Interview: Ian Forsyth on social networking and privacy
For the fantastic course ARST 575B last spring, we took a field trip up to the SFU Archives and Records Management Department. The archivists there gave us an in-depth look into the impact of privacy and freedom of information legislation in a university records and archives environment. Among the most interesting examples they gave was this Social Networking Key Messages document created to guide students and staff in using social networking sites for university purposes. Ian Forsyth, University Archivist and Coordinator of Information and Privacy, explained that the use of sites like Facebook in classes or for other university business raised some concerns around the protection of student and staff personal information. The Archives and RM Department does a lot of outreach on campus, including acting as a resource for privacy and FOI concerns.
In the context of LIBR 559M, this document should raise questions for other institutions, including libraries, which choose to use social networking tools. I sent Ian a few questions about the process of developing these key messages. In addition to being University Archivist and Coordinator of Information and Privacy for SFU, he is currently chair of the Canadian Council of Archives. His answers are below.
1. What (or who) instigated the development of these key messages?
Facebook first became an issue at SFU in August 2007 when a professor asked our advice about using Facebook for a course. He wanted students to download their course enrollment information from the University’s Student Information System to share it via Facebook. We subsequently received a number of other requests for advice from various units in Student Services about using Facebook as an outreach tool for their programs (e.g., posting photographs of student volunteers and student events). As a result, a Facebook ad hoc working group was formed in late Fall 2007 and we developed the key messages/guideline document, which have been in effect since April 2008.
2. Who was involved in the process? What was the role of the Archives and RM Department?
The working group membership included our office, VP Legal Affairs, IT Services, Library, Learning and Instructional Development Centre, Work Integrated Learning Centre, Student Services, HR and Human Rights. The Archives’ role was to provide expert opinion and advice on how the provisions of the B.C. FIPPA applied in the circumstances of university employees and departments wishing to use Facebook as part of their program activities.
3. What has the response been from students, faculty, or other departments on campus?
There has been little response. Although we’ve had requests for advice from University faculty and staff about using Facebook we have never received a student or employee privacy complaint about it.
4. Do you have recommendations for other organizations setting up guidelines for the use of social media tools? Anything in particular for universities or for institutions in Canada?
When we started to receive requests for advice on Facebook we first researched it to confirm if it raised any real privacy protection issues, understand the issues raised by it in order to draw correct conclusions, and decide what course of action was needed. We studied the service by reading all of Facebook’s policies, privacy statements, terms and conditions (tedious but necessary work to be fully informed and be able to offer reasoned arguments and justification for our opinion and advice). As a result, we recognized that there were privacy protection issues with Facebook. We then decided to be proactive rather than reactive in order to get out ahead of the issue and develop the key messages/guideline. When it was generally understood that all Facebook data is stored on computer servers located outside Canada and that such storage is illegal without consent under the B.C. FIPPA, people generally accepted why the key messages document emphasizes that when University departments use Facebook it must be completely voluntary.
It was important to use an inclusive, consultative process when developing the key messages/guideline in order to foster a common understanding of the issues and buy-in by the key stakeholders primarily affected/involved in this process.
The specific policy position an organization takes depends on the jurisdiction in which it is located. As we know, privacy law provisions can differ in substantive ways from one jurisdiction to the next. This needs to be considered carefully. Also, in that context, an organization should also establish at the outset that it has jurisdiction to deal with the matter that is at issue.