GDPR Primer

A few weeks ago, Chuck Piotrwoski of PIOT presented a great webinar on the General Data Protection Regulation (GDPR).  Although we weren’t able to record the session, he kindly provided his slides for sharing.

Chuck broke down GDPR into several basic principles:

  • data about a person belongs to the person
  • an organization can only work with personal data if permitted by law or with the consent of the individual

GDPR builds on the European Union’s 2007 Charter of Fundamental Rights, in which Title II (Freedoms) addresses privacy concerns:

Title II of 2007 Charter of Fundamental Rights

Chuck explained that GDPR protections apply to organizations that handle the personal data of EU individuals, regardless of where the organization is located.  For instance, if a researcher from Oxford pays for a scan from a U.S. archive, the personal data collected for this transaction is protected by GDPR.  Here’s the list Chuck provided of examples of personal data that are protected:

GDPR personal data

Chuck suggested all organizations begin with four basic tenets:

GDPR tenets

If you’re interested in gauging your situation, Chuck pointed to a data protection self assessment provided by the UK’s Information Commissioner’s Office.

Here are the most important points I took away from this webinar:

  • Integrating data privacy training into overall organizational training is more effective than specialized training because it’s more likely to get embedded into how people work.
  • Consent by individuals to collect personal data must be explicitly given — an opt-in model rather than the opt-out model frequently embraced in the U.S.
  • It must be easy for individuals to withdraw their consent for an organization to hold personal data.
  • An organization must explain why it is collecting personal data.
  • There are currently no flawless automated tools for removing personal data.
  • Data erasure can be refused if the public good outweighs the need for privacy.

If you work for an organization that would be affected by these regulations, you may want to look at the To Do section of the slides Chuck provided.  He also listed some other resources at the end of his presentation.  Thanks for the great learning opportunity, Chuck!

 

 


How (not) to schedule electronic messages: Part II

Act 2: In Which Your Records Manager Gets Ahead of Himself, Thereby Tripping on His Own Feet

When last we checked in with the case of the unscheduled communications, your intrepid hero* had received a brief to write a memo to the City Information Management Committee explaining the “hidden costs” of email retention, and had scheduled a meeting with his boss (the City Clerk), the City CIO, and the assistant City Attorney who deals with records issues to hammer out a scheduling solution for text messages. The memo itself was easy, because the content is pretty much textbook records management best practice. You can read it here, or you can see my clever Prezi utilizing a “tip of the iceberg” visual metaphor here.  (Regrettably I did not get to use this at the actual presentation because I didn’t finish it with enough time to clear it with my boss. But the information is still good!) I framed the issue in terms of time=money, specifically that employee time searching = that employee’s hourly wage x the amount of time searching for the total cost of retrieving records. Two complications did come up but were easily answered:

  • We can charge back ‘reasonable’ search fees over $50 for public records requests: true, but is doing so good customer service? The City Clerk’s office is trying to push the idea of cutting through red tape to allow the public to work more easily with government, so this argument resonated, I think. Plus, of course, Wisconsin State Law prevents us from passing on redaction/review costs to the requestor, so any time spent on that because of inadequate information screening was a cost the city had to eat anyway.
  • Email (and probably eventually texts) is physically managed by a SaaS provider. This kind of threw my “costs of running the server, costs of paying someone to run the server, costs of maintaining good digital preservation practices” arguments out the window, since Microsoft includes unlimited(!) email archives storage space with the package that the city purchased. I decided to leave the question of the environmental cost of storage to another day, but I was able to point out that “unlimited” really meant “unlimited until you reach an arbitrary cap, or the vendor decides to change the terms of service” (I think we’ve all had a bait-and-switch ‘unlimited’ mobile data plan…). Beyond that, if the City ever moved on to a new system, the cost of migration would suddenly bring the size of the email archives to be brought over into sharp relief.

So much for the written component. Now I had to prep for the meeting and make my case for appropriate retention schedules. I did an informal environmental scan and quickly determined that some sort of two-tier retention scheme was going to be the only way to manage the vast quantity of texts and emails that would need to be addressed. Using examples from the State of Wisconsin, the newly-approved Wisconsin municipal records schedule, and NARA’s Capstone model, I put together the below chart comparing solutions, and paired that with a couple of sample schedules to bring to the meeting.

Text Chart

Fair enough… but once we got to the meeting, I ran into continued resistance to implementing any of my suggested solutions. IT didn’t want to get into the business of classifying texts and emails; legal was concerned about the transition from the active system to a separate archive down in City Records; my team doesn’t really have the time or skillset to review texts to the extent needed; none of us were confident that we could leave records declaration or classification to users. We decided that as a first step, we would try to submit a schedule giving all text messages a retention of 6 months, on the theory that that time period would give us time to put holds on relevant texts, but would not require us to hold onto the irrelevant ones for too long.

I was all set to put something together, but there was one hitch: I was asked not to include my standard disclaimer for series like this, “if a record is associated with a series governed by another schedule, retain it according to that schedule.” The consensus was that the disclaimer would be confusing to end users and would not be followed in any case, and that I should submit a straight 6 months schedule and hope for the best.

ian-malcolm-quote
I am, sadly, not as cool as Jeff Goldblum, but it’s still an appropriate GIF.

….Reader, I tried. I really did. I solicited advice from other records colleagues in Wisconsin; I asked around the Records Management Think Tank for their experience with scheduling texts under a restriction like this; I sent out requests to the RMS list and to Twitter for more policies. I couldn’t find anything that supported a *blanket* 6-month retention for all texts. As I wrestled with the language for a single schedule, I thought back to the Matthew Yglesias article about exempting email from discovery that I so thoroughly mocked on this blog lo these many years ago. If every text is retained six months, with no consideration for content, what stops people from using texts for everything, with a high likelihood that evidence of questionable texts is erased from the City logs after a certain period of time? At the same time, how can anyone possibly go through all of the texts being sent by city employees to determine value? I decided at this point to play the same percentage game that NARA is playing with Capstone for emails—the significant/historically important texts, such as they are, are more likely to originate from accounts higher up in the hierarchy, so it makes sense to retain those archivally (possibly deaccessioning later through use of machine learning or similar); the rest could stay at 6 months. As such, when it came time to submit schedules, I turned in not one text schedule, but two—one for Elected Officials and Critical Staff, and one for everyone else.

 

Here’s your takeaway for today’s installment: do not blindside your stakeholders on schedule creation. In retrospect, I absolutely should have held on to those schedules until such time as I had a chance to consult with the relevant parties and explain to them why I thought one schedule was so problematic. I suppose I was anxious to get something through the approval process, which can take up to 6 months between City and State approval, which is why I didn’t wait, but the effect of my impatience was to anger EVERYONE involved. The CIO was annoyed because of the technical capacities that I assumed in my schedules (IT had since decided not to pursue a contract with the vendor of the solution described). The assistant city attorney was annoyed because he thought I overstated the ramifications of having only one schedule for all text messages. Everyone was annoyed because I made this change unilaterally and submitted it for approval without so much as a by-your-leave.

I own it—this was absolutely an unforced error. I 100% should not have rushed to get something/anything approved without checking in with the stakeholders about major changes. I stand by my reasoning for putting in a two-tiered schedule for text messages, and I did not withdraw the schedules at that time, but I almost certainly poisoned the well for getting the schedules actually approved by CIMC. Principles and best practices are all well and good, but they don’t do anyone any good if they alienate the people you need to sign on in support. Plus, of course, as it stands the retention of text messages is sort of the Wild West, so I’m not doing myself any favors delaying it for that reason either.

Next time (tomorrow?): Brad tries to make up for lost ground, plus the followup meeting/discussion and where we go from here.

*Possibly the first time anyone has referred to a records manager as “intrepid”. Definitely the last time.

How (not) to schedule electronic messages: a case study/cautionary tale

Welcome to RIM Month! I have been promising/threatening my fellow Steering Committee members to write this post for a while now. My ability to write it, however, has been significantly impacted by the extent to which I have been absolutely BIFFING the process. Stakeholders have been angered; records management best practices/commandments have been violated; capstone models have been altered; hair has been pulled out in frustration; records managers have been called on the carpet*. The worst part is that it’s not even done! I’m at, at best, a holding pattern to a point where I can maybe, MAYBE submit a schedule to be approved by the state board next quarter. The frustration continues.

The tl;dr of the below: Scheduling electronic messages is COMPLICATED, particularly in the public sector. You are walking a fine line between the dictates of the historical record, the operational needs of the organization, the technical capacity of your IT department, and the political/legal considerations of the public officials affected. These four factors are, more often than not, diametrically opposed (yes, there’s four of them and they’re ALL diametrically opposed; that’s how complicated it is). I, frankly, did not walk the line very well. If we represent the hazards as shark tanks on all sides, I am currently on dry land, but bloody and scratched and missing some chunks. So: Learn from my mistakes! Don’t go charging in without considering the ramifications! This is a case where “better to ask forgiveness than permission” definitely does not apply.

This is, as per usual, going to be a long one; I’m probably breaking it up into at least 3 installments. For the purposes of this blog post (and what I was actually focusing on), I am going to refer specifically to scheduling text messages below, but the lessons learned can apply to emails, social media, and other forms of electronic communication as well (and, to a certain extent, to all formats of record). Read on after the jump.

*”Passive Voice is the refuge of scoundrels”—Unknown

HQ2 and the Right-to-Know

Regardless of what camp you find yourself in on the topic of Amazon’s HQ2 courtship with North American cities, the process has triggered open record requests and questions about the degree to which cities are required to disclose the documentation of their overtures to the corporate giant.

This is especially true in Pittsburgh, where inclusion of the region’s bid, titled PGHQ2, as one of 20 finalist cities led to renewed demand for the full proposal to be released via the state’s open records law. Why is this important? Many cities have offered significant tax and civic incentives to sway Amazon’s interest. With promised results of $5 billion in economic investment and the creation of 50,000 jobs, an argument can be made that it is in the public interest to know how elected officials believe HQ2 will influence the social, political, and economic fiber of their region.

This desire for details has manifested itself in open records requests throughout many candidate cities, with varying degrees of success. Pennsylvania’s mechanism for open records requests, the Right-to-Know Law, was signed into law in 2008 and is facilitated by the state’s Office of Open Records. Like many open records laws, all records are presumed to be public and are deemed “open” unless one of several exceptions bars their disclosure. Thus, the burden is on the government agency to argue why certain records, for instance a proposal with wide-ranging public impact, should not be made publicly available.

AmazonHQ2Finalists_AmazonDotCom
https://www.amazon.com/b?node=17044620011

So what’s happening in the Steel City? Like hundreds of other cities across North America, Pittsburgh submitted its bid in October 2017, the details of which were not publicly disclosed. PGHQ2, led by elected city and county officials, first cited a confidentiality agreement with Amazon. The reasoning for secrecy soon shifted to “protecting a competitive advantage.” Right-to-Know requests for the proposal were refused. Requests for secondary records (letters, emails, notes) pertaining to the process, not the proposal itself, were met with half-hearted gestures. The City initially stated those weren’t public either; the county responded that “the records do not exist.” Eventually these secondary requests were fulfilled through state intervention (Harrisburg itself is a big proponent of Pittsburgh’s bid).

