Slay the Public Records Request Dragon

Texas e-Records Conference 2019 Recap

The below is a transcript of a presentation given at The Annual TSLAC e-Records Conference held Friday, November 15, 2019. The theme this year was Better Together in a Digital World: Security and Retention. This event is organized by the Texas State Library and Archives Commission (TSLAC) and co-sponsored with the Texas Department of Information Resources (DIR) to promote electronic records management in Texas government.

Read the Full Presentation Transcript

Jen Snyder: Thank you everybody. Okay. Today we’re going to talk about slaying some dragons, so when we look at the public records process, we kind of think that there’s about three different major dragons in your space that you’re dealing with on a daily basis. So we’ve taken some time to break out each one of these dragons and talk about not only some of the problems and complications, some of the trends that we see, but then also give you some tools to kind of slay those dragons as you move forward. Why we’re here to talk to you about that today is I’ve been providing software solutions to government for about the last 18 years, solely focused on the public records process for about the last 10. So I like to think I’m bringing a little bit of examples from across the country to you and also some additional focus specifically on the state of Texas.

Gary Geddes: Thank you, Jen. And I’m Gary Geddes. So if you’re a state government entity here, I’m your account executive. So if you have any… if you’re city, county, I cover state only, but the reason why I’m here is because I am a certified information security practitioner. I have many years of experience in guiding entities with public sector and private sector in security compliance and privacy and information. I’ll be taking that aspect of this conversation today.

Jen Snyder: Okay. So first, let’s talk about the complexity dragon. So you have so much complexity in your process today. I know basically when you look at the public records process, you think to yourself, “I’ve got to intake the request somehow, I’ve got to vet the request, I’ve got to get some assistance, I’ve got to review it, maybe I’ve got to redact it and then I’ve got to either respond or release information.” Sounds simple at the core but it’s very complex. You’ve got to intake it from multiple areas, it can be a walk-in, a fax, an email, maybe a form on your website. It’s got a lot of processing that has to be tracked and you’re asking for a lot of help from folks that you don’t manage.

Jen Snyder: In addition to that, you’ve got to review and exempt things and you’ve got to justify those. So that brings a lot of complexity to those five steps that I just talked about. We did a survey and we got about a 52% response rate, and we got 52 respondents who said 83% of the time they have to ask for help from folks that they don’t manage. That in itself is complex and we can stop right there. Two to 10 departments are involved with 42% of the requests you’re doing today. That’s a lot to have to keep track of.

Gary Geddes: One of the things we see and it really drives the complexity of these multi-agents type of requests and maybe not only do you have stakeholders within your own organization, you’re having to collect data from, which could potentially be working on it right through [inaudible 00:03:40] that extends you out across multiple entities, maybe even across to a different state, for example. And so as you start to build these data sets of not just your own organization’s data, but data that could be another organization’s data, as you pull that together, now you become the custodian for that information and it’s critically important you understand the security or privacy recommendations of holding that and being the custodian of another organization’s data that you brought in.

Jen Snyder: Thank you, Gary. Litigation is our next dragon. So litigation today is becoming a huge trend in the public records space. People are understanding more and more what they think their right to data is and they are challenging you on a regular basis. There are groups out there that are doing this specifically with the intention of trying to catch you in a mistake. We surveyed our customers and we found out that 31% of our customers today have been a part of a litigation. That’s a huge number. Two years ago that number was half. So with that information we want to figure out how to give you more tools so that we can make sure that the litigation is minimized and that 31% number goes down, not up.

Gary Geddes: So when… are you familiar with the Freedom of Information Foundation of Texas? All right. So if you’re not familiar with that organization, FOIFT, really they… to me, they give an interesting perspective of the requester side of the house. We talk a lot of times as the providers of information, I think it’s useful to look at the perspective of how do those other organizations view the legislation, how do they view the rules and what’s their real agenda. So not thinking of it in a hostile way or just … or as the enemy, but just being on the other side of the equation, the more you can understand and interpret their agendas and strategies can help you build your reference process better, especially when it comes time to stay in line with their view of legislation.

