Privacy Implementation Notice 2021–01: Privacy Requirements for Official Social Media Accounts

1. Effective date

This implementation notice takes effect on .

2. Authorities

This Privacy Implementation Notice is issued pursuant to paragraph 71(1)(d) of the Privacy Act.

3. Application

This Privacy Implementation Notice applies to departments and other portions of the federal public administration as defined in section 3 of the Policy on Communications and Federal Identity and listed in Schedules I, I.1 and II of the Financial Administration Act. These departments are subject to the Directive on the Management of Communications, to which this Privacy Implementation Notice relates.

4. Purpose

This Implementation Notice provides guidance to privacy officials to support them in fulfilling the responsibilities established by the Privacy Requirements for Official Social Media Accounts (accessible only on the Government of Canada network) in relation to new or existing official social media accounts managed by their department.

5. Background

The principal publisher (Service Canada) has established prescribed processes (accessible only on the Government of Canada network) for official social media accounts pursuant to the Directive on the Management of Communications. These include new Privacy Requirements for Official Social Media Accounts (accessible only on the Government of Canada network) that apply to the federal public administration. These new requirements seek to ensure that official social media accounts comply with the Privacy Act and related policy instruments. They are part of a comprehensive suite of prescribed processes for official social media accounts.

6. Guidelines

Privacy officials in departments to which the new Privacy Requirements for Official Social Media Accounts (accessible only on the Government of Canada network) apply should familiarize themselves with the new requirements and be ready to provide advice and support to communications specialists seeking to create and manage new social media accounts. Annex A provides questions and answers to assist privacy officials in their responsibilities.

7. References

Legislation

Related Treasury Board policy instruments

Guidance from the Principal Publisher (accessible only on the Government of Canada network)

8. Enquiries

Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries for information about this Implementation Notice.

Employees of federal departments may contact their access to information and privacy coordinator (see the List of access to information and privacy coordinators by institution) for information about this Implementation Notice.

ATIP coordinators may contact the Treasury Board of Canada Secretariat’s Information and Privacy Policy Division for information about this Implementation Notice.

Annex A: Questions and Answers

Prescribed processes for official social media accounts

1. What are the prescribed processes for official social media accounts?

Under Appendix D of the Directive on the Management of Communications, departments must follow the processes outlined by the principal publisher, Service Canada, when creating, configuring, and disposing of official social media accounts. The principal publisher is responsible for granting permission to establish any official accounts.

The prescribed processes (accessible only on the Government of Canada network) include new privacy procedures: Privacy Requirements for Official Social Media Accounts (accessible only on the Government of Canada network). Changes include a section dedicated to privacy in the application form (accessible only on the Government of Canada network) for official social media accounts. It requires that Access to Information and Privacy (ATIP) Coordinators be consulted by communications officials and outlines the common uses of official social media accounts. The updated Terms and Conditions for Canada.ca also has an expanded section on interacting with the government on social media and now refers to the related Personal Information Banks (PIBs). The Privacy Notice for Government of Canada Departments for official social media accounts has also been updated.

2. Which social media platforms have already been reviewed as part of the prescribed processes?

  • Facebook
  • Flickr
  • Instagram
  • LinkedIn
  • Pinterest
  • Twitter
  • YouTube

A Threat and Risk Assessment, as well as a legal analysis of the terms of use and privacy policies, was conducted for the above platforms for the four common uses (see question 4). Copies of the Threat and Risk Assessment and the legal analyses are available upon request from the Information and Privacy Policy Division. Official accounts on these platforms may be established without each department completing a separate privacy and legal analysis. However, it is up to each department to determine if the reviews meet their needs and internal requirements prior to use.

3. Are existing official social media accounts subject to the new privacy procedures?

Yes, the new privacy procedures and the publication of the Privacy Notice are mandatory for both new and existing official social media accounts. However, the Official Social Media Account Request Form (accessible only on the Government of Canada network) should only be submitted to the principal publisher for new accounts.

ATIP Coordinators are expected to work with stakeholders in their departments, such as the Heads of Communications and social media account managers, to validate that the new requirements have been implemented and that internal procedures and controls are appropriate.

4. What uses of official social media accounts are covered by the prescribed processes?

The prescribed processes cover four uses of official social media accounts as part of a department’s communications program:

  • Broadcasting: The broadcast or dissemination of information to individuals, businesses and stakeholders, including directing users to Government of Canada websites;
  • Engaging: The facilitation of discussions and dialogue between government departments and individuals including, where appropriate, preparing responses to public enquiries;
  • Account management: The review and management of individual postings to official social media accounts for purposes of moderating discussions including, where appropriate, the editing, removal or refusal of comments or the blocking of users that contravene commenting standards; and
  • Account analytics: The collection, analysis, measurement, and reporting of data about account activity and user visits to understand and optimize the usage of the social media account, to gauge public interest in topics, activities or events related to the department’s mandate, and for research, statistics, audit or evaluation purposes (to be used in aggregated format).

