While messaging apps offer immediacy and convenience, the use of these tools creates significant challenges for government record-keeping, writes Elizabeth Carroll.
Messaging apps such as WhatsApp, Signal, Facebook Messenger and Telegram are central to how many people today communicate. With recent international events highlighting the potential security pitfalls of the platforms, the Office of the Australian Information Commissioner has raised concerns about the risks these tools pose to proper record-keeping practices, particularly those with disappearing messages. The OAIC’s latest guidance on managing records in the age of messaging apps provides useful lessons and practical solutions to address these concerns.
On 19 March 2025, the Australian Information Commissioner published the report Messaging apps: a report on Australian Government agency practices and policies, which examined the prevalence and use of messaging apps by Australian Government agencies. The report aims to raise awareness of information governance obligations, contextualise requirements around technology use, and provide effective regulatory guidance.
In late 2024, the OAIC surveyed 25 agencies to better understand their information governance practices relating to messaging apps. The survey included a questionnaire and a request for policies and procedures regarding their use of these apps.
The report reviewed the practices of 22 Australian Government agencies that responded to the survey and focused on messaging apps such as Signal, WhatsApp, Telegram and Facebook Messenger, where a common function is the ability to send messages that disappear after a period. The report did not consider Microsoft Teams or Webex because these are generally agency-hosted and messages do not automatically disappear. SMS was also excluded as it is widely used, does not typically offer encryption, and messages do not disappear over time.
A key issue was the impermanence of these apps due to their ability to automatically delete messages, which conflicts with public sector requirements for record-keeping. Australian Government agencies are required to retain records of decision-making processes, correspondence, and actions in accordance with the Archives Act 1983 and other relevant legislation. If conversations disappear, this creates a compliance risk as information may be lost contrary to legal requirements, creating issues for accountability mechanisms such as responding to freedom of information requests.
Under the Freedom of Information Act 1982, the term ‘document’ covers information in any recorded form. This means that text and instant messages, whether sent from personal or work devices, can be subject to FOI requests if they are used in the conduct of government business.
Recommendations for government agencies
Recent events in the US, including a national security discussion on Signal that mistakenly involved a journalist, have highlighted the risks of using messaging apps in government. The OAIC’s report, released around the same time, could not have been more timely.
Calls to strengthen Australian Government record-keeping have been a consistent theme in the findings of royal commissions, audit reports and public inquiries. The OAIC has taken an educative approach to this issue by raising awareness of the risks and helping agencies take steps to strengthen their policies. The report also offers practical examples, including one agency that developed comprehensive policies and user-friendly task cards to support staff in using messaging apps appropriately.
The commissioner, with input from the director general of the National Archives of Australia, recommends that agencies review existing policies or develop new ones that clearly set out whether messaging apps are permitted for work purposes. Where their use is allowed, policies and procedures should address information management, FOI, privacy and security considerations. These should include how to extract information from messaging apps, whether official accounts and agency-issued phones are required, when to disable disappearing messages functionality, and whether staff are allowed to use messaging apps when handling personal information about members of the public.
Agencies should also examine the features of messaging apps needed to support official work, consider implications for communications with other agencies, and conduct due diligence to ensure any preferred app handles personal information appropriately, for example through a privacy threshold assessment.
Today, digital communication tools are commonplace in both personal and professional spheres. The OAIC report is a timely reminder of the breadth of documents that can fall within the scope of FOI requests and highlights the need for agencies to have up-to-date policies to support record-keeping obligations.
Implementing the OAIC’s recommendations will help agencies better meet their record-keeping, FOI and privacy obligations when using messaging apps. The recommendations also offer broader guidance for managing digital communications effectively and lawfully.
Elizabeth Carroll, ACT managing partner, Holding Redlich