Policy and Legal Considerations for Government’s Use of Analytics

By Allen Brandt, Legal and Policy Fellow, Future of Privacy Forum

Government agencies, like many private organizations, use social media for a variety of purposes. At its most basic form, monitoring of social media gives the agency feedback on how your constituents feel your agency is performing its duties; if you are seeing many complaints and negative statements posted, it might give insight into how to improve services. Some governments, however, are using social media or website tools to track their citizens, with potentially harmful results.

With the continually-decreasing cost of data storage, it is now easier and cheaper to keep data than it is to systematically delete it, so you can now hold an ever-increasing history of your users, their interactions with your web and social media sites or other people, and using simple tools, the ability to identify and track the identities of these users, and the use of this history could be in conflict with local or international data privacy laws.

A major use of social media by governments around the world is to relay official announcements, press releases and statements in a consistent and coherent way. One government agency in India, taking a cue from the new Prime Minister, has mandated that every government department post both a tweet and a Facebook post, at least once every 15 days, regarding their agency’s welfare schemes or achievements. The use of social media, in addition to speed, has the advantage of lower costs, since your agency can get official announcements published to your constituents at essentially no cost.

Privacy Policy

Does your agency have an easy to find privacy policy, written in plain language? For U.S. Government sites, writing in clear language “that the public can understand and use” is now the standard, starting from the Plain Writing Act of 2010 and the Executive Orders that follow. For others, take the effort to have your websites and social media postings written for your audience. In many global organizations, that may mean insuring that your writing is to a 6^th or 8^th grade level. If you are unable to have your privacy policies rewritten into easy to understand language, consider adding an easy summary section to the beginning, where a user can get a one or two sentence description for each part with a link to the longer, more formal language, sometimes called a “layered privacy notice”, and are considered an industry best practice. This is especially important if your audience is multinational, such as USAID or the State Department in the US, or for your customs or immigration accounts.

Transparency

As a big advocate in transparency: do your public facing policies match the actual practices that your agency has in place? Doing this often eliminates constituent FUD (fear, uncertainty, and doubt), and goes a long way towards your agency’s credibility, and the elimination, or at least minimization of your users’ surprises. One recommendation is to review your policies against actual practices on an annual basis. In the private sector, an organization failing to have their actual practices match their website statements could lead, in the US, to a Federal Trade Commission (FTC) section 5 violation, commonly called an unfair or deceptive trade practice, in the UK, an Unfair Trading Regulation, and other countries are similar.

Data Collection

A privacy concern is the potential secondary uses of this collected data. First, it’s seemingly impossible to give proper notice to a social media or website user for future uses of their information that are not yet known at the time of collection. Mass collection of personal data, without consent by the individual or another legal basis, could be in violation of both EU and US data protection laws. And some secondary uses, especially those for the public good, would be generally seen as positive, such as using social media after a hurricane or natural disaster, when normal telephone or mobile service was overloaded or slow, if working at all. Of course, with the speed and available to all access of social media, rumors and false information can be just as easily transmitted. After Hurricane Sandy, FEMA published a rumor control website, giving people the real story on what was happening and ways to contact them via phone, website or mobile device. The First Responder website offers guidance, best practices and lessons learned from the use of government agency’s use of social media during times of disaster.

But care should be taken for secondary uses of data that might not be universally appreciated. While a user’s social media name might be personal data, as it is in the US under GSA guidelines or would be under most EU laws, removing the individual identifiers to use, share and analyze the data without the means of identifying any individual has many advantages, including the ability perform research and analysis without risk of identifying any user. Google shares anonymized data with the public for both flu and dengue trends, allowing health officials to better respond to outbreaks. Working with university and other researchers may give your agency additional options to remove individual identifiers from social media logs and allow you to use and analyze the data without the risk of potential disclosure.

Using anonymized Google data to help determine where the flu might be headed is one thing, but to track or potentially identify users who may be searching for information about a communicable or socially unacceptable disease, and the use of this information could lead to legal or labor issues, Privacy Act violations, Genetic Information Act issues, or other problems, should be something to be avoided.

Finally, care should be taken that uses of collected data do not profile individuals, or perform some algorithm that disadvantages any individual (the concept of algorithmic accountability or insuring that your data processing is fair, just non-discriminatory, and in conformance with society’s standards and norms), and the credibility of your agency may depend, in large part, on the public’s perception of how they are treated and if they feel that their person information is being protected.

International, Host Country, and Domestic Laws

Remember that all data that your agency collects in your home country, and under many foreign laws, could be subject to eDiscovery or the ability of citizens to request that your agency produce for inspection, the information that you hold on an individual. The data that you collect or use for analysis have privacy impacts, often subject to various and often conflicting legal and use rules, conflicts between intelligence gathering and the internal agency’s policies, and requests for secondary uses.

Ask your agency’s privacy office and general counsel for guidance, or other agencies, to learn what they are doing and create your own policies and procedures that work for you, and help educate your agency’s management on these issues and how to navigate them.

ABOUT ALLEN BRANDT

Allen Brandt is an attorney who has merged his technical skills with delivering practical data protection and privacy advice, bringing more than 20 years of experience in the technology and information industries. He also served as a panelist at the Digital Diplomacy Coalition’s “Digital Diplomacy and Proactive Monitoring: Challenges to Solutions” event with the Open Technology Institute and Future Tense at the New America Foundation in Washington DC.