Laws like GDPR, CCPA, WPA, and others are springing up across the world giving citizens the right to request companies to disclose what personally identifiable information they store about the individual. For states, companies are required by law to respond to the submitted request within a day and they must to provide the requested information within a month. Scouring through petabytes of data for specific information can prove to be a challenge. Failing to respond on time can result in hefty fines, like in the Barnes v. Hanna Andersson case.
In this text, we’ll cover the six key steps in processing a Data Subject Access Rights (DSAR) request, what the main challenge is for each of these steps, and how DSAR software can make life easier for companies.
Step 1: DSAR Request Submission Portal
Companies should provide a DSAR Request Submission component linked to their corporate website where citizens can submit a DSAR form. This portal should be easy to use, secure, and if the portal supports creating and storing individual login credentials, tied with the login details of the person submitting the request.
The challenge in this first step is the ability of the company to capture the right information about the Requestor, so that the following steps are executed properly and on time. While this first step is not complex, people can easily mistype their name or their email or enter a different email address than the existing one in the system. This can cause problems later on as the request gets to next steps in the workflow.
An effective DSAR solution will have forms with field validations so that proper email formats are checked before submission. In some cases, form validation can go further and check for typographical errors. The benefit of form validation is that Requestors will ensure they are typing in the correct data, and when the form is behind an active login session, these fields can be pre-populated.
Step 2: Verification of Identity
When companies receive a data subject request, the first step is confirming the identity of the person by matching that identity to the requested content.
The challenge is verifying the identity of the Requestor remotely and securely. Chances are, that some of your customers, employees, etc. may need to provide additional information beyond their name, surname, address, telephone number to include login ID, email, IP address, etc. to identified themselves more precisely. In some cases, companies may need to collect a dozen other details to precisely identify who is submitting the request, and what personal data the company keeps.
The benefit of a good DSAR software platform is enabling corporations to quickly and even automatically identify any additional information the Requestor needs to provide in order for a proper and definitive identification. Automating this step is key in responding in a timely fashion and sending the right data to the right person within the 30-day timeframe.
Step 3: Searching for Personally Identifiable Information
As data storage becomes more and more affordable, companies are storing more of it. While this may be valuable for data-driven business decisions, each company’s vast data footprint is adding to the complexity of responding to DSAR requests.
The challenge: after a DSAR request has been successfully submitted, the DSAR software or with an integrated eDiscovery platform will need to search through all the repositories the company has, spread across different systems and potentially different locations to include SaaS based platforms. Companies may keep bits and pieces of personally identifiable data in dozens of locations:
- ECM system databases
- Office 365 / SharePoint folders
- Email servers
- Proprietary applications
- CRM systems
- Billing systems
- Internal chat systems
- External marketing platforms.
The solution will need to be able to securely connect to each of these data storage endpoints and quickly search through petabytes of data. These systems will need to be able to communicate via encrypted API endpoints at-scale, secured from interception or copying by hackers.
An effective DSAR solution makes all this possible. Without it, companies may not be able to respond to DSAR requests in a timely and a secure manner.
Step 4: Data Review and Approval
While companies can fully automate the data delivery, it is best if this data gets reviewed by a person before it is released to the Requestor. One risk is that a document may have PII about another individual that needs to be redacted.
The challenge of having the staff involved in DSAR review and approval is that people will need an intuitive user’s interface to do their job as well as assistive technology given the volume of information. In addition, the entire process needs to be audited so the organization knows how had access to the Requestor’s information.
The benefit of an integrated DSAR solution is the automation, collaboration, tracking, reporting and auditability.
Step 5: Timely Response
The key challenge of DSAR requests is that there is a strict deadline for companies to respond. Similar to Public Records / Privacy / FOIA requests where government have a statutory timeline to respond, companies have only 45 days to receive, verify, and respond to a DSAR request.
Even though many of these laws are fairly new, we already hear of lawsuits against companies who failed to respond properly and on time. Just recently we witnessed the Barnes v. Hanna Andersson case where Salesforce and Hanna Andersson LLC got fined for failing to comply with timely data disclosure under CCPA.
The benefit of using a DSAR application is that corporate staff will be able to follow these requests and get reminders of deadlines. To help assist with complying with the timeline, an integrated DSAR solution that includes eDiscovery and potentially RPA is recommended.
