A records and information management guide to social media
Professionals who work in the areas of information management, records management, technology, and compliance are struggling to find guidance for managing social media content. The widespread use of social media technologies introduces great potential to improve dissemination of information, interact with clients or the public, and improve services. These technologies also introduce risks associated with managing records, protecting privacy of personal information and ensuring the security for those who utilize these tools.
Organizations are looking for guidance on such things as:
- How to determine what social content qualifies as a record and so needs to be managed.
- What policies they need for employees’ use of social media, whether for personal use and how they should or shouldn’t refer to their companies, or business use, like what subjects should be avoided on a company blog to keep from creating anything that would be considered a record that would have to be managed.
- Polices for HR departments about using social media for recruitment to make sure recruiters aren’t viewing privileged information they would never be able to discuss in an interview with a recruit.
The basics of records and information management will remain key and using enterprise content management to manage any information that constitutes a record, regardless of how it is created, will remain a mainstay. However, this is all evolving and so it is important to get a handle on it now. Social media is starting to migrate to “social business” and eventually these social media tools will be part of the everyday work process.
To get started organizations can actually turn to the federal government, which has conducted extensive research on the use of social media tools for the advancement of enhanced services and interactions with the public. This research can provide guidance for companies as they work to identify what a record is, policies and procedures around the use of social media, privacy requirements and key laws and requirements to mitigate risk. (Links are below for all of the resources cited.)
Main challenges and controls
The use of social media tools has great potential to improve dissemination of information, interact with customers, and improve speed in interactions. Social media tools can be used to create communities for sharing information, such as links to other websites and resources. These tools are also used in posting current events or important, upcoming events. But there are challenges.
The Collaboration and Transformation Shared Interest Group of the American Council for Technology and the Industry Advisory Council conducted a study of 10 agencies regarding records management processes addressing the use of social media. The interviews resulted in identifying five main challenges when using social media.
- Declaration: Identifying what information qualifies as a social media record.
- Capture: Capturing social media content that is in the public domain and not under control of an agency.
- Metadata: Applying metadata to tag content for retrieval.
- Scheduling or disposition: The lack of control of content makes scheduling and disposition of records difficult.
- Education: Education and training is needed to implement a successful social media records policy.
The report went on to identify the importance of using social media tools and outlined what can and cannot be controlled. For instance, an agency cannot control what private, personal information is captured by the social networking sites. However, it can make decisions on limiting the collection and use of the personal information collected and disclosed. Sharing high-value data requires business practices that support privacy of personal information.
Identifying social media content as a record isn’t as difficult as it might seem. According to the National Archives and Records Administration (NARA) “the principles for analyzing, scheduling, and managing records are based on content and are independent of the medium …” According to the NARA Bulletin 2011-02, there are questions one can ask to help determine record status:
- Is the information unique and not available anywhere else?
- Does it contain evidence of an agency’s policies, business, mission, etc.?
- Is there a business need for the information?
To provide protection of personal information, we must look to privacy laws and guidance on establishing privacy policies that support the protection of private information. While these specifically address the management of government information, they are the foundation for the creation of privacy policies for any industry.
- Federal Records Act –This Act requires each federal agency to manage the creation, maintenance, use, and disposition of records of agency operations.
- NARA Regulations – NARA is the agency responsible for issuing guidance on records management topics such as the creation, maintenance, use, and disposition and storage of records. This guidance is found under the NARA Code of Federal Regulations, Subchapter B.
- Privacy Act of 1974 – The Act provides guidance on fair information practices, including regulation, maintenance, use and dissemination of personal information by federal executive branch agencies.
Today information is created rapidly and flows freely between employees, colleagues, and online social media tools. This presents serious risks to a business and to the protection of personal information. For government agencies, the Federal Information Security Management Act of 2002, or FISMA, created a framework for managing information security, such as system and communications protection, information integrity, or access controls. This framework, in turn, is defined by the standards and guidelines developed by the National Institute of Standards and Technology, or NIST. The framework must be followed for all information systems used by a federal government agency or contractor for the federal agency.
While this does not specifically outline security of social media, it does give direction on the creation and dissemination of information with these tools. The essence of the framework and supporting regulations requires companies to govern the use of social networks and company information.
Federal Information Security Management Act of 2002/ E-Government Act of 2002
FISMA is a federal law enacted in 2002 as Title III of the E-Government Act of 2002. This act focuses on the priority of information security controls and assigns responsibilities to federal agencies regarding security. To assist agencies in implementation statutory requirements, NIST developed a risk management framework for agencies to follow in developing information security programs.
Where to Start
The key to managing social media records, privacy, and security is to establish an information governance framework that identifies the decision rights of those who own the information and accountability for this information. In that framework, clearly identify the policies and procedures for managing records and information, train your employees on those policies, and implement technology tools that will provide security and protect the integrity of the information. The policies and regulations created by the government for the use of social media tools are excellent examples on how an organization can create its own social media policies.
Frequently Asked Questions about Federal Records Management
What social media content is record material?
Federal Records Act (44 U.S.C. Chapter 31)
Questions to assist in identifying what social media content is a record.
NARA Bulletin 2011-02, October 20, 2010, Guidance on Managing Records in Web 2.0/Social Media Platforms
Comprehensive list of NARA’s, and affiliate organizations, social media initiative.
Best Practices Study of Social Media Records Policies: ACT-IAC Collaboration & Transformation (C&T) Shared Interest Group (SIG), March 2011
Federal Statutes for Information Sharing (not all inclusive)
The Privacy Act of 1974