NIH POLICY MANUAL

2809 – NIH Social and New Media Policy

Issuing Office: OCPL 301-496-5787; OMA 301-496-2832; and OCIO 301-496-1168
Release Date: 11/04/11

 

  1. Explanation of Material Transmitted: This chapter provides policy and guidance on the use of social and new media at NIH, including, but not limited to, NIH hosted and/or funded social media sites, Web applications and mobile Web sites.
  2. Filing Instructions:

Remove: None.
Insert: Manual Issuance 2809, dated 11/04/11.

PLEASE NOTE: For information on:

  • Content of this chapter, contact the issuing offices listed above.
  • NIH Manual System, contact the Division of Management Support (DMS), OMA on 301-496-4606, or enter this URL: http://oma.od.nih.gov/manualchapters/

A. Purpose:

The policy and guidance set forth in this manual chapter provide parameters to ensure NIH use of social media, also known as “new” media, presents reliable information consistent with applicable law, regulations, policy, and guidance and that personal opinions are not misrepresented as official NIH, Department of Health and Human Services (HHS) or Federal Government positions.

As NIH increasingly relies on the use of new technologies such as social media networks (also known as Web 2.0 and/or new media) for promoting the goals of transparency, public participation and collaboration, it is essential that the NIH implement a social and new media policy that defines appropriate use of these tools by NIH employees and its contractors (or non-federal employees including students, fellows, and volunteers) for communications between NIH and members of the public, while protecting privacy and minimizing risk to NIH systems and data, whenever Web-based technologies are used.

B. Scope:

This policy applies to the use of Web 2.0 tools and technologies that allow a person to share information, inclusive of, but not limited to, blogs, social networks, forums, micro blogs (i.e. Twitter), automated data feeds (e.g., image/video sharing sites, social bookmarking services, as well as future and emerging technologies and environments. Such tools offer important opportunities for promoting the goals of transparency, public participation and collaboration. However, end users may share information about themselves without always realizing the potential consequences. With respect to personally identifiable information, the presumption shall be in favor of openness (to the extent permitted by law and subject to valid privacy, confidentiality, security, or other restrictions).

This policy applies to all NIH staff, contractors and other personnel working on behalf of the government when on official work duty or when they are using NIH IT resources for authorized personal use in accordance with the NIH Policy on Limited Authorized Personal Use of NIH Information Technology (IT) Resources.

C. Background:

Social media, social networking and Web 2.0 technologies represent new ways for NIH Institutes and Centers (ICs) and the Office of the Director (OD) to communicate and engage audiences; they also present the potential for mismanagement and misuse. Such risks include damage to NIH’s credibility or reputation due to a loss of public trust resulting from failure to comply with Federal, Department and NIH requirements for online communications.

NIH staff, contractors, and other personnel working for or on behalf of the government use social and new media to connect with the public and address their interests. NIH staff and others who work in the intramural community and are involved in patient research may, under appropriate circumstances and in compliance with applicable laws, regulations and policies, use social media tools to recruit or interact with potential or actual participants in clinical research.

Third-party Web site and application tools are Web-based technologies that are not exclusively owned, operated or controlled by the government, and usually involve significant participation by nongovernment entities. While the use of third-party tools represents a significant opportunity, it also presents some risks. For example,

  1. Some participants in social media environments may not understand the degree to which information may be shared or how long the data might be retained and that it cannot be changed.

  2. Some participants may think shared information is protected from public view when it is not.

  3. Some participants may want to retract or revise something that was posted only to learn it cannot be edited.

Staff who plan on using these tools need to understand how social media platforms work and how any and all data is managed by the site to ensure it complies with this policy and applicable laws, regulations, HHS and Government-wide policies and guidance.

It is important that users are familiar with the information security practices, user agreements, and privacy policies of the sites they are using and implications to the user and to NIH. More specifically, care must be exercised when using social and new media tools to ensure that users fully understand (1) how any shared data is managed by the social media platform and (2) the implications of their participation. For example, the data shared on third-party sites rests in the hands of the firm that hosts the service, not NIH. To that degree, NIH cannot guarantee how that data might be used by the host corporation. Therefore, NIH personnel:

  1. Need to exercise care when engaging the public in online spaces dedicated to specific topics and user interests.

  2. Respect various codes of behavior of the online spaces they employ.

  3. Exercise courtesy and respect the norms of any groups in online spaces.

  4. Should not share personal details about themselves to avoid personal attacks and minimize the chance of information being harvested for the purpose of social hacking and impersonation of NIH staff.

  5. Should not encourage users to share personal information or details for the same reason above.

This policy also provides employees, contractors, and other personnel with guidance to ensure limited authorized personal use of social and new media complies with Office of Management and Budget (OMB), HHS, NIH policies and minimizes information security risks to NIH systems and resources.

D. Policy:

OFFICIAL AND PERSONAL USE OF NIH SOCIAL MEDIA ACCOUNTS

NIH staff are permitted to establish social and new media accounts to further the IC or NIH mission; however, staff that establish accounts for both official purposes and for their own personal/private use must be cognizant of the important distinctions that exist between the use of their official and their personal accounts as described below.

