Records Advisory: Preliminary Guidance on Social Media
What is social media?
Local governments and state agencies are increasingly using social media to communicate with citizens. Social media is a subset of Web 2.0, which very broadly refers to any use of the Internet where the user helps determine content. A social media site allows its users to interact with the site’s creator and with each other as contributors to the website's content, and social media tools are intended to facilitate interactive information sharing, interoperability, user-centered design, and collaboration. They include blogs, microblogs (Twitter), wikis, video sites (YouTube), photo libraries (Flickr), networking sites (MySpace, Facebook), virtual worlds (Second Life), and other interactive sites.
Knowing the risks
If you represent government, know what you’re getting into when you embrace social media. Verify that using social media sites will meet your business needs, and be aware of the risks associated with the use of these tools, which include
- Increased system vulnerability to cyber attacks and viruses
- Inappropriate use by content creators (including internal staff and external contributors)
- Non-compliance with legal requirements for records (especially retention and disposition)
These guidelines are intended to help local governments and state agencies mitigate these and other risks associated with the use of social media.
Ensure that your use of social media is consistent with policy established by the state Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) in Cyber Security Guideline G10-001: Secure Use of Social Media.
In addition, the Federal CIO Council has developed Guidelines for Secure Use of Social Media by Federal Departments and Agencies, which address the system vulnerabilities caused by using social media. The guidelines emphasize the importance of technical controls, policy, and staff training.
When you have identified the social media tools that will meet your business needs, define how responsibility for developing and uploading content will be distributed. Several models for managing the development of content for social media sites are emerging.
- Model 1: Strict internal controls. One staff member is responsible for uploading information to all sites and to the official website, although that staff member solicits ideas for content from across the agency or via a designated team. Conversely, access to the sites is limited to a small number of staff, and those staff members who do have access cannot represent the organization in an official capacity and must follow policies on appropriate use. This model has been adopted by several state agencies and the U.S. Department of Defense (DOD). (To view DOD’s policy on use of social media, see DTM-026: Responsible and Effective Use of Internet-based Capabilities.)
- Model 2: Control distributed to units of the government or agency. Rather than create a single institutional account, a government or agency has multiple pages focusing on separate government functions or activities of interest to the public. This approach can be seen on the various sites of town governments, where the town clerk, often the most visible official in a town office, is the sole creator of social media sites and represents the town as an individual holding a particular office, giving that site a personal touch that may be more appealing than a generic government site.
- Model 3: No internal controls. This model assumes that social media technologies are not meant to be controlled at all. Instead, organizations should “embrace the unexpected” and allow staff and users to have unmoderated use of social media sites, to enjoy the full benefits of the technology, and to ensure that social media deployment is a spontaneous, grassroots activity. (For a discussion of and justification for this model, see Success with Web 2.0 Requires Risk.)
All of the above models are valid, depending on the needs and culture of the organization, although governments and agencies are especially reluctant to relinquish control. Presumably, a more centralized, controlled approach may help ensure appropriate use and facilitate compliance with records and other legal requirements. Conversely, the model with the least amount of oversight may have a higher level of risk.
Appropriate use by internal users
Support the business model you choose with written policies and procedures that include an appropriate use policy for government staff and officials. An appropriate use policy should
- specify who’s responsible for posting content to social media sites
- emphasize that all staff, regardless of whether they contribute to official content, should be professional, civil, and in compliance with privacy and other applicable laws
- mandate that staff indicate when they are speaking in an official capacity and when they are offering a personal opinion
- require elected officials to separate content they post on behalf of their governments from content reflecting the interests of political campaigns or parties
If you have a policy for the appropriate use of the Internet and email, it may be possible to adapt or expand that policy to cover the use of social media sites.
A perceived risk associated with social media sites is the potential for a government or agency to be held liable for public comments posted to its site. To minimize this risk, post an appropriate use policy for comments as well as a disclaimer stating that your government or agency is not liable for the content of comments posted to the site.
Before developing an appropriate use policy for public comments, be aware that many social media tools have use policies that you can incorporate into your policies. (For example, see YouTube’s guidelines at www.youtube.com/t/community_guidelines.) Also, consult with your legal counsel for guidance on how to keep conversation civil without violating free speech. The final step is to actually follow through on your stated policy, monitoring comments from the public daily—or more frequently, if necessary—and deleting comments that violate your stated terms for appropriate use.
The underlying tenets of an appropriate use policy for comments are similar to the principles that inform policies for the internal use of the Internet (including social media sites) and email, and may include prohibitions against
- violent, obscene, profane, hateful, or racist comments
- comments that threaten or defame any person or organization
- solicitations, advertisements, or endorsements of any financial, commercial or non-governmental agency
- comments that suggest or encourage illegal activity
- multiple off-topic posts by a single user
- repetitive posts copied and pasted by multiple users
See WebContent.gov for this and other examples of appropriate use policies for creators of content.
Most social media technologies are managed by companies that charge little or nothing for their services and deal with thousands, if not millions, of customers. Some of them rely entirely on ad revenue to cover basic operating expenses and are in danger of going out of business with little or no warning. These companies do not enter into traditional contracts with customers but rather provide a generic “terms of service” agreement for all customers. It is therefore important to know the terms you are accepting—and the implications those terms have on managing government records—when establishing a relationship with a social media service provider.
Some social media services offer special memberships with more options for customization than what the general public would use or need. For example, YouTube offers a membership option for government that allows customers to use their own banner, link back to their website, and post videos longer than the standard ten-minute length. Flickr Commons is a special category for organizations with images that are used primarily for research. Service providers generally don’t promote these alternatives prominently, so you may have to be persistent when exploring your options.
Recently, the federal government successfully renegotiated its terms of service agreement with Facebook and other sites, because some agreements were contrary to federal procurement policies. The U.S. General Services Administration worked with each social media provider to allow all federal agencies to sign the same renegotiated agreement. However, states haven't had much luck renegotiating terms of service agreements with social media providers, with YouTube being the exception. (For a discussion of reasons why governments and agencies would feel the need to renegotiate agreements, see State and Local Public Agencies Grapple with Social Media Liability Concerns.)
Because the technology is new, it’s not yet clear to what extent traditional records retention and disposition practices apply to social media content. Some basic guidelines for managing retention are beginning to emerge.
- Determine whether content is substantial enough to constitute a record, especially if the site relates to a finite project or has not been maintained.
- Treat a site that functions as a form of content management (as in a blog that unites related information from diverse sources) as one discrete record, because extricating information based on the creator will destroy the integrity of the record.
- Examine the content of the record and determine whether it would be covered by an existing retention schedule. For example, a wiki may be part of a project file, and other content in social media may be equivalent to a government publication or a press release.
- Contact the State Archives to propose a new retention schedule or schedule items as needed. Since information on blogs, Twitter, and RSS feeds is often ephemeral, existing retention periods may be too long, especially if they involve executive office records, which usually have permanent retention periods.
- Manage emails and other communications sent or received via social media sites according to existing policies (if any) on email management. You may possibly equate email with correspondence for scheduling purposes.
- Create content that will not pose a risk if it is available on the Web indefinitely, because destroying it according to a records schedule may be a challenge. Some social media services may not delete profile or other information when an account is terminated, and information may be captured and used in ways not originally intended.
Preserving social media records
By law, you must ensure that records are accessible and are retained for the duration of their retention periods. This means you will usually need to manage most records—except for records with very short retention periods—in your own technical environment.
Consider how frequently you will need to capture information. This will depend on how frequently the content changes, the quantity of the content, the stability of the networking site, and the functionality of the tools available for extracting the information from the site.
The retention of some social media content may prove relatively easy. Retain and manage copies of the files you upload to YouTube and Flickr, which serve only as delivery points for moving images and photographs. Similarly, manage private wikis internally, as you would your other electronic records.
Content on some hosted sites is fairly easy to preserve. There are a few tools created by users which allow customers to extract data from social networking sites. Many blog services in particular have built-in tools for extracting data in Extensible Markup Language (XML), an open format increasingly used to preserve electronic records. These tools can be used to move blogs from one service to another and to make local backups. However, it may require some effort to access these XML export files in any environment other than where you created them.
The preservation of Facebook pages is problematic. There are “archiving tools” that capture text and other content posted on Facebook, but there are few resources that capture the cohesiveness and overall style of a Facebook page. The New York State Archives has been experimenting with a web harvester to capture its Facebook page, with limited success. Few state agencies and local governments may have the resources to purchase a web harvesting application, systematically harvest their own social media pages, and work out the more problematic technical issues.
To be continued…
There is a growing body of literature relating to the use of social media in government.
- For a particularly valuable resource on the effective implementation of social media, best models, and sample policies for government agencies at all levels, see the site Web Content.gov.
- The Center for Technology in Government has recently published Designing Social Media Policy for Government: Eight Essential Elements.
- The New York State Chief Information Officer/Office for Technology has published Empire 2.0: Suggested Practices for Social Networking.
Archivists and records managers around the world are starting to address the records management implications of these technologies. However, much more practical experience and research is needed. The comments made above reflect our initial thoughts regarding the management of these types of records, and we will continue to expand and enlarge these guidelines as the technology—and our own understanding of it—continues to evolve.