OF BUSINESS, INNOVATION 13 March 2019 Ref: DOIA 18194013 Thank you for your email of 9 January 2019 to the Ministry at Business, innovation and Employment requesting, under the Official Information Act 1931 (the Act), theiollowing information: copies of all training material provided by zx Security for the "advanced social media training course" delivered above. The contract explicitly refers to so those and any course notes would be a good place to start, Vourrequest is refused under section 6(c) olthe Act, as the making available olthe inlormation would be likely to prejudice the maintenance of the law, including the prevention, investigation, and detection of olrenoes, and the right to a tairtrial. The information requested is also withheld undersection olthe Act, as the withholding or the inlormation is necessary to protect inlonnation where the making available of the informatlon would be likely unreasona bly to prejudice the commercial position of the person who supplied or who is the subject ofthe information. i do not consider that the withholding or this information isoutweighed by public interest considerations in making the information available. However, please find attached a copy of the document procedures [or MBIE staff using social media for verification and in vcstigation purposes to support regulatory, compliance and en/orcemcnt work which applies to all MEIE employees. Please notethese procedures are currently being reviewed. Some information in this document has been withheld under the following sections of the Act: - section as the the making available ofthat information would he likely to prejudice the maintenance orthe law, including the prevention, investigation, and detection of offences, and the right to a fiir trial; and section to maintain the effective conduct of public affairs through the protection of such Ministers, members of organisations, officers, and employees from improper pressure or harassment I do not consider that the withholding of this information is outweighed by pubiic interest considerations in making the information available MBIE has pmcedures and guidelines in place in relation to the use olsociai media lor both verification and investigation purposes. These procedures help ensure the use of social media for verification and investigation purposes is being carried out in a safe and appropriate manner. They are supported oy staff training provided by zx security as well as by internal processes. MBIE is a regulator and therefore has the responsi lity to ensure that regulations are complied with and enforced, and we need to be assured of the information we reoeive and on which decisions are taken. As per the MasterAgreement for advanced social media search training with zx security, a number ol optional modules have tseen oriered to MBIE, including topics such as methods for automated harvesting image metadata analysis and creating a dossier. To date, no MBIE staff have participated in these optional modules. As a result of the State Services Commission?s external security consultants? inquiry ?ndings, MBIE is reviewing its current arrangements and taking a number of additional steps to ensure we are responding fully to the inquiry?s recommendations. This includes appointing a senior leader to check we have the systems and processes in place to adhere to the new model standards for information gathering. ZX has not run the advanced social media training for MBIE staff since June 2018. You have the right to seek an investigation and review by the Ombudsman of this decision. Information about how to make a complaint is available at or freephone 0800 802 602. Yours sincerely AMH General Manager Enterprise, Risk and Assurance cg g? MINISTRY OF BUSINESS, EMPLOYMENT t. HIKINA WHAKATUTUKI Procedure: Using social media for veri?cation and investigation purposes to support regulatory, compliance and enforcement work Contents Contents 2 Overview . .. . . .. 3 Assess risk of using social media and determine access method 5 Con?rm access option for using social media . .. . 7 Complete training for using social media 10 Obtain approval for using social media . . . . 10 Set up systems for using social . 12 Monitoring the use of social .. . 