Use of TikTok application policy

Document type:

Policy

Version:

v1.0.0

Status:

Current

Owner:

QGCDG

Effective:

April 2023–current

Security classification:

OFFICIAL-Public

Purpose

The protection of data is of the utmost importance and the Queensland Government is committed to minimising security risks associated with the use of information communication and technology (ICT)services, facilities and devices.

This policy states the Queensland Government position on using the TikTok application on government owned devices. This policy is aligned to the Federal Government Direction 001-2023 on the use of TikTok.

Scope

This policy applies to government provided information and communication technology (ICT) services, facilities and devices. It also applies to all employees, contractors, consultants, vendors and any other parties who have access to Queensland Government owned network, data or devices.

Separate advice related to the use of higher risk applications (including TikTok) on personally owned devices which have been authorised to be used for work purposes should be included in agency “Bring your own device” (BYOD) policies.

Policy statement

The Queensland Government prohibits the installation and use of the TikTok Application on any government provided information and communication technology (ICT) services, facilities and devices. This includes but is not limited to smartphones, tablets, laptops and desktops.

Policy requirements

1. Agencies must ensure that the TikTok application is not installed on any government-owned device

Agencies must prohibit installation of the TikTok application on all new government owned devices.

Agencies must also ensure the TikTok application is removed on all existing government owned devices.

Where the Agency Accountable Officer determines there is a legitimate business reason to have the TikTok application installed on a government owned device, agencies must undertake a risk assessment and implement mitigation strategies to reduce associated risks.

• Ensure the TikTok application is installed and accessed only on a separate, standalone device without access to services that process or access official and classified information.
• Ensure the separate, standalone device is appropriately stored and secured when not in use. This includes the isolation of these devices from sensitive conversations and information.
• Ensure metadata has been removed from photos, videos and documents when uploading any content to TikTok.
• Minimise, where possible, the sharing of personal identifying content on the TikTok application.
• Use an official generic email address (for example, a group mailbox) for each TikTok account.
• Use multi-factor authentication and unique passphrases for each TikTok account.
• Ensure that devices that access the TikTok application are using the latest available operating system in order to control individual mobile application permissions. Regularly check for and update the application to ensure the latest version is used.
• Only install the TikTok application from trusted stores such as Microsoft Store, Google Play Store and the Apple App Store.
• Ensure only authorised users have access to corporate TikTok accounts and that access (either direct or delegated) is revoked immediately when there is no longer a requirement for that access.
• Carefully and regularly review the terms and conditions, as well as application permissions with each update, to ensure appropriate risk management controls can be put in place or adjusted as required.
• Delete the TikTok application from devices when access is no longer needed.

Advice

Other government entities such as statutory entities and local government bodies are encouraged to adopt this policy.

Legitimate business reason means a need to install or access the TikTok application on a government device to conduct business and/or achieve a work objective of an entity. A legitimate business reason would include:

• Where the application is necessary for the carrying out of regulatory functions including compliance and enforcement functions
• Where an entity requires research to be conducted or communications to be sent to assist with a work objective (for example, countering mis- or dis-information), or
• Where an entity must use the application to reach key audiences to undertake marketing or public relations activity on behalf of the entity.

This direction applies only to the TikTok application and does not restrict access to TikTok through the use of a web interface (for example, accessing through a website).

Further information about mitigations is available in ASD’s Information Security Manual and in ACSC publication Security Tips for Social Media and Messaging Apps.

Applicability

Unless excepted, this policy applies to all Queensland Government departments (as defined by the Public Sector Act 2022). Accountable officers (not already in scope of the Public Sector Act 2022) and statutory bodies under the Financial and Performance Management Standard 2019, must have regard to this policy.

Implementation

This policy comes into effect from the issue date.

Policy benefits

This policy helps departments to manage the risks associated with use of the TikTok application and provides consistency with the federal government policy.