The Supreme Court of the State of Washington recently found that the metadata embedded in a document maintained by a public office is, itself, a public record required to be disclosed under the Washington State Public Records Act (PRA).1 Further, the court concluded that the city (the producing party) was required to search the personal computer of an employee for responsive documents that may be public records under the PRA. If followed by other states, federal courts or regulators, this opinion may expand the scope of information required to be retained and produced as part of a litigation or investigation.
Expanding the definition of a record under any statute or regulation can have a dramatic impact on the compliance burdens of organizations, particularly as management of electronic information grows increasingly complex. As a result, broad generalizations about metadata may be problematic. Moreover, including metadata (i.e., information about a document) as part of the definition of a record may undermine the use of archives for compliance purposes because many systems do not retain certain properties. For example, email archives generally do not store metadata about user actions on individual emails.
The fact that documents on an employee’s personal computer or device may be responsive to a request issued to an employer (as opposed to a subpoena directed at the employee) also raises concerns. These concerns include how to achieve effective enforcement of policies on such records while protecting any employee privacy rights. Careful consideration of this emerging area of law is important when devising or reviewing relevant record retention polices and procedures, or when responding to document requests.
Facts of O’Neill
In O’Neill v. City of Shoreline,2 the court was asked to review whether, upon request, an agency is required to release the metadata associated with a public record that it was required to disclose. The facts of O’Neill concern an email exchange between two private citizens, containing criticism of the Shoreline City Council (Council), which was eventually forwarded to Shoreline Deputy Mayor Maggie Fimia and others. The email address of only one of the private citizens appeared as a recipient—the other private citizens were blind copied. At a meeting of the Council, the Deputy Mayor accused the Council of improper conduct, and asserted that Beth O’Neill and another Council employee had sent the original email.
O’Neill denied authoring the email and made an oral request for it. The Deputy Mayor forwarded the email to her own personal email account, removing information regarding the original emails. That email was eventually produced to O’Neill. O’Neill then requested a copy of the unaltered email, which was eventually produced in hard copy format. Still unsatisfied, O’Neill requested the metadata associated with the original email that was received by the Deputy Mayor. However, the city of Shoreline (City) was unable to provide O’Neill with the metadata associated with that specific email because the Deputy Mayor inadvertently deleted the email from her employer-issued computer and email account.
O’Neill and her husband brought suit under the PRA. The trial court dismissed the suit, and the court of appeals reversed, finding that metadata must be disclosed under the PRA. It further found that the City did not supply O’Neill with the specific public record that she had requested.
In upholding the ruling of the court of appeals, the supreme court started its analysis with the definition of a public record, which “includes any writing containing information relating to the conduct of government or the performance of any governmental or proprietary function prepared, owned, used or retained by any state or local agency regardless of physical form or characteristics” and concluded that the definition was very broad.
The court next looked at Lake v. City of Phoenix, the only other case that has addressed a similar issue.3 In that case, the Arizona Supreme Court concluded that metadata is part of a document, so when an agency maintains a document in electronic format, the embedded metadata is also subject to disclosure and must be made available upon request. The Arizona court noted that an agency can minimize the burden associated with the production of metadata by making a document maintained in electronic format available in its native format.
Finally, the Washington Supreme Court looked to the purpose of the PRA, which is “to ensure that the public maintains control over their government,” and concluded that the public is entitled to the embedded metadata that was part of the public record. Notably, the court clarified that a government agency will not always be required to produce metadata. Rather, it is required to maintain the metadata, and to make it available upon request.
The court also found that where the relevant metadata was not available from an agency computer, but may be available on the home computer of an agency employee, that agency was required to search the employee’s personal hard drive. In reaching its conclusion, the court focused on the fact that the City was aware that the Deputy Mayor used her home computer for City business.
The US Securities and Exchange Commission (SEC) has recently reached a similar conclusion regarding the obligation to search an employee’s personal hard drive and email accounts in In the Matter of vFinance Investments, Inc.4 There, the SEC concluded that vFinance violated its recordkeeping obligations in part because it knew that one of its employees (an independent contractor) used a personal computer and personal email addresses for work related purposes, but failed to implement steps to ensure that all work related communications were preserved in violation of Exchange Act Section 17(a) and Rule 17a-4(b)(4) promulgated thereunder, and produced in response to a request from the SEC.5
Although the Lake and O’Neill cases address the concept of a “public record,” the reasoning of the two courts and the status of metadata may be relevant to any organization that is subject to statutory or regulatory requirements for records retention. These holdings may be particularly relevant when responding to civil investigatory requests from government and regulatory bodies.
These cases also demonstrate a willingness by courts to find that “personal” devices are not shielded from discovery or from regulatory and statutory record retention requirements if used in connection with business activity. This may have a significant impact for entities under an obligation to implement procedures to retain electronically stored information on devices that are not in the custody and control of the organization. Organizations must remain aware of the ways in which their employees are using technology, regardless of company policy, and must be prepared to preserve, collect and produce relevant information from all potential sources in response to a request.