Jen Snyder: Speaking of legislation, so legislation today is constantly changing. We see this as a trend across the country, whether it’s statewide reporting that has to get done that you weren’t prepared for and you’re not capturing the correct data, whether it’s legislation that says you need to justify things in a different way today, or whether it’s that new things are now being part of the public records process very similar to SB 944. We’ll talk about a little bit more.

Gary Geddes: Yeah, so another bill that’s passing the Lege this past year is Senate Bill 819 which is often called the open data bill. You guys familiar with the new bill? So it’s a pretty short read, it’s really around encouraging organizations to put their data online, make it more accessible and, but really has a big ramification for how people respond to register [inaudible 00:06:25]. So since we’re kind of talking about that new Senate bill and some of the things DIR is doing to help agencies deal with it. I think…

Jen Snyder: Great. And just to add to what Gary just mentioned, when you’re leveraging technology today in the public records process, a lot of those tools today will actually enhance or complement that open data portal. So if you’re doing all the work to be more transparent in your organization and you’re building these datasets, let’s add tools on there that’s going to help you with the public records process management and grab that data so your consistent data gets used over and over again and you don’t have to recreate the wheel. So as a final piece of our survey, we surveyed to find out how many of our customers were actually following the legislation and trying to proactively prepare for any changes that might be coming and make sure that their processes or their management of the process was going to fit that.

We found that only 37% were actually actively following legislation. We at GovQA, we actually do a really good job of following that across the country because those trends that are coming in legislation today, we’re finding that your manual processes will not fill the task. You don’t have the tools in place today to capture the data that’s necessary in a manual situation or you’re having to do a lot of backend legwork to gather that data, compile that data to fulfill those reporting requirements. So that’s just one area of legislation that’s a big hot topic today is reporting.

Gary Geddes: Yeah. And then with all legislation that reads back to you the security or privacy of the information that you’re holding. So when you think about security and privacy, we tend to… often those terms are commingled that… and security and privacy as it’s one thing, but it’s really important as you’re handling the data that security is one aspect, privacy is a different aspect. So security is really around ensuring that the data you’re putting in your dataset is appropriate for public release. Is it… should it be held confidential due to your internal policies or other legislative requirements and is it… are you protecting the integrity of the data? Do you know that the data you’ve provided in that dataset is actually the right data? That it’s accurate, that it hasn’t been somehow altered in some way where it’s not the correct dataset.

So security is around kind of that data protection piece of it, where privacy is really around the context of which the data was collected. How did we get the data and what was the expectation of the people giving it to us in terms of was it going to protect their privacy or not? So if you think about a survey form or something where a citizen might submit some information with expectation that data would not become public, even though it’s really technically public information, the fact that it was released could have a perception that it violated privacy. And so you need to be understanding about that privacy around how the data is being used and then security being around how policies apply to their data in terms of disclosure and integrity. So are they two sides of the same coin? It’s definitely important to have a view of both security and privacy as really separate aspects of the data.

Jen Snyder: That brings up a good point, Gary. So using some technology today, you can actually secure that data even further. So that privacy data, the person who intended to give it to you for a specific use, is probably assuming that it’s being used by you and you specifically. So leveraging technology today can allow you to isolate that data so your entire staff does not have access to it, and today that’s really important.

Gary Geddes: Yeah, you see lots of legislative, especially out of California now, with looking at GDPR and things like that and then privacy is going to be trumping security in terms of the way we handle data going public.

Jen Snyder: Okay. So we’ve talked a little bit about the three dragons. So we’ve got complexity, we’ve got legislation, we’ve got litigation. What Gary and I would like to do now is actually give you some tools. So we’re going to give you nine ways to help you battle those dragons and all of those nine ways really kind of touch upon each one of those dragons because they all kind of fall in line together, but we’ll point out some very specific ones as well.