Step 6: Data Editing or Deletion
Under DSAR legal frameworks like GDPR, CCPA, or WPA, data subjects can request deletion or editing of the stored data. Ideally, an integrated DSAR software solution will be able to store the data sources of each piece of PII, tie it to a specific DSAR request, and have the ability to send Delete and Update requests through a secure API connection.
The challenge is twofold here. First, the DSAR software will need a way to send an Edit or Delete command to the exact data location for each DSAR request. Second, this data management will have to be auditable.
This means that qualified DSAR software solutions will have the ability to integrate with disparate data sources and have the ability to quickly respond to any Requestor’s demand for editing or deleting of PII.
Ideally, the DSAR software solution will be able to have a two-way communication with storage endpoints and fulfill a Delete or Edit request. This will allow the DSAR to track the communication that the request was fulfill and by which systems.
The benefit of a reliable integrated DSAR solution is clear. Without a software solution, companies will have a hard time adhering to the law and proving that it was accomplished if litigation arose. There is an added benefit too. While companies may have internal best practices for data management, de-duplication, etc., it is still helpful to have a visual map of all the locations that contain privately identifiable information.
As we already mentioned, companies need to be able to track how each DSAR case is handled, from the moment of its creation to the moment it was successfully processed. Every action done by the staff, every API call done by the software to send requests and receive encrypted information from external sources, every alteration of any data endpoint needs to be thoroughly documented.
Capable DSAR software solutions should have this auditing capability. In cases where the DSAR solution is built with proper case management capabilities, auditing should not be a problem. Most case management platforms on the market have this built-in.
One such solution is ArkCase, an open-source case management platform. ArkCase is built with auditing capabilities out of the box. Any time an action is done on a case, there’s an audit entry with a timestamp and clear details of who did what and where. Companies can extract the timeline for every DSAR form. These reports can contain timestamps, people involved, data sources, staff activities, IP address and even the Requestor’s responses.
The Data Subject Access Requests initiative, covered with legal frameworks like GDPR, CCPA, WPA and other variants, are enabling citizens to approach private companies and request data disclosure. Companies, under CCPA, have to respond to the request and disclose all personally identifiable information within 45 days. Failure to comply could mean hefty fines, as Salesforce already experienced first-hand.
Because of the complexity of what qualifies as personally identifiable information and the vast amounts of data that companies store, DSAR software is quickly becoming a corporate necessity. The only way companies can scour through petabytes of data spread across internal and external databases in a timely manner is by relying on an integrated DSAR software.
In most cases, DSAR software uses the same mechanisms as case management solutions. The forms, workflows, and user roles can all be pre-built and ready to be used out of the box.
The ArkCase team has implemented a DSAR solution that can be integrated within enterprises to automate this process. The ArkCase DSAR solution is a reliable option for any size organization that need to be ready to respond efficiently and effectively to Requestors.
For more information on this subject, feel free to reach out to us via the Contact form, or using the Comments below. And, please help us raise awareness of the DSAR Software option by sharing this text with your social media connections.
With recent legislation developments ensuring citizens’ rights to request their personal data that companies hold, companies are facing a turbulent future. Compliance is not optional. Now, the race is on. Citizens will be reaching out to companies, requesting disclosure. Companies need to adopt a software solution that enables fast and reliable personal data search and reporting.
What is DSAR?
The Data Subject Access Request policy basically states that citizens may request, under the General Data Protection Regulation (GDPR), that a data controller (business or other organization) disclose the requester’s personal data that the organization holds about them.
Companies need to respond in a defined time frame and provide the information to the requestor. Companies also need to be able to edit or delete personal data upon request from a citizen. To successfully fulfill these tasks, companies and organizations need reliable Data Subject Access Requests (DSAR) Software solutions that meet all the requirements set by the DSAR initiative.
Different countries have different interpretations of the DSAR policy, complicating an already daunting challenge of compliance.
It all starts from the EU General Data Protection Regulations (GDPR) which replaced the old 1995 data protection directive. It was published in May 2016 and went live on May 25, 2018.
In the United States, the closest GDPR equivalent is the California Consumer Privacy Act (CCPA) that became law on January 1, 2020. It is the first US-based consumer privacy regulation.
