Elizabeth Tydd
Australian Information Commissioner
If you work for a government agency, you and your agency have a responsibility to preserve information you create, ensure the Australian community can access it, and ensure that privacy rights are maintained. The recent introduction of stewardship as an Australian Public Service (APS) value confirms your obligations as custodians of government information that Parliament determined is a national resource to be managed for public purposes.
Information governance is of vital importance no matter the technology in use. However, many of the technologies agencies now use raise novel considerations for information governance and demand a shift from a compartmentalised to a holistic approach and holistic solutions. This report provides foundational guidance enabling agencies to implement those holistic solutions.
An example of this is the increasing use in government of messaging apps – such as Signal, WhatsApp, Facebook Messenger and Telegram. Without the right guardrails, the use of these apps presents challenges for key pillars of our democratic system of government, including transparency and accountability.
As the Australian Information Commissioner, I have a unique role to report on the information governance requirements of agencies. This includes the power to report to the Attorney-General on the Australian Government’s management of information.
Today, I have issued the first published report of this kind, which examines the prevalence and use of messaging apps by agencies.
Messaging apps are widely used
Messaging apps are an established feature of personal and professional communication. They are also increasingly used in government.
We reviewed the policies and practices of 22 agencies around their use of messaging apps. This regulatory initiative was voluntary, and agencies actively participated.
We found 16 of those agencies permitted their use, 3 prohibited them, and 3 did not have a position.
If the tools are available, some people will inevitably use them. This means that where messaging apps are not specifically prohibited by an agency, there is a reasonable chance they are being used by staff for work.
We found the majority of agencies did not have a policy that supported staff in meeting their privacy, information access and recordkeeping obligations. I encourage agencies to review existing policies on the use of messaging apps, or develop a policy, to provide guidance to staff in meeting these obligations.
Policies need review to address obligations
Half (8 of 16) of the agencies that permitted the use of messaging apps did not have policies or procedures about their use for work. Even those agencies that did failed to address freedom of information (FOI), privacy and other key obligations.
Messaging apps raise novel considerations for meeting obligations. For example, a common function of these apps is the ability to send messages that disappear. How are agencies preserving those records and ensuring they can be searched and retrieved in response to an FOI request?
Agencies should keep pace, and in some cases catch up, by having clear policies and practices in place that adequately address these important obligations.
Due diligence needed on apps
Twelve of the agencies that permitted the use of messaging apps had a preference for the use of Signal (one of these also endorsed, encouraged or preferred WhatsApp).
Using only one app might have benefits such as staff only needing to create the one account and track one app. Agencies also only need to do due diligence and create policies and procedures for one app.
Agencies must conduct appropriate due diligence on apps to ensure they can be used in ways that meet various obligations. Policies and procedures should reflect the functionality of each app used.
Agencies must proactively uphold obligations
Six of the agencies that permitted the use of messaging apps or had no position on their use were unsure whether staff were using them to share personal information about members of the public. Ten were confident they did not.
Privacy and FOI obligations extend to the use of messaging apps and include:
- Some records may need to be preserved.
- Any personal information must be collected, held, disclosed and destroyed appropriately.
- Information shared through messaging apps must be considered in response to eligible FOI applications.
- Information must be able to be accessed, corrected or annotated under the FOI and Privacy Acts.
If your agency permits the use of messaging apps, you need to do due diligence to ensure any apps used collect and handle personal information appropriately. This may be achieved through a privacy threshold assessment.
Final notes
The report would not have been possible without expert insight from National Archives of Australia. We have integrated record creation, retention and disposal obligations with information access and privacy rights to provide a holistic approach to improving information governance. With the better understanding we now have of this issue, the OAIC has committed to continue work with National Archives to support agencies to understand and address these obligations when using messaging apps.
Improving information governance will secure government information as a national resource and a source of truth and accountability for the Australian community. It is also essential to upholding fundamental human rights and to your agency’s ability to innovate and gain the public’s trust.