Your SlideShare is downloading. ×
0
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

The ins and outs of the e-FOI process

1,559

Published on

A one hour presentation to Ontario FOI administrators in the hospital sector.

A one hour presentation to Ontario FOI administrators in the hospital sector.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,559
On Slideshare
0
From Embeds
0
Number of Embeds
6
Actions
Shares
0
Downloads
1
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Here's an outline of the presentationExcitedResource to our firm for the last five years or so on e-discoveryHow do we deal with production in civil litigation given the massive volumes of ESI now held by companiesThis is a problem that is truly threatening the viability of civil ligationAlways watching FOI and was interested in how the FOI process was doing pretty well -less adversarial -good IPC decisions -knowledgeable FOI administrators!
  • So I don't want to screw anything upI'm not suggesting you change your process overnightIf your process is working, greatBut I hope to give a little insight into e-FOI issuesI have a sense they are highly relevantAnd I hope you can take any insights that you derive from this presentation and apply them to your FOI process -more efficient process -with fewer unanticipated costs -and fewer unnecessary disputes
  • We have to start by discussing what ESI isThink about paper-all the data and information is on the page-think about receiving a big stack of paper like this-you have to do significant work to understand what the stack means -often you'll do this by putting the docs in date order -but that may not be ideal – might make more sense to organize by custodian -or, even better, it might make sense to organize by issue-lots of manual data processing here-once we've got the paper in some order we have to create a manual index -pull data outagain -can be hard because many documents have no standard form -doc name -doc date -author-paper is pretty inferior really
  • ESI is different – it has dimensions
  • There's the layer of data – subject matter of the filePicture = image you seeMusic file = the music you listen to
  • And then there's metadataData separate from the subject matter of the fileSee here
  • Here's a good definition of metadata that I pulled from a Cornell UniversityIt describes the data… gives it meaning… context and (most importantly for our purposes) organizationESI comes with fairly standard descriptors -file name -author -last modifiedManual indexing is not required, and you have a set of data you can organize and re-organize -you want chronological, arrange by a data metadata field -want a different view, maybe by person, sort by author -or interested in an issue, conduct a word searchIt's all there… that's ESIIt's great really – when you take that e-mail and print it you "degrade" the record – you strip out useful data and you're left with something less useableProblem, of course, is that our volumes have quadrupled, but we're stuck with that whether we process paper or not
  • Now let's compare and contrast the two processesHere's a traditional FOI processReceive request and interpret itSend search instructions to custodians-custodians keep control over the receptacle in which responsive records sit-field filter based on instructions… risk point rightCustodians apply the search by copying records (paper, forwarded e-mails)-neither are very good copies of the actual recordYou review the documents for responsiveness, exemptionsIndex them, manually record (create a tiff image)Prepare them
  • Move to electronic processing-make the point that I'm not making this up-this is something called the EDRM-a staged model for discovery-A few things about the model I should point out -It contemplates a process in which ESI is never converted to paper – zero degradation -It recognizes that this is a problem of volume = upward slope relevance, also upward slope in understanding -Arrows back and forth – iterative process
  • Here's the translation into your FOI worldYou collect, perhaps with IT's help – collect the receptacle or a very broadly defined subset of the receptacle-entire e-mail container file (.pst)-entire hard driveYou process for responsiveness-take all the receptacles, dump them in together-process-remove duplicates (if appropriate)-assess responsiveness-left with a smaller data setImport to a review tool-piece of software that allows you to work with the records – access pro, summation-tag and redact-usually working with tiffs or pdfs for redaction, but can be linked to the native file4. Produce electronically, no copies
  • Here's a comparison: -your control increases -you can instruction your custodians to search and produce electronically, but often you simply take groups of docs -handling of the records improves because you're using metadata to organize rather than manually indexingThe limit for FOI-In civil litigation you're really looking for relevance and privilege-lots of people are advocating for fully automated processing to reduce the cost of manual review-I don't know how to do that for FOI-There are fifteen exemptions and numerous exclusions in FIPPA -And section 10 says you've got to sever reasonably-Your job is just harder!-Need a good review tool and the time spent reviewing (all unchangeable right now) is going to be significant, even in an e-process-A good tool will facilitate review -Group similar records -If you need to produce duplicates you can at least group them -Some tools help you manage e-mail threats