The state of Washington is currently working on legislation known as the Washington Privacy Act (WPA). The WPA regulation is stronger than CCPA and uses some GDPR concepts, therefore it is viewed as a leading example of consumer privacy regulation in the U.S.
There is obviously a movement towards nation-wide acceptance and formalization of the Data Subject Access Requests initiative, so citizens can claim ownership of their data, regardless of who holds this data.
Who gains from the DSAR and who are the stakeholders?
Clearly, the citizens are the main winners in this process; they gain new fundamental rights: personal data privacy and protection. Individuals get the right to ask companies and organizations to disclose what data they hold, and request further action such as editing, moving or deletion beyond recovery of that data.
Companies and organizations, also known as data controllers, must ensure that the Data Subject Access Request initiative really works. Companies and organizations are expected to deliver on DSAR. They will have to fulfill these new obligations by developing internal processes, workflows, and technologies that allow full compliance. Data controllers are expected to return a notice within 24 hours after receiving the data access, and they are expected to answer the data access request within a month after the request was submitted. Failure to comply can have legal ramifications and will also include fines
In some cases, data controllers can have external data processors who have the responsibility to handle these data access requests on behalf of the controllers. They should implement all measures needed to receive the request and respond to it in a timely, secure fashion.
While DSAR is a fairly straightforward high-level idea, the nuances are challenging. A citizen submits a to a company or organization, using their DSAR workflow processing software. The company’s staff receives this request. Then the controllers and data processors find all the data on that citizen and reply to the request. So-far, so-good.
However, receiving the request requires a more complex software that will help the organization verify that the requestor is the same person that would be the data-subject. Otherwise, the company would face the ramifications of disclosing personal information to third parties.
Then, the ability to pull all the data from all data sources, and combine it in a single report, is also challenging. If the data requester asks for data edits, the company should be able to send these data updates to the specific location, making DSAR not only a data retrieval but also a data modification process.
On top of that, this DSAR software would need to have auditing capabilities, which means strict user access level controls and logging of every single action that is taken around each case.
Why should you care about DSAR?
Compliance with these regulations is not optional. Companies and organizations must adhere to the DSAR initiative and the legal frameworks like GDPR, CCPA, and WPA.
Failure to comply will almost always result in fines. The Barnes v. Hanna Andersson case is the very first case for violations based on the CCPA. The minimum amount of that case damage is a million dollars. In just 30 days from the CCPA launch, this case was opened on February 3rd, 2020 against SalesForce and Hanna Andersson, LLC.
Fines from GDPR in Europe are an almost everyday occurrence, ranging from a few hundred euros to a 99 million pound fine against Marriott International Inc. for a data breach.
According to the latest Talend’s survey, only 42% of all companies and organizations were able to successfully respond to DSARs. According to a report by Gartner, the average cost to process a single DSAR request is $1400. Such a high fee implies that the process is manual and labor-intensive.
Companies and organizations are hard-pressed to process a growing number of DSAR requests under a threat of lawsuits and any company and organization storing personal data could be the next target.
The Microsoft Example: Preemptive DSAR Compliance
Microsoft has chosen to deal with DSAR requirements proactively by implementing their DSAR software solution nationwide, not just in California.
One recent review of the 50 companies from the Fortune 500 list made by the Data Protection Report indicated that it will be much more difficult to differentiate users in California versus the entire U.S. The complexity will grow when all new state regulation initiatives are in place: New York Privacy Act (S5642), Massachusetts (SD 341), New Hampshire (HB 1680-FN), and Virginia (HB 473), for example.
Hopefully, federal unification of the regulations will happen quickly. The process to unify regulations is being addressed through the Online Privacy Act (H.R.4978) bill introduced in the US Congress, which includes a provision that users have the “right to choose how long data can be kept and opt-in consent for the use of data for A.I. algorithms.”
Next Steps: Tools of the trade
While the Data Subject Access Request framework is relatively new, it is still a process that can be automated to a large degree. Using existing technologies for business process management, data storage, form submission, document search and redaction can significantly simplify the process of becoming DSAR compliant, regardless of the local legal frameworks such as GDPR, CCPA, WPA, etc.
Here are just a few trusted technology providers who have been in the document management and case management industry. Companies don’t need to build an entirely new technology stack from the ground up to get a solid DSAR software.
