obligations, regardless of whether or not personal information is handled.

My organisation wants to take photos of an event for its social media page. What privacy considerations are there? Do we need to obtain individuals’ consent to publish the photos online?

In general, IPP 1.3 requires organisations to take reasonable steps to make people aware of a range of matters when their personal information is being collected – this includes when taking photographs in which individuals may be identifiable.

When taking photographs of a large crowd, it may be sufficient to provide a collection notice on a sign or poster. However, it is best practice to take reasonable steps to ensure anyone who is clearly identifiable in a photo has consented to their image being publicly shared. This promotes a stronger sense of trust between organisations and the community.

Organisations should consider taking the following steps when taking photographs:

• ask for permission prior to taking someone’s photograph, and let them know that the image may be published online; and
• if photographs will be taken at an event, include a statement in the registration process, or place clearly visible signs at the entrance, to inform people that there will be photography at the event. It is appropriate to also give people the option to notify the organisation if they do not wish to be captured in photographs. Be sure to include details of how they can contact the organisation about this.

My organisation wants to run an online competition and ask the public to make submissions through social media. What privacy considerations need to be taken into account?

In this scenario the organisation will be collecting personal information from people in order to run the competition. The same obligations under the IPPs exist when using social media as with other means.

The information collected may vary depending on the type of competition. For example, for a photography competition the information collected may include a person’s name, profile photo, the photograph the entrant is submitting (which may contain the image of an identifiable person), and any data embedded in the image. In line with IPP 1, organisations should only collect the minimum amount of personal information necessary to run the competition.

Organisations should also take reasonable steps to ensure that individuals making submissions to competitions are aware of what will be done with their personal information. Including a reference to the privacy statement or privacy policy of the social media platform being used to facilitate entries is an important step.

Remember: Asking people for their personal information via social media is asking them to share their personal information with a broader online audience. It is good practice to give people the opportunity to enter the competition in an alternative way, such as via email, if they do not wish to publish their submission online for everyone to see.