
Messaging apps and information management: Lessons for government agencies

07 April 2025


#Government, #Data & Privacy, #Technology, Media & Communications

Published by:

Natasha Gibbons


In today’s digital world, messaging apps such as WhatsApp, Signal, Facebook Messenger and Telegram have become integral to communication, offering instant, real-time exchanges and convenience. However, these tools present significant challenges for record-keeping, particularly in government.

The Office of the Australian Information Commissioner (OAIC) has raised concerns about the risks these platforms pose to proper record-keeping practices, particularly those with disappearing messages. Recent international events have further highlighted the potential security pitfalls of messaging apps. The OAIC’s recommendations on managing records in the age of messaging apps provide useful lessons and practical solutions to address these concerns.

OAIC report on the use of messaging apps in government

On 19 March 2025, the Australian Information Commissioner published the report 'Messaging apps: a report on Australian Government agency practices and policies' (Report), which examined the prevalence and use of messaging apps by Australian Government agencies. The Report aims to apply the knowledge gained to:

  • raise awareness of information governance obligations
  • contextualise requirements around technology use
  • provide effective regulatory guidance.

In late 2024, the OAIC surveyed 25 agencies to better understand their information governance practices relating to messaging apps. The survey included a questionnaire and a request for policies and procedures regarding their use of these apps.

Key concerns

The Report reviewed the policies and practices of 22 Australian Government agencies which responded to the survey. It focused on messaging apps such as Signal, WhatsApp, Telegram and Facebook Messenger, where a common function is the ability to send messages that disappear after a period. The Report did not consider Microsoft Teams or Webex because these are generally agency-hosted and messages do not automatically disappear. The Report also excluded SMS as it is widely used, does not typically offer encryption and messages do not disappear over time.

A key issue with the messaging apps covered in the Report was their impermanence, due to their ability to automatically delete messages after a certain period. This conflicts with public sector requirements for record-keeping. Australian Government agencies are required to retain records of their decision-making processes, correspondence, and actions in accordance with the Archives Act 1983 and other relevant legislation. If conversations disappear after a set time, this creates a compliance risk as information may be lost contrary to legal requirements, creating issues for accountability mechanisms such as responding to freedom of information (FOI) requests.

Findings

The 22 responding agencies comprised a diverse pool. 4 were large, operational agencies with more than 10,000 staff, while 5 were small, specialist agencies with 250 or fewer staff. Of the 22 agencies:

  • 16 agencies (73%) permitted messaging apps for work purposes, 3 had no position, and 3 prohibited their use
  • no correlation was observed between the size of the agency and whether messaging apps were permitted for work purposes. However, of the agencies which responded, all the policy agencies allowed messaging apps for work purposes
  • 16 of the 19 agencies that did not prohibit the use of messaging apps for work purposes indicated that it was at least somewhat likely that messaging apps are used by staff
  • 13 of the 19 agencies that did not prohibit the use of messaging apps for work purposes were confident messaging apps were not used to convey personal information about members of the public; however, the other 6 were unsure
  • of the 16 agencies which permitted messaging apps for work purposes, 8 provided the policies and procedures as requested. Of these 8 policies and procedures:
    • 3 did not address essential security classification requirements, an important concern given recent events internationally
    • 6 did not address essential archive requirements, raising questions about the preservation of official records
    • 5 did not address FOI search requirements adequately, potentially creating issues in the event of an FOI request
    • 5 did not require the use of official accounts or devices when using messaging apps for work purposes, complicating efforts to maintain secure and accountable communication channels.

Recommendations for government agencies

The Commissioner, with input from the Director General of the National Archives of Australia, recommends that:

  • agencies should review existing policies or develop a new policy to clearly set out whether or not they permit the use of messaging apps for work purposes
  • if the use of messaging apps is permitted, agencies should adequately address information management, FOI, privacy and security considerations through policies and procedures
  • the policies and procedures should:
    • adequately address FOI requirements and record-keeping obligations under the Archives Act
    • explain how to extract information from messaging apps
    • address if accounts created for official purposes with phone numbers linked to agency-issued phones are required to communicate official information
    • adequately address privacy requirements
    • address the security classification of information that can be discussed on messaging apps
    • explain when it is a requirement to turn off the disappearing messaging functionality and how to turn it off
    • confirm if staff are permitted to use messaging apps regarding personal information of members of the public.
  • agencies should examine the features of messaging apps needed to support official work, consider the implications for communications with other agencies, and develop policies and procedures for individual apps
  • agencies should conduct due diligence to ensure any preferred messaging app collects and handles personal information appropriately, for example, through a privacy threshold assessment.

Key takeaways

In an era where digital communication tools are integral to daily communications and messaging apps are becoming commonplace in both personal and professional spheres, the Report is a timely reminder of the breadth of documents which can fall within the scope of FOI requests and the need for Australian Government agencies to have up-to-date policies to support record-keeping requirements.

Implementing the OAIC’s recommendations will help agencies better meet their record-keeping, FOI and privacy obligations when using messaging apps. They also provide broader guidance for entities in their consideration of appropriate information management when using messaging apps.

If you have any questions about the Report or would like more information about how you can strengthen your agency’s privacy policies and procedures, please get in touch with our team below.

Disclaimer
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.