Alfresco Digital Business Platform
Alfresco recently announced several changes to their software solutions according to GDPR and CCPA regulations. This makes the Alfresco platform a reliable DSAR Software solution:
“Alfresco has updated its Alfresco Governance Services, introduced new Federation Services that enable ‘Manage in Place’ records management, enhanced its E-Discovery and ‘Legal Hold’ with Artificial Intelligence (AI), and added Governance to Desktop Synchronization.”
Here are a few key benefits that Alfresco brings on the market:
- Alfresco Federation Services enables users to perform a search through different business and content repository types from a single application with no need for content migration. Now they can search, view and manage information even from non-Alfresco repositories from a single user interface and take any action they like – place the data on hold or export it for further use in e-discovery or review tools. This is a so-called “Manage-in-Place” feature – a single point of access without migration.
- Alfresco Governance Services now has AI-powered e-Discovery. It eliminates the complexity of the “Legal Hold” process and speeds up e-discovery tasks. Now companies can process requests faster, even with information stored across geographical borders or different systems.
- Desktop Synchronization is now synchronizing not just the data through different repositories but also the data record management policies that are associated with that data. The predefined level of governance will remain associated with different repositories or user’s desktops.
- Automation of digital filing and detection of Personal Identifiable Information (PII) provides greater data security and protection in the DSAR process.
With Governance Services as a part of the open source Alfresco Digital Business Platform -the platform can serve as a part of a DSAR software solution.
ArkCase Open Source Case Management and DSAR Solution
If we see DASR software solutions from a workflows perspective, we can easily recognize that any data privacy request, at its base, is a new case. Creating, managing, tracking, and responding to these requests is similar to responding to any other case: legal, FOIA, complaint, etc.
Companies with experience in service request management solutions are developing and promoting DSAR software solutions. ArkCase is one of these DSAR software solutions.
ArkCase is an open source case management system that integrates with the industry leaders such as Alfresco, Content Server, Documentum, Mobius, Ephesoft, etc. With its modular open source platform, configuring specific workflows is fairly straightforward.
The ArkCase Data Request Management module provides a fully functional DSAR software solution out of the box.
For years, ArkCase has supported receiving, processing, tracking, and responding to requests for similar use cases, and has been optimized to support a DSAR application for fast, secure, reliable case management solution.
In ArkCase, editing forms and workflows use a low-code, drag-and-drop technology so that even non-technical staff can easily verify or adapt the functionality to their specific needs. It provides standard but customizable request forms and workflow solutions.
ArkCase can also be easily deployed in different environments in compliance with data storage and security regulations.
The DSAR initiative spawned legal frameworks like GDPR, CCPA, and WPA, and more regulations are in the works until a nation-wide data privacy law is enacted. Only one month after the CCPA law went into effect, there is already a major lawsuit based on its requirements.
Companies should follow the Microsoft example in erring on the side of caution and adopt a DSAR software solution as soon as possible. Luckily, established companies like, Alfresco and ArkCase have developed software solutions to address these regulations.
If you’re looking for a DSAR software solution, hopefully this post was helpful. For more information, don’t hesitate to write us or give us a call. Armedia has been supporting agencies and companies with their data management and case management needs as a solutions integrator. Feel free to give us a call for a no-obligation consultation.
In the meantime, don’t forget to share your opinions in the Comments section below, and share this blog post on social media.
Cyber-security is a hot topic in federal, state and local government agencies. The year 2019 will be remembered as the cyber-security horror year. With hundreds of security breaches that resulted in significant costs to repair the damage, cyber-security is not just an abstract concept anymore, even for municipal and local government agencies.
Because of resource limitations, cyber-attacks are especially threatening for government agencies. Budget restraints are limiting their ability to train their staff for social hacking, but even more importantly, these agencies find it costly to modernize their software solutions. Outdated software is the second most common reason for security breaches. Outdated FOIA management software is a perfect example. It’s used by the public and usually integrated with document management systems, making it an easy target for hackers. It’s used by multiple government employees, making it easy target for social hacking.
Basic statistics of most recent cyber-attacks
Based on the 2018 report of the White House’s Office of Management and Budget (OMB) – from 96 investigated agencies – only 25 were declared safe and implementing proper tools, policies and modern FOIA software. The majority, 59 of them, were declared at risk, and 12 were at a high level of risk.
