I was speaking with a colleague the other day and was flabbergasted to find that her "personal share" on the network had read-access for everyone on the network. Her reply was that this was the organization's policy, since nothing created in government was private anyway. I asked her if that included her supervisory notes on employees and works-in-progress. She said that she doesn't keep employee notes in electronic format and works-in-progress are OK, according to how she interprets the Open Records laws.
That got me to thinking about how tough a job privacy is for a public organization. Even if the organization has a "privacy czar," a great deal of the responsibility for how communication is handled is shared among everyone who works in government. Because IT controls many of the systems used to communicate and disseminate information, it shoulders much of the load for compliance with privacy rules; IT is tasked with understanding information policy and using that understanding to guide operations.
When your team is planning for network and application security, evaluating capacity needs, or setting up backup and retention schedules, does anyone even mention Open Records requirements? Often, these questions are asked only in the event of a crisis, whether through litigation or an unintentional leak of information. In fact, I am willing to bet that a large number of government IT organizations unwittingly violate one or more rules regarding information handling every single day.
So, given such responsibility, how do you and your department rate? Are you an expert on Open Records laws? Do you understand all the rules and regulations regarding information storage, handling, and retention? If your answer is no, then here are a few things you can do to get up to speed.
Open Records laws vary by state and municipality
Open Records laws are those statutes that deal with the public's right to examine records (print or electronic) that government workers create, compile, or receive. There are exemptions for records that are deemed crucial to national security, or that have to do with ongoing criminal investigations. Generally, citizens have the right to access these public records, and the burden is on the government to demonstrate why any records should be kept secret.
There is no single set of legislation that governs all agencies in all states, although there are some federal guidelines, which I will discuss below. So first, you need to locate a copy of your state's Open Records laws, Freedom of Information Act, or whatever the legislation is called in your state (they do vary). You should also reference any additional rules that your municipality has created governing disclosure of information.
Most states' Open Records laws are based on the Federal Freedom of Information Act, specifically the provisions in 5 U.S.C. Section 552; however, since each state drafts its own laws, there are significant variations as well. So knowing how Open Records laws work in one state does not make you an expert in another. These laws are on the books for one reason—to make sure that government does not operate behind a curtain of secrecy. These laws specify what information is accessible to the public and the means to retrieve it. (Although it is targeted toward journalists, The Reporters Committee for Freedom of the Press Web site provides a handy resource to Open Records laws by state.) To ensure that your interpretation of these laws is on target, you should also discuss them with your organization's legal counsel, if possible.
To complicate matters even more, Open Records laws are constantly being amended. Most of these amendments have to do with electronic information; there are pending Breach of Information bills in 28 states in response to well-publicized information leaks, which have led to increases in identity theft. Like my colleague in the first paragraph, you might easily assume that everything you do or say as a government employee is subject to Open Records laws. Assuming such transparency may be a good rule of thumb, but there are so many exceptions that you would be better off familiarizing yourself with the rules.
You also have to consider the separate, and much more specific, regulations that affect your government sector, such as HIPAA or Gramm-Leach-Bliley. In general, these regulations will not contradict one another, but there may be some gray areas, depending on your interpretation.
Translating laws into IT policy
Once you have researched the regulatory environment, you must apply that knowledge to the operations of your IT department. Generally, this applies most directly to the areas of security and records retention (storage). Take, for example, the question I asked in the first paragraph about supervisory notes and works in progress: should they be considered private? The Open Records acts that I reviewed agreed on supervisory notes, specifically stating that supervisory notes regarding an employee were not subject to Open Records. Conversely, they disagreed on works in progress (drafts): some stated that they were private until disclosed to the public, while others stated that privacy was lost the minute they were sent to anyone else for comment, even in draft form.
So, in my opinion, this translates into an IT policy of providing "private shares" for management. Even if the law stated that they were subject to Open Records, I would argue that organizational policy should dictate that personal/private shares be provided to all employees who have network access, with the understanding that anything stored there can be accessed if required by law.
What about retention periods for files and e-mails? Some Open Records acts explicitly state the retention periods for specific documents, depending on their content. What a can of worms this is, especially if your file shares and e-mail content are mixed among departments! However, no matter how painful the process, these laws must become part of your IT department's policy.
No one wants to be in the position of doing damage control after an incident, so it is in your best interests to be proactive about privacy law compliance. Here are the steps you need to follow:
- Create a training plan for the next fiscal year (if not sooner) that includes a refresher for your staff regarding the laws of information management.
- Coordinate the training with your legal counsel and/or Human Resources to ensure that the information is accurate.
- Perform a review (in house or contracted) of your systems and applications in light of what you have learned.
- If there are gaps between the laws and your current IT policy, implement the changes on a priority basis.