But what of the PGHQ2 proposal? As is often the case with open records requests, persistence pays off. Fast forward two months to January 24, when news broke that Pennsylvania’s Office of Open Records issued a ruling on a Right-to-Know request filed by local WTAE reporters ordering Allegheny County and the City of Pittsburgh to make the full PGHQ2 proposal and corresponding documentation public within 30 days. In a coincidental twist, both entities have 30 days to appeal, the same period one has to return unopened items to Amazon. If delivered, there’s no doubt Pittsburghers will open this proposal package.

peduto-amazon-1511917863
Pittsburgh Mayor Bill Peduto holding the PGHQ2 proposal. Image Credit WTAE Pittsburgh.

The jury is still out on whether or not it’s truly in the region’s best interest that the PGHQ2 push is successful. With revived economic sectors, oft-touted cultural amenities, regional charm, and room to grow, Pittsburgh’s case is compelling. But the records and documents supporting that case shouldn’t be kept from the very citizens that make Pittsburgh so alluring. Open records laws, like Pennsylvania’s, are meant to serve the public good and promote transparent and accountable government. If Pittsburgh officials baited the PGHQ2 hook with tax incentives, public domain authority, or questionable civic inducements, the citizens of Southwest Pennsylvania certainly have a Right-to-Know.

Disposition and its Discontents

As many records managers note, recordkeeping decisions are in the news on a daily basis (with today’s accelerated news cycle, it often feels like an hourly basis!). Our last Resourceful Records Manager interview astutely noted, “As I first assumed RM responsibilities, I sat in on a conference talk by a leader in the field, who cited a news headline on records mismanagement and dissected it with great enthusiasm. As I realized that records implications are everywhere, the massiveness (and potential massiveness) of the profession made an impression on me.”

It’s increasingly clear that one of the major areas of public discontent is around disposition. Disposition is the decision that guides what should happen to records once they have reached the end of their useful value from the records creator’s point of view. Disposition can either take the form of destruction, or transfer to archives. I am enormously sympathetic to concern over this topic – there are very real worries that public records and data will disappear because it does happen – sometimes for normal reasons, sometimes for scary Orwellian reasons. However, not all disposition is created the same, and one of the most valuable things that records managers can communicate to the public is explaining the difference between what’s normal and what’s not normal when it comes to what should be destroyed and what should be saved.

This isn’t something that only records managers and archivists struggle with – our library colleagues navigating the rocky paths of weeding old books and media have their own public relations horror stories. Librarians and archivists know that a collection development policy is there not only to guide collecting decisions, but to protect librarians and archivists from future headaches (in this case, getting saddled with tons of out of scope collections or donations). A collection development policy is also in the public interest – a library or an archive so bogged down by a backlog of unprocessed and out of scope donations doesn’t serve the general public well at all.

I think of records retention schedules – in many institutional archives, the de facto collection development policy – performing a very similar role. You can’t keep everything due to resource constraints, and even if time and money were no object, you still shouldn’t keep everything from a liability perspective. On a hypothetical basis, the general public understands that all records can’t, and shouldn’t be, kept forever in an institutional setting. Where things break down with public understanding are questions of how long to keep those records, and what should happen to them after they are no longer actively needed.

This was vividly illustrated during some recent research I’ve undertaken on regulatory failures concerning hydraulic fracturing. The short version is that fracking technology and proliferation is far ahead of existing oil and gas regulations. The current regulatory environment cannot keep up with fracking’s environmental impacts, and failures of recordkeeping are a prominent part of larger regulatory failures. Many groups have been filing open records requests to try to understand the impacts of fracking on rural land and water. The Pittsburgh-based investigative reporters of Public Herald have done enormous work in this area, scanning citizen complaint records from Pennsylvania’s Department of Environmental Protection, and making them available through a public files website, and mapping the complaints. Many of these complaints trigger subsequent investigations into whether fracking has resulted in an impact on local water supplies. In other words, a “positive determination of impact” would mean that the Department of Environmental Protection found that fracking affected water supplies.