  • So you can think about the pros and cons of an e-processThe IPC will likely give you the choice of using any reasonable processSee MO-2634Requester seeking nine specific e-mails sent and received by an employee who claims he never sent and received such e-mailsNo love lost between the requester and the municipal institutionNice search process set out by the senior employee himself (he was an IT administrator) [field-filtering though electronic]Error in spelling a name, but the City re-searched and provided another affidavitReasonable search upheld despite challenge to the independence of the employee who conducted the search[Note there is apparently a US case by a now famous e-discovery judge named ShiraScheindlin in which she suggests that field filtering is somehow irresponsible. Not a practical view.]
  • Go to two types of requests – database requests and e-mail requestsDatabases = structured data (easy to deal with)E-mail = unstructured data (a nightmare)Screenshot from some data journalism work done by Glen McGregor of the Ottawa CitizenHuge data dump of parking ticket data from City of Ottawa from which he created all these piecesIncluding a piece on the parking officer who has issued far far more tickets than his colleagues – the "Ticket Master"
  • In theory at least, these request should be pretty easy to deal withJournalists will say this – what's the problem, just export it to diskWe do see disputes though… listed the kinds of database disputes hereI'll discuss the first and fourth in more detail, so will touch on bullets two and three briefly herePO-3232 involves a recent Carleton University case involving access to student grades – Glen McGregor request -example of when a requester says I don't want to know who these people are -institution says all these people will be identifiable -Carleton lost this one… seems like it was reaching pretty far actually -Citizen did publish articles critical of the University's existence and use of external legal counselPO-3017 one I was involved in -database of lottery winners -security sensitive information -nice… structured… 65,000 records but dealing arguing about a one page schematicMO-2985 case about a third-party database software provider claiming that its proprietary intersts would be affected by the disclosure… mostly unsucessful
  • There are limits – main point is that they are extraordinaryTwo limits… can rely on either of them…
  • Toronto police serviceAbout a request that involves a technique for masking identityAbout the "normally used" limitSeems like the police had bad evidenceOwn affidavit suggested that replacing identifiers was possibleDecisions suggest that TPS position was that process was ineffective and costlyEnd up – can do it with what's normally used you must do it
  • This case was going through at the same timeExceeded because the Police adduced better evidence of unreasonable interferenceIt is extreme…-OTIS = offender tracking information system
  • The first three bullets are about a similar ideaReally important to develop a good relationship with ITSpeak their languageDon't accept their resistance at face valueBe a benign skeptic…If you do not you'll get into a fee and feasibility dispute and loseWatched a talk given by Glen McGregor on YouTubeTells a story of a federal ministry who started with a $400,000 fee estimate that was eventually reduced to $40There was a similar debacle that happened with an Ontario school board in the last yearI know why these happenIT doesn't want to do the work, doesn't feel it its job and tries to trick the person who's askingDon't let that happen…-developing a computer program chargeable at 60 an hour-costs in an invoice from an outside vendor are chargeable at 100%….-provide good evidence, from the technical person-there is a great case … can't recall institution (best) It person swore an affidavit and obviously thought he could trick the IPC-called out for that
  • Then there are database requests for personal informationHere's one
  • Recollection hazy = but may have been 8,000 affected individuals
  • E-mail is hardHere's why…-very important that institutions be given the opportunity to transfer reasonable costs-one thing I question is whether that review time (perhaps capped at a fixed rate) needs to be funded
  • This illustrates one tactic you can use to deal with a large requestRequester led with a broad request -asked for centralized search -asked for deleted e-mailsDriven to outsource -frankly any request for deleted e-mails will do that -need a forensic expertise -may use the "normally used limit" to deal with that (not aware of case law)Here the institution outsources and generates a large but particularized fee (which it proves) -upheldThink you need to have some basis for outsourcing, not the only option, but a basisI've done this -ask twice to narrow -got an estimate -presented the estimate -requester never proceeded
  • This is greatA request for e-mails includes e-mails stored everywhere – active and non-active formsReasonable search requirement does not require you to go to backups and other sources of inactive dataGreatEven if the requester tells you – right to be the receive the fruits of a reasonable search, not a right to control your search..But, beware of missing e-mails
  • Transcript

