oversight

Freedom of Information Act: Additional Actions Can Strengthen Agency Efforts to Improve Management

Published by the Government Accountability Office on 2012-07-31.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

             United States Government Accountability Office

GAO          Report to the Committee on
             Oversight and Government Reform
             House of Representatives


July 2012
             FREEDOM OF
             INFORMATION ACT
             Additional Actions
             Can Strengthen
             Agency Efforts to
             Improve Management




GAO-12-828
                                                 July 2012

                                                 FREEDOM OF INFORMATION ACT
                                                 Additional Actions Can Strengthen Agency Efforts
                                                 to Improve Management
Highlights of GAO-12-828, a report to the
Committee on Oversight and Government
Reform, House of Representatives




Why GAO Did This Study                           What GAO Found
In March 2009, the Attorney General              The major components of the Departments of Homeland Security, Defense,
issued guidelines that encouraged                Justice, and Health and Human Services have taken a variety of actions to
agencies to release records requested            improve management of their Freedom of Information Act (FOIA) programs. To
under FOIA, improve administration of
their FOIA operations, and ensure                reduce their backlogs of outstanding requests, agencies have taken actions that
timely disclosure of information to the          include regularly reporting to management, mobilizing extra resources, and
public. In light of this guidance, GAO           streamlining procedures for responding to requests. These actions have had
was asked to determine: (1) What                 mixed results. For example, since 2009, 10 of the 16 agency components in
actions have agencies taken to                   GAO’s study succeeded in decreasing their backlogs, 2 had no material change,
manage their FOIA programs,                      and the remaining 4 had larger backlogs. The agencies have also taken actions
including reducing backlogs and use of           to reduce their use of exemptions—provisions of FOIA that allow agencies to
exemptions, pursuant to the Attorney
General’s 2009 FOIA guidelines, and              withhold certain types of information. Agencies’ actions to reduce their use of
what have been the results of these              exemptions included training, reviews, and guidance. While 7 components
actions? (2) What actions have                   reduced the rate at which they applied exemptions, 3 stayed about the same,
agencies taken to make records                   and 6 had an increase.
available to the public by electronic
means, pursuant to the e-FOIA                    The agency components are generally making records available to the public
Amendments of 1996? (3) To what                  online, either in their FOIA libraries (dedicated sections of their websites for
extent have agencies implemented                 FOIA-related records) or elsewhere on their agency websites, as required by
technology to support FOIA                       amendments to the act, referred to as e-FOIA. However, GAO’s review of FOIA
processing?                                      libraries found that records may not be easy for the public to locate when they
To respond to this request, GAO                  are not in a library. Agency components have used a variety of approaches,
analyzed statistics and documents,               including frequent content reviews, to proactively manage their libraries.
reviewed FOIA libraries, and                     However, GAO determined that not all agency components are giving sufficient
conducted interviews with officials at           attention to ensuring that frequently requested records are identified and posted
16 agency components within the
Departments of Homeland Security,                online, which has resulted in sparsely populated FOIA libraries. Without
Defense, Justice, and Health and                 consistent oversight and review of the information posted to FOIA libraries, the
Human Services—the four agencies                 most current agency efforts or decisions may not be reflected and information
that received the most FOIA requests             can be difficult for the public to locate. This can result in increased FOIA
in fiscal year 2010.                             requests, contributing to backlogs and administrative costs.
What GAO Recommends                              The agency components’ implementation of technology capabilities that have
                                                 been identified as best practices for FOIA processing—such as the use of a
GAO is recommending that the four
agencies improve the management of               single tracking system and providing requesters the ability to track the status of
their FOIA programs by ensuring that             requests online—has varied. The agencies that have not yet implemented these
actions are taken to reduce backlogs             capabilities generally intend to do so. In addition, the agencies that GAO studied
and use of exemptions, improve FOIA              use different FOIA processing systems that do not electronically exchange data,
libraries, and implement technology. In          which may necessitate manual exchanges of information among agencies to
written comments on a draft of the               process FOIA requests.
report, the four agencies agreed or
generally agreed with the
recommendations.




View GAO-12-828. For more information,
contact Valerie C. Melvin at (202) 512-6304 or
melvinv@gao.gov.

                                                                                         United States Government Accountability Office
Contents


Letter                                                                                      1
                Background                                                                  3
                Agencies Have Generally Taken Actions to Improve their FOIA
                  Programs, but Results Have Been Mixed                                   13
                Agency Components Generally Make Records Available Online, but
                  Approaches to Posting Frequently Requested Records Vary                 21
                Agency Components Have Implemented Technology to Support
                  FOIA Processing to Varying Degrees                                      29
                Conclusions                                                               34
                Recommendations for Executive Action                                      35
                Agency Comments and Our Evaluation                                        36

Appendix I      Objectives, Scope, and Methodology                                        39



Appendix II     Freedom of Information Act Exemptions                                     43



Appendix III    Comments from the Department of Homeland Security                         44



Appendix IV     Comments from the Department of Defense                                   48



Appendix V      Comments from the Department of Health and Human Services                 51



Appendix VI     Comments from the Department of Justice                                   56



Appendix VII    Comments from the National Archives and Records
                Administration                                                            63



Appendix VIII   GAO Contact and Staff Acknowledgments                                     65




                Page i                   GAO-12-828 Strengthening Agencies’ Management of FOIA
Tables
          Table 1: Agency Information Required to be Posted Online
                   Pursuant to the e-FOIA Amendments                                  22
          Table 2: Detailed View of Agency Components’ Implementation of
                   FOIA Capabilities                                                  29


Figures
          Figure 1: Simplified FOIA Process                                            9
          Figure 2: Disposition of FOIA Requests during Fiscal Year 2011              12
          Figure 3: Number of Backlogged FOIA Requests by Agency
                   Component, 2009-2011 (in thousands)                                16
          Figure 4: Exemption Use by Agency Components from 2009
                   through 2011                                                       20




          Page ii                    GAO-12-828 Strengthening Agencies’ Management of FOIA
Abbreviations

BOP               Federal Bureau of Prisons
CBP               U.S. Customs and Border Protection
CMS               Centers for Medicare and Medicaid Services
DHS               Department of Homeland Security
DHS/Privacy       Department of Homeland Security/Privacy Office
DOD               Department of Defense
e-FOIA            Electronic Freedom of Information Act (amendments)
EOIR              Executive Office for Immigration Review
EPA               Environmental Protection Agency
FBI               Federal Bureau of Investigation
FDA               Food and Drug Administration
FOIA              Freedom of Information Act
HHS               Department of Health and Human Services
HHS/OS            Department of Health and Human Services Office of the
                  Secretary
ICE               Immigration and Customs Enforcement
IT                information technology
Justice           Department of Justice
NARA              National Archives and Records Administration
NIH               National Institutes of Health
OGIS              Office of Government Information Services
OIP               Office of Information Policy
OSD/JS            Office of the Secretary of Defense and Joint Staff
USCIS             U.S. Citizenship and Immigration Services




This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.




Page iii                         GAO-12-828 Strengthening Agencies’ Management of FOIA
United States Government Accountability Office
Washington, DC 20548




                                   July 31, 2012

                                   The Honorable Darrell E. Issa
                                   Chairman
                                   The Honorable Elijah E. Cummings
                                   Ranking Member
                                   Committee on Oversight and Government Reform
                                   House of Representatives

                                   The Freedom of Information Act (FOIA) 1 requires that federal agencies
                                   provide the public with access to government records and information on
                                   the basis of the principles of openness and accountability in government.
                                   In this regard, each year hundreds of thousands of FOIA requests are
                                   made to federal agencies—with the information released in response to
                                   these requests contributing to the disclosure of government waste, fraud,
                                   and abuse, as well as other conditions, such as unsafe consumer
                                   products and harmful drugs. The e-FOIA amendments of 1996 require,
                                   among other things, that agencies make certain categories of records
                                   available to the public in electronic format. Further, guidance issued by
                                   the Attorney General in March 2009 2 and related policies and guidance
                                   encourage agencies to reduce their backlogs of FOIA requests, not
                                   withhold records merely because they fall within the scope of a FOIA
                                   exemption, improve administration of their FOIA operations, and ensure
                                   timely disclosure of information to the public.

                                   Given this guidance, you asked us to determine: (1) What actions have
                                   agencies taken to manage their FOIA programs, including reducing
                                   backlogs and use of exemptions, pursuant to the Attorney General’s 2009
                                   FOIA guidelines, and what have been the results of these actions? (2)
                                   What actions have agencies taken to make records available to the public
                                   by electronic means, pursuant to the e-FOIA amendments of 1996? (3)
                                   To what extent have agencies implemented technology to support FOIA
                                   processing?




                                   1
                                    5 U.S.C. § 552.
                                   2
                                    Memorandum for Heads of Executive Departments and Agencies: The Freedom of
                                   Information Act (FOIA), (Washington, D.C.: March 19, 2009).




                                   Page 1                        GAO-12-828 Strengthening Agencies’ Management of FOIA
To address these objectives, we analyzed published statistics and
documents, such as agency FOIA reports, and conducted interviews with
responsible officials at the four federal agencies that collectively received
more than 50 percent of all FOIA requests during fiscal year 2010: the
Departments of Homeland Security (DHS), Defense (DOD), Health and
Human Services (HHS), and Justice. Because FOIA processing at these
agencies is decentralized to the agency component level, we analyzed
the FOIA policies, oversight, and processing activities of each agency’s
central FOIA office and of the three components of each agency that
received the most FOIA requests. 3

•   The DHS agency components are the Privacy Office (DHS/Privacy),
    which functions as the department’s central FOIA office, in addition to
    the U.S. Citizenship and Immigration Service (USCIS), Immigration
    and Customs Enforcement (ICE), and U.S. Customs and Border
    Protection (CBP).

•   The DOD agency components are the Office of the Secretary of
    Defense and the Joint Staff (OSD/JS), which processes FOIA
    requests within the department’s central FOIA office, in addition to the
    Departments of the Army, Navy, and Air Force.

•   The HHS agency components are the Office of the Secretary
    (HHS/OS), which functions as the department’s central FOIA office, in
    addition to the Centers for Medicare & Medicaid Services (CMS), the
    Food and Drug Administration (FDA), and the National Institutes of
    Health (NIH).

•   The Justice agency components are the Office of Information Policy
    (OIP), which functions as the department’s central FOIA office, in
    addition to the Federal Bureau of Investigation (FBI), the Federal
    Bureau of Prisons (BOP), and the Executive Office for Immigration
    Review (EOIR).

To gauge agencies’ actions and results since the Attorney General’s
March 2009 memorandum, we analyzed data on backlogs and use of
exemptions from FOIA.gov for each of the agency components identified,



3
 For all agencies, the central FOIA office and the three agency components collectively
accounted for at least half of FOIA requests received by its parent agency (at least 90
percent for both DHS and HHS).




Page 2                           GAO-12-828 Strengthening Agencies’ Management of FOIA
             and examined agencies’ annual FOIA reports for the years 2009 to 2011.
             To evaluate agencies’ actions to make records available by electronic
             means, we compared materials posted on each agency component’s
             FOIA library with applicable requirements. To determine the extent to
             which agencies have implemented technology to support FOIA
             processing, we compared the capabilities of each agency component’s
             processing system with capabilities that the National Archives and
             Records Administration’s (NARA) Office of Government Information
             Services (OGIS), OIP, and others have identified as useful.

             We conducted this performance audit from September 2011 through July
             2012 in accordance with generally accepted government auditing
             standards. Those standards require that we plan and perform the audit to
             obtain sufficient, appropriate evidence to provide a reasonable basis for
             our findings and conclusions based on our audit objectives. We believe
             that the evidence obtained provides a reasonable basis for our findings
             and conclusions based on our audit objectives. See appendix I for a more
             detailed description of our scope and methodology.