Accounts for Authorized Official Use

NIH encourages the use of appropriate social media (Web 2.0) technologies by NIH staff while in their official work capacity to enable communication, collaboration, and engagement with the public in support of NIH’s mission. ICs may establish a presence on a non-government third-party site, such as Facebook, GovLoop or LinkedIn for the purpose of furthering their mission when appropriately managed and monitored.

While NIH recognizes the potential value of social media, there is also potential risk of mismanagement and misuse of social media tools that could result in a loss of credibility or otherwise cause damage to the NIH. Examples of misuse include misrepresentation of NIH policy or its official position on issues or the collection or release of confidential or personally identifiable information (PII). Therefore, each NIH IC and OD office shall:

  1. Determine how to communicate the provisions of this policy to their staff regarding the use of social media tools as part of their overall strategic communication plan.

  2. Develop internal guidelines and commit resources to effectively govern, create and maintain official social media sites and accounts.

  3. Determine and communicate their internal policy to their IC on the use of social media tools based on the provisions of this policy and on its strategic communications plan and should commit its own resources to govern, create and maintain official social media accounts.

  4. Consider the implications and risks when using ‘widgets,’ or embedded third-party applications on an NIH Web page (e.g., including YouTube videos on NIH Web sites).

  5. Comply with the following guidelines when using social media tools for official communications to ensure compliance with Federal, HHS and NIH policy and ensure public trust:

    1. Terms of Service (TOS) Agreements: Many third-party social and new media sites have standard user terms of agreement that are unacceptable for the Federal Government. To mitigate risk, ICs shall use the pre-negotiated terms of service agreements provided by HHS (http://newmedia.hhs.gov/standards/tos.html) whenever possible and applicable. In addition, the Web Content Managers Forum, led by the General Services Administration (GSA), provides agencies with access to information about government-friendly business applications, productivity applications, cloud IT services and social media applications (http://www.apps.gov).

      These new media technologies are still subject to current standards and policies that govern Web communications (http://newmedia.hhs.gov/standards/tos.html). A signed TOS does not indicate that a tool meets these requirements and additional contractual agreements may be necessary to address any issues not covered in the TOS. Before using/purchasing the products and services, IC and OD offices shall carefully evaluate the TOS agreements to ensure that the product or service can be purchased and used in accordance with all NIH policies and procedures pertaining to procurement, information technology, cyber security, privacy, accessibility, social media, paperwork reduction and any other applicable Federal mandates.

      A list of government agency points of contact for the TOS agreements is available at (http://www.howto.gov/web-content/resources/tools/terms-of-service-agreements/agency-points-of-contact). To effectively mitigate risk, IC and OD office staff should coordinate as needed with contracts staff and the Office of the General Counsel (OGC) to ensure the IC or OD office can agree to the provisions of each agreement as well as the IC Privacy Coordinator and Information Systems Security Officer to make sure applicable privacy and system security requirements are met.

    2. NIH Logo Use: NIH ICs and OD offices shall ensure that any use of the names, symbols, logos or identifying marks of NIH, its ICs, offices or programs be reviewed and approved consistent with the provisions of the requirements of the NIH Manual Chapter 1186, Use of NIH Names and Logos (http://oma.od.nih.gov/manualchapters/management/1186/). NIH ICs and OD offices are required to submit a request to the NIH Office of Communications and Public Liaison for review and approval before the NIH logo or name may be used on a social media site.

      Use of agency branding on social media tools must also be compliant with OMB Guidance for Agency Use of Third-Party Web sites and Applications (http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-23.pdf).

    3. Records Management: NIH ICs and OD offices shall ensure that NIH policy is extended to records associated with and/or shared via social media. IC Records Liaison shall be responsible for maintaining records in accordance with the NIH Manual Chapter 1743, Keeping and Destroying Records (http://oma.od.nih.gov/manualchapters/management/1743/).

    4. Freedom of Information Act (FOIA): NIH ICs and OD offices shall ensure their social media communications are in compliance with FOIA requirements issued by the NIH FOIA Office.

    5. Privacy: ICs shall ensure official social media accounts are compliant with NIH Manual Chapter 2805, NIH Web Privacy Policy (http://oma.od.nih.gov/manualchapters/management/2805/). Maintaining privacy is critical for ensuring public trust in NIH. Many third-party social media sites enable submission of user-generated content, which may include personally identifiable information (PII). ICs should evaluate the collection and security of PII on social media sites with the IC Privacy Coordinator to ensure they are compliant with Department and NIH privacy policy. The IC Privacy System Owner/Manager shall complete a Privacy Impact Assessment (PIA) on the use of a third-party Web site and application and/or Web technology for which they are responsible and ensure privacy policies and notices are posted as appropriate. Social media sites that are used to collect PII must provide users with clear notice and utilize opt-in functionality, in compliance with OMB guidance. Furthermore, ICs shall provide the public with alternatives for acquiring comparable information and services.

