Keeping the Verbatim Record Secure in the Digital Age
11 years ago, the Illinois General Assembly amended the Open Meetings Act to require public bodies to keep a "verbatim record" of their closed sessions. The record could take the form of an audio or video recording (I would love to hear from any Illinois public body that does the latter). The closed session recording must be retained for 18 months, and can then be destroyed so long as the public body has approved written minutes for the closed session.
While controversial at the time, the bill has not created a lot of legal issues for public bodies. Most have adopted policies for regular destruction of the recordings after 18 months, and have procedures in place to make sure the recordings are kept secure and confidential, as provided under the OMA.
So, why a blog post about this law now? Recently, I attended a breakfast meeting where a question came up about the security of these recordings. It used to be pretty easy to keep the records secure - the clerk, secretary, or other designated government employee would tape the meeting, and then lock up the tapes for 18 months until they could be destroyed. That practice was pretty commonplace and worked well for a time, at least until government bodies began replacing their "tape" recorders with digital recording devices. Now that there are no tapes to lock up, the following question arises - how do we secure these digital records?
There may be little security risk where the digital recording remains on the device because the device itself is capable of being secured. But, what if the digital recording is saved on a computer network or server? That creates the potential for access by someone other than the authorized keeper of the recordings. Even if the keeper of the recording simply uses the computer as a "pass-through" to save the digital recording on a flash drive that is then secured like the tapes used to be, that digital recording has probably been archived on the computer's network or server. While password protection on the file or file folder can provide some security, the file could still be vulnerable to a hacker, cyber attack, or even a disgruntled employee with network/server password access (i.e., IT department) who wants to listen to the recording of the closed session that discussed the employee's performance. Even deleting the file after 18 months is not likely to permanently eliminate all traces of the file, as most files are archived on a regular basis and can be retrieved.
At our meeting, we talked about a variety of ways around this potential security issue. One option was to purchase a dedicated computer with no server/network access to use to store these files or as a pass-through to saving the file on a flash drive. The computer and/or the flash drives could then be secured. Another option that was raised was the use of a digital recording device that has the capability of transferring files directly to a flash drive or other storage device without the need for a computer pass-through. There may be other methods of protecting this data, and I'd love to hear from any of my readers who have implemented one of them.
As technology advances, we all have to consider changing past practices to address the unintended consequences. Or, consider buying up all of the mini-cassettes we can find on Amazon.com. I checked, and they are still available, at least for now...
Post Authored by Julie Tappendorf
Post Authored by Julie Tappendorf
0 comments:
Post a Comment