As much as I admire the work of the Public Herald, I strongly object to one of their assertions about a very normal recordkeeping issue. In their article claiming that the Pennsylvania Department of Environmental Protection systematically cooks the books, they laid out nine different methods to substantiate their argument. Some of the recordkeeping practices are indeed serious cause for alarm, but the final one (“DEP Retention Policy for complaint records says complaints are to be kept on file for five years, “then shred.””) struck me as a complete misunderstanding of retention scheduling. Scheduling records for destruction is not a method for manipulating records, and it’s disingenuous to claim otherwise.

DEP-OGM_retention_PublicHerald
Pennsylvania Department of Environmental Protection Oil and Gas retention policy, as presented by Public Herald

The Public Herald wrote the following:

Around month twenty-eight of this investigation, sitting down to scan the last remaining complaint files, a paper with everything blacked out except one paragraph was left on Public Herald’s file review desk by a veteran PA Department of Environmental Protection (DEP) employee. It read “DEP retention policy.” In a paragraph about “Complaints,” the document revealed that the Department should only hold complaint records for five years after resolution – “then shred.”
Initially, Public Herald figured these records would be kept on microfiche or a digital PDF and that shredding them would only ensure space within the records office. But, after careful questioning with an employee who’s been with the agency for decades, the staff person revealed that only those records which could be considered “useful” would be kept on record at all, turned into microfilm, and “useful” meant only those listed in DEP’s 260 positive determinations. What shocked us even more is that, according to this whistleblower, there is no review committee in place to sift through the “non-impact” complaint records before they are shredded.

The Public Herald rightfully raises important and compelling questions about how DEP assesses the question of fracking’s impact. But only part of the retention schedule is posted – the remainder is redacted. Without having the full context of the retention schedule, we do not know what other information is kept for say, 100 years (as one of the redacted record groups appears to be), and it very well may be that information otherwise in the public interest is kept for much longer. I tried to do a quick search for the full schedule online – although I could not easily find it (one of my biggest pet peeves common to state agencies – for some reason, I find it easier to obtain municipal and federal agency records schedules), one could almost certainly obtain an unredacted version of it by filing a Pennsylvania Right to Know request.

Perhaps this is the first time Public Herald has encountered a retention schedule, but the presentation of this as a shady and strange document is truly unfortunate. Furthermore, the write-up demonstrates how little the public understands about why records are scheduled the way they are – which is that the vast majority of retention decisions begin, and often end with, “How long must we keep these records to fulfill legal obligations?” Simply put, what is to be gained by maintaining complaint records for more than 5 years, given that most local, state, and federal agencies can barely keep up with managing records as they are currently scheduled? Proposals to retain records even longer would have to make a very compelling reason for why.

Many of the applicable statutes of limitations associated with potential liability brought by complaints would fall within 5 years, so a 5 year retention period for both impact and non-impact determination records doesn’t seem abnormal. Furthermore, the suggestion that a review committee should determine the final disposition of individual records is a recipe for disaster. Public comment absolutely can and should inform the broad formulation of retention scheduling decisions – for example, if members of the public could make a compelling argument for retaining the complaint records more than 5 years, that is something that should be seriously considered and perhaps incorporated into retention policies. But a committee to review the final disposition outcome for individual complaint case files is not realistic, and would almost certainly result in far more political bias. Who would be on the review committee? How would they document their decisions? How fast would they be expected to work? Witness how slow and controversial federal records declassification is if you want a glimpse of what individual-record-determination-decision-by-committee would almost certainly look like in practice.

Bottom line: as many archivists have pointed out, there is almost nothing that is neutral about the world of records and archives. Many records retention scheduling decisions are areas that are significantly misunderstood by the general public. It would behoove more records managers to talk openly and transparently about why and how we schedule records the way we do. Others may disagree with our decisions, but at least the process will be clearer to those encountering records retention schedules for the first time.

Update: At their request, this post has been updated to more accurately identify the Public Herald as investigative reporters.

 

Managing Federal and Presidential Records

Mark your calendars for the next Records Management Section Google Hangout!

