I happened to read the Community Care piece on social workers and social media this week. I think it is a good piece, it is here
But I mentioned on Twitter that this paragraph troubled me
3. But debates continue about the impact of social media on the confidentiality of service users, and how information shared publicly on social media should be used by social workers, says Birchall. “If a social worker visited a home and saw a dangerous person who should not be present in the family home, they would be wrong not to act on this, but if they looked at a service user’s profile on social media and found out the same information there’s a sense that this breaches the service user’s confidentiality, even though the information is public. There are strong feelings on both sides of the argument. It’s a new world and we’re just getting to grips [with it].”
I mentioned that this is in contravention of the published guidance about members of the State looking at the social media of members of the public (even where the social media is on public settings and open to anyone to view)
Not in any sense a criticism of the author, or Community Care – the guidance has obviously gone under the radar, but it is important
It seems that many people didn’t know about this guidance from the Office of Surveillance Commissioners
Extract from OSC Procedures & Guidance document
Covert surveillance of Social Networking Sites (SNS)
288. The fact that digital investigation is routine or easy to conduct does not reduce the need for authorisation. Care must be taken to understand how the SNS being used works. Authorising Officers must not be tempted to assume that one service provider is the same as another or that the services provided by a single provider are the same.
288.1 Whilst it is the responsibility of an individual to set privacy settings to protect unsolicited access to private information, and even though data may be deemed published and no longer under the control of the author, it is unwise to regard it as ―open source, or publicly available; the author has a reasonable expectation of privacy if access controls are applied. In some cases data may be deemed private communication still in transmission (instant messages for example). Where privacy settings are available but not applied the data may be considered open source and an authorisation is not usually required. Repeat viewing of ―open source sites may constitute directed surveillance on a case by case basis and this should be borne in mind.
288.2 Providing there is no warrant authorising interception in accordance with section 48(4) of the 2000 Act, if it is necessary and proportionate for a public authority to breach covertly access controls, the minimum requirement is an authorisation for directed surveillance. An authorisation for the use and conduct of a CHIS is necessary if a relationship is established or maintained by a member of a public authority or by a person acting on its behalf (i.e. the activity is more than mere reading of the site‘s content).
288.3 It is not unlawful for a member of a public authority to set up a false identity but it is inadvisable for a member of a public authority to do so for a covert purpose without an authorisation for directed surveillance when private information is likely to be obtained. The SRO should be satisfied that there is a process in place to ensure compliance with the legislation. Using photographs of other persons without their permission to support the false identity infringes other laws.
288.4 A member of a public authority should not adopt the identity of a person known, or likely to be known, to the subject of interest or users of the site without authorisation, and without the consent of the person whose identity is used, and without considering the protection of that person. The consent must be explicit (i.e. the person from whom consent is sought must agree (preferably in writing) what is and is not to be done).
So this is guidance to members of the State (such as social workers) as to when they can view social media without consent of the author or going to obtain Regulation of Investigatory Power Act (RIPA) authorisation in the form of a warrant from a Magistrate. (which they are highly unlikely to get)
If a parent has privacy settings, then the ONLY way to view it is with the person’s explicit consent OR a warrant under RIPA from a Magistrate. Anything else is an offence.
The guidance is VERY plain that using dummy or fake accounts to gain access to another person’s social media presence is ‘inadvisable’
The tricky bit is here
Where privacy settings are available but not applied the data may be considered open source and an authorisation is not usually required. Repeat viewing of ―open source sites may constitute directed surveillance on a case by case basis and this should be borne in mind.
(It’s not clear about where privacy settings are NOT available, but as Facebook, Twitter, Instagram and all dating websites have privacy settings, I don’t think this is going to come up very often. Maybe if the parent is posting a lot on Reddit…. )
What this says is that even where a person has no privacy settings on their social media and it is ‘open source’ – i.e available to anyone to go and look at, “REPEAT viewing of open source sites MAY constitute directed surveillance on a case by case basis” (and if it does, RIPA authorisation would be needed)
Amendments to the Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) Order 2010 (“the 2010 Order”) mean that a local authority can now only grant an authorisation under RIPA for the use of directed surveillance where the local authority is investigating particular types of criminal offences. These are criminal offences which attract a maximum custodial sentence of 6 months or more or relate to the underage sale of alcohol or tobacco.
And therefore, if in an individual case, the REPEAT viewing of open source social media by someone working for a local authority DOES count as directed surveillance, it will be unlawful. Because a Local Authority can only do this with authorisation, and the authorisation can only be given for investigating particular types of criminal offences (and the “we were doing it to prevent child abuse/drug misuse won’t cut it. Sale of cigarettes to children in a shop is the sort of thing that is okay for getting a warrant for directed surveillance – that sort of hidden camera thing)
And conducting unauthorised direct surveillance is an offence under RIPA. So serious stuff.
What’s REPEAT viewing?
Well, the guidance doesn’t say REPEATED (which implies multiple occasions) and my best guess is that REPEAT means what it says on the tin, more than once.
Any social worker that accesses a parents social media presence (even if they are available to the public) more than once, is at risk of committing the criminal offence under RIPA and having their actions potentially actionable in damages. Local Authorities are obliged to follow the guidance, they can’t just choose to ignore it.
During the Twitter discussion, some people felt that if a parent chooses to publish the material for the public (and doesn’t make use of the privacy settings) then they have effectively waived their privacy. They have, in so far as members of the public are concerned. Any member of the public can go and look at their social media presence.
But an agent of the State can’t do make REPEAT viewings of it, even if the accounts are open to the public. (and no, you can’t just take off your social work hat and put on your member of the public hat)
I look at it this way. The street outside your front door is open to the public – just like your social media account on no privacy settings. Anyone can stand in that street. If they stand there, they can see your front door, and if you don’t close your curtains, can see into your house. But if it is a member of the State doing that, they either need your permission or an authorisation to conduct surveillance without your permission.
It’s the same here – just because you’ve left your curtains open doesn’t mean that the social worker can stand outside your house in a public road and look through your window whenever they want.
As we can see from the case below, failure to obtain the evidence legally doesn’t make it inadmissible, and the family Court won’t be the place to punish any offence under RIPA (that will be a criminal court, boys and girls, so think on)
But I would imagine that representations would be made that if a social worker has made repeat viewings of social media, and not taken this guidance into account, that their assessment is tainted by this and their evidence should be viewed with caution. Whether or not Judges accept those representations is a different question.
Until there’s more clarity on this, given that it is a criminal offence, the advice must be ONCE without consent is as far as it is safe to go. I would also counsel against anyone immediately thinking “well, as long as I only do it once, there are seven workers in my team, so we can get seven bites at it” . If there’s even a tiny risk that what you are doing may be a criminal offence, don’t mess around with taking that risk.
If you get explicit consent from the parent “I’d like to look at your Facebook profile” “Yes, I agree to that”, then you are good. Otherwise, once is the only safe number.
There’s a tricky grey area where a parent has posted something they shouldn’t have done on social media and have been asked to take it down or something defamatory – how can that now be checked? I think the parent would have to consent. (or directed by the Court to produce evidence to show that the offending remarks have been removed)