    • 1. The ins and outs of the e-FOI process Dan Michaluk September 26, 2013
    • 2. Outline • Electronically stored information • FOI and e-FOI compared • Handling database requests • Handling e-mail requests • The privacy problem 2
    • 3. I’m not selling the e-FOI process today. Paper processing can work well. This is to open options, which may lead to efficiencies, reduce risks and reduce disputes.
    • 4. Electronically stored information • The data you see is the data you get • Hard to organize • We manually index or code and link to each record by identification number 4
    • 5. Electronically stored information • ESI has dimensions 5
    • 6. Electronically stored information • ESI has dimensions 6
    • 7. Electronically stored information • ESI has dimensions 7
    • 8. Electronically stored information • ESI has dimensions 8 Metadata describes various attributes of information objects and gives them meaning, context, and organization.
    • 9. FOI and e-FOI compared Custodians “search” Custodians copy Coordinator reviews Coordinator indexes Coordinator “prepares” 9
    • 10. FOI and e-FOI compared 10
    • 11. FOI and e-FOI compared Coordinator collects Coordinator “processes” for responsiveness Coordinator imports to review tool Coordinator tags and redacts for exemptions Coordinator produces electronically 11
    • 12. FOI and e-FOI compared • Positive • You have greater control over search and retrieval • You’ll have access to metadata and searchable text • No more double or triple printing • Limit • With unstructured data (e.g., e-mails), you can’t avoid a record-by-record review 12
    • 13. FOI and e-FOI compared • But it’s likely your choice • Requester’s may make the “fox guarding the henhouse” argument • See, for example, MO-2634 • Order suggests that institutions and custodians should be trusted absent a reason to mistrust • Advice – be the benign skeptic, and never, never say you’ve found all the e-mails 13
    • 14. Database requests 14
    • 15. Database requests • Producing an “export” at point in time – usually “CSV” or “Tab Delimited” • Common disputes • Fee and feasibility disputes – TPS case from 2009 • Identifiably disputes – see PO-3232 from July 2013 • Exemption of fields – see PO-3017 from Dec 2011 • Third-party disputes – see MO-2985 from June 2013 15
    • 16. Database requests • The limited definition of record • You have to create a record nowadays, unless the information resides in your head (see M33) • But there two (extraordinary) limits • Not capable of production by means… “normally used by the institution” • “the process of producing [the record] would unreasonably interfere with the operations of an institution.” 16
    • 17. Database requests • Toronto Police Services (Ontario CA, 2009) • Confirms a duty to export and mask identity • If you can do it with means “normally used” you must do it subject to “unreasonable interference” • Still a question about whether the required use of hardware and software not “normally used” is a basis for declining to answer (though it is clear if you don’t have normal use of the expertise you are clear) 17
    • 18. Database requests • Order PO-2752 from January 2009 • Example of the “unreasonable interference limit” • OTIS request for data in “linkable” form • 1,377.50 hours of work • By specialized staff • Legitimate security concerns 18
    • 19. Database requests • Tips on fee and feasibility issues • Build a relationship with IT • Build a basic understanding of technical concepts • Be very skeptical of large fees and claims that “it can’t be done” • Consider using an outside contractor to deal with real operational concerns (chargeable at 100%) • Provide detailed evidence to the IPC in an affidavit 19
    • 20. Database requests • Gombu (Divisional Court, 2002) • Database of electronic campaign contribution data • Most of the information was already public, but in physical form • IPC finds and unjustified invasion on the balance • Divisional Court - Production of electronic information not reasonably associated with any greater risk of misuse 20
    • 21. Database requests • The notification problem • What if the requester wants identifying information? • Head’s duty mandatory – reason to believe might (and SCC says give notice in Merck) • Necessary, but costly and unfunded • This will lead institutions to deny access • IPC may bear the burden of notification on appeal, as in PO-3017 21
    • 22. E-mail requests • The problems with e-mail • There are duplicates and near duplicates • Search is expensive because they are unorganized • Review for exemptions is unfunded, very time consuming and very difficult to automate • There is an interest in e-mails not stored “actively” – i.e. in archive (good), on tape (bad) or 22
    • 23. E-mail requests • MO-2154 • Requester asks for e-FOI, asks for deleted e-mails • IPC denies cost of acquiring hardware • Affirms $12,500 for fees to outside vendor • Shows – requesters can get what they ask for • Shows – use of outside vendors can be legitimate • See also MO-2764 (also some evidence that outsourcing was reasonable) 23
    • 24. E-mail requests • Deleted e-mails and e-mails on backup • Go back and talk to the requester about cost • Talk about duplication in active storage • Backup is probably a more cost effective alternative to restoring deleted e-mails in most cases • Identify the number of backup tapes from the event to the date of the request • Let’s go to the first tape before the story hit the news 24
    • 25. E-mail requests • PO-3050 • In general, an access request for emails does not require a routine search of backup tapes for deleted emails unless there is a reason to assume that such a search is required, based on evidence that responsive records may have been deleted or lost. 25
    • 26. E-mail requests • Text messages • They are records subject to the two limits • They can be logged and logs are easy to deal with • If not logged, they may be stored on phones • Can be exported from phones, but the process is awkward given how people use text message services 26
    • 27. The privacy problem • R v Cole • Establishes a limited ( “not entirely eliminated”) expectation of privacy • If there is personal use there will always be a privacy issue, regardless of policy • Employers can act reasonably for a legitimate purpose 27
    • 28. The privacy problem • Policy prescriptions • Policy can’t eliminate privacy but can help • Prepare your public sector employees for e-FOI! • Tell them that the choice to engage in personal use on a work system comes with a sacrifice • Give an express warning about e-FOI • Also warn – work is done on our system unless pursuant to a reasonable BYOD policy 28
    • 29. Dan Michaluk daniel-michaluk@hicksmorley.com (416) 864-7253 www.allaboutinformation.ca 29
    • 30. The ins and outs of the e-FOI process Dan Michaluk September 26, 2013

    ×