Yammer. A private social network?
This guideline will help public service officers ensure their use of Yammer complies with their obligations in the Information Privacy Act 2009 (Qld) (IP Act). While the practical tips in this guideline refer specifically to Yammer, they may also apply to other private social networks.
What is Yammer?
Yammer is a ‘private social network’ that provides the capacity for users to share information within the designated Yammer group. It is frequently used by government agencies as a collaborative tool for projects and programs.
While many Yammer groups will be comprised only of individuals within an agency, others will be set up to include persons from other agencies and/or from the business and community sectors.
How ‘private’ is Yammer?
Regardless of whether Yammer is used to engage in shared or private messages and conversations, these postings constitute a document1 of the agency. As such, they are subject to the information and document management obligations imposed on Queensland Public Service employees and agencies, including the access and amendment rights in the Right to Information Act 2009 (Qld) (RTI Act) and the IP Act and the obligation to comply with the rules for handling personal information.
Privacy considerations and Yammer
While an individual who posts their personal information to a Yammer group will be consenting to the transfer and disclosure of their personal information, privacy concerns will arise as soon as a post contains the personal information of another individual.
Participants need to keep in mind that when they are using Yammer to post their opinions or share a file, note or conversation, the content is being transferred overseas because Yammer operates from servers located outside Australia.
The transfer of personal information outside of Australia must only be done in accordance with section 33 of the IP Act. Agencies using Yammer will have to rely on either 33(a) or 33(d)(i) and (iv). Section 33(a) requires the express agreement of the individual. As with all agreements, this should be informed, current and voluntary. At the very least, the individual should be aware that their personal information is being transferred overseas with every post. Such agreement can only be given by the individual concerned.
An individual cannot agree on behalf of another person. Any Yammer participant who posts the personal information of another person (for example, by mentioning that a specific individual has given advice on a particular topic) is transferring that individual’s personal information overseas. If this is done without the individual’s agreement, it could potentially lead to a privacy complaint.
The terms and conditions of the contract for the use of Yammer will determine whether the agency satisfies the requirements of subsections 33(d)(i) and (iv) of the IP Act. Agencies may wish to seek legal advice as to whether the terms of the contract with Yammer would satisfy these subsections.
Information Privacy Principle (IPP) 10 and National Privacy Principle (NPP) 2 provide that personal information may only be used for the purpose for which it was obtained and not for any other purpose, unless one of the prescribed exceptions applies.
Yammer encourages free-flowing and open access to information. This could lead an agency to inadvertently use personal information for a different purpose from that for which it was obtained. It is therefore important to ensure that any secondary use falls into one of the exceptions to IPP 10 and NPP 2.
Whenever personal information passes outside of an agency, whether this is to another government agency, to an individual or a business or community sector organisation, if the person or entity receiving the information did not already know that information or could not otherwise access the information, this constitutes a disclosure.
For Yammer groups which include more than one agency and/or private or community sector organisations, each post potentially involves the disclosure of personal information. IPP 11 and NPP 2 prescribe the circumstances in which agencies can disclose personal information. Disclosure is permitted if the individual concerned consents to the disclosure. While consent will be applicable to the author of the post, anyone who posts the personal information of another person on Yammer without that person’s consent is potentially breaching their privacy. This breach could lead to a privacy complaint.
Waiver of privacy rights
When an individual publishes their personal information to the public, they lose certain privacy protections, not only for the published information but also for any information related to or connected with the published information.2
The privacy protections that are lost are:
- the requirement to check the accuracy of personal information before use3
- the use only of relevant personal information4
- the restrictions against secondary use of personal information5
- the restrictions against disclosure of personal information6; and
- the requirement to anonymise health information before disclosure7.
In practical terms, if an individual posts personal information about themselves on Yammer, they may lose privacy protections against the agency posting personal information about them that is related to or connected to their originally posted information.
However, agencies must continue to comply with the obligations applying to the transfer of personal information overseas, regardless of whether or not the individual had posted their personal information.
Yammer is a platform for sharing information which will involve the personal information of members.8 While it is understandable that Yammer postings could be thought of as an ephemeral communication akin to a verbal conversation among friends and colleagues, this is not the case. Yammer is provided for an officially approved purpose, with each Yammer posting being published on behalf of the poster’s employing agency. The posting also involves the transfer of this personal information overseas.
Anytime a Yammer posting contains personal information both of the poster and more particularly of another person, there are privacy obligations that must be considered for an agency to avoid a privacy breach and potential privacy complaints. Posters should take care to avoid or minimise their postings of personal information.
Public service employees’ information governance and accountability obligations arise for each Yammer posting in the same way as any official workplace document such as correspondence, briefs and reports. The same care and consideration that is put into the content of ‘public documents’ should be put into Yammer postings. This includes managing the content posted on social networks in accordance with the recordkeeping requirements of the Public Records Act 2002 (Qld).9
- 1 As defined in Schedule 1 of the Acts Interpretation Act 1954 (Qld).
- 2 See sections 28 and 32 of the IP Act.
- 3 See IPP 8 and NPP 3 (in respect of secondary use and disclosure only).
- 4 See IPP 9.
- 5 See IPP 10 and NPP 2.
- 6 See IPP 11 and NPP 2.
- 7 See NPP 9(4).
- 8 Even if a Yammer group member never posts anything, their membership of the group and their contact details constitute their personal information and this information will be shared with other group members.
- 9 Refer to Queensland State Archives ‘Yammer’ guidance, accessible at http://www.archives.qld.gov.au/Recordkeeping/Digital/Pages/Yammer.aspx
Current as at: May 7, 2015