12 The Privacy Act and the use of social media 13 Official information Act requests for details about social media . . .. . Procedure: Using social media for verification and investigation purposes Date of Issue: 28 April 2017 Next Review (31/05/18 Protective Secauiry Requirements Governance committee. Procedure Own?: Manager prowmve Security Procedure Author; Lance Goodall Corpo'ate Governance ard In?ormation Page 2 of 20 Procedure: Using social media for veri?cation and investigation purposes to support regulatory, compliance and enforcement work Overview 1. Purpose The purpose of this document is to help manage the risks for MBIE staff who gather information through social media for regulatory, compliance and enforcement work by providing a process, procedures and guidelines that they can consistently use. This process takes immediate effect and supersedes the Interim Advice provided to INZ and MSG General Managers by the Health, Safety and Security Implementation Programme Director, Shayne Gray, on 23 November 2016. If you have any questions about this process, please contact the Manager Protect'v?Security in the Corporate Governance and Information Group. 2. Scope This procedure applies to all MBIE staff that use social media to ss'st there/egulatory, compl% and enforcement work. The procedures include: 1. Assess risk of using social media for work pur 2. Determine access option for using soci 3. Complete training for using social r? 4. Obtain approval for using 5 edi 5. Set up systems for us' oi? \rp la. Further guidanc I 5: 0 Moni- (In social me 1% - Rio/direments 0 Q05. manage ial Ing ran Act requests for details about social media. ct apply to the use of social media P'ocedure; Usmg social media for verification and investigation purposes Date of Issue: 23 April 2017 Next Review: 01/03/18 Approved Protective Security ?equ Governance procedure own?: Manager Protective Sammy Procedure Author: Lnnce Goodall Corporate Governance and Information Page 3 of 20 Procedure: Using social media for verification and investigation purposes to support regulatory, compliance and enforcement work 3. De?nition of terms Term Description Discreet active Accessing social media using an account with a false persona and engagement (false actively engaging with individuals - this is not encouraged in MBIE. persona) Discreet searching (false Accessing social media using an account with a false persona and persona) passively viewing information. Entity Any type of business, for example a company, trust, sole partnership. False persona A fictitious name or pseudonym used instead of name to conceal their identity. Individual A sin le named erson 3 it MBIE profile A social media account set na owned suffix, e. firstika? mbie. govt&\r Open (unregistered) Accessing socia 3'13le $329 generic search\ ?x \re no searching registration is re\ Overt passive A I Agmedia) by lo '0 apmedia forum or membership :f ye using an passively observing 6 Faceb fix Social media b> PMunication channels dedicated to ut, interaction, content- sharing and colla Ses and applications dedicated to forum ms, ial networkin social bookmarking, social curation nd ll examples of social media -alone com Ite Smmtop or desktop computer that can run local applications on its \f him without needing a connection to the MBIE network. Although it 6? may be connected to a network, it is still a stand- alone computer as long as the network connection is not required for its general use. Procedure U:.r:5 Lorna! for torifuc 3rd irlvl?2?r53'Im~ Aw? Eli ??i'izi 5 'v?urr Ru}. .1. 41,9 ll?" ?"hp?ll? (?uvl'mll' rum." lull." "Jinx. I'T'uuv. Ail-.152" I nil-m ?uihw Is'; "ll ~<1~li . Page 4 of 20 Procedure: Using social media for veri?cation and investigation purposes to support regulatory, compliance and enforcement work Assess risk of using social media and determine access method 1. High-level risks The use of social media for veri?cation and investigation purposes in support of regulatory, compliance and enforcement work needs to be a considered decision. information gathered from social media may or may not be valuable and, irrespectively, accessing the information carries risks that must be managed. At a high level, the risks of using social media to gather information for veri?cation and investigation purposes to support regulatory, compliance and enforcement work may be to: the rights of New Zealand's citizens and visitors I the personal safety of staff or their family 0 the security of network 0 reputation and legal liability the work of other agencies- domestically and internat?h wakag?wuld act "T?Ities inadvertently overlap with their activities. 