             FOIA establishes a legal right of access to government records and
Background   information on the basis of the principles of openness and accountability
             in government. Before the act was passed in 1966, the government
             required individuals to demonstrate “a need to know” before being
             granted the right to examine a federal record. FOIA established a “right to
             know” standard, under which an organization or person could receive
             access to information held by a federal agency without demonstrating a
             need or reason. The “right to know” standard shifted the burden of proof
             from the individual to government agencies and required agencies to
             provide proper justification when denying a request for access to a
             record.

             Any “person,” with a few narrow exceptions, or entity can file a FOIA
             request, including foreign nationals, corporations, and organizations. For
             example, a foreign national can request his or her alien files and a
             commercial requester, which includes data brokers that file requests on
             behalf of others, may request a copy of a government contract or grant
             proposal. In response, an agency is required to provide the relevant
             record(s) in any readily producible form or format specified by the
             requester (unless the record falls within a permitted exemption). FOIA
             generally allows agencies to collect fees for searching and duplicating
             records in connection with responding to a request. Government agencies
             can also disclose information through “affirmative agency disclosure” by


             Page 3                     GAO-12-828 Strengthening Agencies’ Management of FOIA
                            publishing information in the Federal Register, on the Internet, or by
                            making it available in a reading room. 4


Justice and the National    Since it was established 30 years ago, Justice’s OIP has been
Archives and Records        responsible for encouraging compliance, overseeing agencies’
Administration Have FOIA-   implementation of FOIA, and issuing policy guidance. For example, OIP
                            issues FOIA policy guidance, prepares a comprehensive guide
Related Responsibilities    addressing various aspects of the act, conducts a variety of FOIA-related
                            training programs for personnel across the government, and offers FOIA
                            counseling services to government staff and the public.

                            In addition, the OPEN Government Act of 2007 5 established OGIS within
                            NARA to oversee and assist agencies in implementing FOIA. OGIS’s
                            responsibilities include reviewing agency policies and procedures,
                            reviewing agency compliance, recommending policy changes, and
                            offering mediation services.


FOIA Amendments and         The 1996 e-FOIA amendments, among other things, sought to strengthen
Guidance Are Intended to    the requirement that agencies respond to a request in a timely manner
Improve Agencies’ FOIA      and reduce their backlogs of pending requests. To that end, the
                            amendments made a number of procedural changes, including providing
Processing                  requesters with an opportunity to limit the scope of their requests so that
                            they could be processed more quickly, and requiring agencies to
                            determine within 20 working days (an increase from the previously
                            established time frame of 10 days) whether a request would be fulfilled. 6
                            The amendments also authorized agencies to multitrack requests, that is,
                            to process simple and complex requests concurrently on separate tracks
                            to facilitate responding to a relatively simple request more quickly.



                            4
                             FOIA requires agencies to make certain categories of records available to the public for
                            “inspection and copying.” Traditionally, most agencies had established physical reading
                            rooms, where the public could have access to these records. However, the e-FOIA
                            amendments of 1996 required agencies to post this information online, and as a result,
                            some agencies have begun to phase out their physical reading rooms.
                            5
                            P.L. 110-175 (Dec. 31, 2007).
                            6
                             The typical 20-day time period may be extended in “unusual circumstances,” such as
                            when requests involve a voluminous amount of records or require consultation with
                            another agency.




                            Page 4                           GAO-12-828 Strengthening Agencies’ Management of FOIA
In addition, the e-FOIA amendments encouraged online, public access to
government information by requiring agencies to make specific types of
records available in electronic form, including:

•   agency final opinions, including concurring and dissenting opinions,
    as well as orders made in the adjudication of cases;

•   statements of policy and interpretations that have been adopted by
    the agency and are not published in the Federal Register;

•   administrative staff manuals and instructions to staff that affect a
    member of the public; and

•   copies of records that have been released to any person through
    FOIA and which, because of the nature of the subject matter, the
    agency determines have become or are likely to become the subject
    of subsequent requests for substantially the same records. 7

In 1998, OIP issued e-FOIA implementation guidance that, among other
things, called for agencies to organize an electronic reading room so that
the public could find records that are required to be posted and to review
electronic reading room content regularly—at least quarterly—to ensure
that it is accurate and current. 8 In addition, OIP’s guidance on e-FOIA
implementation specifies that once an agency receives—or expects to
receive—at least three FOIA requests for a record, the agency is
generally obligated to disclose the record as a frequently requested
document.


7
 Justice’s implementing guidance instructs agencies that when a record is disclosed in
response to a FOIA request, the agency is required to determine whether the record has
been the subject of multiple FOIA requests (i.e., two or more additional requests) or, in the
agency’s best judgment based on the nature of the records and the types of requests
regularly received, is likely to be the subject of multiple requests in the future.
8
  OIP's 1998 Guidance is found in: "Electronic FOIA Amendments Implementation
Guidance Outline," FOIA Update, Vol. XIX, No. 1 (Winter 1998)
(http://www.justice.gov/oip/foia_updates/Vol_XIX_1/xixpage3.htm, and
"Recommendations for FOIA Web Sites," FOIA Update, Vol. XIX, No. 3 (Summer 1998)
(http://www.justice.gov/oip/foia_updates/Vol_XIX_3/xix3page3.htm).Because the
disclosure of these required categories of records had historically been made through a
physical reading room, the expanded online access provisions, including frequently
requested records and other required elements, have commonly come to be called
“electronic reading rooms.” Recently, OIP has encouraged agencies to use the term "FOIA
library" in lieu of “electronic reading room.”




Page 5                            GAO-12-828 Strengthening Agencies’ Management of FOIA
In a later effort to reduce agencies’ backlogs of FOIA requests, in
December 2005, the President issued Executive Order 13392, 9 which set
forth a directive for citizen-centered and results-oriented FOIA. In
particular, the order directed agencies to provide a requester with
courteous and appropriate service and ways to learn about the FOIA
process, the status of the request, and the public availability of other
agency records. The order also instructed agencies to process requests
efficiently, achieve measurable process improvements (including a
reduction in the backlog of overdue requests), and reform programs that
were not producing the appropriate results.

To this end, the order—and the FOIA itself—directed each agency to
designate a senior official as the agency’s Chief FOIA Officer. The Chief
FOIA Officer is responsible for ensuring agency-wide compliance with the
act by monitoring implementation throughout the agency; recommending
changes in policies, practices, staffing, and funding; and reviewing and
reporting on the agency’s performance in implementing FOIA to agency
heads and to Justice. (These reports are referred to as Chief FOIA Officer
reports and are in addition to agencies’ annual FOIA reports that largely
include statistics on FOIA processing that agencies also submit to
Justice.) In April 2006, Justice’s OIP issued guidance to assist federal
agencies in implementing the Executive Order’s requirements for reviews
and improvement plans. 10 The guidance suggested several potential
areas for agencies to consider when conducting their reviews, such as
automation of request tracking; automated processing and receiving
requests; responding to requests electronically; forms of communication
with requesters; and systems for handling referrals to other agencies.

As previously mentioned, each agency is required to prepare and submit
to Justice an annual FOIA report that includes statistics on, among other
things, the number of FOIA denials, appeals, and requests pending at the
end of the fiscal year. The OPEN Government Act of 2007 amended
FOIA in several ways, including requiring additional statistics on
timeliness in agencies’ annual reports. The act also called for agencies to
establish a system to track the status of their requests. OIP’s subsequent



9
 Executive Order 13392, Improving Agency Disclosure of Information (Washington, D.C.:
Dec. 14, 2005).
10
  Department of Justice, Executive Order 13392 Implementation Guidance (posted Apr.
27, 2006). See http://www.justice.gov/archive/oip/foiapost/2006foiapost6.htm.




Page 6                          GAO-12-828 Strengthening Agencies’ Management of FOIA
guidance (issued May 2008) provided information on responding to the
requirements of the OPEN Government Act, and directed agencies to
omit certain Privacy Act requests, which had previously been included,
from their FOIA statistics. 11

More recently, in January 2009, the President issued two memorandums,
Transparency and Open Government 12 and FOIA. 13 Both documents
focused on increasing the amount of information made public by the
government. In particular, the FOIA memorandum directed agencies to
adopt a presumption in favor of disclosure in all FOIA decisions, take
affirmative steps to make information public, and use modern technology
to do so. This echoed Congress’s finding, in passing the OPEN
Government Act, that FOIA establishes a “strong presumption in favor of
disclosure.”

In March 2009, the Attorney General issued a FOIA policy memorandum,
echoing the President’s call for increased disclosure of government
information by directing agencies to make information available online
without waiting for a specific FOIA request. In addition, OIP guidance on
these memos stated that agencies should implement systems and
establish procedures to routinely identify and systematically post records
appropriate for release. As noted by both the President and the Attorney
General, such proactive disclosures can not only improve public access
to government information, but potentially can reduce the growing number
of new FOIA requests. In addition, the memorandum called for agencies
to make discretionary disclosures and, as called for in OIP’s implementing
guidance, analyze whether releasing information would result in
foreseeable harm before applying exemptions. The agency is expected to
release the information if no harm would occur, unless disclosure is
prohibited by law.

The Attorney General’s memorandum reminded agencies of the OPEN
Government Act of 2007 requirement to establish a system to provide
individualized tracking numbers for requests that will take longer than ten
days to process and to establish a telephone line or internet service to


11
  In a Privacy Act request, a requester can ask for information on himself or herself held
by a federal agency.
12
 Presidential Memorandum of Jan. 21, 2009, Transparency and Open Government.
13
 Presidential Memorandum of Jan. 21, 2009, Freedom of Information Act.




Page 7                            GAO-12-828 Strengthening Agencies’ Management of FOIA
allow requesters to track the status of their request. To help agencies
meet this expectation, OIP and OGIS identified capabilities that they
consider to be best practices for FOIA processing. Specifically, in
September 2010, OIP issued guidance that calls for, among other things,
agencies and their components to use technology to process requests
electronically. Subsequently, in March 2011, OGIS issued FOIA best
practices for agencies and their components to use technology to, for
example, receive requests electronically, either by e-mail or online, and
allow requesters to easily check the status of their request. Further, in
conjunction with the Department of Commerce and the Environmental
Protection Agency (EPA), OGIS identified the following 13 system
capabilities that enhance FOIA processing:

•   using a single, componentwide system for tracking requests;

•   accepting the request online, either through e-mail or online request
    forms;

•   assigning the request tracking number and tracking the status of the
    request electronically;

•   multitracking requests electronically;

•   routing requests to the responsible office electronically;

•   storing and routing responsive records to the appropriate office
    electronically;

•   redacting responsive records with appropriate exemptions applied
    electronically;

•   calculating and recording processing fees electronically;

•   allowing supervisors to review the case file to approve redactions and
    fee calculations for processing electronically;

•   generating system correspondence, such as e-mails or letters, with
    requesters;

•   allowing requesters the ability to track the status of their request
    online;




Page 8                       GAO-12-828 Strengthening Agencies’ Management of FOIA
                                    •    tracking appeals electronically; and

                                    •    generating periodic reporting statistics, such as monthly backlog and
                                         annual report data, used to develop reports.

                                    Commerce, EPA, and OGIS also identified the need to support FOIA
                                    processing functions that cross organizational boundaries. Such functions
                                    include managing interagency referrals and consultations. 14


FOIA Request Processing             Agencies are generally required to make a determination on a FOIA
                                    request within 20 working days. A request may be received in writing, by
                                    telephone, or by electronic means. Once received, the request goes
                                    through multiple phases, which include processing requests, searching
                                    records, processing records, and releasing records. Figure 1 provides an
                                    overview of the process, from the submission of a request to the release
                                    of records.

Figure 1: Simplified FOIA Process




                                    14
                                      Referrals involve referring the responsive record to the originating agency for its
                                    disclosure determination and direct response to the FOIA requester. Consultations involve
                                    consulting with the originating agency before making a direct FOIA response to the
                                    requester.




                                    Page 9                           GAO-12-828 Strengthening Agencies’ Management of FOIA
During the intake phase, a request is to be logged into the agency
component’s FOIA system, and a tracking number is assigned if the
request is estimated to require more than 10 days to address. The
request is then reviewed by the FOIA staff to determine its scope and
level of complexity. 15 The agency then typically sends a letter or e-mail to
the requester acknowledging receipt of the request; this typically includes
a unique tracking number that the requester can use to check on the
status of the request.

The FOIA staff is then to begin its search to retrieve responsive records
by routing the request to the appropriate program office(s). This step may
include searching and reviewing paper and electronic records from
multiple locations and program offices.

The agency then processes the responsive records, which involves
consulting with other agencies as appropriate before releasing records
that originated there or referring records to another agency for its
disclosure determination and response to the requester. This includes
determining whether portions of any record should be withheld based on
statutory exemptions. 16 Nine specific exemptions can be applied to
withhold, for example, classified, confidential commercial, pre-decisional,
privacy, and several types of law enforcement information. (Appendix II
provides a full listing of the FOIA exemptions.) A request may be denied
in full based on one or more exemptions, or it may be partially granted, in
which case information may be blacked out (redacted). For example, a
Social Security number or other personally identifiable information may be
redacted under the exemption for protecting personal information. If no
exemption is applied, the request should be granted in full. Before
applying certain exemptions, agencies are to conduct a foreseeable harm
analysis to determine whether harm will occur if the information is
released.




15
  Factors that increase the complexity of a request include the volume of information
involved, the number of offices that might have responsive documents, the extent to which
the information is technical or difficult to understand, and the need to communicate with
third parties, such as other agencies or owners of possible proprietary information.
16
  Some FOIA requests are closed before reaching this stage, for example, if no
responsive documents can be found, if all responsive documents originated with another
agency and were referred to that agency for processing, or if after being notified of fees,
the requester is unwilling to pay the estimated fees.




Page 10                           GAO-12-828 Strengthening Agencies’ Management of FOIA
Before approving the release of any records, they are to be reviewed by a
FOIA supervisor, general counsel, or other appropriate personnel to
ensure that the release is proper. Then a response letter is generated for
the requester, summarizing the agency’s actions regarding the request.
Finally, the responsive record(s) are sent to the requester via computer
disk, e-mail, or paper. Throughout the FOIA process, the agency is
responsible for making information about the status of the request
available to the requester.

For fiscal year 2011, the 99 agencies that were required to submit annual
FOIA reports to Justice reported that 644,165 requests were received and
about 4,400 staff were devoted to FOIA processing. According to the
agencies’ annual reports as aggregated on FOIA.gov, the total reported
cost of FOIA activities among the 99 agencies for fiscal year 2011 was
$436 million, of which about $6 million was recovered through fees
collected from requesters. The agencies collectively reported responding
to 631,424 requests. Of these, 236,474 (37 percent) were granted in full;
171,795 (27 percent) were partially granted (i.e., some information was
redacted based on one or more exemptions); and 30,369 (5 percent)
were denied in full based on exemptions. The remaining 192,786 (31
percent) were denied for reasons not based on exemptions, such as no
responsive records were found or the request was withdrawn. Figure 2
shows the disposition of requests that agencies responded to in fiscal
year 2011.




Page 11                    GAO-12-828 Strengthening Agencies’ Management of FOIA
                          Figure 2: Disposition of FOIA Requests during Fiscal Year 2011




Previous GAO Reviews of   We reported in 2007 17 that agency plans for improving FOIA processing
FOIA Implementation       had mostly included goals and timetables addressing the areas of
Efforts                   improvement emphasized by Executive Order 13392, which set forth a
                          directive for citizen-centered and results-oriented FOIA. Most of the plans
                          provided goals and timetables; some agencies omitted goals in areas
                          where they considered they were already strong. We noted that all the
                          plans focused on making measurable improvements and formed a
                          reasonable basis for carrying out the goals of the Executive Order,
                          although details of a few plans could be improved. Accordingly, we made
                          recommendations to strengthen selected improvement plans, among
                          other things. The agencies generally agreed with our recommendations
                          and took actions to address them.

                          Further, we reported in 2008 that, following the emphasis on backlog
                          reduction in the Executive Order and agency improvement plans, many
                          agencies had shown progress in decreasing their backlog of overdue


                          17
                            GAO, Freedom of Information Act: Processing Trends Show Importance of Improvement
                          Plans, GAO-07-441 (Washington, D.C.: Mar. 30, 2007).




                          Page 12                       GAO-12-828 Strengthening Agencies’ Management of FOIA
                       requests. 18 However, we identified several factors that contributed to the
                       requests remaining open and recommended that Justice provide
                       additional guidance to agencies on tracking and reporting overdue
                       requests and planning to meet future backlog goals. As we
                       recommended, Justice’s OIP developed guidance on tracking and
                       reporting backlogged requests.

                       In addition, in 2009 we reported that DHS had taken steps to enhance its
                       FOIA program, but that opportunities existed for the department to
                       improve the efficiency and cost-effectiveness of FOIA processing. 19
                       Specifically, we noted that implementation of key practices, such as
                       internal monitoring and oversight, component-specific training, online
                       status-checking, and electronic dissemination of records, could facilitate
                       the processing of information requests at a number of its major
                       components. Accordingly, we recommended that key practices used by
                       certain DHS components and other agencies be implemented more
                       consistently across the department. DHS agreed with our
                       recommendations and has taken steps to address them.


                       Agencies have taken steps pursuant to the Attorney General’s 2009
Agencies Have          memorandum aimed at reducing the number of backlogged requests and
Generally Taken        the use of exemptions. Steps taken to reduce backlogs include regular
                       reporting, mobilizing extra resources, and modifying procedures. Steps
Actions to Improve     taken to reduce use of exemptions include training, foreseeable harm
their FOIA Programs,   analyses, and reviews. While the majority of the agency components we
but Results Have       reviewed have reduced their backlogs, a few agencies have seen
                       substantial backlog growth, and success in reducing the use of
Been Mixed             exemptions has also been mixed.