On Thursday, July 6 at noon Eastern, the Records Management Section will be hosting a hangout on the Federal Records Act and the Presidential Records Act. We will be joined by Gary Stern (General Counsel), Hannah Bergman (Assistant General Counsel), John Laster (Director, Presidential Materials Division), and Laurence Brewer (Chief Records Officer for the U.S. Government), all from the National Archives and Records Administration (NARA).

You may have additional questions after reading NARA’s Role in Preserving Presidential and Federal Records by David Ferriero, Archivist of the United States, in the latest Archival Outlook. Here is your chance to ask!

Be sure to tune in live to ask questions or watch later at your convenience. You can view the Hangout here.

We will be accepting questions for our speakers from you.  If you have a question or topic for discussion please leave it as a comment here or use the #saarmrt hashtag on Twitter.  We will also monitor the comments on the YouTube live streaming page.

Legislating the Creation, Access, and (not) the Retention of Officer-Worn Body Camera Records

As more and more law enforcement incidents are captured on police officer-worn body and dashboard cameras, states are obliged to consider legislation that governs the creation, retention, and public access of such records. Regulations, where they do exist, often lack uniformity between municipalities, cities, and states, as illustrated by the Brennan Center’s guide detailing police body camera retention policies across the U.S.

Awareness of such regulations, and navigating their inconsistencies, is an important part of how records managers execute their positions. What happens when retention and preservation provisions are absent from legislation governing the creation and access of such police records?

The Pennsylvania General Assembly is currently considering a bill that would legislate law enforcement use of body-worn cameras, and more importantly, public access to such records. Approved by the PA Senate (currently pending a vote in the House) on October 19, Senate Bill 976 – an expansion of Pennsylvania’s current Wiretap Act – would essentially do two things.

First, the bill would increase areas where police officers are permitted to use body cameras, such as within private homes and in public spaces. Under the bill, officers would not be required to directly inform individuals they were potentially being recorded. Second, the bill would place a considerable burden on those attempting to access these records.

SB976 stipulates that within 14 days of the incident a written request be submitted that includes, in “particularity”, the date, time, and location of the incident. Each individual in the footage must be identified by the requester, or at the least, described. If a request is denied – grounds for dismissal include lack of “sufficient particularity” –  an appeal must be filed in a PA Court of Common Pleas within 14 days of the denial, a $250 filing fee will be applied, the written request must be resubmitted, and finally “if the requested audio or video recording was made inside a structure, [identify] the owner and occupant of the structure.”

The amendment seems to contradict itself in that it specifically states that “an audio or video recording by a law enforcement officer shall not be subject to production under the act of February 14, 2008 (p.l.6, no.3), known as the right-to-know law” (Section 6702) while stipulating that a court may grant release if a “preponderance of evidence” is met, including that “disclosure of the audio or video recording would be permissible under the right-to-know law.”

Pennsylvania civics and policy aside, you may be asking where records management fits into all this? While legislating officer-worn body camera use and record access, the bill does nothing to address appropriate retention periods and preservation methods law enforcement entities could be required to employ uniformly across the state. The bill actually removes language concerning retention periods of certain recorded communications. Primary sponsor Sen. Stewart Greenleaf, R-Montgomery, has acknowledged that provisions governing how long footage and accompanying data must be retained before it’s erased, as well as when a body-worn camera is turned on or off, are not considered in the bill.

The intent of SB976 may be noble (“body cameras have a civilizing effect on both the officers and members of the public”), and there is no doubt that balancing public transparency, individual privacy, and the integrity of police investigations presents public policy and records management challenges alike. However, constraints to access and record keeping oversights may only serve to distance the citizenry from law enforcement and public officials, rather than fostering the transparency and trust the bill seeks to instill.

As states continue to consider legislation governing the use and access of police officer-worn body and dashboard camera records, records managers should be engaged in this dialogue. If creation and access to such records can be legislated to serve the public interest, so too can record keeping policies. Records managers must continue to be advocates for clear and consistent retention and preservation provisions that benefit the public good, in Pennsylvania and across the nation.