2. Use of personal networks, devices and Wurgaje prohibitd Risks cannot be managed if staff use pers searching social media for verificatio prohibited. Staff are required to use lvaEO part of the approvals ces? 3. Methods of?erD I the use of? The risks a informa '.on identifiiQ with the mosisp 0 Es, ,personakdhb vice personal accounts for these methods are \net Qark, devices 0 arccoBIQB $standalone systems, as agreed as Kedia ary depending on the method used to access the ads for accessing information from social media. In order and least risk first, they are: 3a What this looks like To confirm or validate concerns using information that is publicly available and not subject to personalised privacy settings. Accessing social media information using a generic search engine where no account registration or logging in is required searching on a person's name using Google). ls undertaken using device and network. ?Avert passive membership ouse of @mbie.govt.nz account ~approval required To access and confirm or validate information that may be considered publicly available but is subject to personalised privacy settings that require an account login to view. Accessing information via social media community membership that requires an account and to be logged in, using an MBlE-profile and only passively viewing information. This applies to social media communities like Facebook or linkedln and when logged in to search engines like Google Groups. Page 5 of 20 Procedure: Using social media for verification and investigation purposes to support regulatory, compliance and enforcement work Discreet searching (false To investigate a specific 9(6) f" 2 . j. persona) personal entity in relation to a '7 3 ij?f' . 7 j? ?3 specific task or case, when it 7 - 3'5 -use of false persona account . . .4 -. v- a roval uire would not be appropriate for . - . 1 pp eq the MBIE staff member?s . 1.: identity to be revealed. Discreet active engagement To directly engage a specific (false persona) personal entity in relation to a i :7 specific case, when it would ouse of false persona account . I . f. a roval uired not be appropriate for the . - - . spszems reequire MBIE staff member's identity -. . to be revealed. .. The diagram below summarises the four access methods and how the?f??rse Diagram 1: Accessing information a Requires Manager (Tier 4 or above) approval 0 Use MBIE network and MBIE account 0 devices )5 Requires spedalist knowledge and competence 0 Requires General Manager (Tier 3), Manager Protective Security and 00 agreement .3 610). .. itequlres specialist lrnoirriedge and competence 0 Requires General Manager {Tier 3). Manager Protective Security and 00 agreement Procedum Using social media for ation and investigation purpose: 4? issue" )8 April 20); Nl'xl Ficvl-"vr Alma/1? vi In. 1-.- .. .r I. a. . . Apr raw-r. Htudzw em mm (mm narnr .V 0mm Manage: ??ame, SH uniy Fume-dun. humor Linux, Goodall (arporau and Page 6 of 20 Procedure: Using social media for verification and investigation purposes to support regulatory, compliance and enforcement work Con?rm access option for using social media 1. Open (unregistered) searching Description MBIE's preferred search method is to use a generic search engine to gather information from social media on individuals or entities.1 In practice, this means using the MBIE ICT network and then typing the name of the person or entity directly into Google (or another search engine) and observing only what is returned. Social Search Engines are another option that allow you to view material without laying In to any speci?c social media platform, for example: ,3 6(c) x. If you are gathering information via social media for the purpo @n?rming or validathaSpeg of a case or decision to be made, this Is the recommended p?io Eatotake. Training All staff using open (unregistered) searching? he Social MQa?for verification and Investigation Foundation training course NR ?ab Learn WW Approval Open (unregistered) searchi rk purposesw d$ Ire approval. Essentially this approach Is a Google sear ot need pa Eamon-loan searching of the internet. Everyone searches Goo/\e a ind socia MS I I tion, not subject to privacy settings, in this way. Ex 50 members? rto open egiste searching, except that you are required to register and log in, I the ris el. engagement method should only be used to verify and confirm fo mation management approval. As soon as x0 er any information that may lead to a formal investigation, you must obtain I pprovals and switch to discreet searching (false persona) or discreet active a se persona). \ggistering with the social media site, you must be clearly identi?ed as part of MBIE and so tn create and use an MBIE branded profile, i. e. {Irstname Iastnamemeie. govt nz. Training All staff using overt passive membership must complete the Social Media for Verification and Investigation Foundation training course available through Learn@MBlE. Depending on the privacy settings of the account holder, staff may be able to View all, some, or none of their social media information. Page 7 of 20 Procedure: Using social media for verification and investigation purposes to support regulatory, compliance and enforcement work Approval Overt passive membership for work purposes must be approved by your Manager (Tier 4 or above). The request and approval should be made by email, using the template at Appendix 1, and saved in your branch ?ling system for future reference. Approving managers also have discretion to jointly grant permission to undertake overt passive membership either at an individual or at a business unit level and on a one off or ongoing basis. Where ongoing approval is granted, this must be reviewed and updated on an annual basis. 3. Discreet searching (false persona) Discreet searching is used for veri?cation or investigation into matters wh re further information gathering have been identified. The decision to tray? ert passivei membership to discreet searching will be assessed on a case by case basis. there is a r' the staff member or MBIE, should the identity of the staff mem the anisation erfor the searching be revealed, it is recommended discreet searchin iQn false persona is??d Discreet searching is6(c) QV 3 6(c) {gm hare, message o?iK?iSdax fthe individuals or entities f/ passive -you must not you are viewing. Even with passive use you may show a Linkedln). Discr ea as risks to afety as well as for the security of ICT network. at)? ns, false per??3 se for discreet searching must be carefully established, nd replacemet in the Media Persona Guid Iin 5. You will agree the propriate . - . Our work with the Chief Information Of?cer and Manager Protective curity as partx . . al process. Trainin a need to access social media using a false persona must complete both the Social or erification and Investigation Foundation course and the Social Media for Verification sti ation Advanced course available through Learn@MBlE. In Approval Discreet searching (false persona) for work purposes must be approved using the template at Appendix 2, and saved in your branch filing system for future reference. Your General Manager (Tier 3) will approve any request to undertake discreet searching, confirming this is appropriate for the business. The Chief Information Officer will approve the information management approach and the technology tool used to complete the task. Page 8 of 20 Procedure: Using social media for verification and investigation purposes to support regulatory, compliance and enforcement work The Manager Protective Security will approve the approach from a security perspective. Approving managers also have discretion to jointly grant permission to undertake discreet searching either at an individual or at a business unit level and on a one-off or ongoing basis. Where ongoing approval is granted, this must be reviewed and updated on an annual basis. Where a request is urgent, that is, access to social media is required more quickly than the usual process allows, the request can be escalated to the respective branch Deputy Chief Executive to approve. 4. Discreet active engagement (false persona) Discreet active engagement is where a social media account is used with a fals?x actively expertise,{ requiring particular competence, and should only be used where - .. cropriate cau investigate using this method. MBIE does not encourage active engagement using a @because th and i reputational risks increase significantly. if you conside ix KR, ve engag egassary, 38% her 3), ?2 rotective then your manager must consult with their Gene . Security and the Chief Information Of?cer to dete steps. engage with an individual or entity. Discreet active engagement is a ?g is You must set up a new social media acc ;a false per ona ea investigation that media acnou Lt be used across more requires discreet active engagement. A than one investigation, to avoid ither the ace - investigation, as set out in the Social Media . \4 You will agree the most appropriate option f?ou /ork with ?fr/9U information Officer and Manager Protective Securi as art of"h a rocess. A. Wgy Training K330 6 Th eed to acce Wdia using a false persona must complete both the Social Foundation course and the Social Media for Verification ification lnves iation? va ourse available through Learn@MBlE. proval Discree i ement (false persona) for work purposes must be approved using the template at Qt) saved in your branch filing system for future reference. 0 neral Manager (Tier 3) will approve any request to undertake discreet active engagement, fir mg this is appropriate for the business. Q/l he Chief Information Of?cer will approve the information management approach and the technology tool used to complete the task. The Manager Protective Security will approve the approach from a security perspective. Approving managers also have discretion to jointly grant permission to undertake discreet active engagement either at an individual or at a business unit level and on a one-off or ongoing basis. Where ongoing approval is granted, this must be reviewed and updated on an annual basis. Page 9 of 20 Procedure: Using social media far veri?cation and investigation purposes to support regulatory, compliance and enforcement work Where a request is urgent, that is, access to social media is required more quickly than the usual process allows, the request can be escalated to the respective branch Deputy Chief Executive to approve. Complete training for using social media 1. Foundation course All staff using social media must complete the Soci I Verifi i nd Investl - Foundation course before requesting approval to access and use information from social media. The Foundation course is available through Learn@MBlE. 2. Advanced course Those staff that need to access social media using a false personam als rnplete the Social MedIa ation an Irw ation? Advanced course (or equiva affix The Advanced course is available through Learn@MBlE. Obtain approval for using social med 1. Approval form All requests to access and use information? Lmedia must be sub It ?using the appropriate template. See Appendices bra filing All approval forms must be sav em 2. Individual or gr? All staff usinge so p@gain appr val for the access option they use. Approval to use socia Q??iurposes @Uiven on an individual, case- by-case basis. Whereix he a@ial media Is of a business unit? 5 work, approving managers will s\eti@ grant ongoi to undertake information gathering via social media at WIevel %5 roval for ?Working overseas re will follow the same approval processes as other staff, with additional approv 5% Operations Manager, Risk Manager and Area Manager. Th ls required to assess the social media request to determine if there are any local sha ose an additional risk to MBIE. Local factors can include legal, operational or security I he Risk Manager is responsible for obtaining local advice on the legality of the request. If legal advice has been provided previously for a similar request, then the Risk Manager can take that into account rather than obtaining additional local legal advice. The Risk Manager and their local legal advisor will consult with MBIE Legal New Zealand, where necessary, to clarify any legal risks or concerns. Procedure. Usmg social media for vcrifIcat on and Investigation purposes Cato :Ii i'E .ApIil 2017 Non! Review. 01/05/18 Approved ?uh-IN" ?amt" FIWI??'??ment5 Governance Committim Pro'odurr- Owner: Mane Frat-"two Seruriiv Pratt-dun Author: Lame Goodall (?manure GI?WPIna'iif? and Infornia?n?m Page 10 of 20 Procedure: Using social media for verification and investigation purposes to support regulatory, compliance and enforcement work 4. Approvers? roles and responsibilities The approval roles and responsibilities are summarised in the following table. Role Responsibilities Chief Security Officer (CSO) Approve the process and procedures for MBIE staff using social media for verification and investigation purposes to support regulatory, compliance and enforcement work. Protective Security Review the process and procedures and recommend changes and or Requirements (PSR) acceptance to the C80. Governance Committee Managers (Tier 4) Approve requests to use overt passive member \ed/ia for verification and investigation purposes. V77 General Managers (Tier 3) Responsible for health, safety and their staff Approve uest2> use discreet searching and discr i ement of so a for verification and investigati Chief Information Approve use of tec 0% 20vides a saf ifcreet 0fficer(Cl0) searching and is\ a I gagement Cl Wedia for verification and investi tio \piiw Ensure info?? 3% gement is safe and appropriatgt\ Manager Protective Security -- at the approach rching and discreet active I . - nt use of rification and investigation purposes "iv vriately be for the maintenance of the process and (x cedures. MM (?Saki k/J All Manager-Q hnsure sMal media for verification and investigation purposes kvv/ the appropriate training and complete the appropriate I KGWXA Ens?v the use of social media for verification and investigation purposes is ?dertaken in an appropriate manner. Off-shore Ri 5 Approve requests for off-shore use of social media. Determines if there are and any local factors that pose an additional risk to MBIE. Rig Integrated Regulatory Compliance Branch responsible for the central register a summary of the individual unit registers. )kputy Chief Executive Approves urgent social media requests where social media access is required more quickly than the normal process would allow. 