                       18
                         GAO, Freedom of Information Act: Agencies Are Making Progress in Reducing Backlog,
                       but Additional Guidance Is Needed, GAO-08-344 (Washington, D.C.: Mar. 14, 2008).
                       19
                         GAO, Freedom of Information Act: DHS Has Taken Steps to Enhance Its Program, but
                       Opportunities Exist to Improve Efficiency and Cost-Effectiveness, GAO-09-260
                       (Washington, D.C.: Mar. 20, 2009).




                       Page 13                        GAO-12-828 Strengthening Agencies’ Management of FOIA
Agencies Have Taken         The agency components we studied took the following actions aimed at
Steps to Reduce Backlogs,   reducing their backlogs of FOIA requests.
but Some Backlogs Have
                            •   Reporting backlog status. A majority of the agency components we
Increased                       studied produced quantitative reports on backlogs for higher-level
                                management at least monthly. For example, Army FOIA staff briefed
                                the Deputy Administrative Assistant to the Secretary of the Army
                                every month on the status of FOIA requests, including a monthly
                                report of backlogs for every unit. This high-level reporting was
                                intended to convey to staff the importance the Army places on the
                                issue.

                            •   Mobilizing resources. Agency components redirected or acquired
                                resources to clear backlogs by detailing staff from other work, using
                                overtime and compensatory time, hiring new staff or contractors, and
                                providing assistance to local offices. For example, the Army FOIA
                                office analyzed which field offices had the largest backlogs, then sent
                                teams to those offices to help them. Similarly, OIP used support
                                personnel including law clerks and administrative personnel to
                                address its backlogs.

                            •   Changing procedures. Agency components changed procedures so
                                requests could be processed faster. Components changed
                                procedures to, among other things, streamline processes, improve
                                oversight, or change work assignments. For example, the Air Force
                                issued a new FOIA directive in 2010 to implement several changes in
                                handling backlogs, including a requirement for FOIA managers with
                                backlogs to submit backlog reduction plans. OSD/JS worked with its
                                information technology (IT) support staff to develop a scanning tool to
                                improve the search capability of documents throughout the OSD/JS
                                enterprise. This tool improved results when searching for documents
                                responsive to a FOIA request.

                            •   Negotiating to simplify requests. Agency components negotiated
                                with the requesters of large, complex requests to reduce the size and
                                shorten the time required to fulfill the request. A negotiation with the
                                requester can result in a reduction in the amount of work that
                                otherwise would have delayed processing the request and likely
                                resulted in increased backlogs. For example, the FBI negotiated with
                                one requester to reduce the size of the request where it had located
                                more than 37,000 pages responsive to the request. Since each page
                                would have to be checked before being released, the request would
                                have required considerable time to process. Instead, the requester




                            Page 14                     GAO-12-828 Strengthening Agencies’ Management of FOIA
     agreed to the FBI’s offer to provide faster delivery of 1,150 pages
     already processed under a similar, earlier request.

Two examples of components that used several of these actions to
successfully reduce their backlogs are described below.

•    CMS reduced its backlog from 10,312 requests in 2009 to 3,486
     requests in 2010, and then to 2,008 requests in 2011. Actions that
     contributed to its success included mobilizing resources and changing
     procedures. First, CMS increased the resources devoted to FOIA,
     enabling it to increase staff in its regions and hire former staff as
     contractors. Second, CMS changed several procedures related to
     processing requests. For example, the FOIA office has given regions
     increased authority to provide information to requesters without a
     central review. Additionally, CMS implemented an electronic FOIA
     processing system in 2009 and continued to refine it in 2010.

•    The Army reduced its FOIA backlog from 3,542 requests in 2009 to
     1,141 requests in 2010 and then to 1,000 requests in 2011 due to
     reporting to management, mobilizing resources, and streamlining
     processes. Specifically, FOIA staff briefed the Deputy Administrative
     Assistant to the Secretary of the Army every month on the status of
     FOIA requests, including a monthly report of backlogs for every unit.
     This was intended to convey to staff the importance the Army places
     on the issue and that OSD/JS FOIA officials consider it a best
     practice. The Army’s central FOIA office staff mobilized resources by
     analyzing which field offices had the largest backlogs, then sending
     teams to those offices to help them. OSD/JS FOIA staff said they also
     suggested how field offices could streamline processes. For example,
     they suggested that the office that handles military service records no
     longer needed to redact records of World War I veterans and could
     release them directly since there are no living veterans of that war.

As a result of the actions cited, among others, the majority of the agency
components we studied succeeded in reducing their FOIA backlogs
between 2009 and 2011. Specifically, 10 of the 16 agency components
had reduced their backlogs of FOIA requests, 2 had no material change, 20



20
  Two components with small backlogs had a small increase in the number of their FOIA
requests; ICE’s backlog increased from 10 requests to 18 and EOIR’s increased from 183
to 205.




Page 15                         GAO-12-828 Strengthening Agencies’ Management of FOIA
                                      and 4 had increases. Figure 3 shows component backlog levels for 2009
                                      through 2011 arranged in order of the size of their 2011 backlogs.

Figure 3: Number of Backlogged FOIA Requests by Agency Component, 2009-2011 (in thousands)




                                      Of the four components whose backlogs increased, three had increases
                                      in requests received. USCIS had the largest increase, a 62 percent rise in
                                      requests received, from 71,429 in 2009 to 115,545 in 2011. Officials of
                                      half of the components in our review identified an increase in requests
                                      that are identified as complex as a challenge. Two of the four components
                                      with increases—Navy and OIP—cited higher numbers of complex


                                      Page 16                      GAO-12-828 Strengthening Agencies’ Management of FOIA
                             requests as contributing to the increase in their backlogs. Without
                             sustaining the actions they have taken, the agency components risk
                             endangering the progress they have made in reducing their backlogs and
                             limit the potential for future progress in this area.