1. Proactive Sharing

Okay. So the first thing I want to talk about is proactive sharing. So Gary had mentioned the open data portal and transparency and things of that nature, those are great ways for us to proactively share information that you’ve already compiled to fulfill a public records request.

And when you’re leveraging technology today, you can actually have that stuff auto presented to the requester so you don’t have to have any manual intervention to do that. So whether it’s an open data portal, whether it’s a section of your website, whether it’s just putting information into FAQs or proactively putting data out there in a format that people can follow are ways that you can proactively share that information and maybe never actually manually have to touch the request because the requester is satisfied.

Gary Geddes: Kind of show of hands, how many people today are using some type of data sharing as a way to deflect requests? Is that common? Maybe half the room. Okay, great. So yes, if you are a state agency, you definitely should be aware of the Senate bill, the open data bill, and take a look at some of the programs that DIR is offering to help with that. They have both an open data portal that’s for public data and they also have a closed data portal because I know there’s always a risk about when I share data, do I… is this really a part that can be shared publicly? So there is a way to also do data sharing across organizations through a closed data portal, but the idea of being able to use public sharing as a way to deflect and the work of the request, put the work back on the requester and they’ll find the information they need, that may not always work.

We know sometimes you’re going to point them to a website and they’re going to, “Yeah, I’m not going to do that, go get the request for me.” We know that that can happen, but definitely trying to use data sharing as a way to deflect you, not just from the work, but also the risk of being the one that would bear the dataset. If you put that back on requester, then you’ve taken yourself out of the equation to some extent. So I definitely encourage you to talk with Ed Kelly, he’s the statewide data coordinator, about the open data portal. Another part of that bill is it requires all state entities to name a data officer for their agency. Are any of you a data officer in your own agency today? A couple of hands.

If you want to take a big step forward, but there is a requirement for every agency. I mean, that’s every agency, it’s not just a certain size and that’s a pretty big ask that we name a data person, but we will have a data officer for every agency. Ed Kelly’s actually up and was in Washington this week at a big conference, not a big conference but a consortium of 15 states, statewide coordinators getting together and looking at these kind of issues and trying to build some kind of national consensus of standards for that, like what should a data officer do? What kind of roles would they have in things like records request? So basically an exciting time right now, this open data bill’s created some interesting opportunities for those who are in state governments, you got to go explore this as a career path.

Jen Snyder: All right. And since Game of Thrones is gone, I want to make sure we keep talking about these dragons since I know it’s too soon, right? So just to kind of tie off on the proactive sharing, this is really going to help you with the complexity if we can self serve and it’s also going to help with litigation because if you’re going to be able to reuse information or point to information that’s already been approved or validated, that’s going to be very consistent, so you’re never going to be worried about, is the message the same as the last message I gave?

2. Parallel Processing

Okay, parallel processing, what the heck does that mean? So this means that this is when you can leverage tools today to do the work of many in one. So how many of you today, show of hands, see a lot of repeat requests? Okay. I think Parallel Processing can really be helpful. So if you’re leveraging technology today, that technology can do a couple of things. One, it’s going to identify things that you may have already done. Hey, someone asked you the same thing last week. You should look at that, be consistent and use the same information. That technology can also do things like say, wait a minute, something’s trending, you’ve got five of the same requests, so you should manage them all as one. Save yourself some time and give everyone the same consistent message. These are going to be some tools to create some efficiencies. But overall they’re really about mitigating risk.

Gary Geddes: Yeah, for those requests you do have to serve. Using automated technology can really reduce the complexity and reduce the amount of work. So we definitely recommend something like using an advanced eDiscovery tool to really offload that work, offload these repetitive tasks. I’m not sure if you are using automated eDiscovery tools today. For those of you who are Microsoft customers, if you’re a state agency, then I’m pretty sure you load a good eDiscovery tool. Happy I can’t talk about that today, but happy on the break to talk about the technology. We have the new Office 365. But you can reduce a lot of complexity, remove a lot of the repetitive work by letting machine learning do the work for you. This could really be helpful in using complexity as well as the litigation. We’ll talk about that too and the way that eDiscovery tools can really take the person out of the equation so there’s much less pressure on the individuals who are working on the cases.

Jen Snyder: Absolutely. And just to kind of point out the records process, the public records process, managing that process, a lot of times we see ourselves sitting in front of the eDiscovery platform because a public records process management system is going to be doing the communication and the liaison piece with the requester, but needs to go back to eDiscovery because eDiscovery is going to help them compile the data. So the two marry together very well.

3. Collaborating

Okay. Collaborating, let’s see a show of hands in this room, not my survey, who are working with multiple departments at the same time to fulfill a request.

All right. Probably painful. So we want to see, today’s technologies can bring to you a lot of tools to help you get others involved and get that ask out there. You can do it simultaneously. But the beauty of it is you’re doing it in a secure, controlled environment that can be tracked. It can be escalated. You can send reminders and notifications. So all of that calendaring that you’re doing to keep track of everybody that you’ve asked to help in something, that all goes away. That whole manual piece can go away and systems today can actually take that work on for you. So when you’ve got to collaborate internally to get the work done, the tools are in place to help you do that. And again, as Gary had mentioned before, sometimes you have to go outside the organization to get that data. The systems that are out there today can do that in a very secure manner. It eliminates file size limitations. We’re doing away with CDs and junk drives. All of that goes away because these tools have been designed to allow you to move large datasets in a very secure, controlled environment.

Gary Geddes: Yes, there’s all kinds of great collaborations that affect way beyond the records process. But in general, state government is, this particular state, but it’ll probably really apply to a lot of cities and counties as well, is that there is no statewide identity management system or anything like that. Each individual agency maintains their own directories, their own identities. And so you go to try to collaborate across organizations, there can be a lot of friction in making that happen. The good news for you is that within the state of Texas you have a commonality of identity management system across all agencies.

And within that platform you have the ability to do cross organizational sharing in a secure way. So if you do need to set up a collaboration site, that’s something you can actually do and facilitate using your technology that can allow you to let the right people have access to it, only the right people, see what’s being done. You’re eliminating duplication of effort, allowing people to co-edit the documents, things like that. So there’s a lot of work you can do using your identity and access management system to ease that, either [inaudible 00:18:28] internal organizational collaboration to allow the right people to have access in the right way, in a secure way that you can document and audit.

Jen Snyder: Absolutely. Another way that we’re seeing trending today is there has to be a lot of collaboration around redaction. How many of you today are using a redaction… How many today are using a Sharpie marker? Sorry, I did not mean to shake you. Today there are a lot of tools out there that help with redaction. But what we’ve seen as kind of the next level of redaction is that a lot of times you have to get opinions. You’ve got to get reviews. You need to collaborate with multiple people because they’re subject matter experts involved in a response that you need help from. So today’s tools can be built in line with the process management system, and when they’re built in line, they allow you to do that sharing and collaboration to make sure that the document you are going to provide is going to be at its best.

4. Identifying Personal Information

So this ties into redaction as well. Now your Sharpie’s not going to help with this. But today’s tools allow you to build in things that will help proactively search for that information. So OCR, so how many today are dealing with documents that are not readable? Okay. So OCR tools can be built into these process management tools today and allow the information to be brought into the system and converted from an image to text. When they’re converted from an image to text, they also fully index all of your documents. So you no longer have to take the onus on yourself about how did it get tagged? What was the key word? How do I find it? The system will actually read all through the content of documents and now even the imaged ones so that you can find the information you need to use, and then you can leverage the redaction tools that are within the system to allow you to find that PII right up front.

So you can set up requirements that say, go look for anything that looks like a name. Go look for a phone number. Go look for a Texas driver’s license number, look for social security numbers, driver’s license numbers. So you can provide that information to the system. So it will do that searching for you at the beginning of the process. It’ll also allow you… Show of hands who are sending out multiple documents within a release. Okay. So the tools that are out there today can also compile those documents into one unit of work. So say you had to find John Smith’s name and his social security number, you could ask it to search those patterns and it will not just do one document at a time, but it will consistently do the entire packet of work. So talk about saving some time and efficiencies. But most of all, it’s actually removing a lot of risk. So it’s saving on the complexity and it’s keeping you out of litigation.

Gary Geddes: In the alternate stroke of irony, this morning I sat down out in the room out there to get to catch up on email, and the first email that pops up tells me that I’m under legal hold. I’ve had you e-records conference, I had to find out where all my emails are now I’m in legal hold, going back to 2012. I have no idea why. And I really have no need to know why. There’s some kind of a case. For whatever reason, Microsoft legal decided that I’m in the scope to be under legal hold. Well that’s seven years worth of email. And so there’s really two aspects to this. One, would be to utilize, as Jen talked about, just making sure we’re not going to just that within those emails, could there be sensitive types of data types, credit card numbers, social security numbers, identity numbers. I’m not going to deal with those kinds of things, so probably not.

But how relevant are those emails to the cases they’re looking at. I know I take seven years of email. There’s probably a tiny portion of any of my emails that are relevant to the case that they’re looking into. And so using an automated eDiscovery tool was a way to really hone the relevancy and avoid included information since it’s not relevant to the case, but also could be violating privacy or personal or business information that really shouldn’t be disclosed. So definitely in terms of both complexity and litigation to make sure you avoid including things that shouldn’t be included. Someone asks you for seven years worth of mail, they just want you to give them seven years worth of email. You got to go in and go through it all. I’m worried about what’s in my email, but I have confidence that I know they’re going to put it through some kind of a process to only give my emails up that are actually relevant to the case that they’re working on.

Hopefully it’s here. Because I don’t think there’s anything I’ve done involved in a legal hold, but who knows? Who knows what people are asking for? And I think from a user’s perspective, you think how that makes you feel when you’re the one who’s the subject of that. So having confidence that my emails will be handled the correct way and appropriately. It gives me confidence as the organization that I’m working.

Jen Snyder: We’re excited to find out how many times Gary’s wife asks him to pick up mail.

5. Accountability

So this kind of plays in a couple of different areas. So in the past, accountability meant if I really need to prove that I delivered this to somebody, I probably had to send it via certified mail or I had to make them come into the office, pick it up and sign for it. And then we kind of got to a certified mail piece where we could send it out certified mail, and that [inaudible 00:23:52] our email and get a read receipt. And those things kind of work for us as well. But today with the technology that’s out there, you can deliver very large packages of information via an electronic process.

Jen Snyder: And when you do do that, the systems that are there today can track it so they know it’s been delivered, it’s been received, it’s been opened, it’s been viewed, downloaded, forwarded. All of those tools are built into the process. So from an accountability standpoint, if anyone ever challenges the delivery of that complete request, you have all of that documentation in what’s called an audit trail today. In addition to that, accountability with the requester themselves, leveraging technology today can also create accountability internally. So when you’ve asked others to help with the process and they need to participate, you now have that accountability piece built in because all of that is tracked. You know when you asked, you know when you set the expectation of completion and if it does or doesn’t get done. You have all of that data as well in your audit trails.

Gary Geddes: How often do you have to go back and revise out requests that you’ve fulfilled? Do you rework? Does that actually happen? Because one of the concerns, once you’ve burned it into a CD and mailed it out, well that’s it. It’s out there. There’s nothing you can ever do to get it back or change it. But another version that goes out, how do you know that the people you’re working with are using the newest version, the most updated version? So using automated technology and having a centralized location for that information where you only have one copy of record that everybody’s working from and there’s no risk of anybody having a different version than the one that you have is a tremendous benefit for reducing complexity and from litigation risks. And we recommend doing that in the cloud.

