Compliance systems: At your service?

The Freedom of Information Act is now in full force and public bodies must respond promptly to requests. However, a public sector...

New Asset  

The Freedom of Information Act is now in full force and public bodies must respond promptly to requests. However, a public sector survey has shown that the majority of bodies cannot yet provide full data retrieval. Arif Mohamed looks at the systems required


The introduction of the Freedom of Information Act 2000 has made many public sector organisations look afresh at their data strategies. For many, achieving compliance with information legislation has been a challenge that has stretched both their financial and IT resources.

A number of data storage and management technologies are available to address the requirements of the new law. Many of these build on the existing systems that organisations put into place to meet the requirements of the 1998 Data Protection Act.

However, the Freedom of Information Act, which came into force on 1 January, created additional work, to the extent that many public bodies entered the new year with systems that were not compliant with the legislation. In a survey before Christmas of 100 public sector IT executives, largely drawn from local government, 78% of respondents said they believed their organisations would not be able to fully comply with the act by the 1 January deadline.

Updating the relevant IT systems can involve high levels of spending in areas such as document management and information lifecycle management. The typical cost of a document management system in the public sector in 2002 was estimated at between £80,000 and £500,000.

Andrea Simmons, principal consultant at public sector IT managers association Socitm, says that in practice local authorities have been too busy complying with other government initiatives to think about the act. "Many organisations have invested in customer relationship management systems to comply with other legislation, and there will be some attempts to harness these for storage and retrieval purposes," she says.

She adds that a lot of money has been spent in the past on document management systems such as Microsoft Sharepoint, and there came a realisation last April that such systems were not suitable for freedom of information requirements. She says councils have had to do a lot of backpedalling and trying to retrofit existing document management and CRM systems to meet data requirements.

The secret remains good information management. Public organisations do have good CRM, e-mail and storage, but it is tying it together coherently that is the key. "The mistake was to develop all the past strategies in silos, plus there was no government money to help," Simmons says.

Many organisations are spending on record management systems this year, and a lot of work is being done across the board to implement these.

"At the start of January, issues were already emerging," says Simmons. "We are already seeing the need for full-blown document management and record management systems that cover content, finance and logic systems, which can help to pull information out more easily."

Simmons says there is a need for knowledge management systems in some cases, as people have different interactions with external bodies and hold useful public information that has not been pooled.

Some of the content management and storage strategies being employed by public sector IT directors to comply with the act include digitising documents, using electronic tags and barcodes, and working with content management firms such as Interwoven, Open Text and EMC-owned Documentum.

Jim Murphy, senior analyst at AMR Research, says the options to help companies adhere to the act include document capture (also known as scanning and imaging) and optical character recognition (OCR), search and discovery, and access and retrieval.

Adobe Acrobat and Microsoft Sharepoint and Infopath are good options and have better security and document lifecycle management features than ever before, he says. "Electronic forms are much better than having to scan paper forms, and save rekeying words. US government organisations use Adobe, as do some high-volume institutions."

He adds, "There is always the move towards the paperless office, but public organisations often need an ink signature to cater for the common denominator. OCR tends to be an inefficient and imprecise way to capture information."

There are some high-end document capture products from companies such as Captiva, Cofax and Optika, owned by Stellent, which can identify and capture unstructured data on contracts and paper forms.

Newham Council in London is one organisation that has chosen to build on document management systems already used in its CRM system. Working with document management supplier Anite, the council is building keyword tagging and categorisation into its documents so that they can be filed and retrieved efficiently.

Richard Steel, Newham's head of IT, says the council has adopted the 80/20 method in terms of scanning and digitising old council records. This means it plans to create electronic records that should answer about four out of five requests for information. So, for example, with planning records going back to 1948, if it digitised all records from 1979, this should deal with 80% of requests electronically, says Steel. The council has so far invested about £300,000 in systems associated with the Freedom of Information Act.

Another option is to use a larger content management system. Content management supplier Open Text is currently in talks with a number of local authorities and a police force about using its platform to meet the requirements of the act. Organisations using products from Open Text include the Central Office of Information, Thames Valley Police, the Transport Research Laboratory, the Prime Minister's Office and the Cabinet Office.