Even without formal reports, in 2019 we witnessed hundreds of ransomware attacks on government agencies and private enterprises. These attacks were predominantly related to personally identifiable information stored on government and enterprise systems. In total, 966 institutions fell victim to the ransomware attacks:
- 764 of these breaches affected healthcare systems
- 113 breaches affected government agency systems
- 89 attacks affected educational institutions systems
Wherever there are large quantities of personally identifiable information, there will be a constant interest in penetrating these systems and stealing data.
Looking at the numbers, it seems that ransomware attacks were quite successful in institutions where there are freely accessible form-submission URLs, and there are large amounts of personal data stored at the backend.
The problem seems to be in these agency’s limited interest in cyber security best practices. As the Mississippi Office of State Auditor bluntly puts it, “according to survey results published in a report from the Office of State Auditor Shad White, many state entities are operating like state and federal cyber security laws do not apply to them.”
One way to address the cyber-security issue is to use software from trusted vendors that follow strict regulations and best security practices. Another strategy is using trusted technology integrators who will also train the agency staff to recognize and repel social hacking attempts.
Why ArkCase FOIA is Positioned to Fix Security Requirements
Armedia has been a solutions provider for government and enterprises for almost 20 years. During this time, we have had the opportunity to work with different agencies and provide various solutions using technology providers like Microsoft, Amazon, Alfresco, Ephesoft and OpenText.
While working on modernizing FOIA solutions for government agencies, we’ve found that using open-source software solutions can be a great strategy to get a cost-effective solution that is compliant with government regulations. ArkCase is a comprehensive platform providing case management that we’ve been using for FOIA solutions; it includes a strong set of out-of-the-box capabilities as described below.
Veracode Code Quality
Veracode verification is one of the certifications that software providers need to fulfil to be a good match for government agency needs. Most agencies understand that code security is quite important in decision-making. According to Veracode’s reports, 84% of decision makers are concerned with the security threats that may come with third-party applications. While functionality and cost of a software are important, code security should figure prominently in a Request for Proposal (RFP).
Veracode offers several tiers of code certification. Tier 1 is their standard code verification. Software products that fulfill this tier offer the needed security requirements at a reasonable price.
ArkCase holds the Veracode Standard Verification, which certifies that ArkCase followed proper development procedures to ensure a stable, secure platform for FOIA request processing.
When government agencies update their software with a newer, cloud-based solution, they need to follow certain best practices. The FedRAMP Product Provider certification ensures that software solutions comply with those best practices.
With cloud-based solutions, the platform provider plays a key role in how safe the software is, and how safe its data is. Amazon Web Services (AWS) as a Platform as a Service (PaaS) provider is FedRAMP compliant. This means that software providers using AWS as a PaaS can offer secure and scalable servers to run and store their data.
By using AWS, ArkCase meets the FedRAMP Moderate requirements.
DoD 5015.02 Compliance
The Department of Defense Design Criteria Standard for Electronic Records Management Software Applications, also known as the DoD 5015.02 Standard, defines the parameters of development for secure records management solutions. While this regulation was first defined for military use, since its publication back in 2002, it has become the standard even for non-defense records management applications.
Moderate compliance to the DoD 5015.02 standard is enough for most government agencies. There are more providers that offer moderate compliance. Alfresco is one of those providers. (We’ve covered the DoD Compliance in more detail in a previous blog post “Why Government Agencies Should Care About DoD 5015 Compliant Software.”)
You can learn more about the ArkCase FOIA solution and locate demos and sign up for webinars at the ArkCase website.
The Strong Case for ArkCase FOIA
By using ArkCase FOIA as a modern, cost-effective solution, government agencies can quickly and easily improve security.
ArkCase FOIA comes with hardened security thanks to the technologies used and the Veracode-certified development workflows. Thanks to strategic partnerships with trusted technology providers, ArkCase is also FedRAMP and DoD 5015 compliant.
The Added Benefit of Choosing Armedia as a Solutions Integration Partner
The National Association of State Procurement Officials (NASPO) is an organization that helps state government agencies make informed decisions and pick vendors and service providers that are verified by a reliable source.
