23AO:0005
Date: September 21, 2023
SUBJECT: Limits on electronic records requests
This opinion is in response to a policy question raised with the Iowa Public Information Board (IPIB) concerning the cybersecurity protections and Chapter 22. Advisory opinions may be adopted by the board pursuant to Iowa Code section 23.6(3) and Rule 497–1.2(2): “[t]he board may on its own motion issue opinions without receiving a formal request.” We note at the outset that IPIB’s jurisdiction is limited to the application of Iowa Code chapters 21, 22, and 23, and rules in Iowa Administrative Code chapter 497. Advice in a Board opinion, if followed, constitutes a defense to a subsequent complaint based on the same facts and circumstances.
QUESTION POSED:
What limits can government entities place on electronic records requests to address cyber security concerns?
OPINION:
Cyber security importance
Governmental entities have increasingly become the targets of cyber security attacks in recent years. See, e.g. U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency, PROTECTING OUR FUTURE: PARTNERING TO SAFEGUARD K–12 ORGANIZATIONS FROM CYBERSECURITY THREATS, January 2023, https://www.cisa.gov/sites/default/files/2023-01/K-12report_FINAL_V2_508c_0.pdf (last accessed August 31, 2023) (“Increasingly, school or school district systems have been breached, with data deleted, misused, or even held for ransom. This trend has continued throughout 2022, and leaders across the K–12 community are coming to recognize that no school, district, or organization is immune from cyber intrusions.”). With the frequency and sophistication of attacks continuing to rise, it is imperative that governmental entities remain vigilant in assessing and remediating vulnerabilities in their networks, computer systems, and processes.
Criminals often breach an organization’s cyber security through the use of malicious email links and attachments. U.S. Department of Homeland Security, Malware Tip Card, https://www.cisa.gov/sites/default/files/publications/Malware_1.pdf (last accessed August 31, 2023) (“When in doubt, throw it out: Links in emails and online posts are often the way criminals compromise your computer. If it looks suspicious, even if you know the source, it’s best to delete it.”). The ubiquity and frequency of email communication makes it a particularly effective and vulnerable point of access for cyber attackers to exploit.
Under chapter 22 of the Iowa Code, governmental entities must be responsive to requests for public records. These requests may be made “in person . . . , in writing, by telephone, or by electronic means.” Iowa Code § 22.4. The vast majority of public records requests today are submitted electronically, via email.
Despite the apparent tension between governmental entities’ need to protect against cyber-attacks while remaining accessible and responsive to public records requests, best practices and policies exist that, if utilized, will allow government entities of all sizes to safely respond to electronic records requests. The purpose of this advisory opinion is to assist government entities in implementing these practices and policies, which include placing reasonable restrictions on electronic records requests under Iowa Code chapter 22. Additionally, this opinion seeks to educate the public on best practices to better communicate electronic records requests.
Public Records Requests
Under Iowa Code § 22.4(2), individuals may request records “[i]n writing, by telephone, or by electronic means.” In addition, individuals may request records in person during the customary hours the government entity is open and available.
By their nature, requests made in person, by telephone, or in writing have built in protections for government entities. An individual can make a request in person when the government is regularly open for business. A telephone call can be answered during regular hours or a message can be left on voice mail. The number of ways a request can be made electronically, however, continues to expand and can create hidden risks to government entities’ computer systems that do not exist in the other delivery mechanisms. The level of risk in accepting electronic communications from unknown and potentially anonymous sources is too great to require that government entities be forced to do so without limitation.
While Iowa Code chapter 22 does not allow government entities to require that individuals make records requests through one communication method versus another, government entities are allowed to place reasonable restrictions on how electronic records requests are received to ensure electronic messages are free from malware or other cyber security risks. Placing reasonable restrictions on the form of an electronic request still allows requesters the option of making requests through any desired communication method under the statute. No entity can prohibit individuals from making a request in person, through writing, by telephone, or by electronic means.
Records Request Best Practices
In whatever format a records request is made, it is important to ensure that the request is made clearly and as concisely as possible. The request should clearly state that records are being sought. It should include the type of document sought, including any information that can help to better identify the records, such as the name of the individual or group involved in creating the document; the date it was presented or created; and any other identifying information that will help the custodian to properly identify and locate the document. Broad requests can be time-consuming and expensive--the more specific the request is, the more likely the records can be located quickly and efficiently.
