Public servants across dozens of government agencies will need to delete TikTok from their work devices from Tuesday, but staff will still be allowed to use the app on their personal phones.
Attorney-General Mark Dreyfus announced he had authorised the ban on Tuesday morning following advice from intelligence and security agencies.
The ban only applies to non-corporate Commonwealth entities, meaning agencies which are a body corporate, such as the ABC and SBS, are not required to remove the app.
There are 72 corporate Commonwealth entities, but agencies may choose to follow the advice.
Those affected by the ban can apply to their chief security officer for exemptions, but it is not yet known whether any of the 100 Commonwealth entities will do so.
According to data collected by The Canberra Times last month, nearly half of 137 federal government agencies had already moved to ban the app on work devices, while others reported they were in the process of reviewing their policies.
Three of the 16 government departments still allowed the app at that time - Industry, Infrastructure and Veterans' Affairs.
TikTok still allowed on personal devices
Ms Jones outlined that entities must prevent installation of the app, or remove it from devices where it had already been downloaded, unless they have a legitimate business reason to use it.
That covers agencies which use TikTok for regulatory functions, to conduct research or communicate (for example, to combat mis- or disinformation) or to reach key audiences for marketing or public relations activity.
Agencies that want to continue using the app must have the decision greenlit by their chief security officer, and ensure the app is only used on a separate, standalone device "without access to services that process or access official and classified information".
This device must also be stored away from sensitive conversations and information.
APS staff can still use TikTok on their personal phones, but where these devices are used to access official or classified data for work, safeguards will need to be enforced.
"Non-corporate Commonwealth entities that allow remote access to official and classified system data from personal devices, including through 'bring your own device' policies, must ensure that access provided to Government systems is done in a secure manner," a spokesperson for the Attorney-General's Department said.
The new direction will only apply to contractors or consultants who have been issued government devices.
"The area that we have control over is on the government issued devices," Public Service Minister Katy Gallagher said.
"So there would be some contractors that would have government issued devices as part of their work and of course that would apply to them."
The Canberra Times contacted Big Four consulting firms to ask whether they would follow the government's move to prohibit TikTok.
EY responded that staff are not permitted to download TikTok, but Deloitte and KPMG had not commented by the time of publication.
The direction also lists further steps, which must be taken where agencies receive exemptions to use the app on their work devices:
- Metadata must be wiped from all content uploaded to the app.
- Personal identifying content should not be shared where possible.
- The account must be created with a generic email, such as a group mailbox.
- Multi-factor authentication must be enabled when signing in, and passwords must be unique for each account.
- Phones which have the app must also be using the latest available operating system, in order to control individual mobile applications.
- The app can only be installed from trusted stores such as Microsoft, Google Play and Apple.
- Only authorised users can have access to the accounts and this must be revoked immediately when there is no longer a need for that access.
- Terms and conditions must be regularly reviewed, as well as app permissions with each update.
- The app must be deleted when there is no longer a need for it.