      ICs shall post a disclaimer about privacy and the use of cookies and tracking devices, including third-party social media sites, on their Privacy page on the external IC Web site.

    6. Web Measurement and Customization Technologies: Use of Web measurement and customization technologies must be compliant with OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies located at http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-22.pdf and NIH Manual Chapter 2805, NIH Web Privacy Policy.

      “Persistent” Web cookies are defined as Web cookies that can track the activities of users over time and across different Web sites. “Persistent” Web cookies may be used on an NIH-branded social media site or application “widget” if there is a compelling need to gather the data on the site, appropriate and publicly disclosed privacy safeguards exist for handling any information derived from the cookie and the site gives clear and conspicuous notice.

    7. Accessibility: NIH ICs and OD offices shall ensure that their social and new media applications are set up and managed in accordance with Section 508 of the Rehabilitation Act of 1973. Specifically, each IC shall ensure that (1) individuals with disabilities who are Federal employees have access to and use of information and data that is comparable to the access to and use of information and data by Federal employees who are not individuals with disabilities; and (2) individuals with disabilities who are members of the public seeking information or service from NIH have access to and use of information and data that is comparable to the access to and use of the information and data by such members of the public who are not individuals with disabilities. This includes, but is not limited to all social and new media services purchased under a contract as well as third-party Web sites and embedded application widgets.

      NIH ICs and OD offices shall give preference to third party social and new media sites that are Section 508-compliant and/or accessible to persons with disabilities. Alternatively, an exception or accommodation may be requested in accordance with NIH Section 508 Accommodations Process; the respective IC Section 508 Coordinator should be contacted for current information. All requests must be documented with an appropriate justification and approved by the NIH Section 508 Coordinator in advance of use.

    8. Plain Language: NIH ICs shall comply with the Plain Writing Act of 2010 (Public Law 111-274) which was signed into law on October 13, 2010. The Act requires the Federal Government to write in simple easy-to-understand language. Specifically the Act defines “plain writing” as writing that the intended audience can readily understand because the writing is clear, concise, well-organized and follows best practices for plain writing. Furthermore, the Act specifies that plain writing must be used in any writing that is relevant to obtaining Federal benefits or services or complies with Federal requirements.

    9. Moderated Commenting: Some Third-Party Web sites and Applications (TPWAs) allow individuals to leave comments that other users/individuals may see. The realities of TPWA engagement are that individuals will leave comments that are off-topic, misleading, contain offensive or personal attack language or provide inaccurate information, etc. Moderated Commenting Policies describe acceptable uses of the commenting feature, including a clear description of material that is allowed and what types of information will be removed. Per HHS, public interaction is encouraged with the following caveats:

      1) All comments must be reviewed and cleared (moderated) before they are posted whenever possible.
      2) A comment policy must be clearly stated or linked.
      3) Comments must not be cleared for posting if they contain:

        a) Blatantly partisan political views
        b) Explicit commercial endorsements
        c) Discriminatory, racist, offensive, obscene, inflammatory, unlawful or otherwise objectionable statements, language or content.

    10. Recruiting Study Subjects: ICs who plan to use social and new media applications to recruit study subjects shall adhere to the human subject protection regulations at 45 CFR Part 46 and 21 CFR Part 56, which require that an Institutional Review Board (IRB) review and approve all research activities, including the use of advertising and plans for protecting the confidentiality of actual and prospective subjects. See Office for Human Research Protections (OHRP) guidance at http://www.hhs.gov/ohrp/policy/clinicaltrials.html and Food and Drug Administration (FDA) guidance at http://www.fda.gov/RegulatoryInformation/Guidances/ucm126428.htm.

      See Appendix 1 for detailed guidance and discussion on the subject of using social and new media to inform the public about the recruitment of subjects to clinical trials.

    11. Security or Privacy Breach: If a security or privacy breach occurs or is suspected, the IC ISSO must be immediately notified per NIH policies and procedures regarding the reporting of breaches. Further information is available at http://ocio.nih.gov/security/sec_policy.html.

    12. Paperwork Reduction Act (PRA): Do not include surveys, polls, questionnaires, etc., unless the questions have received clearance from the Office of Management and Budget. IC Project Clearance Liaison will coordinate OMB clearance with IC or OD office.

Accounts for Personal Use

NIH Federal employees, contractors and other personnel working for or on behalf of the NIH shall comply with provisions of the NIH Manual Chapter 2806, NIH Policy on Limited Authorized Personal Use of NIH Information Technology (IT) Resources that includes policies and laws governing the behavior of staff when using NIH owned information technology resources.

NIH e-mail addresses should not be used to establish personal accounts or as an identifier during participation in personal or otherwise unofficial social and new media activities. NIH staff who choose to disclose their affiliation with NIH, HHS or the Federal Government shall ensure that they do not post material or statements that could give the impression that they are representing NIH, HHS or the Federal Government. If there is a chance that the materials or statements could be misconstrued as NIH or Federal Government business, the user shall post a disclaimer stating that the opinions expressed are those of the individual alone and do not reflect those of the NIH, HHS or Federal Government.