Armedia is a NASPO ValuePoint solutions provider since early 2019. With close to 20 years of field experience, Armedia has been a solutions integrator for government agencies and blue-chip companies worldwide.
By choosing Armedia as a solutions integrator for your FOIA software needs, you leverage the experience and innovation that our team brings to the FOIA software industry. When we deploy a FOIA solution, we make sure that everyone who uses the software is well-trained to use it securely. Our security experts emphasize best practices to ward off social hacking.
For government agencies struggling with cybersecurity, there’s never been a scarier time than today. 2019 saw numerous security breaches that caused enormous material damage, and a loss of confidence of the general population in government agencies. But it has never been easier to mitigate those security holes. With ArkCase FOIA and Armedia as a solutions integrator, government agencies can quickly and cost-effectively gain full compliance with DoD 5015, FedRAMP, Veracode, and NASPO.
If you are looking for a cost-effective reliable way to solve your organization’s security concerns by updating your FOIA software, we’d love to hear from you in the Comments section below.
Or, if you prefer, feel free to reach out to us. We’d love to have a quick phone call to discuss the subject in more detail.
Most decision makers will agree that ECM modernization is not something enterprises are keen on doing. The risks that come with modernization are real and can cost a lot, both in terms of stress and in financial costs.
However, by not modernizing outdated ECM systems, enterprises risk spending much more time and money on daily operations, as well as the ongoing cost of maintaining the IT systems that are powering that old ECM solution.
Here are 5 key benefits your enterprise will get from modern ECM software, that will hopefully help your organization warm up to the ECM modernization idea.
Upgrading to a modern ECM software means moving to the cloud. And moving to the cloud means better accessibility.
Enterprises rely on modern ECM software to help make the company’s data more accessible by putting this data online rather than on paper or spread out in different data formats in an isolated intranet.
Adopting a cloud-based ECM software will make it easier for employees and other authorized users to retrieve that data from locations outside the office. The cloud stores all data in a secured location, making it easier for enterprise employees to log in securely, and access any needed data.
Better User Experience
Enterprise Content Management solutions will probably never become a fully automated industry. People will still need to fill out digital forms, and rely on workflows to process legal cases, medical cases, privacy requests and so on. That doesn’t mean that as an enterprise, you shouldn’t be looking for ways to make these repetitive tasks easier.
Modern ECM software solutions are far more flexible than older ones. These newer ECM platforms are built with low-code or even no-code ways to customize and even fully automate workflows. This enables non-technical staff to easily configure the ECM solution to fit your company’s specific needs.
Organizations that use legacy ECM systems find it very difficult to keep up with changes. The outdated software may be causing productivity hurdles within departments and across departments, when there is a need to collaborate or share data regularly and securely.
Modern ECM can change all of that.
Modern ECM systems include document clustering, advanced search, and metadata management capabilities that didn’t exist until just a few years ago. Smarter data management ultimately helps your staff be more productive and get more value from the corporate data.
Regular Functionality Updates
Outdated ECM software very rarely, if ever, get functionality updates. While companies do release patches and fixes, these are usually security patches. You’d still be maintaining an old product that’s been developed, quite literally, in a different decade, or even a different century.
Upgrading to a modern, cloud-based ECM system means that you will no longer worry about maintenance, and you’re much better positioned to regularly get new functionality upgrades. Companies who built these systems are regularly updating and optimizing the ECM platform and you’re always using a fresh version.
Also, adopting a cloud-ready ECM means that enterprises can offload the ownership, management, and cost of their hardware and software maintenance to the cloud provider. This is one of the key reasons why organizations opt for ECM modernization.
Many enterprises struggle to keep their data safe. This is especially true for organizations that store personally identifiable information. Banks, hospitals, schools, and universities are all prime targets for hackers who try to steal personally identifiable information.
Modern ECM solutions usually come with a hybrid or fully cloud-based solution. Industry regulations like FedRAMP, HIPPA, DoD 5015, and Veracode are there to help software developers build secure and scalable solutions. Companies who need a trusted ECM solution can easily find a supplier that is compliant with one or more of these regulations.
In some cases, cloud-based ECM Solutions come packaged with technology that meets most of these regulations:
- Using scalable and secure servers from the Amazon Web Services platform is one way to achieve compliance with FedRAMP.
