Government Compliance Checklist for Data Archiving and FOIA
For compliance officers and staff in federal and state agencies across the US
- In this government compliance checklist, you will get an overview of key compliance requirements for NARA, FOIA, Federal Records Act, and Federal Rules of Civil Procedure.
- The checklist has been compiled consulting laws, opinions, and research by industry experts, and you can find a list of resources at the bottom of the page.
- Each chapter contains a compliance checklist, followed by key background information on the respective law.
- The guide was written with the idea of using it on an as-needed basis, so go directly to the regulation you want to check your compliance for.
- If you have any questions and suggestions on how we can improve this checklist, or would like to contribute to its improvement, drop us a line at marketing@jatheon.com.
Chapter 1. NARA
NARA Regulations Summary
NARA (National Archives and Records Administration) is an independent US government agency that oversees the documentation of government records and that works to ensure public access to national archives.
It regularly issues guidelines that federal agencies need to follow when collecting, storing, and managing the records, some of which could be of national importance.
We’ll start this chapter by going through some basic information on how NARA rules work. We will then look at the essential records management requirements you need to meet when managing your records in line with NARA guidelines. We’ll also look at NARA-compliant email management to help you manage the records in your agency.
How NARA Works & What You Need to Know
According to NARA rules, the documentation that shows how a government agency works needs to be complete and accurate “to the extent required to document the organization, functions, policies, decisions, procedures, and essential transactions of the agency”.
Plus, this documentation needs to show all the information required to protect the legal and financial rights of the Government and of persons who are directly affected by the activity that an agency carries out.
It’s important to note here that all the federal records are broadly divided into two categories – records with temporary value, which can be destroyed after a retention period and records with permanent value, which must be preserved and which agencies need to transfer to the National Archives. It is the US Archivist who determines which documents fall into which category.
NARA Records Management Compliance Checklist
(Based on the Federal Records Act and NARA guidelines)
- the head of your agency (this applies to federal agencies) makes and preserves records that contain proper documents of the agency regarding its function, policies, procedures, processes and transactions
- the head of your agency (this too applies to federal agencies) establishes and maintains an active, continuing program for the economical and efficient management of the records of your agency
- under your records management program, you have effective control over how these records are created, maintained and used in day-to-day business
- you work together with the Archivist and the GSA Administrators in order to apply standards and procedures to improve your record management, to decide which records should be preserved permanently, and which records have a temporary value and can be destroyed
- you create and maintain usable, reliable and authentic records and keep them in this state during the officially required retention period
- you create and capture all business endeavors of your agency through proper records
- you ensure the records are unaltered throughout the retention periods
- you can provide and disclose records at any time, in any place, and in a format that can be used to conduct agency business
- you follow all legal and regulatory requirements, standards and agency-specific policies
- you protect all your records, regardless of the format they are stored in, in a safe and secure environment
- you remove or destroy the records in line with the records schedule
- you have a records program in place that allows for the continuity of operations
- there is a person in your agency tasked to coordinate and oversee the implementation of the records management program
- you adopt directives that clearly set objectives and responsibilities for creation, maintenance, and removal of agency records; these directives need to be disseminated throughout the agency, and you also need to send a copy of them to NARA
- there are clearly defined responsibilities in each program, such that all your recordkeeping requirements and practices are integrated into the agency’s everyday programs, processes, systems and procedures
- you’ve integrated records management and archival requirements when designing, developing and implementing your electronic information system (archive)
- you and your fellow employees have access to the advice and training on your responsibilities in terms of your records management
- you develop records schedules for all the records that your agency created and received, with prior approval from NARA
- you abide by the applicable policies, procedures and standards governing records management and recordkeeping that the Office of Management and Budget, NARA, GSA, and other agencies issue, where they apply to your agency
- you make sure that all your records, in all their formats are properly organized, classified or indexed, and described, and that all appropriate staff in the agency can access them
- you carry out formal evaluations to check how effective your records management programs and practices are, and you make sure they are in line with NARA guidelines
Chapter 2. NARA Email Management Checklist
In addition to the requirements from Chapter 1, NARA has published a set of special policies that you as an agency need to follow in terms of how you manage your emails.