E. References:

Laws and Regulations:

  1. Code of Federal Regulations (CFR) Title 45, part 5, Freedom of Information Regulations:
    http://www.nih.gov/icd/od/foia/cfr45.htm

  2. Executive Order 12674, Principles of Ethical Conduct for Government Officers and Employees:
    http://ethics.od.nih.gov/lawreg/EO12674.htm

  3. Freedom of Information Act (FOIA) of 1966, (5 U.S.C. 552):
    http://www.nih.gov/icd/od/foia/efoia.htm

  4. Privacy Act of 1974, (5 U.S.C. 552a, as amended):
    http://www.justice.gov/opcl/privstat.htm

  5. Plain Writing Act of 2010 (Public Law 111-274) (October 13, 2010):
    http://www.gpo.gov/fdsys/pkg/PLAW-111publ274/pdf/PLAW-111publ274.pdf

  6. Standards of Ethical Conduct for Employees of the Executive Branch (5 CFR Part 2635):
    http://www.usoge.gov/ethics_docs/publications/reference_publications/rfsoc.pdf

  7. Paperwork Reduction Act (44 USC 33501 et seq.)

OMB Memorandums:

  1. OMB Memorandum M-05-04, Policies for Federal Agency Public Web Sites (December 17, 2004):
    http://www.whitehouse.gov/OMB/memoranda/fy2005/m05-04.pdf

  2. OMB Memorandum M-10-06, Open Government Directive (December 8, 2009):
    http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-06.pdf

  3. OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies (June 25, 2010):
    http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-22.pdf

  4. OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Web sites and Applications (June 25, 2010):
    http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-23.pdf

HHS Policy:

  1. HHS Policy for Section 508 Electronic and Information Technology (EIT):
    http://www.hhs.gov/od/508policy/508_policy.html

  2. HHS Implementation Guidance for OMB Memorandums M-10-22 and M-10-23:
    http://www.hhs.gov/ocio/policy/implementation_of_omb_m-10-22_and_m-10-23.html

  3. HHS Web Records Management Policy:
    http://www.hhs.gov/ocio/policy/policydocs/2007-0004.001.doc ; and http://www.newmedia.hhs.gov/standards/.

  4. HHS IRM Policy for Usage of Persistent Cookies:
    http://www.hhs.gov/ocio/policy/2000-0009.html

NIH Policy:

  1. NIH Manual Chapter 1825, Information Collection from the Public:
    http://oma.od.nih.gov/manualchapters/management/1825/

  2. NIH Manual Chapter 2400 Series, NIH Ethics Manual:
    http://ethics.od.nih.gov/lawreg/Manual.htm

  3. NIH Manual Chapter 2804, Public-Facing Web Management:
    http://oma.od.nih.gov/manualchapters/management/2804/

  4. NIH Manual Chapter 2805, Web Privacy Policy:
    http://oma.od.nih.gov/manualchapters/management/2805/

  5. NIH Manual Chapter 2806, Limited Authorized Personal Use of NIH Information Technology (IT) Resources:
    http://oma.od.nih.gov/manualchapters/management/2806/

  6. NIH Manual Chapter 1743, Records Retention and Disposal:
    http://oma.od.nih.gov/manualchapters/management/1743/

NIH Guidance:

  1. NIH FOIA Office: http://www.nih.gov/icd/od/foia/index.htm

  2. NIH Information Technology General Rules of Behavior:
    http://ocio.nih.gov/security/nihitrob.html

National Archives and Records Administration (NARA)

  1. NARA Bulletin 2011-02, Guidance on Managing Records in Web 2.0/Social Media Platforms:
    http://www.archives.gov/records-mgmt/bulletins/2011/2011-02.html

National Institute of Standards and Technology (NIST)

  1. NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII):
    http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf

U.S. Office of Special Counsel

  1. U.S. Office of Special Counsel, Frequently Asked Questions Regarding Social Media and the Hatch Act:
    http://www.osc.gov/haFederalfaq.htm

Office of the Attorney General

  1. Memorandum from the Office of the Attorney General, The Freedom of Information Act (March 19, 2009):
    www.usdoj.gov/ag/foia-memo-march2009.pdf

F. Definitions:

The following definitions are adapted from the GSA Social Media Handbook published July, 2009 (www.gsa.gov/graphics/staffoffices/socialmediahandbook.pdf).

  1. "Social media" or "Web 2.0" technologies - Though many definitions of Web 2.0 exist, it is consistently characterized as the collection of Web tools that facilitate collaboration and information sharing. Web-based communities and hosted services include social-networking sites, video and photo sharing sites, wikis, blogs, virtual worlds, and other emerging technologies.

  2. Internal Web 2.0 technologies - Web 2.0 systems running on agency-controlled servers (within NIH or via contract to NIH). This could include, for example, wiki and blogging software installed on the agency’s own infrastructure or a Web site on an outside server under contract with NIH.