In some instances, requesters may have only limited knowledge of the types of records the government entity has and may not be able to describe precisely the records they seek. The records custodian should appropriately assist a requester to clarify their request when feasible. In general, there is no requirement that the requester give the reason for a request or identify themselves, however, providing some information about the reason for the request can be helpful in identifying the record or if the actual costs of compiling a broad request are a concern, the information could assist in appropriately limiting the scope of the request.
While there is not a requirement under Iowa Code chapter 22 to post public records on a website, providing access to public documents, such as minutes, budgets, agendas, ordinances, etc. that are frequently requested or useful can reduce the burden on both the government entity and the requester. Iowa Code § 22.3(1) encourages government entities “to provide the public record requested at no cost other than copying costs for a record which takes less than thirty minutes to produce.”
Upon receipt of a request for a copy of a public record, the lawful custodian should promptly acknowledge the request. (Promptly means using reasonable, good-faith efforts to respond taking into account the circumstances as they exist at the time the request was received.) The custodian should provide an approximate date by which an estimate for any reasonable expenses and the release of a copy of the public record or a response to the request will be provided. The custodian should also continue to communicate with the requester and inform them of any expected delay.
Email Requests, Generally
Electronic requests sent through email to the records custodian should include the specific request within the body of the email. There is no reason a request needs to be sent in an attachment or through a link. The email request provides written notice of the request and also includes the date and time when it was sent, so there is a documented record of the request. Including links or attachments to email increases the risk that the message may be automatically routed to a “spam” folder or quarantine filters to address cyber security and phishing concerns. Requesters should provide the request in a format that enables the government entity to receive and respond to the request.
Government entities should request the sender resubmit the request in the body of the email if requests are received that have attachments or other extraneous information. Like all requests, government entities should provide acknowledgement of the request and responses regarding the records and fees.
Request Portals and online forms
Some government entities have developed or are considering developing an online portal that allows records requests to quickly and easily be submitted and sent to the appropriate records custodian.
“[O]nline public record requests portals can save time and money and increase efficiency and responsiveness to request, process and disseminate public records.” National Freedom of Information Coalition, Portal to Compliance: A Qualitative Analysis of Online Public Record Request Services in Major U.S. Cities, September 2019, https://www.nfoic.org/wp-content/uploads/pages/2019-09/NFOIC%20Portal%20to%20Compliance.pdf (last accessed 08/30/2023).
Online forms that generate an email to the custodian of a government entity are slightly less sophisticated than an online portal, but just as effective at allowing individuals to contact a government entity quickly and easily to make an electronic, written records request.
Providing a portal or online request form is an appropriate and safe way to allow for electronic requests to be submitted. It will be important that the portal or form system provide requesters a copy of their request including when and to whom it was submitted. Acknowledgment of the request and other appropriate follow up information and documents should be provided as well. If a records request is such that fees are charged, communication about how the fees can be paid, including whether they can be handled through the portal, should be clearly communicated.
Summary
Iowa Code § 22.4(2) requires that individuals have the option to submit requests in person, by telephone, in writing, and by electronic means. Government entities have the ability to put reasonable restrictions on how electronic requests are received. These restrictions should be uniformly enforced. Individuals requesting records need to follow the restrictions or choose another method of communicating their request. Information should be provided for how and to whom individuals can submit their request if they choose to not utilize the electronic methods as outlined.
BY DIRECTION AND VOTE OF THE BOARD:
Daniel Breitbarth
Joan Corbin
E.J. Giovannetti
Barry Lindahl
Joel McCrea
Monica McHugh
Julie Pottorff
Jackie Schmillen
SUBMITTED BY:
Erika Eckley, J.D.
Executive Director
Iowa Public Information Board
ISSUED ON:
September 21, 2023
Pursuant to Iowa Administrative Rule 497-1.3(3), a person who has received a board opinion may, within 30 days after the issuance of the opinion, request modification or reconsideration of the opinion. A request for modification or reconsideration shall be deemed denied unless the board acts upon the request within 60 days of receipt of the request. The IPIB may take up modification or reconsideration of an advisory opinion on its own motion within 30 days after the issuance of an opinion.
Pursuant to Iowa Administrative Rule 497-1.3(5), a person who has received a board opinion or advice may petition for a declaratory order pursuant to Iowa Code section 17A.9. The IPIB may refuse to issue a declaratory order to a person who has previously received a board opinion on the same question, unless the requestor demonstrates a significant change in circumstances from those in the board opinion.