Follow this checklist to see how successful you are when it comes to email management in your agency:
- the system you use to manage emails in your agency can preserve the content, context and structure of emails
- the system you use to manage emails in your agency can protect these emails from unauthorized loss and destruction
- the system you use to manage emails in your agency ensures all your emails are discoverable, retrievable, and usable for the period specified in their retention schedule
- your processes and email management system allow you to manage email records in line with applicable requirements
- in particular, your system lets you manually or automatically dispose of email records using a Capstone-based or content-based record schedule
- your agency’s policies and training programs make it clear to staff how they need to manage email records
- your policies teach staff how to differentiate permanent, temporary, transitory, and non-record email messages
- your policies teach staff how to handle email messages containing classified national security information
- your policies teach staff how to deal with email messages created on non-official or personal electronic messaging accounts
- your agency has identified appropriate retention periods for email records
- you have introduced policies and systems to support the disposition of these emails as specified in an approved records schedule
What follows is a list of questions by the United States Archivist, David S. Ferriero, which is part of the Criteria for Managing Email Records in Compliance with the Managing Government Records Directive (M-12-18).
These questions refer in particular to the system, access, and policy requirements, and will also help you determine how aligned you are with NARA in terms of email records management and the email archiving system you use:
- What systems does your agency use to store and manage email messages?
- Who in your agency has the ultimate responsibility for the systems that manage email, how email is accessed, and how disposition is carried out?
- Does your agency manage email outside of the originating system in a dedicated records management system?
- Does your agency’s email system maintain the content, context, and structure of the records?
- Can your agency associate email records with the creator, their role, and their agency?
- Does your system retain the components of email messages identified in RFC 5322 including labels that identify each part of the header, the message content, and any attachments?
- Are departing employees’ email records preserved in accordance with NARA-approved disposition schedules?
- If your agency’s email system supports the use of codes or nicknames, or identifies addresses only by the name of a distribution list, can you provide the intelligent or full names of the sender and addressee(s) with the transfer-level documentation?
- Can email be migrated from one system to another or to an email archiving application to ensure consistent access?
- Does your agency use email systems to transmit classified information?
- Has your agency developed, disseminated, and implemented an approved email management policy throughout the agency?
- Who are the relevant stakeholders involved in the policy creation process in your agency (for example CIO, Records Management, IT, and General Counsel)?
- Does your agency have a NARA-approved disposition schedule in place that applies to email that are Federal records?
- Does your agency have policies and procedures in place to access emails in response to all information requests?
- Does your agency have policies and procedures in place to protect against unintended loss?
- Does your agency perform periodic reviews of records management policies with all relevant stakeholders?
- Does your agency perform periodic audits to make sure employees are in compliance with records management laws, regulations, and policies?
- Does your agency have the policies, technological means, and procedures to place legal holds on email records or accounts?
- Does your agency have policies in place regarding the use of personal or nonofficial email accounts?
- Have you trained all account holders on the requirement to copy or forward to official accounts Federal records created, received, or transmitted in personal or non-official email accounts?
- Does your agency comply with the requirements for managing security classified information in email accounts and systems?
- Can your agency use, retrieve, and interpret email records throughout the entire NARA-approved retention period?
- Is your agency able to access email from current and departed employees?
- If your agency uses digital signature or encryption technology, is email usable and retrievable across the lifecycle?
- If emails are stored on local or removable media, are they retrieved and searched when responding to an information request?
- Is your agency able to perform a federated search across multiple email accounts or multiple systems to find emails needed for agency business?
- Is your agency able to prevent unauthorized access, modification, or destruction of email records?
Chapter 3. FOIA
The Freedom of Information Act (FOIA) grants citizens the right to make requests for federal agency records.
Note that FOIA applies only to federal agencies. In case you’re from a state agency, it’s best you consult the regulations in your own state.
