The Four Stages to Government Compliance (Contributed)

eDiscovery and FOIA requests don’t have to consume so much time and expense. A methodical approach is the solution.

January 17, 2019

Government agencies have struggled to develop eDiscovery and FOIA request policies and procedures. Despite recent progress on those fronts, too often requests for public books and records are still met with resource-consuming efforts that interfere with ongoing needs and commitments. 

Reviewing and redacting information can be the real cost drivers of freedom of information requests, and with the number in the hundreds or even thousands each year, fulfillment can be a financial drain on the government organization that holds the information.

Last year, for example, Washington state spent more than $60 million fulfilling 114,000 records requests. Chicago paid $670,000 responding to FOIA lawsuits in 2016, while at the federal level, agencies received 713,168 FOIA requests in fiscal 2015 that cost $480 million to fulfill.

These costs can be cut by five and six figures when business process automation software is deployed to eliminate the manual copying, redacting, delivering and many other aspects of allowing access to public records while protecting security and privacy.

Ithaca, N.Y., for example, automated its Freedom of Information Law (FOIL) request process, reducing the time it takes to process a request by 35 percent and saving 7,000 hours of employee time in just one year. Because the system eliminated paper-based interdepartmental mail, the city could easily comply with state-mandated deadlines associated with FOIL requests.

An Intuitive Guide

In working with government and other regulated institutions, we have found that our D4 methodology (Decide, Define, Design, Deploy) provides an effective outline for developing document and email retention and document production. This four-pronged approach provides a simple guide that may be followed by leveraging internal resources. Moreover, the outline is intuitive, allowing state and municipal governments to use it to review where they are in the process and whether any steps have been overlooked.

Decide

Implementing new information systems or applications makes many employees, regardless of their department or seniority, uncomfortable and wary. Technology decisions are difficult because procurement professionals must decide whether employees can learn the new tools and protocols, and whether the learned tools will increase efficiency. For instance, a human resources department may use a locked file cabinet to store sensitive employee information, such as Personally Identifiable Information (PII), while an emergency worker may have confidential electronic health records (eHR) on a laptop. Both arrangements work well for the individual but are high hurdles to overcome for a project that transitions to a new repository. Convincing people, and most of the rest of an organization, to change how they manage information can sometimes feel like trench warfare and often takes a significant toll on project managers.

Few individuals want to be the person who urges coworkers to change work processes, especially when the compliance and legal departments are the primary beneficiaries of such an endeavor. This problem is compounded by the fact that most departments have systems that work well for them but not for the entire institution. Nonetheless, during the Decide phase, you need to determine whether transitioning to an integrated data gathering, data sharing and data distribution system is right for your organization. To start, you need to ask:

  • Which departments/divisions will be affected?
  • How much legacy data will need to be converted to the new system?
  • What regulations and retention will need to be incorporated, for instance, Health Insurance Portability and Accountability Act (HIPAA), HR, Employee Retirement Income Security Act (ERISA) or Sarbanes-Oxley Act (SOX)?
  • What types of messages will need to be captured? Messaging? Text messaging? Fax?
  • What FOIA/eDiscovery review capabilities does our legal department need?

The result of the Decide phase should be a five-page outline of corporate policies and priorities and, in turn, the presentation for executive signoff.

Define

The Define phase translates the general policies above into a detailed departmental system specification and, eventually, a Request for Proposal to feed into the Design stage and an archive decision that will support these Define requirements. These steps include:

  • Meet with each department to discuss how to implement the corporate policies into new requirements and procedures. 
  • Define special archive folders for differentiated retention.
  • Define user access and permissions to archives, the size of the email information store, disposition procedures and backup plan.
  • Determine how to migrate existing archives and documents. 
  • Document the technical specifications and, in turn, present for executive signoff. 

Design

Once the requirements have been documented, the IT team typically will lead in determining the most appropriate technology solution for managing content. Fortunately, there are many great options available, including Microsoft’s Office 365 solution, OpenText and Veritas.

Many state and local governments already use Exchange for managing e-communications and SharePoint for electronic records, so we have included some of the elements for an Office 365 design below. These steps also apply to other archival and document management systems with similar records governance features and capabilities.

  • Set up preservation hold policies for each department and type of record.  
  • Configure SharePoint libraries (e.g., HR and emergency services), which should name specific users for access to documents in the library. For instance, an HR library.
  • Determine which documents cannot be sent out-of-house and set up a Data Loss Prevention (DLP) policy, for instance, to restrict any HR document from being sent through email.
  • Create a user/permissions matrix so that access rights are appropriately controlled.

Deploy

Once the decision of an archive or repository has been made and licensing purchased, the following steps are necessary for a successful implementation and deployment:

  • Train users to understand the retention, access and disposition policies as defined above.
  • Set up review workflows and, if appropriate, document tagging to facilitate the type of content involved, such as an HR review, an emergency communication or a citizen complaint.
  • Work with the legal team to understand how to perform searches and export the responsive records for either an eDiscovery production or a FOIA request. The legal team should document these searches to handle possible questions with respect to the types of records searched and keywords used to perform those searches. For instance, the HR library on SharePoint typically would not be searched for a FOIA request.

Keep Solution Costs Low with Best Practices

As with many government services, it is important to leverage the best practices and experience of other governmental agencies in deploying an effective records management and eDiscovery solution. Although there may be other areas in which a custom approach may be beneficial, we suggest that government agencies follow established and successfully tested solutions. Many consulting companies have similar approaches that may work as well; however, the approach outlined above may be followed by internal resources without incurring large outside consulting expenses.

Douglas Weeden

Douglas Weeden, J.D., is director of compliance and e-discovery for 17a-4 LLC, a New York-based compliance software and services provider.