Does social media make Privacy Act violations inevitable?
Agencies must tread carefully to avoid stomping all over the Privacy Act's restrictions
The authors of “The Privacy Act of 1974: A Reference Manual for Compliance” couldn’t have foreseen it: a huge gap in the understanding and application of the act spurred by social media, cloud computing and the Internet. And yet that’s exactly the situation we’re in today as more and more information sharing happens outside the confines of the printed page.
The biggest problem, says Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research group, is that there is a bias for using third-party services and technology offerings in a scattershot manner without understanding underlying privacy laws and why they exist. “There’s a really strong push to get modernized, but no one wants to look at the plumbing that’s happening with privacy,” she explains. In fact, many agencies, says Dixon, see privacy as an “innovation killer that needs to be removed.”
Unfortunately, when this happens and there is a breach or disclosure, consumer trust is damaged, she says. One example, she says, goes back to 2001, when the Labor Department started working with job board Monster.com, using it to post government jobs. When the job site was hacked, there was a potential for sensitive information to get out. Privacy was a second thought, she says, right from the start. This is happening at an accelerated rate with social media because everything related to social media is, inherently, public knowledge, thwarting adherence to the Privacy Act.
Reading vs. collecting
For instance, the act says agencies should “maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity.” In other words, you can’t keep a file about how someone exercises their right to free speech. However, if someone at an agency collects and stores a series of tweets, Facebook updates or blog posts because they are pertinent to an issue at hand or a specific topic, are they running afoul of the act? Probably, says Gellman.
“An agency can’t go out and collect tweets unless there’s a legitimate law enforcement reason behind it,” he says. “Even if it’s not done with a malevolent purpose, the minute you start collecting and creating files based on what someone says, you’ve violated the Privacy Act.”
This becomes even more of a problem if you look at how people are interacting with social media. Anyone who follows a lot of people, likes a large number of Facebook pages or has an expansive LinkedIn network might use a social media aggregator such as HootSuite or TweetDeck that does exactly what the Privacy Act cautions against: creating a snapshot of everything a specific user has posted or said while online.
There are ways to use social media that protect an agency and its employees and keep them within the confines of the act, says Dixon. Anyone who is using social media to disseminate information or gather it should be working with general counsel, who should create policies and help enforce them internally. External privacy impact assessments can help, too, especially if you publish the findings and ask for public comment, she says. Finally, consider saving and compiling information without attaching user names, handles or URLs.
“You need some forward-thinking people to look at these issues and figure out how to use social media to become modern but at the same time think about how we can protect the people who might be harmed,” Dixon says. “You should only be maintaining information that’s relevant, necessary and appropriate as it relates to the Privacy Act.”