Jen Snyder: And speaking of versioning, so when you’re talking about redaction tools that are built into the software today, they actually save those versions for you so you can see the work that’s been done, the completion that’s been done. And they also do some things to protect you. So if you try to release a document in its original format, but someone’s already done the work to justify that some of that information is not for public consumption, systems will tell you, “Hey, this has already been redacted. You need to look at the redacted version.” And give you some protection there as well, which also helps mitigate some of that risk.

6. Securing In the Cloud

Gary Geddes: Speaking of cloud, we might get a lot of concerns like well is the cloud really the right place? Is it secure enough for me to do my records request? Is this really the right forum? And I would say absolutely. Not only is the cloud secure enough, it is probably more secure and more compliant than a lot of internal private net [inaudible 00:00:26:33] used today. So from my perspective, cloud is ideally suited as a platform for handling records requests. So public cloud today is highly secured, and public cloud providers are audited like all organizations against the regulation standards like [inaudible 00:00:26:51]. And so you can have confidence that the public cloud providers are doing a good job of maintaining good security in their environments.

Another big advantage of the cloud is the accessibility of it, the ability to take information that’s public, get it out there, and your request can be out there where actually you can drive more to self service. And then as a place where you’re not, you can give extra parties access to that data without having to allow them into your own internal networks. It’s almost impossible today to securely allow third parties to access data internally. So having data out there in the cloud makes it very accessible to your own stakeholders as well as third parties and requesters and things. So the accessibility aspects of cloud make it very desirable.

The other aspects just in terms of reliability, and what other risks internally of storing information on your own servers and storage and things? Because you could have a loss of data. You could have data that didn’t get backed up, got actually deleted. You can’t find it. You’re too late or the people have changed, and we don’t know who worked on the request. We got to go try to find that information. It’s not there anymore. Having it in the cloud, you have a record of that information for as long as you need it and can apply retention rules to it, ensure that even if people change, that information up there is, you know, is there in a reliable fashion.

And from compliance, you know, HIPAA requires everybody whether you’re government or not, but you know, very specific government requirements such as criminal justice information and federal taxpayer information, which are pretty unique to government entities. If you’re handling any information that falls under those two requirements, you want to make sure you’re using a platform that’s certified to handle that kind of data. And so as you look at, you know, potential cloud providers, choose one that’s built a dedicated government cloud and that is committed to achieving the standards referred to as CJIS and IRS 1075. And if you need a recommendation, I’m happy to provide one for a cloud provider.

Jen Snyder: So just to kind of talk a little bit more about the cloud, I spend a lot of time working through security audits with state CIO departments. There was a big initiative for folks to be taking on more SaaS products because it allows your IT department to use those resources in other areas. And they are building requirements that say a SaaS product that you want to use, especially when it comes to the public records process because you are moving around a lot of data that isn’t generally public yet. So CJIS data, HIPAA data, PII, all of that information.

So they set a lot of security standards and requirements when it comes to a SaaS product as to what it has to have when it comes to auditing, when it comes to processes and controls that are in place. So those tools are really important to your CIOs, but in addition to that, if you find a platform and if you need one, I can help you with that… Sorry, I shouldn’t have [inaudible 00:01:41].

The things that are going to be required of you are things that you need, that your system is compliant with CJIS and HIPAA and all of those audits that are in place and you’ve got things that are protecting you and we’ll let the IT department sign off. In addition to that, what it’s going to do for you is you come to the table with, “Hey, I found a product that I like. It meets all of these requirements. It’s SaaS.” Your IT department is going to say it doesn’t read my resources. You go, go and do what you need to do. I’m not going to put you on a list of priorities that probably 2020 down.