"Electronic document and records management systems should play a central role in the overall strategy," says a spokesman for Open Text, but adds, "Open Text believes that technology alone will not ensure that organisations meet the requirements of the act. Technology needs to be combined with an overall programme to address cultural change, training and process re-engineering."

South Yorkshire Police has taken a different approach, implementing an information lifecycle management programme that it estimates will cut its IT costs by £1.1m by 2006.

The force uses network attached storage, based on EMC's NS700 high-performance integrated Nas device. It uses EMC's Legato Replistor to replicate and centralise remote site data in real-time. To extend this for freedom of information purposes, South Yorkshire Police is deploying an EMC Centera content addressed storage system, with Legato Emailxtender to automatically collect, organise, retain and retrieve e-mails. EMC Legato Diskxtender automatically moves data from primary storage to secondary storage, while maintaining transparent access.

Roy France, IT manager at South Yorkshire Police, says the system will help store e-mails and other data for extended periods. "Everything the force does is concentrated on the fast, continual retrieval of information, and we need to be certain that information is always available year after year.

"We are continually tasked to deliver best-value IT, so it makes sense to move older information to different online storage media that still provide the right levels of protection, replication and recovery at the lowest possible cost."

Finally, one other strategy is to use barcodes to tag individual documents for tracking purposes. This strategy is being used by Portsmouth Council, which worked with software developer Metastorm to create a system that allows the council to track freedom of information requests as they progress.

Portsmouth's system monitors any work done on the requests, and the person responsible, and creates tags on electronically held information. It can also check whether fees are payable for the work. Such a system is necessary because of the broad range of requests that councils can expect and the complexity of the work, says Bob France, head of IT at Portsmouth Council, who is in charge of the Portsmouth's Freedom of Information Act programme.

Murphy says there are many ways to ensure your organisation is compliant with the Freedom of Information Act. "Thirty years ago, imaging systems that captured paper documents had a strong base in financial and insurance companies, but were not very good at organising documents by content. Things have changed since then, with companies such as Microsoft putting low-level document management and forms management capability into their products."

Software issues arising from the Act

Electronic document and records management
Many public authorities are using the introduction of the Freedom of Information Act as chance to put in place document management and archiving systems, which are clearly an IT issue. If document management and/or archiving systems are already in place, there may still be a requirement for upgrading and/or fine-tuning to support data requirements.

Internal communications – e-mail and intranets
Public sector bodies are making available electronic means to publish their information policy and to obtain proof that the policy has been communicated.

Record and document cleansing facilities
Under the act, if a document or record (regardless of whether it is electronic or paper) contains exempt information as well as information that can be released, the document or record will have to be provided with the exempt parts removed.
Authorities that are used to dealing with sensitive information are likely to have guarded against accidental release of confidential data already. Nevertheless, this area requires close attention, given the kinds of accidents that continue to happen in connection with official document releases (eg deleted parts of a Word document becoming visible if the “track changes” function is activated, or revision histories reveal sensitive names).

Security and access rights
Most of this is likely to be in place already as part of an organisation’s standard security and access policies. But some additional work may be required to ensure that staff who deal with access requests only provide documents that are approved for release.

Audit trails
In addition to having workflow elements that can deal with individual requests for information , there may be a requirement to ensure that an audit trail is kept of how the request was dealt with, should questions be asked at a
later point.

Source: Martha Bennett, Forrester Research

The Freedom of Information Act in a nutshell

The Freedom of Information Act provides any member of the public with a general right of access to information held by public authorities. Organisations must deal with requests promptly, providing the information within 20 working days.

The organisation needs to prove it has a document, can retrieve it, and can verify when it was sent, and must manage information properly, preserving all important records.

Information defined as anything held in a recorded form, and can include paper files, loose papers, e-mails, electronic documents, photos, plans, maps, CCTV, video tapes, audio tapes and voice mails.

Read more on IT governance