Wednesday, September 26, 2018

Avoiding FOIA Fiascos
By: Jeffrey W. Bennett, SFPC, SAPPC, ISOC, ISP
When writing, reviewing or approviding classified or unclassified technical documents, keep in mind that even unclassified technical information should be scrutinized for protection under the Freedom of Inforamtion Act (FOIA). What this means is that if someone needs Government information that is not readily available, one option is for them to submit a FOIA request. Even unclassified documents may have technical information that should be identifified and as necessary, protected from public release. This information includes technical date, controlled unclassified information, personal identifiable information, and should be portioned marked as such. UNCLASSIFIED//FOR OFFICIAL USE ONLY or FOUO is a reasonable way to protect information from release under a FOIA request.
Here's why:
There are many reasons for submitting a FOIA request to include conducting research, writing a book, curiosity, advancing a theory, developing a project, and etc. Regardless of the reason, anyone can submit a request. Once a request has been submitted, the government is required provide the information unless it falls into the exemptions designed to ensure the protection privacy, national security, and law enforcement. The government program office is primarily charged with the reviews, but unless the contractor marks information properly, they may not understand what might be sensitive and should not be released.
Again, anyone can request that the U.S. Government release information. A non U.S. citizen has the right to request and receive the information as much as a U.S. citizen does. It is up to the Federal agency to identify and protect any information that meet the exemption criteria. For national security concerns, this is usually accomplished by the federal agency using a security classification (CONFIDENTIAL, SECRET, TOP SECRET), For Official Use Only, or other designation to protect information falling under one or more exemptions.
We'll explain how this works so that you can be better prepared to identify and exempt sensitive unclassified information from public release.
Here's how it works:
The first step to take when requesting information is to determine if the information is already available. This can be easily accomplished by visiting and conducting a search for available information. If the information requested is already available, it can be use by the potential requester. If the information is not there or incomplete, the requester should begin the request process.
The next step should be to determine which federal agency owns the information being sought. Even if the requestor cannot determine which agency owns the information, they may still be able to provide enough information for someone to refer the request to the appropriate agency.
Next, they submit the FOIA request in writing and with a description of the information desired. The requestor can submit the request via a web from, email or fax and the submission information is available at the listed FOIA website. There are even “how to” and descriptive FOIA request videos that informs of the request process. The requestor should specify how they would prefer to receive the information such as printed or electronic. If available the agency will provide the information in the format that it already exists. 
Once the request is received and processed the agency should send an acknowledgement of receipt and a tracking number. They may contact the requester to seek additional information or if they have enough information, go ahead and provide requested information. Any information that falls under any exemption will not be provided. Those performing the function of reviewing information may mark out or remove protected information from the final product.
What you can do:
1.  Develop a program to identify sensitive information that is either protected under Controll Unclassified Information, Personal Identifyable Information (PII), International Traffic in Arms Regulation (ITAR),  Export Administration Regulations (EAR), or other guidance.
2.  Document and publish (protect the publication) the identified information so that those performing on contracts understand what is protected can refer to the publication.
3. Consult the security classification guide specific to the program for additional guidance.
4. Mark all work products correctly to prevent public release where appropriate.
4. Develop a document review team to validate markings and approve the marking.
Each agency is responsible for reviewing the request for the information under its cognizance and each agency has its own internal review process. However, they do not have the leisure of reading minds or intent to understand what should be protected. All they have is the request and the document and their own internal process and guidelines. It's up to the document source to indicate what should be protected. Those producing sensitive unclassified information can further protect it by identifying it up front and marking it correctly so that the agency can understand what should be exempt from release. If the receiving agency has little context or ability to contact the document's source, they may err on the side of releasing the information. 

No comments: