Social media are websites and applications that allow users to create and share content or to participate in social networking.[1] Some of the more common social media platforms used by agencies are Facebook, Twitter, YouTube, Instagram and LinkedIn.[2]
This guideline is intended to assist Queensland government agencies[3] in ensuring their creation and use of social media complies with the privacy principles[4] in the Information Privacy Act 2009 (Qld) (IP Act).[5] A failure to comply with the privacy principles can result in privacy complaints being made by individuals who believe their privacy has been breached.
Agency social media plays an important part in agency engagement with the community; however, the nature of social media means its creation and use can have privacy implications. It is important that agencies build appropriate protections into their policies on social media use and retention of records.
What is personal information?
Personal information is any information about an individual who can reasonably be identified. All information that fits this definition is personal information, even if it does not seem sensitive or appears to be harmless, unimportant, or trivial.
Refer to What is personal information? for more information.
What do the privacy principles require?
The privacy principles require agencies to handle personal information in specific ways. This includes rules about what, and how, personal information can be collected, when it can be used and disclosed, and how it must be secured and stored.
They also include rules about when personal information can be transferred out of Australia, which will apply to most social media given it is online and mostly hosted on overseas-based servers.
What is the purpose of the social media account?
The intended use of the social media account will impact the privacy precautions an agency has to take. For example, a Twitter account intended only to communicate news updates or emergency alerts which is set to disallow direct messages will require fewer privacy precautions than a Facebook account that allows people to ask questions and receive answers.
It is important that agencies define the purpose and limitations of the social media account as part of determining what steps must be taken to ensure it complies with the privacy principles. Agencies may want to consider a privacy impact assessment[6] for social media accounts that are intended for more than just broadcasting information.
Social media policies
A social media policy that includes guidance on the handling and posting of personal information can be an important part of ensuring social media accounts are, and remain, privacy compliant.
Disclaimers and collection notices
When an agency collects personal information from individuals it must provide certain information about the collection, including why the personal information is being collected and anyone to whom it is the agency's usual practice to disclose it.[7] These requirements are often communicated through a ‘collection notice’.[8]
Agency social media accounts which involve the collection of personal information must comply with the obligations in IPP 2 or NPP 1.[9] Ideally, the information required by IPP 2 or NPP 1 should be posted on the social media account itself, however if the platform does not have sufficient space it can be posted on the agency's website with a prominent link from the social media account. Agencies may also want to include this information in their privacy policies under a social media heading.
In addition to the above, agencies will need to include a disclaimer addressing the overseas transfer of personal information, eg one that ensures individuals interacting with the account understand that by doing so their personal information will be sent out of Australia.[10]
Acceptable use policies: other people's personal information
An acceptable use policy, eg setting out what content will and will not be permitted, generally forms part of an agency's social media policy. Agencies may want to consider including in their acceptable use policy a request that people do not post the personal information of third parties.
Security of social media
Social media accounts should be secured with a strong password and only specifically authorised employees—familiar with the agency's privacy obligations and social media policies—should have access to those credentials. This will help prevent inappropriate or unauthorised personal information being posted to the account and help ensure personal information collected through the account is secured against unauthorised use and disclosure.
The privacy and security settings of the social media account need to be set to an appropriate level based on the purpose of the account. If the account is solely for one-way communication by the agency to the community, disabling direct or private messaging and/or disallowing commenting on posts may be appropriate. However, different settings will be required for an account that is intended to facilitate two-way communication, eg answering questions and responding to issues.
Regardless of the account's purpose, any settings that allow the sharing of information with third parties, eg affiliated companies or advertisers, even in a deidentified or aggregated form, should be set to 'off' where possible.
Refer to Health agencies - data security or Non-health agencies - Protection and security of personal information for more information on securing personal information.
Posting personal information to social media
The nature of social media means it is often used to share personal information, eg stories about individuals or community groups or photos and videos taken by agency employees. Care must be taken to ensure all personal information is published in a privacy appropriate way.
Before posting personal information to social media, eg photos taken by agency officers at an event, the agency must ensure it is permitted to do so.[11] This will generally require identifying what the individuals were told/what they agreed to when the photos were taken or contacting them to ask for consent.[12]
Agencies should develop a photo/image consent form that covers online publication and/or posting to social media, to be used when agency officers are taking photos or videos. This will ensure that the agency has the appropriate authorisation to use those images online.
Keep personal information to a minimum
Personal information published on social media can be harvested and reused by anyone. This can lead to annoyances, such as targeted marketing, or more damaging outcomes, such as identity theft, fraud, or harassment.
Even when an agency has authority to publish personal information to its social media account, it should limit it to the minimum necessary to fulfil the purpose of the post.
Responding to social media enquiries
Many social media accounts are intended to provide a customer-centric platform through which people can interact with the agency and receive timely responses.
Given the immediacy of social media, and the general expectation that enquirers will receive a rapid response, social media activities should be conducted by staff who have relevant expertise. This includes knowledge of their agency's privacy obligations; care must be taken not to disclose personal information in breach of the privacy principles.
Enquiries which would require disclosing personal information, eg a comment asking for an update on the progress of the commenter's application, should not be answered, even if the message has been sent privately to the agency's account. This is because the agency has no way to verify that the person making the request is who they claim to be. Even though some platforms have a 'real name only' policy, that does not guarantee the identity of the enquirer. They should be advised to contact the agency in another way so their identity can be verified, and the requested update provided.
Responding to more general enquiries, eg comments asking how long until an agency completes a current project or the opening hours of a pool, should not raise privacy issues as they do not require the agency to confirm or disclose personal information beyond what the enquirer has already posted, eg the name/username of the enquirer.
Use and disclosure of information acquired through social media
Personal information collected through social media must be dealt with in accordance with the privacy principles, the same as personal information collected through other channels. This means there are limits on what it can be used for and to whom it can be disclosed.
The general rule is that personal information can only be used for the purpose it was collected. This means that if someone asks a question through social media, providing their personal information to the relevant part of the agency so they can send them an answer directly would generally be permitted.
Use of personal information needs to be limited to what is necessary to fulfil the purpose. This means, for example, if someone asks a policy question through social media and the agency's intent is to respond through the same channel, it would not be necessary to provide the identity of the enquirer to the part of the agency preparing the response.
The general rule about disclosure of personal information is that it can only be given to the individual it is about. There are exceptions to this general rule that also apply to the use of personal information, including for law enforcement purposes and to prevent a serious threat to an individual or the public.
If information sent to a social media account reveals, for example, a potential breach of the law or that someone may be a threat to themselves or others, the relevant exceptions can be relied on to take appropriate action.
For more information refer to All agencies - Use or disclosure for law enforcement and All agencies - Use or disclosure to prevent harm.
Personal social media accounts
This guideline relates only to official agency accounts, however there may be circumstances when an agency employee receives a communication on their personal social media account directed towards them in their official capacity. These should generally be redirected towards an official agency communication channel and steps taken to capture the message in the agency's recordkeeping system. Employees engaging in official business through their personal social media accounts must ensure they comply with the privacy principles. A failure to do so can result in a privacy complaint.
Personal accounts linked to agency employment
Some social networking sites, such as Facebook and LinkedIn, may display an employee's employment details on their profile page. Where it can be removed, employees should carefully consider whether this information should be displayed. Employees should not use their agency email address to register and log into personal accounts.[13]
See the Personal use of Social Media guideline for more information.[14]
Requests to access social media information
Social media records—including records of official business conducted through an employee's personal account—are documents of the agency. They may also be public records. Social media records can be applied for under the Right to Information Act 2009 or chapter 3 of the IP Act and may need to be retained in accordance with the Public Records Act 2002.
For more information, refer to Online and on your phone: processing access applications for social media, webmail and text messages.
- [1] Queensland Government Principles for the use of social media networks and emerging technologies.
- [2] Ibid.
- [3] Unless otherwise specified, in this guideline agency includes a Minister.
- [4] The National Privacy Principles (NPPs) for health agencies; the Information Privacy Principles (IPPs) for non-health agencies.
- [5] In addition to other requirements for agencies' use of social media, for example, Queensland Government Principles for the use of social media networks and emerging technologies, Your Social Media and You: A guide for elected council members in Queensland, RTI and public records requirements and specific agency social media policies.
- [6] See Overview of the Privacy Impact Assessment process.
- [7] IPP 2 and NPP 1.
- [8] See All agencies - Obligations when collecting personal information.
- [9] As noted, this is often referred to as a collection notice.
- [10] This may not be necessary if the platform's servers are located in Australia. See Sending personal information out of Australia.
- [11] Agencies will need to satisfy IPP 11 or NPP 2 (in relation to disclosure of personal information) and section 33, as posting to most social media platforms means the information will be transferred out of Australia.
- [12] See Key privacy concepts - agreement and consent and All agencies - Use or disclosure with agreement.
- [13] Unless it is required; Yammer, for example, only allows registration with an official email address.
- [14] Not all agencies are required to comply with QGCIO guidelines; however, the information is generally relevant to employees of all agencies.
Current as at: April 21, 2021