FOIA Compliance Checklist
- you must make available all records, including records in electronic format, such as email, instant messaging, and social media
- you must reply to a FOIA request that was sent in writing within 20 business days.* However, this means that you only need to reply to the request, not provide the records. This deadline can be extended in several cases:
  - these records are not located on your premises
  - you need extensive efforts to find them
  - you need to compile a large number of documents
- in case you think that someone is requesting information that is private, you have a right to deny the request
- you need to publish in the Federal Register the procedural regulations that govern access to your data under the FOIA
- once you receive a proper FOIA request, you need to carry out a search in such a way that you uncover all relevant documents, either by manually or automatically reviewing the records
- once you find the records that refer to the FOIA request, you need to determine whether those records originated with another agency and consult with that agency
- you need to provide the requested record in the format/form requested by the person, provided of course that you can readily reproduce it in that form
Chapter 4. Federal Rules of Civil Procedure
The purpose of the Federal Rules of Civil Procedure is to safeguard the civil proceedings across the United States district courts.
These Rules ensure there is a “just, speedy, and inexpensive determination of every action and proceeding”, by prescribing requirements for retention and disclosure of data, including email management, ESI, network logs, and all other documents stored in a virtual format.
While you should follow the rules that safeguard the privacy of personal information, there are cases where you need to disclose information even in the absence of a formal discovery request.
- you must disclose the name, the address and phone number (if available) of the person that might have information, as well as the subject matter of that information, that would help the person involved in a civil procedure support its claim or defenses (but not if it would be used only for impeachment)
- you must disclose a copy of all documents and electronically stored information that would, again, help the person involved in a civil procedure support its claim or defenses
- you need to allow the inspection and copying of any insurance agreements based on which liability can be established in the procedure
- you have 14 days to disclose the records, though this deadline can be changed by a court decision
- you will need to make the initial disclosure within the 14-day deadline, or the deadline set by a court, even if you haven’t had enough time to fully investigate the case or you think the request isn’t sufficient
- in case you’re using a witness in the procedure or at a trial, you need to disclose available information to other parties. Here, check the full list of information you need to disclose, depending on whether you invite an expert witness or not: Disclosure of Expert Testimony
- you need to submit additional information to the records you’ve previously disclosed in case you learn that some of those records are incomplete or incorrect
*Please note that the requirements above don’t include the exemptions prescribed by Rule 26(a)(1)(B) and don’t supersede any court orders.
Chapter 5. Government Compliance Software Requirements
Now that we’ve had a look at the key legislation on record management in federal and state agencies you need to comply with, let’s turn to the features your software should offer to help you ensure full compliance.
Your task is to meet requirements regarding monitoring, capturing, storing, archiving, and retrieving records, which are produced in a variety of formats.
On average, you need to be able to capture, monitor and store email, images, voice messages, text messages and much more.
This can be a daunting task, especially if you receive a large number of requests.
Before you start looking for record management compliance software, however, you should understand the needs and obligations that your archiving system needs to support.
Without understanding what you need to archive and preserve, no software will be a good match, as you won’t know how to implement it to the full potential. And, you might miss some of the essential information that you’re required to retain.
So, here are the crucial functionalities your data management system should have, alongside the benefits each of these functionalities provides.
Compliance Software Checklist
- you can capture, monitor, and archive numerous formats of electronic communication
- you can find and retrieve information fast (this will help you answer FOIA and eDiscovery requests on time)
- you can use your archiver to ensure zero evidence spoliation (if there is a civil procedure, you need to ensure that data is intact)
- your software supports data backup (this helps you preserve all important information)
- you can use your software to set custom policies, rules, and roles (this helps you keep all your staff aware of regulations and you will reduce the chances of unwanted data removal)
- your software doesn’t put much pressure on your storage space (you need to be able to save millions of emails, texts, voice messages, images, and other unstructured data)
- your software has deduplication capacities (by preserving a single copy of your records, you save up space for more information to be stored)
If you need a quick guide, grab a PDF of these checklists as they might come in handy as you work on ensuring compliance in your agency.