Agencies Have Taken          Recent policy and decisions direct agencies to release more information.
Steps to Reduce their Use    The Attorney General’s March 2009 memorandum instructs agencies to
of Exemptions, but Results   make discretionary disclosures of information that might be withheld
                             under an exemption or exemptions if it would cause no harm to disclose
Are Mixed                    it. The mechanism by which this is carried out is called a “foreseeable
                             harm” analysis. The administration has highlighted two exemptions that
                             offer opportunities for discretionary release. Specifically, OIP guidance
                             stated that exemption 5 (which includes pre-decisional documents and
                             attorney work products), provides the best opportunity for increasing the
                             release of information. In addition, the President’s 2011 open government
                             report 21 described the potential for reduced use of exemption 2. Further,
                             in March 2011, the Supreme Court, in Milner vs. Navy, substantially
                             narrowed the information to which exemption 2 could be applied. 22 Prior
                             to the Milner decision, agencies used a “high two” interpretation that
                             allowed them to withhold predominately internal information if disclosing it
                             could lead to circumvention of the law. The Supreme Court held that this
                             interpretation was invalid and that exemption 2 applies only to personnel
                             practices.

                             Components in our review took a number of actions aimed at reducing
                             the use of exemptions through discretionary disclosures:

                             •     Training. All 16 of the agency components we studied provided
                                   training to their FOIA staff on the Attorney General’s memorandum
                                   and the presumption of openness. In addition, OIP regularly conducts
                                   training dealing with openness and makes training materials available
                                   on its website. The FBI has a structured training process, which
                                   includes modules dedicated to specific exemptions and mandatory
                                   exams and leads to certification as an FBI “FOIA Professional.”




                             21
                               The Obama Administration’s Commitment to Open Government: A Status Report,
                             (Washington, D.C., 2011).
                             22
                                 Milner v. Department of the Navy, 131 S. Ct. 1259 (2011).




                             Page 17                            GAO-12-828 Strengthening Agencies’ Management of FOIA
•   Foreseeable harm analyses. Agency components took steps to
    facilitate foreseeable harm analyses as called for by the Attorney
    General. For example, EOIR applied the foreseeable harm test to
    maximize the amount of deliberative process information posted
    online as part of an online tool for judges. Further, DHS/Privacy
    modified the form used to transmit documents responsive to a
    request, so that each office must now certify that a foreseeable harm
    review and analysis has been completed for all withheld and partially
    withheld records. The Army Corps of Engineers and EOIR provided
    training specifically focused on foreseeable harm analysis.

•   Reviews. Multiple components subjected exemptions to reviews by
    senior staff or attorneys before releasing them to verify that there was
    foreseeable harm. For example, the FBI’s FOIA process included a
    quality control review process, where higher-ranking analysts (GS-13
    and 14) review the responsible analysts’ use of exemptions as well as
    the potential release of sensitive information. At OSD/JS, the Chief of
    the OSD/JS FOIA Requester Service Center reviewed all denials
    under exemption 5 and sent back those that were not adequately
    justified.

•   Compliance with the Milner decision. All but one agency
    component we reviewed either reduced its use of exemption 2 as a
    result of the Milner decision, or used it in a small number of cases.
    CBP and USCIS both reduced the number of times exemption 2 was
    used in 2011 to fewer than half of their 2009 levels. Examples of
    actions components took to facilitate compliance included OIP’s
    issuance of guidance on Milner and training developed by ICE.

•   Distributing guidance. To encourage compliance with the new FOIA
    policies, OIP issued government-wide guidance on the presumption of
    openness and on exemptions 2 and 5. Other agencies and
    components distributed the Attorney General’s memorandum and
    other guidance. DOD and DHS both issued guidance applicable to all
    of their agency components.

About half of the agency components we studied reduced the rate at
which they applied exemptions to FOIA requests. Specifically, during the
2009-2011 time period:

•   Seven of the agency components in our review—USCIS, CBP, OIP,
    FBI, ICE, Army, and OSD/JS—reduced the average number of
    exemptions they applied per request. The 3 largest users of



Page 18                     GAO-12-828 Strengthening Agencies’ Management of FOIA
      exemptions—USCIS, CBP, and ICE—which accounted for 83 percent
      of all exemptions in our review in 2011, all had reductions.

•     Three components—EOIR, FDA, and NIH—stayed at about the same
      level of exemption use. 23

•     Six components—Navy, BOP, CMS, Air Force, HHS/OS, and
      DHS/Privacy—increased their average number of exemptions per
      request. 24

•     Most components made progress in reducing the use of exemptions 2
      and 5. The use of exemption 5, cited by OIP as providing the best
      opportunity for discretionary releases, decreased for 11 of the 16 of
      components, while 12 of 16 agency components reduced the use of
      exemption 2 following the Milner decision.

Figure 4 shows the changes in the average number of exemptions
applied per request 25 from 2009, when the Attorney General’s
memorandum was issued, to 2011.




23
    These three changed by 1 percent or less.
24
  Because numbers of responses vary from year to year, we examined the ratio of
exemptions to requests (that is, what proportion of requests a given exemption was
applied to) for the years 2009-2011.
25
  This figure is calculated based on requests that were granted in full, partially granted, or
denied and does not include requests denied for reasons other than exemptions.




Page 19                            GAO-12-828 Strengthening Agencies’ Management of FOIA
Figure 4: Exemption Use by Agency Components from 2009 through 2011




                                      This figure is calculated based on requests that were granted in full, partially granted, or denied and
                                      does not include requests denied for reasons other than exemptions.


