Social media platforms

Government institution

Canada Economic Development for Quebec Regions (CED)

Government official responsible for the Privacy Impact Assessment

Gabrielle Joly
Coordinator, Access to Information and Parliamentary Affairs

Head of the government institution / Delegate for section 10 of the Privacy Act

Gabrielle Joly
Coordinator, Access to Information and Parliamentary Affairs

Name of program or activity of the government institution

Social media platforms

Description of program or activity

This Privacy Impact Assessment (PIA) measures the common uses of official social media accounts at CED.

The assessed uses are related to activities that involve official social media accounts widely used by CED in administering its communications program.

The common uses of official social media accounts were categorized under four types of communications program support activities, namely:

Description of the class of records and personal information banks associated with the program or activity

CED is authorized to collect personal information from official social media accounts for its communications program, under section 10 of the Privacy Act.

CED has implemented control measures and an internal procedure governing the collection and use of personal information from its social media accounts. A specific file was created in the information management system (GCDocs) to archive the information collected under section 10 of the Privacy Act. The file provides limited access to employees in the Communications team.
These employees collect the personal information directly from the individuals concerned, according to the terms of use of the official social media accounts.

CED limits the collection of personal information from its social media accounts to that which is obviously necessary—rather than helpful—to the management of its communications on social media.

The information collected as part of these activities is filed in the following personal information banks:

PSU 914 - Public Communications
PSU 938 - Outreach Activities

Risk area identification and categorization

This section focuses on social media management program characteristics that could have an impact on an individual’s privacy. However, its purpose is not to determine the exact nature of these risks, but rather the overall risk level of the initiative. The potential risks are designated and classified to ensure that the PIA is conducted in a manner proportionate to the overall risk level.

Type of program
The personal information collected from official social media accounts is used for the administration of CED’s communications program. In some cases, the management of social media accounts will require CED to make an administrative decision that directly affects an individual (e.g. modify, delete or block content that violates the guidelines for making comments, which are set out in the social media notice). In these cases, the administrative use of personal information, as provided by the user, is in line with the main goal of the collection, namely the administration of the communications program.
Level of risk: Low

Type of personal information and context
Social media account management could include the collection, use, disclosure and retention of personal information that is generally not considered sensitive. CED collects and uses the personal information from those accounts as part of the administration of its communications program and it is collected directly from the individuals.
Since the personal information is not used for any secondary purposes and the functionality, terms of use and protection policies of the selected platforms have been reviewed by the federal government, the initiative should pose a relatively low risk for the individuals.
Level of risk: Low 

Program partners
CED manages the official social media accounts using third-party private-sector platforms. The risk of any conflict with the Privacy Act during the handling and protection of personal information is high.
Level of risk: High

Duration of the program                                                                                       
The use of official social media accounts by CED will be continuous and without an anticipated end date. The extended use poses a high privacy risk for individuals.
The longer the initiative is in place, the greater the risk that changes over which federal institutions have no control will be made to the functionality of the platform or that CED’s use of the platforms will change, resulting in the collection of a greater quantity of personal information (individual or aggregate data).
Level of risk: High

Technology and privacy
The social media platforms assessed in this PIA allow for the creation, analysis, sorting, identification and retrieval of personal information. The personal information posted by individuals in CED’s official accounts is beyond CED’s control given that the social media platforms are subject to third-party terms of use and privacy policies. The use of social media therefore poses a medium privacy risk for individuals.
Level of risk: Medium

Personal information transmission
Platform suppliers can collect personal information from individuals (e.g. name, user name, gender, date and place of birth and other information on the profile) while the account is being created, which is beyond the control of federal institutions. To make users aware of this fact, CED’s official social media accounts include a link to a privacy notice, inviting users to read the terms of service and the privacy policies of third-party platform suppliers.
Given the high probability that the information posted by an individual in an official social media account could be transmitted outside the control of the institution, the privacy risks for individuals is deemed quite high.
Level of risk: High

Impact on individuals in case of data breach
Personal information collected from CED’s official social media accounts comes exclusively from publicly accessible third-party platforms. Since the personal information collected will be limited to information that is needed to administer the program and is provided directly and wittingly by the individuals, the privacy impact of a data breach by a federal institution is considered to be low.
Level of risk: Low

Impact on the institution in case of data breach
The personal information targeted by the initiative will be collected from publicly accessible platforms. The voluntary sharing of personal information by individuals on these platforms considerably reduces the right to privacy protection with respect to that information.
Level of risk: Low 

Categorization of risks using a common risk scale

The following table summarizes the results of the standardized risk assessment presented above.
Designated risk categories Total risk score
Number of low risk areas (level 1 or 2) 5
Number of medium risk areas (level 2 or 3) 1
Number of high risk areas (level 3 or 4) 3
Number of unexplained or other potential privacy risks o
Overall risk level for the initiative Moderate to low



According to the above summary and in line with the Threat and Risk Assessment and the legal review of the terms of use and privacy policies of the selected social media platforms, current use of CED’s official social media platforms should pose a moderate to low privacy risk for individuals. This PIA led to the following recommendations:

Notification to users

CED will post the following notice on the Terms of use of CED's social media accounts Web page. The notice will include guidelines on making comments and outline the consequences of non-compliance with these guidelines.

“Personal information that you provide the Government of Canada via social media accounts is collected under section 10 of the Privacy Act.

This information is collected to capture conversations (e.g. questions and answers, comments, ‘likes’ and retweets) between you and CED. It may be used to respond to enquiries or for statistical evaluation and reporting purposes. Comments posted that violate Canadian law will be deleted and disclosed to law enforcement authorities. Comments that violate our rules of engagement will also be deleted. The personal information is included in Personal Information Bank PSU 914 and PSU 938.”

Retention and disposal of personal information
CED will periodically review and monitor personal information elements from official social media accounts and, if necessary, conduct a further analysis to comply with the Privacy Act and related policy instruments.

Disclosure and limited use of personal information
Use of personal information from official social media accounts will be limited to the original authorized purpose for which it was obtained (i.e. to support the administration of CED communications). In some cases, personal information collected from official social media accounts will be disclosed and used for a purpose that is consistent with the original authorized purpose set out in this PIA or in subsection 8(2) of the Privacy Act.

Individual access and challenging compliance
CED will identify the presence of personal information collected through official social media accounts in Personal Information Bank PSU 914 (Public Communications) and PSU 938 (Outreach Activities) and will publish an annual report in Info Source on all personal information holdings, in compliance with the Policy on Privacy Protection.

Security and safeguards
CED limits access to the personal information collected through official social media accounts to authorized individuals who need the information to perform their official duties.
In compliance with the recommendations indicated in the Threat and Risk Assessment regarding the selected social media platforms, CED will conduct further security assessments, as needed, to ensure compliance with the security and protection requirements set out in the Policy on Privacy Protection, the Directive on Privacy Practices and the Policy on Government Security and related directives and standards.
Learn more about CED