The National Archives of Australia has sought legal advice on the “pressing issue” of public servants using encrypted messaging platforms to conduct official business, according to agency director-general David Fricker.
Speaking at a public accounts and audit committee hearing on Wednesday, deputy chair Julian Hill asked Fricker what the NAA’s rules and expectations are in regard to the recording of encrypted messages sent on platforms such as WhatsApp, Signal and Telegram.
Fricker noted that public servants are required to keep records of any official business under the Archives Act, but there is a “grey area” when it comes to encrypted messages.
He said the increasing use of third-party, non-government, and non-Australian platforms for official business was a “pressing issue”, and encryption presents an “enormous challenge”.
“The Archives Act defines a commonwealth record as being a record that is the property of the Commonwealth. WhatsApp is not the property of the commonwealth; Facebook is not the property of the commonwealth,” he said.
“I’m a gadget freak. I think we should be embracing technology. It offers all sorts of benefits, but the record-keeping needs to be addressed.”
Legislation should be updated with “a more 21st-century definition of a commonwealth record”, by including platforms such as WhatsApp, the director-general said. NAA has sought legal advice on the matter, and has entered an “active discussion” regarding amendments to the Archives Act.
During the hearing, Australian National Audit Office deputy auditor-general Rona Mellor noted that the office’s powers are not necessarily constrained by the definition of a record under the Archives Act, but it has not attempted to access messages on platforms such as WhatsApp before.
“We can, using our section 32 powers, seek information from any person. If we chose to seek information on, for example, messages, we could do that through that process,” she said.
“The difficulty is: would we be able to get things that are not stored on servers through these companies? We haven’t at this point sought that sort of information.
“We’re more likely to interview a person … But we think it is important for the commonwealth to resolve whether those kinds of applications meet the requirements of record-keeping.”
Hill posed the question of how a public servant is supposed to know when they should be using encrypted messaging platforms, and how to keep a record of those conversations.
“I know that, as a public servant, you don’t always get the choice — unless you want to be very assertive and annoying people — about how you get interacted with,” he said.
“Ministers’ offices like using WhatsApp … How on earth is that individual public servant supposed to know the requirements if on one hand the Archives Act says this isn’t commonwealth property, so arguably you don’t have to keep it, but on the other hand there is a vague positive expectation from the audit office saying it would like access to everything?”
NAA has published guidance on the issue, Fricker said, and has reminded public servants of their obligation to maintain records, as well as accountability and transparency.
“Our advice is that, if you are using these other platforms and you are conducting important business on those and creating records, you need to keep those records in your information governance regime,” he said.
They could do this by screenshotting messages and emailing them to themselves, Hill noted.
Asked whether there is a policy on ‘disappearing messages’, which is a feature on Signal, Fricker said it is a public servant’s responsibility to maintain an adequate record of those messages.
The director-general confirmed that public servants should not use these platforms if they don’t intend to keep records of any business, but said he was unsure of whether public servants were taking note of that.
“The question remains: how well is that message being received and what penetration are we achieving in getting that message across?” he said.
“We don’t require every single WhatsApp or Telegram message, but we do require the important stuff. Public servants know when something is leading to a decision — this is a keeper.”
Fricker said he would be “very surprised” if his agency has ever received, under its record-keeping role, any copies of business from those messaging platforms. Audit office officials noted that they also couldn’t recall seeing any records of encrypted messages during their work.
When asked whether it was reasonable to assume that government business is being conducted on these apps, Fricker said “it’s an absolute certainty”.
“I think it’s well-known that government officials are communicating with WhatsApp and other platforms similar to that,” he said.