--- Begin Message ---
[ In 2009-10, you'd have had to be a pretty cued-in public service exec to twig to the challenges that would arise from multitudinous messaging services designed for ephemera. (Ignoring IRC, ICQ and successors, at that stage, it was WhatsApp and Signal):
https://en.wikipedia.org/wiki/Instant_messaging#History

[ But it's remarkable that records management, archives, FoI and - least of all privacy - mandarins have taken 15 years to start whistleblowing. ]


OAIC puts agencies on notice for messaging app use
Aussie agencies’ lax messaging app policies have raised legal red flags about potential breaches of FOI and privacy laws, with data security a major worry for Elizabeth Tydd.
Dan Holmes
The Mandarin
MAR 20, 2025
https://www.themandarin.com.au/289056-oaic-puts-agencies-on-notice-for-messaging-app-use/

Australian information commissioner Elizabeth Tydd has expressed concern agencies may be breaking the law by using messaging apps.

The Office of the Australian Information Commissioner’s (OAIC) review of 22 agencies found messaging apps are an established feature of digital communications in the Australian Public Service.

Of the agencies reviewed, 16 permitted the use of messaging apps, three prohibited their use, and three did not have a position. Signal was the preferred app for 12 out of 16 agencies.

The report raises the alarm these apps are being used regularly without adequate policies and procedures that reflect statutory obligations.

Only eight agencies that permitted the use of apps had policies or procedures about their use for work. These policies generally did not address freedom of information (FOI), privacy and other key obligations.

Communications through messaging apps are still subject to regular FOI rules. Under the rules as written, self-destructing messages on apps like Signal and WhatsApp may need to be preserved in case they are subject to a later FOI request.

Tydd said agencies need to carefully consider the ways messaging apps are being used, and for what purposes.

“We’ve seen through this report that messaging apps are prevalent in their use in APS agencies, no matter their size and scale,” she said.

“[Agencies] have responsibilities that go beyond FOI and privacy into National Archives requirements for the creation and retention of records.

“The report is a call to review your policies, and if you don’t have policies, develop them.


“If [disappearing messages] is a function of the app officially endorsed for use, actually address it. That is the link to the creation of records … and how you will create or store them.

“A screenshot or translating it into a file note. Messaging it to yourself by way of an email in the first instance. That then becomes a record that is stored and available for access.”

Privacy policy

The privacy policies of popular messaging apps also raise questions about what information can be exchanged on the apps under Commonwealth privacy law.

Meta-owned Messenger and WhatsApp offer their parent company a virtually unlimited ability to access and use user data for whatever purpose they want, although their privacy policy says they “do not retain your messages in the ordinary course of providing services”. Since Meta’s takeover of WhatsApp, questions have been repeatedly raised about how much it is doing to ensure user data is protected.

Signal’s privacy policy suggests user data is rarely stored on their own servers. Law enforcement and integrity agencies have been open about the fact retrieving Signal messages in investigations generally comes down to whether they’ve been deleted from a user’s device or not.

While the OAIC report doesn’t look at the suitability of any particular platform, it urges agencies to consider privacy policies against their own Privacy Act obligations.

Tydd said agencies must protect sensitive data. “One of the aspects [the report] deals with from a technical perspective is there needs to be consideration of the hall marker that commences or registers the actual app,” she said.

“If it’s an officially issued phone, then it has different considerations than those that might be required to be considered if people are using personal phones for communication of official records.


“If you’re using it for official purposes, it still has the same requirements [security] classifications, too. So those classification labels are something that needs to be considered.”

Collaboration and co-regulation

The OAIC report includes expert insight from the National Archives of Australia — the first of its kind for the two organisations.

Tydd said OAIC would embark on more co-regulatory ventures with partner organisations like the eSafety Commission.

“We do have to partner as an effective co-regulator in this space. That involves eSafety. That involves National Archives. That will involve cyber security,” she said.

“Increasingly you will see co-regulatory activity bringing together these complex new dimensions and better position agencies for compliance outcomes that ensure the right to access information and privacy are promoted.”

OAIC will revisit the topic in two years to understand how the use of messaging apps for government business has evolved.


--
Roger Clarke                            mailto:[email protected]
T: +61 2 6288 6916   http://www.xamax.com.au  http://www.rogerclarke.com

Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professorial Fellow                          UNSW Law & Justice
Visiting Professor in Computer Science    Australian National University

--- End Message ---