An analysis of the privacy and legal impacts of the above-mentioned practices has been completed. Thus, official social media accounts may engage in these activities without each department completing a separate privacy and legal analysis. Copies of the Threat and Risk Assessment and the legal analyses are available upon request from the Information and Privacy Policy Division.

5. If a department wants to use its official social media accounts for purposes other than the uses covered by the processes, is that possible?

The prescribed processes (accessible only on the Government of Canada network) apply to official social media accounts which are involved in broadcasting, engaging, account management, and account analytics. They do not apply to other uses, such as investigations, lifestyle analysis or fraud detection.

If a department intends to use personal information collected from its official social media accounts for purposes other than those listed above, it must verify that the department has the authority to collect and use the personal information for those purposes, and conduct its own analysis to validate that it complies with the Privacy Act and related policy instruments. A Privacy Impact Assessment (PIA) and consequential risk mitigation measures may be required. Alternatively, a privacy protocol could be established if personal information is collected, used, and disclosed for non-administrative purposes, such as research, statistics, audit, and evaluation.

The department will need to consult the principal publisher, Service Canada, to determine what additional steps are required to establish the new official account for other uses.

6. Can personal information be used for secondary purposes?

Personal information can only be used for the purpose for which it was collected, or for a use consistent with this purpose. Uses for secondary purposes must be consistent with the standard Personal Information Banks (PIBs) that have been identified for the activities related to the use of official social media accounts: PSU 938 (Outreach Activities) and PSU 914 (Public Communications). For example, the consistent uses listed in these two PIBs include moderating discussions on social media platforms, evaluating programs, establishing distribution lists, or transferring questions and complaints within or outside the department.

If the personal information is used for a secondary purpose, the individual’s consent may be required. The department must verify that it has the authority to collect and use the personal information for those purposes, and conduct its own analysis to validate that it complies with the Privacy Act and related policy instruments. A PIA and consequential risk mitigation measures may be required. Alternatively, a privacy protocol could be established if personal information is collected, used, and disclosed for non-administrative purposes, such as research, statistics, audit, and evaluation.

7. Should consent be obtained before collecting personal information on official social media accounts?

There is no requirement to obtain consent to collect personal information from official social media accounts for the four uses covered by the prescribed processes.

In accordance with the technical specifications for social media accounts, departments are required to publish a Privacy Notice that explains, among other things, the government’s responsibilities for the protection of personal information, what constitutes personal information, and how it is used. The notice thus provides the transparency necessary for users to decide, in a free and informed manner, how they want to interact with official social media accounts.

8. Should consent be obtained from the individual before adding them to a distribution list?

Standard PIB PSU 938 (Outreach Activities) specifies that personal information may be used when establishing a mailing list, provided the individual has given their consent. For example, a department could allow individuals to register for a mailing list by sending an email to an address that is posted on the official social media account.

9. When is a PIA required?

A PIA is not required if both of the following conditions are met: the account is created on one of the previously analyzed platforms (Facebook, Flickr, Instagram, LinkedIn, Pinterest, Twitter, and YouTube), and the personal information is collected, used, and disclosed within one of the four uses that have been pre‑analyzed (broadcasting, engaging, account management and account analytics).

If a different platform is chosen or personal information will be used for other administrative purposes, a PIA may be required. Details about when a PIA is required can be found in the Directive on Privacy Impact Assessment. When using a new platform, departments must consult with their legal services to determine whether a legal analysis of the terms of use and privacy policies of the new platform is required.

While the principal publisher does not review the PIA, the department will need to consult the principal publisher, Service Canada, to determine what additional steps are required to establish a new official account on a platform that has not been previously analyzed.

10. Does a PIB need to be updated?

The two standard PIBs that have been identified for the activities related to the use of official social media accounts are PSU 938 (Outreach Activities) and PSU 914 (Public Communications). Personal information that may be collected includes an individual’s name, contact information, biographical data, image, personal opinions, comments or Internet protocol address. Departments may collect this information in electronic or paper format.

If the department has already registered these PIBs, it does not have to do so again. If the official social media accounts collect any other personal information, or are used for other uses that are not compatible with the above‑mentioned standard PIBs, it may be necessary to register a department-specific PIB.

11. How long does personal information published on official social media accounts need to be retained?

Departments must retain personal information used for administrative purposes for a minimum of two years, as set out in the Privacy Regulations. Administrative purposes include use of personal information in a decision-making process that directly affects that individual. This retention allows individuals to exercise their right of access under the Privacy Act. For example, if an official social media account manager denies an individual access to an official account due to a failure to comply with commenting standards, the username and comment would need to be retained.

There is no requirement to retain personal information that is used for non-administrative purposes, such as statistics on account activity. In these instances, the personal information collected should be disposed of as soon as it is no longer required by the program or activity.