5. Approval costs Approving the request for use of social media con?rms the business manager agrees to fund the necessary training, systems or equipment required to enable their staff to use social media in a safe and secure manner for work purposes. Page 11 of 20 Procedure: Using social media for veri?cation and Investigation purposes to support regulatory. compliance and enforcement work An overview of the process for using social media for veri?cation and investigation purposes is given in Appendix 3. Set up systems for using social media 1. Establishment, maintenance and termination of false persona The ?e Persona Guidelines must be used to set up, maintain and terminate false personas to be used for Discreet Searching (false persona) and discreet active engagement (false persona). Where a team is a high user of social media for veri?cation and investigation purposes, it may be appropriate to set up and maintain a suite of false personas. 2. Register of accounts and use of social media 1,4 Each unit of a branch using social media must maintain a register of - JOClal Media< Usage Register template on the Critical Risk Management hubunit filing sy The register must be updated when social media is used for ver' ion an nvestigatio purp- in support of regulatory, compliance and enforcement WOW to change ur the Usage Register, this must be agreed with the Complia e? Where a social media request is declined, the de . and reaso @ech is to be logged in the decline table. (AS A central register will be maintained he py of the egisg must be sent to IRCB each month at socialmedia. re istries . he centralc" is rovide a summary of the use of discreet searching (false discreet a Oiv%% ent (false persona) and allow oversight of the use of soci $3 in 3. How to manage ran and st? Qence The collectio an informat @naged as agreed in the approval process. This will usuall i screensh5\\e savmg them into Word documents These documents Ithin an ax cure filing structure. The information collected should need egister. ment of social media - 6(c) a of social media requires th You will agree the most appropriate option for your we information Of?cer and Manager Protective Security as part of the approvals oring the use ofsocial media v?xs this Is a new process, it Is important to understand how staff respond to the changes In the use vof social media, while ensuring the procedures are ?t for purpose now and In the future as new social media platforms arise. The use of social media across MBIE will be monitored by IRCB and the Protective Security Team, to gather information on the use, benefits, costs and issues of using social media as set out in these procedures. The monitoring will be used to re?ne the procedures and ensure staff are Operating within the process to keep themselves safe online. Monitoring will include the: branch/units using social media Page 12 of 20 Procedure: Using social media for veri?cation and investigation purposes to support regulatory, compliance and enforcement work 0 use of social media access options 0 use of social media sites 0 value of the information gathered through social media for verification and investigation work, including number and type of cases 0 number of staff completing social media training and the cost of it 0 suitability and cost of equipment 0 compliance by staff with the social media procedure. The Privacy Act and the use of social media individual. The main requirements are that: Information posted on social media is subject to the Privacy Act 1993 if theQnSv \rI/?s about an the collection of the information Is necessary for a lawful pur se conn\)cted to the functi FD of the agency 0 information is collected lawfully and fairly and In a a does not unreaso? abL i trude on the individual 0 information Is accurate and where possixe? - information is held and transferre? urely reasons it Ae - information Is only used and are Staff using overt passive "10% iscreet sear Flsreet active engagement methods ati Q/o to access and collect?yg Il" gh social m< ?cation and investigation purposes to support enforce 65%,nt st comply with the requirements of the Privacy Act 1993. To evideno@ with the ct, aff must produce a plan that demonstrates why socia dia: 9i 3 used ark?S used. This plan must clearly document what staff at they re and what training they have undertaken, to adequately in we 'ons if Chane/heh d. Sta hould use the appropriate approval template to do this, and hat they co 1 tWocial Media Usage Register. Of?cial? ion Act requests for details about social media dation (OIA) Act request for details about social media information held about an gauged using the usual OIA process. cision is that the request is appropriate to comply with, details will be pulled from the Ig; Media Usage Register and agreed approach as given in the approval documents. 