So, it’s a really great space to be as long as you can cover that off as far as security goes.


7. Planning to Adapt

All right, planning to adapt. So we talked a little bit about Senate Bill 944. So this is an area where now public devices, which were always, you know, required to save the information that might’ve been business related if you did it on your public device, or I’m sorry your private device. But now what’s changed with SB 944 is that that information is now part of the public records process. So now you’re thinking to yourself, “Okay, here we go with legislation, that darn dragon, and what do I do? How do I get that information, and how am I going to use it in the public records process?”

So the good thing about using technology today to manage your public records process is there could be integrations back to whatever it is your organization has deemed as the house of that information. So wherever that information is being captured, whether it’s on another product, whether it’s on a server in-house, whatever it might be, the technology that’s out there today to manage public records can actually integrate and get that data for you. So there’s a lot of things you can do to leverage that and assist you in that process.

I would just say from a security and compliance perspective, and this is just a good general guidance, if you’re allowing like a bring-your-own-device type of a scenario where you’re allowing your employees to use a personal device to access your organizational content, you certainly need to have a mobile device level access management platform in place. So hopefully you’re already doing that.

Gary Geddes: But something, if you’re not happy to talk about some of the things you might have, be it Microsoft Office 365 which provides a really good mobile device capability, but you need to be using something and that is a way for you to quarantine that data that you know is organizational data, to keep that separate from personal data. And so when it comes time for, back to those privacy issues, when someone says, I need to get access to your phone and get this data, it’s like, “Well, hey, what about my personal stuff?”

“Don’t worry, it’s in this, you know, the MDM solution has your organizational data separate.” It’s really important that, when you allow BYOD that you have a way to quarantine that organizational data away from personal data to avoid those privacy risks.


8. Logging Exemptions

Jen Snyder: Okay. Logging exemptions. So in the past you would log in exemptions to, let’s just say redactions or time extensions or things of that nature. Anytime that you were leveraging an exemption, you were probably just kind of, you knew the law, you knew what you can exempt, you did it, you got it done, you sent it out to the requester. And the only time you ever had to kind of defend yourself is if it was challenged.

And then it got to a point where as the requestors started to get more and more savvy and we saw more and more watchdog groups and things of that nature who were kind of coming in and challenging that on more regular basis. We saw that there was a proactive manual build of exemption logs, let’s just call it. So that you had that information at your fingertips and could provide it if you needed to, or maybe you proactively provided it. But you did a lot of manual work to compile it.

Well, today’s technology tools, they focus on trying to identify all of your state requirements, build them into the tool so that you can leverage them in your justification of your exemptions and let that log auto build. So as you’re doing a very large redaction document, you’re pulling a lot of different, you know, exemptions throughout that. So those reason codes as to why you get to exempt that information.

The systems today can capture that information as you’re processing auto build that log and append it to the redacted document. So all your justification is there. You’ve proactively given that information to the requester. So we’re mitigating the challenge, we’re mitigating the appeals and definitely mitigating some of the reason that folks are going to litigation today.

Gary Geddes: Having a background as an auditor, I can attest that when we go into audit, what we’re looking for is, does your organization have a process and did they follow it?

So what do you think is worse, not having a process or having a process and not following it? That’s the onerous. Well, the problem and reckless today, there’s pretty well-documented processes. You really can’t be much of a leg to stand on and say you didn’t know what you’re supposed to be doing. You need to have a process. You need to be able to demonstrate you’re following it. That’s going back to that gotcha thing. It’s like if you’re inconsistent in how you handle requests, that’s going to leave you open to the possibility that someone can claim you handled that request special for a reason.

And so one of the things I like about advancing discovery towards is that, I can stay hunting for relevancy as opposed to asking a person to decide, is this email relevant to this case or not. Set up machine learning rules that say this is the set of rules we’re going to use to determine relevancy. You can even vet that with counsel and say, “Hey, do these rules pass muster and we’re going to use these rules to evaluate the data.”