  3. External Web 2.0 technologies - Web 2.0 systems hosted on servers over which the agency has little control. This includes proprietary social networking sites such as Facebook and GovLoop, as well as collaboration services such as Wikipedia, Blogspot and Delicious.

  4. Blog - a Web-based forum with regular entries of commentary, descriptions of events, or other materials where the blog host posts material on the Web site, and others may provide comments. Blogs may be moderated by the host or may allow any material to be posted.

  5. Micro-Blog - extremely short blog posts in the vein of text messaging. The messages can either be viewed by anyone or by a restricted group that is chosen by the user. Twitter, a popular micro-blog client, allows for posts of up to 140 characters in length to be uploaded and read online or through instant messaging or mobile devices via text messaging.

  6. Cloud Computing – The use of applications hosted across the Internet by an independent service provider. An example of cloud computing is a Google Doc, in which the word processing program is accessible through a Web browser, and the content in the document resides in Google’s servers.

  7. Mashup – a Web-based presentation of information that combines data and/or functionality from multiple sources. For example, a mashup would be a Google map showing average housing prices drawn from a city assessor’s online database.

  8. Personally Identifiable Information (PII) - Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. (OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information)

  9. Photo Sharing – Web sites which allow users to post and share digital photos. These sites typically allow commenting and meta-data to be attached to photos.

  10. Podcast – a way of publishing MP3 audio files on the Web so they can be downloaded onto computers or portable listening devices. Podcasting allows users to subscribe to a feed of new audio files using software which automatically checks for and downloads new audio files.

  11. Privacy Impact Assessment (PIA) - An analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. (OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002)

  12. RSS Feed (most commonly referred to as Really Simple Syndication) - a Web content format or “web feed” which, when used with an RSS aggregator, alerts users to new or exciting content on a Web site. They enable users to avoid the conventional methods of browsing or searching for information on Web sites. Once users subscribe to an RSS feed, they can gather material from Web sites of their choosing. Examples of an RSS feed include: blog posts, news headlines, website changes, job vacancy announcements.

  13. Social Bookmarking - a Web-based service where users create and store links. Although Web browsers have the ability to bookmark pages, those links are tied to that browser on that computer. Social bookmarking, in contrast, is tied to an online account, which can be made public. These bookmarks can be shared and discovered by others. Examples of social bookmarking sites include del.icio.us, Digg, and Reddit.

  14. Third-Party Web sites or Applications (TPWA) - Web-based technologies that are not exclusively operated or controlled by a government entity, or Web-based technologies that involve significant participation of a nongovernment entity. Often these technologies are located on a “.com” Web site or other location that is not part of an official government domain. However, third-party applications can also be embedded or incorporated on an agency’s official Web site. (OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Web sites and Applications)

  15. Video Sharing – Web sites on which users post video they have taken for others to view and comment on. Such sites allow viewers to “embed,” or display others’ video on their own sites.

  16. Virtual worlds – imagined places where users can socialize, connect and create using voice and text chat.

  17. Web Measurement and Customization Technologies - These technologies are used to remember a user’s online interactions with a Web site or online application in order to conduct measurement and analysis of usage or to customize the user’s experience. (Ex. persistent cookies, Web bugs, Web beacons, etc.) (OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies)

    1. Single-session technologies - These technologies remember a user’s online interactions within a single session or visit. Any identifier correlated to a particular user is used only within that session, is not later reused, and is deleted immediately after the session ends.

    2. Multi-session technologies - These technologies remember a user’s online interactions through multiple sessions. This approach requires the use of a persistent identifier for each user, which lasts across multiple sessions or visits.

  18. Widgets - interactive tools with single-purpose services such as displaying the latest news and weather, a map program, or photos.

  19. Wiki – a collection of Web pages that encourages users to contribute or modify the content. By using a simple Web interface, a community can collaborate.

G. Responsibilities:

NIH ICs and OD offices must review this chapter prior to using or creating social and new media sites to ensure compliance. The following are officials with responsibilities associated with this policy:

  1. NIH Senior Official for Privacy (SOP) - The OPDIV official responsible for the NIH Privacy Program. Approves Privacy Impact Assessments (PIAs) conducted by IC and OD staff on NIH uses of third-party Web sites and applications as well as Web measurement and customization technologies. Provides advice to IC Privacy Coordinators.

  2. NIH Section 508 Coordinator – Responsible for approving (or disapproving) Section 508 exception and accommodation requests.

  3. NIH Chief Information Security Officer (CISO) – The OPDIV official responsible for the NIH Information Security Program. The CISO will ensure that all security and privacy policies and procedures are implemented if a suspected or known breach occurs.

  4. NIH Records Officer - The OPDIV official responsible for the NIH Records Program. Responsible for ensuring adequate and proper documentation of all social and new media records. Provides advice to IC Record Liaisons.

  5. Chief, NIH Project Clearance Branch – The OPDIV official responsible for clearance of information collections under the Paperwork Reduction Act. Ensures the quality and completeness of NIH requests for PRA approval. Provides advice to IC Project Clearance Liaisons.

  6. NIH Freedom of Information Act Officer (FOIA) – The OPDIV official responsible for the NIH FOIA Program. This office is responsible for FOIA policy implementation and also responds directly on issues pertaining to the Office of the Director, trans-agency requests or in the case of a denial, those are to be forwarded to the NIH FOIA officer as described: http://www.nih.gov/icd/od/foia/. This office is located within OCPL.

  7. NIH Forms Officer – The OPDIV official responsible for establishing new, or revising existing NIH forms used on Web sites to collect data from the public.

  8. NIH Office of Communications and Public Liaison (OCPL) – Responsible for review and approval of IC requests for content clearances of materials, creation of new Web sites, clearance of written materials, campaigns and multi-media productions as well as the use of the NIH logo or name on a social media site. OCPL is responsible, in collaboration with the ICs and OD offices, and with the Department of Health and Human Services, for the overall NIH strategic communication efforts.

  9. IC Privacy Coordinator – The IC or OD office official who serves as the liaison between IC and OD staff and the NIH Senior Official for Privacy on privacy issues. The IC Privacy Coordinator shall ensure the IC’s social media sites are compliant with NIH Manual Chapter 2805, NIH Web Privacy Policy.

  10. IC Privacy System Owner/Manager – The IC or OD office official responsible for a group of records under the control of the agency where information is retrieved by the name of the individual, by some identifying number or symbol, or by other identifiers assigned to the individual. In coordination with other stakeholders, completes a Privacy Impact Assessment (PIA) on the use of a third-party Web site and application and/or Web technology for which s/he is responsible and ensures privacy policies and notices are posted as appropriate.

  11. IC Information Technology (IT) System Owner/Manager – The IC or OD office official responsible for the development, operation and/or maintenance of an information technology system defined as an organized assembly of IT resources and procedures integrated and regulated by interaction or interdependence to accomplish a set of specified functions.

  12. IC FOIA Coordinator – The IC or OD office official who serves as the liaison between staff and the FOIA Officer on issues concerning the Freedom of Information Act. Issues pertaining to the Office of the Director, trans-agency requests, and denials are to be forwarded to the NIH FOIA Officer as described at: http://www.nih.gov/icd/od/foia/.

  13. IC Information Systems Security Officer (ISSO) – The IC or OD office official who serves as the principal contact for coordination, implementation, and enforcement of information-security policies with the Office of the CISO (OCISO). Any suspected or known security breach should be reported within the hour to the ISSO in the IC or OD.

  14. IC Records Liaison – The IC or OD office official who serves as the liaison between IC staff and the NIH Records Officer in overseeing the records management program within their IC or Office. The IC Records Liaison shall be responsible for maintaining the IC’s social media records in accordance with the NIH Manual Chapter 1743, Keeping and Destroying Records.

  15. IC Project Clearance Liaison – The IC or OD office official who serves as the liaison between IC staff and the Office of Management and Budget for clearance functions concerning public information collection activities such as regulations, survey interviews, customer satisfaction surveys, Web site questionnaires and epidemiology research.

  16. IC Web Site Owner/Manager – The IC or OD office official who serves as the principal contact responsible for IC Web product development and project management.

H. Procedures:

Online social and new media activities shall follow appropriate IC or OD procedures and clearances. In most cases, the procedures to be followed for print publication apply unless one is posting content that has already been cleared for public use.

For other types of less formal content, such as blogs, micro blogging, tweets and replies to comments in public online space, coordinate your activities through your supervisory channels, as defined in the IC or OD procedures.

At a minimum, contact the IC or OD office (1) Communications Office for approval to communicate outgoing messages on behalf of the IC or OD office and to ensure that content procedures are followed, (2) CIO Office or ISSO to learn of security procedures that shall be followed, and (3) FOIA, PRA, Records and Privacy liaisons to learn of requirements under the Freedom of Information Act, Paperwork Reduction Act, Records Act and Privacy Act.

I. Records Retention and Disposal:

All records (e-mail and non-e-mail) pertaining to this chapter must be retained and disposed of under the authority of NIH Manual Chapter 1743, Keeping and Destroying Records, Appendix 1, NIH Records Control Schedule, in accordance with the specific schedule item as applied to the kind of records.

Web 2.0 Information: A challenge associated with the use of Web 2.0 technologies, including government blogs and wikis and Web pages hosted by commercial providers, is the question of whether information exchanged through these technologies constitutes federal records pursuant to the Federal Records Act. According to the guidance, records generated when a user interacts with an agency Web site may form part of a set of official agency records. National Archives and Records Administration (NARA) guidance indicates that content created with interactive software on government Web sites is owned by the government, not the individuals who created it, and is likely to constitute agency records and should be managed as such. NARA issued “Guidance on Managing Web Records” to help agencies make decisions on what records generated by these technologies should be considered agency records: http://www.archives.gov/records-mgmt/pdf/managing-web-records-index.pdf.

