VA Announces Social Media Policy Adoption; Workers Must Ensure Data Privacy, Security

Bloomberg BNA's Health IT Law & Industry Report brings you concise, comprehensive, and timely news and analysis of the regulatory, legal, and compliance issues surrounding our nation’s...

Department of Veterans Affairs employees must take steps to ensure the privacy and security of personal information that may appear in social media used by the department, according to a new VA social media policy made public Aug. 16.

Under the new policy, which is dated June 28, all department social media must:

• post a privacy policy on the introductory page;

• not be used to monitor an individual's exercise of his or her First Amendment rights;

• “be restricted to those VA personnel who have a need to know for the performance of their professional duties”;

• ensure the confidentiality, integrity, and availability of posted information, including “secure data storage as well as proper and timely data disposal”;

• not post data protected by the Health Insurance Portability and Accountability Act or the Privacy Act; and

• consider whether a Privacy Act system of records notice is required if social media captures personal information.

VA employees using social media to interact with the public must “draw a clear distinction between their personal views and their professional duties” and not infer that they are communicating the department's official position unless they are authorized to do so.

Under the policy, workers overseeing department social media must delete posted comments that are spam, advocate illegal activity, are clearly off-topic, infringe copyrighted or trademarked material, would result in the unauthorized release of VA sensitive data, violate the department's privacy policies, or promote particular products, services, or political organizations.

“Veterans should have consistent and convenient access to reliable VA information real time using social media—whether on a smartphone or a computer,” Secretary of Veterans Affairs Eric K. Shinseki said in a statement releasing the policy. According to the statement, the VA has “over 100 Facebook pages, more than 50 Twitter feeds, two blogs, a YouTube channel, and a Flickr page.”

The department projected that by the end of 2011 it will have a Facebook page and Twitter feed for each of its 152 VA Medical Centers.

A recent Government Accountability Office audit report concluded that while federal agencies have embraced social media as a communications tool, most did not have complete data security or privacy protection programs and policies in place for social media (see previous article).

The July 28 GAO report concluded that the VA did not adequately “document processes and policies and record-keeping roles and responsibilities for how social media records are identified and managed,” “update privacy policy to discuss use of [personally identifiable information] PII made available through social media,” or “conduct privacy impact assessment for social media use.”

By Donald G. Aplin

Full text of the “Use of Web-based Collaboration Technologies (VA Directive 6515)” transmittal sheet is available at http://op.bna.com/pl.nsf/r?Open=dapn-8ksk6x .