Information Management Protocol - Instant Messaging Using a Mobile Device
Issue
The use of mobile devices is increasing among public servants in the Government of Canada (GC). Many institutions are providing employees with devices that offer a variety of communication methods, including phone, email, SMS texting, and messaging using personal identification numbers (PINs). Institutions need clarification on what processes to put in place to support the use of these devices within their organization. Furthermore, Government of Canada employees need clarification of their roles and responsibilities regarding the information they create, send, and receive through their mobile devices via instant messaging.
Context
The principles of sound information management (IM), access to information, privacy, and security management apply to all forms of information created, acquired, used, or retained in the GC.
In accordance with the Policy on Information Management, the Policy on Access to Information, and the Policy on Privacy Protection, decisions made by public servants must be properly documented, and they must be stored, accessible, and protected in accordance with the Access to Information Act, the Privacy Act, and Government Security Policy.
Guidance for Employees
- Instant messages should be treated like any other information resource created, acquired, or used in the GC. Consequently, they must be managed throughout their life cycle, as per the Directive on Recordkeeping.
- Employees are responsible for the information they create, receive, or transmit in instant messages.
- Instant messages that do not have business value are deemed to be transitory, and should be deleted as soon as possible.
- When information of business value is transmitted via a mobile device, the information should be documented in another format (e.g., an email message or a Word document) and must be stored and retained in an official corporate repository. The original instant message should then be deleted. This is in keeping with the way employees are required to treat a telephone conversation during which information of business value is transmitted.
Examples of information of business value that might be transmitted via instant messaging include the following:
- A notice, request, or decision that initiates a work process or a new project;
- A message approving actions, documents, or positions where the information is not captured elsewhere (e.g., in a financial or human resource system); and
- A message granting permission where the information is not captured elsewhere.
- The Access to Information Act and the Privacy Act apply to all information under the control of government institutions recorded in any format. This includes messages created, sent, and received via mobile devices. When responding to access to information and privacy (ATIP) requests, employees must search all records under the control of their institution, including instant messages sent or received using mobile devices. In order to provide relevant instant messages to the ATIP coordinator and to enable disclosure, it is recommended that instant messages be forwarded to a GC email account. Where instant messages cannot be easily forwarded to a GC email account, employees should copy and paste or transcribe the content of the instant message into another format (e.g., email, Word document, etc.). In all cases, the employee must ensure that the "to", "from", "date", "time", and "subject" fields are always included.
- Once an access to information request has been received, it is a criminal offence to erase or alter the instant message, or to counsel anyone else to erase or alter it, for the purpose of denying an individual access to government-held information. Once the ATIP Office has received an exact and complete copy of all instant messages relevant to a request under the Access to Information Act or the Privacy Act, the messages may continue to be managed according to their normal life cycle.
Guidance for Institutions
- It is recommended that departments not use automatic logging of instant messages. Challenges with searching and managing data stored in instant messaging logs make it difficult to segregate records that must be kept from those that should be deleted. Automatic logs are not appropriate repositories for information management purposes, nor should they be used as an alternative to ensuring that employees meet their obligations to effectively store information of business value in corporate repositories.
- The configuration and use of mobile devices must comply with the Management of Information Technology Security Standard.
- Mobile devices should never be used for communicating or storing classified or sensitive information unless, in exceptional circumstances, the service used is approved by the institution's security and technical authorities and includes appropriate authentication, authorization, non-repudiation of users, and end-to-end data encryption using encryption algorithms approved by Communications Security Establishment Canada.
- Departments should ensure that users are aware of their information management responsibilities and of the security procedures associated with the use of instant messaging on mobile devices.
This IM Protocol is issued in collaboration with the Security and Identity Management Division and the Information and Privacy Policy Division of the Chief Information Officer Branch at the Treasury Board of Canada Secretariat.
Further Information
Information Management Division
Chief Information Officer Branch
Treasury Board of Canada Secretariat
8th Floor, 270 Albert Street
Ottawa, ON K1A 0R5
Email: im-gi@tbs-sct.gc.ca
Toll-free: 1-877-636-0656
Fax: 613-946-9342
TTY: 613-957-9090 (Treasury Board of Canada Secretariat)
Page details
- Date modified: