This article is one of a series written by Data Protection Education in collaboration with Litus Digital, a social media management company.  The articles came about from questions asked by Data Protection Education's customers, our own experience of working in education,  as school governors, parents and data protection professionals.  The articles raise questions about how social media can be used as safely as possible in a school environment,  security considerations, the law and protecting children.  It is not possible to cover every aspect of social media, but the articles aim to provide guidance, raise privacy questions and provide some support for safe posting.

The fourth article in this series discusses why access control is so important to your social media accounts and considerations if you are managing accounts or pages on behalf of your organisation.

Using 2-step verification or multi factor authentication is currently the most secure way to protect your accounts.

• The Cyber Aware website contains links on how to set up 2SV across popular online services such as Instagram, Snapchat, Twitter and Facebook.  
• For more information on why you should use 2SV wherever you can, read the NCSC's official guidance on 2-step verification.

Review the DPE article about multi factor authentication: A guide to multi-factor authentication.

Administrator Responsibilities and Post/Comment Control

When updating social media channels on behalf of an organisation, the following administrator responsibilities should be considered:

• Access Control: Administrators should be kept to the required persons, for those that need access. Consider the use of administrator and content editor type of roles. Administrators of an organisation’s page(s) should be regularly reviewed, i.e. when a staff member leaves their access should be revoked and the password changed.
• Administrator Responsibilities: When someone takes on the role of administrator, they need to be aware that it requires regular checking in with any social media pages, and might not be within office hours. Engaging with your audience when they post is how social media channels become successful.
• Exclusions: In the case of children, all administrators should be clear on which children can be posted and those that cannot. Sometimes there are restrictions because of safeguarding reasons, where the child’s location needs to be kept a secret and could be in danger if disclosed. The photo-exclusion list must be available to social media administrators. DPE Model Photo and Video Consent Form.  Review: Photo and Video Guidelines.
• Approval: Consider either setting posts for approval or not allowing posts other than those by the administrator of the organisation in order to control content and preserve reputation.
• Post Control: Admins also need to constantly monitor posts to ensure that appropriate language is used and information is kept on topic. It is safer not to allow posting of new posts by anyone other than the main administrators/content editors, otherwise things can very quickly get out of hand. 
• Messages: It is advisable to have ‘an out of office’ type message on messaging services if you allow messages to be sent to the page/channel. Ensure you direct any queries to the office staff, especially if this involves complaints/private information. Ensure questions and queries are not sent to individuals but kept on email through the appropriate channels (i.e. office@), rather than getting into personal conversations on messaging systems which may not be part of the school network.
• Trolls: Be wary of trolls on the page, and ensure they are quickly blocked/reported. There may be photos, comments, and emojis that need to be removed. Avoid getting into arguments with people and remove any unsavoury or argumentative comments while encouraging people to go through more appropriate channels to contact the organisation.
• Claim page ownership: Pages on most social media channels can be ‘created’ by people just checking in to the name of your organisation on a channel, or in the case of LinkedIn, this can be done by people that work at an organisation. They are able to do this even if the page doesn’t actually exist.  What this means is that someone that doesn’t work for the organisation could claim your page!  We would advise ensuring that you always claim your own page or where people have checked in, even if you don’t intend to post. That way you can ensure that no one is posting incorrect information about your organisation.

When something is posted on the internet, even if it is posted in a private group, someone could take a screenshot and post it elsewhere.  It can be impossible to take back a post that was added in error – a recent example of this is the data breach at the Police Service of Northern Ireland where lives have been put at risk. While not directly posted to social media, it has been put into the public domain and was readily available for a period of time.  While downloads can be tracked, screenshots cannot.

BBC News: https://www.bbc.co.uk/news/uk-northern-ireland-66467164

Guardians of Privacy: Social Media Articles

Other Articles about Access Control: