The government increasingly relies on modern technology in order to communicate policies and activities and to elicit comments or “feedback” on agency initiatives and past performance. Agency websites and social media platforms (Facebook, Twitter, Instagram, LinkedIn, etc.) can provide rapid sharing of information and can enable individuals and groups to interact more effectively with agency staff, the public and decision makers. And the ongoing COVID-19 pandemic and the subsequent closure of government offices necessitate more reliance on teleworking, a trend likely to continue for the foreseeable future. Certainly, reliance on technology, including social media, will accelerate over time. But the broad appeal and widespread use of these communications platforms have created difficult challenges for agencies as well as for other employers.
What are the challenges posed by the public employee’s use of communications technology such as social media? First, the pervasive use of that media implicates substantial concerns as to the security of electronically stored agency information (ESI) and the risk of the disclosure — intentionally or by accident — of private or confidential information in the agency’s custody. Agencies must respond to that challenge proactively. Second, an agency employer needs to prescribe, and implement, clear policies for employees and contractors regarding the authorized use of devices that access social media platforms. Otherwise there will be a substantial risk of intentional or accidental misuse of those platforms. Third, agencies must consider how the use of social media for employment-related communications may affect the agency’s reputational interests and its potential legal liabilities. In this regard, public employees must understand how they should use social media — whether on the job or off the job — when they communicate about the agency’s activities or events in their daily lives.
This article explores these complex topics and provides several recommendations for the appropriate use of social media and other internet-based technologies in the public employer setting.
The Security of Government Information
A government agency always must maintain the security of its information, whether that information is stored in a file cabinet, on the agency's computer network, or on agency-issued laptops.
Governments and businesses have been subjected to many cyberattacks and data breaches that compromise the integrity of their computer systems and cause massive breaches of privacy and disruptions of service. Although many threats to government databases originate from professional hackers or other outside entities, agency employees also may inadvertently enable the disclosure of nonpublic information. When, for example, an agency attorney uses a laptop in a coffee shop to communicate about a proposed rulemaking with an agency project officer, there is a significant risk of confidential information being revealed over an unsecured wireless network. And if agency employees visit an unreliable website or open a link from an innocuous-looking email from their smartphone, this activity could compromise security and enable a computer virus.
To address these problems, agencies must provide orientation and training that emphasize the importance of maintaining the security and privacy of nonpublic government information. Employees should be reminded that they are not to discuss sensitive, proprietary or otherwise nonpublic information over social media. Nor, of course, can employees disclose such information for personal or financial gain. Existing ethics policies must be updated to incorporate computer-based media as a potential means by which employees could violate confidentiality or conflict-of-interest restrictions.
Authorized-Use Policies
Portable computer devices have introduced welcome flexibility into the work environment. Consistent with this trend, many agencies authorize their employees to use their personal computer devices for agency business. Agencies also may authorize employees to travel or work remotely using agency-owned devices. There are significant advantages to these bring-your-own-device (BYOD) and teleworking arrangements (improved efficiency in work, improved employee morale, cost savings for employees). However, the employee’s use of computer devices, such as a personal smartphone or a laptop computer, creates significant risks, including negligent or intentional misuse of the government’s information in the employee’s personal custody.
Government Records and Sensitive Information
When a government employee uses a device to communicate about agency business or to create work-related documents, the employee becomes the custodian of information that could be classified as a government record. Government records, by statute or regulation, must be preserved in accordance with applicable record retention laws, schedules, and policies. Government agencies recognize that the digital age requires these steps; otherwise, the documentation of government decisions or activities will "go missing."
Anticipating these laws and regulations, the agency should require the employee to acknowledge in writing that the agency legally owns the government information stored on the device and that the agency has the right to access it, including taking the device into its possession without objection or interference by the employee(e.g., denying access by locking the device with a password or an encryption key). The written consent of the employee to these requirements may avoid, or at least reduce, the possibility of a later dispute between the agency and the employee if the agency, or a third party, requests or demands access to that information or wants to take custody of the device itself.
The agency also should consider issuing a policy that prohibits or limits access to sensitive information, including classified or law enforcement information, or to databases that contain personal or proprietary information.
In addition, the agency should consider establishing clear policies (sometimes called "acceptable use" policies) that draw limits on permissible uses by the employee of either type of device (personal or agency-issued). For example, the agency may decide that employees cannot use a government-owned device for personal use at all, or that employees must "partition," by separate drives or folders, their government work from their private work.
Employees also must recognize that the use of their own devices or agency-issued devices may result in a loss or waiver of any privacy in the employee's communications on those devices. The agency should explicitly inform the employee that the use of such devices provides no privacy protections and that such communications may be monitored or later reviewed by the agency. For example, the employee's communications with a spouse or attorney on an agency laptop might be subject to disclosure later. Similarly, if the employee uses a personal device for both agency business and personal business, there could be difficult problems of shielding personal communications from later disclosure if there is a demand or request for information stored on the device.