NIH e-mail messages: NIH e-mail messages, including attachments, that are created on NIH computer systems or transmitted over NIH networks and that are evidence of the activities of the agency or have informational value are considered Federal records. These records must be maintained in accordance with current NIH Records Management guidelines. Contact your IC Records Liaison or the NIH Records Officer for additional information.

All e-mail messages are considered Government property, and, if requested for a legitimate Government purpose, must be provided to the requester, the employee's supervisor, NIH staff conducting official reviews or investigations, and the Office of Inspector General, who may request access to or copies of the e-mail messages. E-mail messages must also be provided to Congressional oversight committees if requested and are subject to Freedom of Information Act requests. Back-up files are subject to the same information requests as original messages and documents.

J. Internal Controls:

The purpose of this manual issuance is to provide guidance to ICs and OD offices in meeting requirements related to privacy and the protection of personal information on NIH and Third-Party social and new media Web sites and applications.

  1. Office Responsible for Reviewing Internal Controls Relative to this Chapter:
    Oversight of this policy will be carried out through a coordinated effort between the Office of Management Assessment (OMA), Office of the Chief Information Officer (OCIO), and Office of Communications and Public Liaison (OCPL).

  2. Frequency of Review:
    Reviews will be ongoing. Appropriate internal controls must be in place before a social and new media Web site or application may be activated. Webmasters and programmers developing NIH social and new media Web pages are responsible for ensuring compliance with NIH policy.

  3. Method of Review:
    Each year, a workgroup of members from OMA, OCIO and OCPL will survey a sample of NIH social and new media sites for compliance with NIH policy. External reviews may be used as alternative reviews for this purpose.

  4. Review Reports:
    Reports will be sent to the NIH Deputy Director for Management (DDM), and circulated to NIH stakeholders, as deemed appropriate by OMA, OCIO and OCPL. Reports should indicate that controls are in place and working well, or indicate any internal management control issues that require the attention of the report recipient(s).

Appendix 1: NIH OIR Guidance for Use of Social Media for Recruitment of Subjects to Clinical Trials:

All of the items below are to be considered additional guidance and do not change the HHS regulations at 21 CFR Part 56 and 45 CFR Part 46 and implementing guidance at http://www.fda.gov/RegulatoryInformation/Guidances/ucm126428.htm and http://www.hhs.gov/ohrp/policy/clinicaltrials.html

Background

NIH Institutes and Centers with intramural programs increasingly rely on the use of new technologies such as social media networks (also known as Web 2.0) for informing potential participants about or recruiting them to clinical trials. Therefore, guidance is needed to define appropriate use of these tools by NIH employees, contractors, or partners who are engaged in OIR recruitment of patients to clinical trials.

Scope

This guidance is focused on social media tools and technologies that allow people to exchange information in real (or delayed) time on platforms that are public, including but not limited to social networks (such as Facebook), micro blogs (such as Twitter), automated feeds (such as RSS), image/video sharing sites (such as YouTube), social bookmarking services, blogs, forums and other emerging technologies with the purpose of social interaction.

These media are inherently different from the print environments that have controlled messages in text where potential subjects come to the announcements of clinical research opportunities by reading papers, magazines, posters, or hearing/seeing radio and television ads that are pre-produced. (When a trial recruiter purchases an ad space or ad time for a recruitment, the information is contained and is placed where one expects it to appear and in the pre-determined form. Outlets are selected to reach appropriate populations.)

In the social media environment the movement and placement, context and content of information, may all be manipulated. Also, audiences may be highly-targeted without individuals in those audiences self-selecting to be reached (as in the purchase of a magazine, responding to a poster, or seeing an ad and calling an 800 number.)

Our Responsibility to Protect Potential (or Actual) Study Volunteers

To fulfill our responsibilities in using new and social media for recruiting research participants, Investigators should consider the following questions.

  1. Have I considered the full implications of privacy in this new and less-controlled environment?

    The Principal Investigator (PI) and Institutional Review Boards (IRB) should assure the procedures followed adequately protect the rights and welfare of the prospective subjects as well as the accuracy of information for decision making. The PI should assure the IRB that the information provided by individuals will be appropriately handled. [As with current policy: A simple statement such as “confidentiality will be maintained” is not sufficient to inform the IRB about the procedures that will be used]. When using social media, PIs need to be familiar with and should describe to the IRB the privacy/confidential/information practices of any platform being used to collect and store information that is not owned or operated by the U.S. Government. For example, some Web services maintain copies of all information submitted through their sites, including answers to investigator-posted surveys or screening instruments. In this scenario, an individual is no longer providing information solely to the government, but also to a third party who is not necessarily bound by the same laws and regulations and who can analyze and search the data for its own purposes, monitor it at will, lawfully or unlawfully, or sell it.

