Comments on HF 1185 Keith Carlson, Minnesota Inter-County Association if, Minnesota Inter-County Association Data Practices and Records Retention Are Two Distinct But Related Things - By law, Records Retention requires the preservation all records necessary for a full and accurate knowledge of their official activities Records Retention policies or schedule approved by Records Disposition Panel Counties General Records Retention Schedule without updates is 191 pages long Data practices applies to all data in government entity?s possession. Policies beyond those in official records retention schedule are dictated by: Business processes Litigation holds Legal requirements Electronic records or e-mail retention policies Minnesota Inter-County Association 2 HF 1185 goes beyond above by requiring retention ofa_ll records, not just records necessary to preserve a full and accurate knowledge of official activities. requiring that all ?correspondence? including electronic text-based communication be retained for three years Minnesota Inter-County Association Retention of all records creates a logistical nightmare - because ?correspondence? to be retained would include Post It notes and other transitory pieces of paper ?correspondence? and - text message or transcribed voice mail messages that never touch current government computer networks would somehow have to be captured and retained. This raises substantial personal privacy issues for our staff Many counties do not own employees? smart phones but reimburse employees for business use of their personal phones. There is no way to distinguish between personal texts and business?related texts that would have to be captured and retained. Minnesota Inter-County Association 4 Substantially broadening the scope of records to be retained is not easy Private sector record/e-mail retention software not a solution because Its focus is on litigation holds where complete records wrthout redaction must be provided to litigants during discovery Gov?t. data practices requests are completely different because: any records retained must be reviewed and not public data redacted before being turned over (review and redaction is a manual process that requires the talents of knowledgeable staff usually attorneys, and multiple lines of business that stretch across multiple systems (several shared with the state). Private sector entities particularly smaller ones will only have one system Minnesota Inter-County Association 5 Substantially broadening the scope of records to be retained is not easy (continued) Requirement that any written or electronic text-based communication be retained breaks with current practice that it is the content, not the medium, that dictates whether a communication be retained or not. Current law requires e-mail be retained if it is an official record Minnesota Inter-County Association 6 Substantially broadening the scope of records to be retained is not easy (continued) Even though retention cost are a problem cloud-based solutions heighten risk of hacking/illegal disclosure), review and redaction is by far the larger problem Minnesota Inter?County Assocnation HF 1185 substantially increases volume of data subject to data practices requests increasing amount of data needed to be searched, much less reviewed and redacted Just to search all e-mails on Hennepin County system with 209 million e-mails retained under current law to find e-mails responsive to the Webster request was estimated to take 29 days using separate computer forensic software. That does not begin to account for time and costs to review and redact not public data - By way of comparison, request to Legislative Auditor for all correspondence relating to two investigations that generated 140 documents or e-mails took their staff over 4 hours. No data was redacted. 8 With increase in volume of records that must be retained the chance for disclosure of not public data goes up - Hennepin County in responding to one data practices request that resulted in the release of 8,000 e-mails accidentally released not public data. They have full time staff dedicated to data practices requests/management Most local governments do not, increasing risk of disclosure of not public data with increases in volume of data that must be reviewed and redacted Government entities and their employees are civilly and criminally liable for such releases 9 Even the Court of Appeals Recognized the Challenges Posed by Data Practices Request Under Current law In their decision on Webster, they said, ?We are cognizant that the nature of government data has evolved and expanded in recent decades. It may be that the time is right for a reassessment of competing rights to data within the context of effective government operation. It may also be that the proposed exception (for extraordinarily burdensome requests) reflects sound public policy. But when it comes to public-policy considerations, the task of extending existing law falls to the legislature or the supreme court, and not to this court.? Minnesota Inter?County Association 10