0Care will need to be taken to ensure information about staff and non-related individuals are redacted from any material provided. Procedure: Using social media for verification and InvostIgaticn purposes Date of iv; Ie: Hi Ann! 20:7 Non: Peview . . -. . . App oted. irotectwc Security Raoulre'nent. gov: Owner. M-mugI-I P'oteLtIve Secu Procedure Author. Lame Soc-dell Corpo'ate Governance and nformsfion Page 13 of 20 Procedure: Using social media for verifiation and investigation purposes to support regulatory, compliance and enforcement work Appendix 1: Template for approval of overt passive membership for an individual or business unit Request to access and use Information from social media - OVERT PASSIVE MEMBERSHIP Details of staff member Name, position, unit and group. requesting to use social Include whether the request is at individual or business unit level and whether media for work purposes ongoing use. A Rationale for accessing and This section must include the valid and lawful reason fo gifts social using social media media - the specifics on what the information Is int ?dx - Ith the purpose. Plan for collecting The plan must describe: i i t' fr I orma Ion om some 0 how the staff member wille" cial media se ??gme; media 0 how the staff memb Ii only infor va to the purpose is colle 0 how inform fi?n media will/\ 3 other sources. 0 how ri he public' In rela? es %?by the State are consi )1 protected. \v Where and how the Capture a \bh relevant material and then crop or information will be safel top and si to ensure that the account identity and securely stored gather th 79%} agfp?n not revealed. Ensure that the information is med with Xi es? 2 Providee ere the information will be securely stored, including wh?iasgk and directions to the unit? 5 Social Media Usage Register. \7 (lo/v \nv on that all staff members to whom this approval relates have com ed the Use of Social Media for Verification and Investigation @ndation training course. a This may be a physical signature or embedded email with agreement to this 10 (9 Egg eview plan sk Manager Details the outcome of the risk assessment and whether there are any local assessment factors that-pose an additional risk to MBIE. Local factors can include legal, '59 operational, or security factors. it 2 Risk Manager notes whether local legal advice has been obtained and when it q. 9- was obtainedArea Manager ThIs may be a phySIcal SIgnature or embedded emaIl WIth agreement to thIs approval plan and acceptance of the risk assessment. Manager (Tier 4 or above) This may be a physical signature or embedded email with agreement to this approval plan, date of approval and a date for review (usually annual). Page 14 of 20 Procedure: Using social media for verification and Investigation purposes to support regulatory, compliance and enforcement work Appendix 2: Template for approval of discreet searching or discreet active engagement for an individual or business unit Request to access and use information from social media - DISCREET SEARCHING ACTIVE ENGAGEMENT Details of staff member Name, position, unit and group. requesting to use social Include whether the request is at individual or business unit level and whether it media for work purposes is for a one off or ongoing use. Rationale for accessing This section must include the valid and lawful reason fora ocial media and using social media the specifics on what the information is intended to purpose. I Plan for collecting The plan must describe: information from social 0 what systems and tools will be us @fely acc 55 social medfi media 0 how the staff member will re 0 mediase 0 how the staff membe only infor a i re purpose is collected/vk 0 how inform ?so ia mediaw ve sr other sources 0 how the ?public es by the State are rotected :Q?e false persorpimliaiz and what will happen to the false A pe a at the end ?ogging gation. Where and how te K'j\v example: Ca 3? ?khot of the relevant material and then crop or information be lagging the frame to ensure that the account identity used and securely@ to gath ation is not revealed. Ensure that the information Is named wit - A Prov in to where the information will be securely stored, including who Q31 A as acce rights and directions to the unit? 5 Social Media Usage Register. c/ mpetence $onfirmation that all staff members to whom this approval relates have completed both the Use of Social Media for Verification and Investigation Foundation training course and the Use of Social Media for Verification and (2 Investigation Advanced training course (or equivalent). V) 1? bperations This may be a physical signature or embedded email with agreement to this Manager review plan. lo 3 73 0 Risk Manager Details the outcome of the risk assessment and whether there are any local 2 assessment factors that?pose an additional risk to MBIE. Local factors can include legal, operational or security factors. Risk Manager notes whether local legal advice has been obtained and when it was obtained. 2 ?5 Area Manager . This may be a physical signature or embedded email with agreement to this plan approval and acceptance of the risk assessmentPage 15 of 20 Procedure: Using social media for verification and investigation purposes to support regulatory, compliance and enforcement work General Manager (Tier 3) approval This may be physical signature or embedded email with agreement to this plan. Chief Information Of?cer approval This may be physical signature or embedded email with agreement to this plan. Manager Protective This may be physical signature or embedded email with agreement to this plan. Security approval Deputy Chief Executive For urgent requests, the DCE for the group can approve the request. (urgent requests) This may be physical signature or embedded email with agree? to this plan. A Procedure: Using social media for verification and investigation purposes Date of issue: 28 April 2C 17 Approved; Protective Security Requirements Governance Committee Procedure Author: Lance Goodall Page 16 of 20 Next Review: 01/05/18 Procedure Owner; Manager Protective Security Corporate Governance and Information Procedme: Using social media and investigation purposes to support regulatory, compliance and enforcement work Appendix 3: Process Overview Use of Social Media [or Watt l" mam i: L. 33?: gnaw?. in?: mm .0 An n, 1. mm,_ I i 5 3m qpow ,0 to; pan)?: memo ?u ulna-\- bin-h u? QEZZJ Procedure? Using tonal mcd'a for verification and Investigation purposes Dale 0! issue )8 Apni 2m 7 Approved, Praia-Um: Scmrity quwiwnu-nls (unmiitleu i?m: Authm Linu- (.muhll Poge 17 of 20 Nuxt Re'vlcw. 01/05/18 Manage: \o-(lmiy Lnuxnuh- (mm-man? .md Inff?FH'Jtiwh Procedure: Using social media for verification and Investigation purposes to support regulatory, compliance and enforcement work Appendix 4: Social Media Usage Register Social Media Record of Use IWORTANT: Before carving out my investigative work using soda media. ensue you have Ohm mm Mint Ann on] mm w" MW Social It'll/lam form- ?elm-0mm mama Mutation-humanoid? Wally biotin-REM more? What Wu nu not?? Mine-aloud Ion? Decline Register A register of social media requests hat have been decined are to be logged. Work Brandi [Unit Social media triaer reason for access Procedure: Using social media for verification and investigation purposes Date of355112228 Avril 7017 Next Review: 01/05/18 Anprovod' Protect-v9 Security Gm-ernanno Committee Procedurv Ownvr; Manager Protective Security Procedure Author: Lance Goodall Corporate Governance and information Page 18 of 20 Procedure: Using social media for verification and investigation purposes to support regulatory. compliance and enforcement work Appendix 5: Supporting documents 0 Use of Social Media for Veri?cation and Investigation Purposes - Factsl'teet - . . . 0 Use of Social Media for 333.53.! . . httSocial Media for Veri?cation and Investigation Purposes - False Person Mb: 359? . . Veri?cation and investigation Purposes - Usage Register 31:2, m, 0 ICT Acceptable UsePolicy: . - ICT Acce table Use Poli 0 Code of Conduct: @g Code of Conduct 0 MBIE Social Media Policy: Social Media Poli 0 MBIE Records Management Policy: Records Mana ment Polic 0 Privacy Act 1993: Procedure: Using social media for verification and investigation purposes Date ol issue: 28 April 2017 Next Review: 01/05/18 Approved: Protective Security Requilemonts Governante Committee ?mom?, Owner: Manager Seannty Procedmc Author. Lance Goodall Corponate Govec name and tnionnatio?u Pneuofzo Procedure: Using social media for veri?cation and investigation purposes to support regulatory, compliance and enforcement work Privag Act 1993 Threat and Intimidation Response Procedure: Threat and intimidation Res onse Procedure 0 Staff Personal Security Procedure: Staff Secu ritv Procedure Procedure: Using social media for verification and investigation purposes Date of issue: 28 April 2017 Next Review: 01/05/18 Approved: Protective Security Requirements Governance Committee procedu'e Owner: Manager Protective Security Procedure Author: Lance Goodall Corporate Governance and Information Page 20 of 20