CIO Council advises agencies against 'friends,' 'followers' or 'likes'
Friday - 7/26/2013, 1:43pm EDT
Departments also should collect as little personally identifiable information as possible through websites such as Facebook, LinkedIn, Twitter and the hundreds of other similar tools that now are commonly used to communicate with citizens and businesses.
"This paper addresses various ways the federal government can use social media for information sharing, situational awareness and to support agency operations, and the key considerations for each," the guide, which the council posted to its website July 24, stated. "The paper also explains privacy best practices for establishing a social media program, from pulling together an intra-agency team of experts to establishing internal social media policies and ensuring transparency of social media uses through published privacy notices and documentation. The privacy best practices also cover specific technological issues, including Web measurement and customization technologies, URL shortening technologies and cybersecurity risks."
The council dissuades agencies from actively connecting with the public unless it's another federal, state or local government agency, a professional association or other organization based on the agency's policy.
"A statement should be included in the PIA and on the social media account page to inform users that the acceptance of friend requests does not indicate endorsement," the guide stated. "Agencies should also have policies that address 'friending,' 'following,' and 'liking' users."
The council also recommends that agencies develop a "rules of use" policy to cover social media websites where the agency has a presence.
"If an agency decides to allow comments, viewpoints and opinions on its social media websites or applications (regardless of whether the sites/applications are agency or third party hosted), the agency must respect the public's First Amendment rights," the document stated. "However, an agency should monitor and, generally speaking, may remove public comments that are political or endorse a political candidate, target specific individuals or groups, are abusive, contain sensitive PII, or are similarly unacceptable."
The guide strongly encourages agencies to develop and post online privacy impact assessments (PIA) and other documents to ensure the public is aware of agency plans to protect data.
Throughout the document, the council highlighted the need to collect only the information absolutely necessary.
"Due to its sensitivity, operational uses of social media should be approved and documented by senior agency leadership, including, but not limited to, privacy officials and General Counsel," the document stated. "Agencies must develop specific operational use policies and procedures, as well as PIAs/System of Records Notices, where appropriate, to cover operational use. Program and privacy compliance reviews should be conducted on a routine basis to ensure the agency is in compliance with its policies and other documentation. It is important that the agency be transparent about uses of social media, especially those that involve viewing publicly available information. By being transparent about what type of information the agency is collecting and how it is collecting it, the agency can help minimize the public's concern that the Government is monitoring individual speech and actions on social media."
Additionally, agencies should have policies that deal with record retention and information sharing. The guide sets four criteria under which the agency should share the information it collected:
- The sharing of the information is within the agency's existing authorities;
- The sharing is appropriate and consistent with the routine uses listed in the applicable SORN(s), or conducted through an interagency agreement;
- The receiving agency or organization is authorized to receive the information and even then, only the minimum data (or data elements) should be shared to fulfill the authorized mission or business need; and
- The receiving agency agrees to protect the information and retain it only as long as necessary; and to re-disseminate the information only in accordance with the criteria listed above.
To govern all of these efforts, the council suggests agencies form a social media program that includes the privacy office, the CIO, the chief information security officer, public affairs, records management and the ethics officer.