I was speaking with a colleague the other day and was
flabbergasted to find that her "personal share" on the network had
read access for everyone on the network. Her reply was that this was the
organization's policy, since nothing created in government was private anyway.
I asked her if that included her supervisory notes on employees and works in progress.
She said that she doesn't keep employee notes in electronic format, and that works in progress
are OK, according to how she interprets the Open
Records laws.
That got me thinking about how tough a job privacy is for a
public organization. Even if there is a role for a "privacy czar" in
the organization, a great deal of responsibility for how communication is handled
is shared among all employees who work in government. Because IT controls
many of the systems used to communicate and disseminate information, it shoulders
much of the load for compliance with privacy rules; IT is tasked with
understanding information policy and using that understanding to guide
operations.
When your team is planning for network and application
security, evaluating capacity needs, or setting up backup and retention
schedules, does anyone even mention Open Records requirements? Often, these
questions are asked only in the event of a crisis, whether it is through
litigation or unintentional leaks of information. In fact, I am willing to bet
that a large number of government IT organizations unwittingly violate one or
more rules regarding information handling every single day.
So, given such responsibility, how do you and your department
rate? Are you an expert on Open Records laws? Do you understand all the rules
and regulations regarding information storage, handling, and retention? If your
answer is no, then here are a few things you can do to get up to speed.
Open Records laws vary by state and municipality
Open Records laws are those statutes that deal with the
public’s right to examine records (print or electronic) that government workers
create, compile, or receive. There are exemptions for records that are deemed
crucial to national security, or that have to do with ongoing criminal
investigations. Generally, citizens have the right to access these public
records, and the burden is on the government to demonstrate why any records
should be kept secret.
There is no single set of legislation that governs all
agencies in all states, although there are some federal guidelines, which I
will discuss below. So first, you need to locate a copy of your state’s Open
Records laws, Freedom of Information Act, or whatever the legislation is called
in your state (they do vary). You should also reference any additional rules
that your municipality has created governing disclosure of information.
Most states’ Open Records laws are based on the Federal
Freedom of Information Act, specifically the provisions in 5 U.S.C. Section 552;
however, since each state drafts its own laws, there are significant variations
as well. So knowing how Open Records laws work in one state does not make you
an expert in another. These laws are on the books for one reason—to make sure
that government does not operate behind a curtain of secrecy. These laws
specify what information is accessible to the public and the means to retrieve
it. (Although it is targeted toward journalists, The Reporters Committee for Freedom
of the Press Web site provides a handy resource to
Open Records laws by state.) To ensure that your interpretation of these laws
is on target, you should also discuss them with your organization’s legal
counsel, if possible.
To complicate matters even more, Open Records laws are
constantly being amended. Most of these amendments have to do with electronic
information; there are pending Breach of
Information bills in 28 states in response to well-publicized information
leaks, which have led to increases in identity theft. Like my colleague in
the first paragraph, you might assume that everything you do or
say as a government employee is subject to Open Records laws. Assuming such
transparency may be a good rule of thumb, but there are so many exceptions
that you'd be better off familiarizing yourself with the rules.
You also have to consider the separate, and much more specific,
regulations that affect your government sector, such as HIPAA or Gramm-Leach-Bliley.
In general, these regulations will not contradict one another, but there may be
some gray areas, depending on your interpretation.
Translating laws into IT policy
Once you research the regulatory environment, you must apply
that knowledge in the operations of your IT department. Generally this
application of knowledge pertains most directly to the areas of security and records
retention (storage). In the first paragraph, I asked the question about
supervisory notes and works in progress, for example. Should they be considered
private? In the Open Records acts that I reviewed, the laws agreed and
specifically stated that supervisory notes regarding an employee were not
subject to Open Records. Conversely, they disagreed on works in progress
(drafts), with some stating that they were private until disclosed to the
public, while others stated that privacy was lost the minute they were sent to
anyone else for comment—even in draft form.
So, in my opinion, this translates into the IT policy of
providing "private shares" for management. Even if the law stated
that they were subject to Open Records,
I would argue that organizational policy should dictate that every employee
with network access gets a personal/private share whose permissions are limited to
that employee (plus administrators), with the understanding that anything stored there
can still be retrieved and disclosed if required by law.
What about retention periods for files and e-mails? Some Open Records
acts explicitly state the retention periods for specific documents depending on their content. What a can
of worms this is, especially if your file shares and e-mail content are mixed
among departments! However, no matter how painful the process, these are the
laws that must become part of your IT department’s policy.
Recommendations
No one wants to be in the position of doing damage control
after an incident, so it is in your best interests to be proactive about
privacy law compliance. Here are the steps you need to follow:
- Create a training plan for the next fiscal year (if not sooner) that includes a refresher for your staff regarding the laws of information management.
- Coordinate the training with your legal counsel and/or Human Resources to ensure that the information is accurate.
- Perform a review (in house or contracted) of your systems and applications in light of the information learned.
- If there are gaps between the laws and your current IT policy, implement the changes on a priority basis.