The Australian Information Commissioner has found that government agencies are regularly using phone-based messaging apps without adequate policies to ensure they meet their legal obligations.

In late 2024 the OAIC asked 25 agencies to complete a questionnaire to better understand Australian Government agency information governance practices and policies in the context of messaging apps. Twenty-two of the 25 agencies responded.

In a review of the 22 agencies, OAIC Commissioner Elizabeth Tydd revealed that while 16 agencies permitted the use of messaging apps for work purposes, only half of those had specific policies governing their use.

For the 8 agencies that claimed to have policies and procedures in place, 7 provided them to the OAIC. Of these, only one agency advised how messages are to be extracted from the app to its recordkeeping system, stating that a screenshot may be a means of extracting this information.

The report, the first of its kind published under powers in the Australian Information Commissioner Act 2010, highlights significant gaps in information governance across federal agencies. Most concerning was that existing policies generally failed to address freedom of information (FOI), privacy, and other key statutory obligations.

Only 2 agencies’ policies and/or procedures addressed the need for staff to search messaging apps in response to FOI applications. 

Two of the 7 that provided policies addressed the disappearing messages functionality of these apps, prohibiting its use. One of these provided instructions to turn off this function.

“The failure to preserve information may result in a failure to comply with Archives Act requirements and preclude the operation of the FOI Act,” the OAIC noted.

"While the technology being used to conduct government business is evolving, the need for agencies to equip staff to uphold legislative obligations remains," said Commissioner Tydd.

"Messaging apps raise novel considerations for key pillars of our democratic system of government, including transparency and accountability."

The review found that Signal was the most commonly endorsed messaging app, with 12 agencies actively encouraging its use. One agency also preferred WhatsApp. Three agencies explicitly prohibited messaging apps, while three others had no formal position on their use.

National Archives of Australia Director-General Simon Froude welcomed the findings, noting they would help develop guidance for agencies about managing these important Commonwealth records.

The Commissioner made four recommendations: urging agencies to develop clear policies on whether messaging apps are permitted; ensure adequate procedures addressing information management, FOI, privacy and security concerns, develop policies and procedures for individual apps; and conduct due diligence on how personal information is handled.

The OAIC flagged it will work with the National Archives to support agencies in understanding their obligations and will revisit the topic in two years to assess progress.

Read the full report here.