- Using the Alfresco platform for data management, is one way of becoming DoD 5015 compliant.
- Using ArkCase for case management ensures Veracode compliance.
These security regulations, and software providers who meet these requirements, are your best bet when planning an ECM modernization project for your organization.
Any company that handles large amounts of data knows that having a solid ECM solution is a critical component of success and security. But, because of this very reason, some companies are hesitant to give ECM modernization a more serious thought.
In this short text, I hope that I listed just a handful of benefits that would help your organization warm up to the ECM modernization idea.
We at Armedia have been helping companies and government agencies make the right ECM solution choice for almost 20 years. In our history, we’ve helped organizations merge disparate data sources into a single data repository. In some cases, this meant joining local databases stored in various formats, online databases, and vast amounts of paper documents.
In all this work, we’ve developed workflows and technologies that are helping us do reliable data migration even when there are terabytes of data.
We’d love to hear your concerns and what’s stopping you from considering ECM modernization with more ease. Please use the comments section below to share your thoughts or send us an email using the Contact Us page. And, please don’t forget to share this article on your social media profiles. Perhaps, this is exactly what someone needs to see in order to make the next small step towards ECM modernization.
The Freedom of Information Act (FOIA) codifies government transparency and ensures citizens access to public records of interest. Despite these admirable intentions, often the volume and speed of public records request fulfillment results in frustrated citizens and overwhelmed government employees.
Activists, academics, reporters, and citizens share countless stories regarding delays and even denials of their requests for public records.
People wonder how, in an age of ever-growing data, agencies that deal with public records can still struggle to respond in a timely fashion. Unfortunately, government agencies still rely on outdated public records solutions.
Public Records in the Digital Age
The 24/7 television news cycle, the boom of social media, and a plethora of online news outlets are considerably increasing the public’s interest in government affairs. In 2018 alone, members of the press and citizens submitted 863,729 public records requests to federal agencies. The number of requests is growing every year.
Image Source: Summary of Annual FOIA Reports for Fiscal Year 2018
The increasing number of public records requests is a good sign that people have a keen interest in our democracy. That’s why FOIA exists.
But let’s see how many of these requests were answered on time by receiving agencies.
Image Source: Summary of Annual FOIA Reports for Fiscal Year 2018
As you can see from the chart above, out of 863,729 public records requests submitted, 830,060 got a response to their request. Even though the percentage of the processed requests is high, 93.8% released in full or in part, we’re still looking at 33,000 newly backlogged requests in 2018 alone.
Additionally, at the end of FY 2018 the total number of backlogged requests was 130,718, which is a 17.4% increase over FY 2017. Numbers speak for themselves: FOIA agencies struggle to keep up, and they’re losing the battle with the backlogged requests.
Increasing demands of transparency in the digital age combined with an ineffective review, search, and redaction process are constantly increasing the number of backlogged requests.
More Data = More Complexity
Every day, employees and agency officials generate massive amounts of new data. Our communications-heavy society is generating 18.1 million text messages and 188 million emails every minute.
Government officials and employees are no exception, creating internal and external crisscrossing trails of electronic communications. In addition to emails, PDF files, and Word documents, critical information is available from many different sources such as the Internet of Things (IoT), body cams, social media, audio and video recordings, smartphones, photos, and other devices.
Without an advanced technology to meet these digital age challenges, agencies are simply not able to manage and access the data necessary to complete adequate public records searches.
Agencies that use a modern public records solution can easily centralize and standardize all types of data and electronically stored information (ESI) and use advanced search features to find relevant information within. But agencies that still rely on basic search abilities, or those that develop proprietary search techniques, miss important information that the public has a right to know.
For public records requests to be completed as expected, FOIA employees should be able to search all the needed records. This means they should have centralized access to all the agency’s ESI and an effective way to search multiple file types to reliably identify all relevant information.
To see if agencies are effective in their FOIA searches, the National Security Archive and the Project on Government Oversight conducted an online survey of both FOIA employees and requesters. Here are some of the conclusions from the survey:
- Most agencies don’t have centralized public records search capabilities, meaning they cannot search large portions of the records.
- The employees often perform slow, imprecise, or incomplete searches for requested public records.