    When considering whether a Third-Party Web site or Application (TPWA) is appropriate for NIH use, you must ensure all uses of Third-Party Web sites and Applications comply with existing OMB Guidance, HHS and NIH policies with respect to privacy, system security and data safeguarding standards.

    http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-23.pdf

  2. I need to carefully consider how my materials will be used.

    Although there has been a historic division between ads that are "purely informational" and "recruitment" ads, in the social media environment, this is much harder to distinguish and monitor. The outreach itself to groups or individuals with disease-specific interest may already allow for intrusion into personal privacy and result in disclosure of personal medical information not only to the PI but others.

    Investigators need to consider the possible venues of presentation of recruitment materials, including the ability of recruitment services to place ads on Web sites that the Investigators do not choose in advance. Might some of those Web sites be inappropriate for presentation of an NIH recruitment notice?

  3. Have I controlled my informational data in a locked format?

    OHRP guidance provides that IRB review and approval is required for any information provided to potential participants beyond a directory listing that includes this basic descriptive information:

    - Study title
    - Purpose of the study (in plain language)
    - Protocol summary
    - Basic eligibility criteria
    - Study site location(s), and
    - How to contact the study site for further information

    With interactive media, the location of the information is not static (as it is in printed posters, flyers, Web sites), so it is recommended that this information be provided in a controlled PDF or other locked format for distribution. If a locked format is not going to be used, the PI should make the IRB aware of how the information will be presented.

  4. Have I made the contact site for further information protected for the privacy of interested individuals?

    Any contact information (such as a Web mailbox) should bring the interested person behind a security wall for any further information exchange. Until accepted in the study, individuals working on the study may not use intake and inquiry procedures for prior decision-making about potential subjects (e.g., using Google and commercial databases to determine if someone appears to be an appropriate subject) until the individual has been fully consented.

  5. Do I clearly understand that the interactive nature of social media escalates the speed of interaction, allowing for greater opportunities for errors in protecting private information? Have I planned to obviate those errors?

  6. Have I accounted for problems related to the portability and secure handling of information, including the encryption of all government laptops, the encryption of sensitive information during transport, including but not limited to transport across the network or on portable media, and the reporting of unintended breaches of sensitive personal information in the government’s possession?
    http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf

  7. Have I included my complete strategy for use of the social media and my strategies for protection of privacy and strategies for informed consent explicitly in my proposal to the IRB?

  8. Have my team and I clearly understood the invasive nature of joining groups (i.e., support groups, disease groups, advocacy groups, etc.) for the purpose of recruitment? This can undermine trust in government research and your IC.

Appendix 2: NIH Social and New Media Checklist:

This checklist is also available as a PDF file for you to download and fill in or print: MC2809_Appendix2.pdf


  1. Approval:

    • Contact the IC or OD Communications Director for your office or program to determine the appropriate strategy and tools for your audience and mission and to obtain any required IC approval(s) to use social and new media.

    • Notify the NIH IT Service Desk to request local access to the social or new media account for the individual(s) in the IC or OD office that is/are to be granted permission to create, maintain, and monitor the account.

    • Notify the NIH Online Information Branch to have your account added to the NIH List of Subscriptions.

  2. IT Security:

  3. Licensing:

    • Check the list of HHS Terms of Service (TOS) agreements to determine if the General Services Administration (GSA) has negotiated a federally-friendly TOS agreement with the third-party vendor.

    • Contact the HHS Center for New Media at newmedia@hhs.gov if you are interested in a tool that is not on the list and that you would recommend they should pursue.

    • Contact the NIH Office of General Counsel (OGC) to determine if your IC or OD office can agree to the terms and conditions of the Third-Party Web site or Application (TPWA) and/or the licensing agreement supplied by the vendor.

  4. Official Agency Sources of Information, Branding, and Copyrighted Content:

  5. Accessibility:

    • Ensure content posted or produced through the use of new technologies is accessible to people with disabilities and in compliance with Section 508 of the Rehabilitation Act of 1973; see http://www.hhs.gov/web/508/index.html for current Section 508 policy and standards, guidance and other information.

    • Contact your IC Section 508 Coordinator or the NIH OCIO Section 508 Team (section508help@nih.gov) with questions or assistance on compliance.

  6. Information Collection from the Public:

  7. Soliciting Official Public Comment:

    • Do not solicit formal or informal consensus advice from the public using Web technologies.

  8. Protecting the Public's Privacy:

  9. Use of Tier 3 Web Technologies:

  10. Record Keeping:

  11. Comment Moderation:

    • Determine and document a process to moderate (review and clear) comments.

    • Clearly link to a comment policy if you will allow the public to make PII available to the agency (e.g., “friend-ing,” “following,” “liking,” joining a “group,” becoming a “fan,” and comparable functions).

  12. Linking, Liking, Following and Endorsement:

    • Ensure Web pages containing links to external Web pages not located on the NIH network provide a statement adjacent to the link or a "pop-up" disclaimer that explains that visitors are being directed to an external, government or non-government Web site that may have different privacy policies from those of the NIH official Web site.

    • Determine what entities are appropriate to link/like/follow/endorse from your account.

 

 

 
