Last September 27th, the Newfoundland and Labrador OIPC held that a municipality breached the Newfoundland Access to Information and Protection of Privacy Act because an employee, in the course of her duties, identified the Facebook accounts of two members of the public and messaged them through her own Facebook account.
The OIPC held that this use of Facebook led the municipality to engage in an improper use of personal information and breach its safeguarding duty. One problem, according to the OIPC, was the use of a means of communication not governed at all by the municipality:
Facebook is a social media website that is accessible from any computer or device which is capable of accessing the internet. In this sense, the use of Facebook by the Town employee may be akin to the removal of personal information from the Town office. This is further exacerbated by the use of the employee’s own personal account to engage in this communication. From this perspective, the information must be protected in the same manner as used by other public bodies which allow for the removal of personal information from their facilities.
The OIPC made clear, however, that communicating personal information through a Facebook account in a public body’s name is also inappropriate. It said:
For the various security and identification issues outlined above, there is no way to ensure that personal information is properly protected on these websites. If an individual requests that communications with a public body be carried out in this manner, the public body must first satisfy itself that the identity of the Facebook account holder is confirmed, and furthermore that express consent be obtained from the individual acknowledging that the privacy of the communication cannot be guaranteed.
The OIPC gives little reasoning about why communicating through a Facebook account in a public body’s name is less secure than communicating through other kinds of corporate email services, but the concept of channelling communications that include personal information through a consumer service like Facebook (which is neither designed as an email service nor targeted at business) raises obvious concerns.