- Some agencies have access to eDiscovery tools to search for the requested records, while other agencies don’t search for records electronically at all, instead relying on a manual process.
Inefficient Review & Redaction
If full disclosure of the information is not allowed due to security concerns, federal agencies still are required to disclose some information. The sheer number of exemptions and exclusions makes reviewing protected information a very time-consuming process. Redacting hundreds of pages using outdated software is a painfully slow process prone to errors. There’s a much better solution than redacting with duct tape!
Image Source (The image was masked to hide personally identifiable information)
I think we can all agree that resolving these digital age challenges is important; especially in an era where modern public records solutions are more accessible than ever.
The delays in public records’ responses are a serious issue. In some states, requesters have a right for compensatory damages and attorney’s fees under FOIA. Also, disciplinary damages can be awarded under some public records laws if there is an unlawful refusal for disclosure or an arbitrary delay.
Unsatisfied requesters without administrative appeal options can file a lawsuit in Federal court. In FY 2018 there were 860 lawsuits filed against the government agencies. The backlogs of FOIA suits still waiting to be decided increased to 1,204 cases, an all-time high.
Adopting a modern public records solution will help agencies reduce the number of lawsuits, as well as the number of requests in the backlog.
The Importance of Adopting A Modern Public Records Solution
With a modern solution, FOIA agencies can use eDiscovery compliant, advanced search capabilities that can help them easily find specific keywords and phrases in audio and video files. Also, such a solution will help with organization and collaboration, review, redaction, and production challenges.
These modern FOIA solutions are designed to:
- Combine data from various locations and standardize different file types.
- Identify potentially related information faster by providing an early assessment.
- Automate certain activities as identification, classification and redaction of exempted, private, and excluded data.
- Allow employees easy access for date reviewing.
- Provide advanced, customizable reporting features to meet all FOIA reporting requirements.
By using a modern public records solution, federal agencies can make significant changes and implement cost-effective solutions for challenges that are responsible for incomplete responses, denials, and backlogs. Furthermore, agencies will be able to reduce the number of lawsuits and appeals while providing accurate responses.
How the ArkCase Public Records Solution Can Help FOIA Agencies
The ArkCase public records solution meets FOIA requirements with a modern, automated software solution. ArkCase has partnered with Alfresco, Snowbound, AWS (Amazon Web Services), and Ephesoft to create a highly configurable, intuitive, scalable, and compliant FOIA solution:
Using these platforms, ArkCase offers a modern, workflow-driven, web-based public records solution specifically designed to help FOIA agencies automate, manage, and quickly and easily handle Public Records requests.
The key benefits that agencies gain by adopting the ArkCase public records solution include:
- Centralized processing from various request channels (web, paper, fax)
- Simplified upload of documents, photos, and videos
- Compliance with security and records retention
- Cloud-based and mobile-friendly modules
- Electronic delivery of requested information
- Automated business intelligence
- Reduced risk of information loss
- Faster information assembling
- Quick access to information
- Improved workflow capacity
- Increased user productivity
- Faster response rate.
The ArkCase public records solution digitizes everything in the FOIA request processing for easy searching. Communicating with other offices and departments and managing documents is seamless, speeding up the response time. By using ArkCase’s modern public records request solution, agencies can now easily overcome the challenges they’re facing on a daily basis and keep citizens informed.
Let’s Sum Up
In FY 2018, all the agencies dealing with FOIA requests processing received 863,729 FOIA requests, an all-time record high. That is an increase of almost 6% from the FOIA requests received in FY 2017 (818,271 requests).
The number of processed requests in FY 2018 is 0.83% higher than the number of processed requests in FY 2017. According to the Annual Report, the agencies continued to maintain a release rate of over 90% for a tenth year in a row. Still, there is work to be done to make further improvements and reduce the backlogs in FY 2019.
With a modern public records solution like ArkCase, agencies can easily overcome their challenges in meeting their FOIA goals.
The ArkCase public records solution is a modern, open-source, secure, flexible, scalable, reliable, and cost-effective solution that will enable your agency process more requests, with less effort, without compromising work integrity. And it can help you achieve all of this from one place, at an affordable price.
To make the ArkCase public records solution meet all your requirements, please check out this webinar. If you have any additional questions, please, don’t hesitate to contact us.