Evaluate the data with all one set of rules and here’s the data set. It was objective. It wasn’t subjective. No one’s going to come back and say you had bias or intentionally tried to reduce relevancy. So I think that having an advancing discovery tools go to your report and maintain that defensibility of your process.

Jen Snyder: Exactly and the same holds true for the processing of the public records request. Once you build your desired process and a system and you’re working within that system, you have the ability to obviously prove your due diligence. So you can say, “I have a process, here it is, I’ve defined it and here’s how we bottle it.”

And all of that shows up in an audit trail within those kinds of tools.

9. Reporting

So we’re seeing a trend across the country where more and more states are requiring specific reporting up to them. They’re doing it in a manner where they’ve defined different kind of data sets that they want you to report on. And many today who are using a manual process are not capturing that kind of data. So if they’re not capturing that kind of data, how do they report on it? They do a lot of backtracking. They spend lots of time trying to compile this data, some of which they don’t even collect.

And it’s very, very painful. So when we leverage technology today, we have the ability to define what could be the potential captures needed, collect that information upfront and then build reports that will allow that information to be compiled automatically. It can be delivered automatically, it can be compiled and just waiting for you to use. And then as things continue to evolve, and more and more requirements when it comes to reporting are going to come your way, you have that information, you have the capabilities because you have a system to just add those additional data requirements. So it can be a very easy way for you to keep evolving in what we see as trending reporting requirements.

Another thing that reporting for you is it can do a lot of justification. If you’re tracking the amount of time and effort that you’re putting into requests and it has costs associated, use that for budgeting and resource planning so that you can see what it is that you actually need and what cost is actually causing you.




Gary Geddes: We can’t guarantee you that using automated tools is going to be less costly, but we know there’s a lot of costs in terms of the manual processes, the mailing, the printing, the postage, all these kinds of things you can eliminate and potentially find the savings to pay for the automated tools and make this [inaudible 00:09:25].

Jen Snyder: Absolutely. So just to kind of wrap things up, we talked a little bit about the three big dragons. We identified complexity, litigation, and legislation. We’ve given you nine ways to kind of battle those dragons.

But what I really want you to take away from this slide is these are kind of nine things that you want to look for if you’re actually evaluating or searching for a product today to help you in this process. These are things, these are some of the latest and greatest technology ideas within the public records process to handle that, and we’d like to see you use those as kind of a requirement.

Gary Geddes: My attitude being, always starts with your process, that’s what you have… Always be the anchor to your North Star, is what’s my process. Then how can I smartly leverage the tools that I already own today because you may already own a lot of things you need. What can I add to supplement that process? The technology that make it more efficient, reduce complexity, to make it stand up better to litigation, and be always, most important thing, always be compliant. Thank you.

Jen Snyder: Thank you all. Any questions?

Speaker 2: Our institution was making a decision that if an employee asked for a copy of their file, that they would use the open record request to track it. I don’t know if that was appropriate, but you know, it gave us visibility. And I looked under like the state of New York, they actually said you can only do it twice a year. And it goes through open records.

Does it have to be used, open records be used for-

Jen Snyder: For employee data?

Speaker 2: Yeah.

Jen Snyder: Yes.

Speaker 2: But it’s only to the employee.

Jen Snyder: So we have a lot of folks who use our product about the ways to make their own public records requests. But when you’re leveraging technology, you can categorize that differently. So you can identify how many times has then an employee, a specific employee, how many times employees in general, and you can capture different data to figure out why it is that they need that information. Okay?

We just have like a minute left. Anybody else have another question?

Gary Geddes: Please stop by the GovQA booth if you’d like, we’ll be able to hang around for a few minutes and answer questions at lunch hour if you’d like to have a chat.

Jen Snyder: Thanks everyone for the time today, appreciate it. Enjoy the rest of your conference.