                                      Although components have acted to reduce the use of exemptions, a
                                      component’s ability to do so can be limited because not all of the
                                      exemptions are equally discretionary. While agencies may, under the law,
                                      make discretionary disclosures of exempt information where they are not
                                      otherwise prohibited from doing so, some of the exemptions apply to
                                      categories of information that are more strictly controlled than others. For
                                      example, exemption 1 protects from disclosure properly classified
                                      national security information, exemption 3 applies to information that has
                                      been exempted from disclosure by another law, exemption 6 protects
                                      privacy interests in personal information, and exemption 7 applies to
                                      certain information compiled for law enforcement purposes. Exemptions 6
                                      and 7 are the exemptions most frequently used by the components we
                                      studied and accounted for more than half of all exemptions reported in
                                      2011 by those components. For all but one component, exemption 6


                                      Page 20                                GAO-12-828 Strengthening Agencies’ Management of FOIA
                     (privacy) was the most frequently used and it amounted to about 90
                     percent of CMS’s exemptions. Exemption 7 was also frequently used by
                     agency components with law enforcement responsibilities. Accordingly,
                     given the role played by such information in the work of the components
                     in our study, it is unlikely that they will significantly reduce the use of
                     those more strict exemptions. For example, the Air Force cited an
                     increase in interest in congressional travel, which required redactions for
                     privacy and an increased use of exemption 6, and the FBI cited more
                     requests for terrorism-related information, leading to an increase in use of
                     exemption 7 to protect sensitive law enforcement information.
                     Notwithstanding the impact of such exemptions, overall reductions in
                     exemption use generally reflect an increase in discretionary disclosures
                     across the components in our study.


                     As previously discussed, the e-FOIA amendments encourage online,
Agency Components    public access to government information and require agencies to make
Generally Make       specific types of records available to the public in electronic form: agency
                     final opinions and orders, statements of policy, administrative staff
Records Available    manuals, and frequently requested records. In addition, memorandums
Online, but          from both the President and the Attorney General in 2009 highlight the
Approaches to        importance of online disclosure and further direct agencies to make
                     information available without a specific FOIA request.
Posting Frequently
Requested Records    As a result of deficiencies in agencies’ FOIA libraries noted by the
                     Attorney General in 2008, 26 OIP issued guidance to all Chief FOIA
Vary                 Officers to certify that they were in compliance with FOIA’s requirements
                     for posting certain categories of records online. In this guidance, OIP
                     reiterated that “agencies should organize the records in a way that allows
                     for efficient and easy location of specific documents,” and that “agencies
                     are obligated to not only maintain, but to continuously update, each of the
                     four categories of reading room records.”

                     Most of the agency components we reviewed have made records
                     available online in the four categories of required records, either in their



                     26
                       See Attorney General’s Report to the President Pursuant to Executive Order 13392,
                     Entitled “Improving Agency Disclosure of Information” (Washington, D.C.: May 30, 2008).
                     In this report, the Attorney General recommended that all agency Chief FOIA Officers
                     review and certify to Justice and OMB that their agency FOIA libraries are in compliance
                     with FOIA.




                     Page 21                          GAO-12-828 Strengthening Agencies’ Management of FOIA
                                            FOIA library or elsewhere on the agency component’s website.
                                            Specifically, 12 of the 16 agency components we reviewed had posted
                                            records in all four of the required categories to their FOIA libraries. In
                                            addition, 3 of the 16 agency components we reviewed had posted records
                                            in all four of the required categories in either their FOIA library or
                                            elsewhere on the agency component’s website. 27 The remaining agency
                                            component had posted records to its FOIA library in only two of the
                                            required categories; we could not locate records in the other two
                                            categories either in its FOIA library or on the agency component’s
                                            website. Table 1 summarizes the extent to which the agency components
                                            we reviewed made records available online in the four categories of
                                            required records.

Table 1: Agency Information Required to be Posted Online Pursuant to the e-FOIA Amendments

                                      DOD                                  DHS                         HHS                    Justice
Categories of required
records                     OSD   AF   Army Navy            Priv CBP ICE USCIS               OS CMS FDA NIH          OIP    BOP      EOIR FBI
Agency final opinions       ●     ●     ●          ◑          ◔        ●      n/a   ◑         ●    ●     ●   n/a      ●      n/a       ●   n/a
Policy                      ●     ●     ●          ●          ●        ●       ●    ●         ●    ●     ●    ●       ●       ●        ●    ●
statements/interpretation
Administrative staff        ●     ●     ●          ◑          ◔        ●       ●    ◑         ●    ●     ●    ◑       ●       ●        ●    ●
manuals
Frequently requested        ●     ●     ●          ●          ●        ●       ●    ●         ●    ●     ●    ●       ●       ●        ●    ●
records
                                            Source: GAO analysis of agency data.


                                            Notes:
                                            ● Required information is available in FOIA library.
                                            ◑ Required information is not available in FOIA library but was found on agency component’s website
                                            (located through independent search).
                                            ◔ Category exists in FOIA library, but required information was not posted and was not found
                                            elsewhere.
                                            n/a Not applicable—agency component stated that it does not adjudicate cases.


                                            Specifically, DHS/Privacy’s FOIA library listed all of the categories of
                                            required records, but at the time of our review, no records were posted in
                                            two of the categories: final opinions and manuals. According to an agency


                                            27
                                              For example, Navy’s final opinions can be found on a website maintained by the Navy
                                            Judge Advocate General and USCIS’s final opinions can be found on a website
                                            maintained by its Administrative Appeals Office.




                                            Page 22                                     GAO-12-828 Strengthening Agencies’ Management of FOIA
official, DHS/Privacy is in the process of redesigning its FOIA library and
plans to address the issue in the next few months.

Although we were able to locate required records in most of the agency
components’ FOIA libraries, we could not always easily locate records
when they were posted elsewhere on the agency components’ websites.
For example, the components often did not provide links to required
documents if they were maintained by an external office, such as the
General Counsel’s office for agency final opinions. 28 In addition, not all
components generate records in each required category, and they did not
explain the absence of this information from their FOIA libraries.
Specifically, we found that:

•    The USCIS FOIA library listed the four categories of records required
     under e-FOIA, but only provided a link to policy statements and
     memorandums in a “related links” sidebar. Although we were able to
     locate final opinions and staff manuals elsewhere on the USCIS
     website through an independent search, the FOIA library did not
     indicate that these records were available elsewhere. A USCIS FOIA
     official stated that the agency intends to launch a redesigned FOIA
     library by the end of June 2012.

•    Navy’s FOIA library included, among other things, a number of policy
     memorandums; however, it did not include documents or external
     links to final opinions or staff manuals. An independent search of the
     Navy’s website showed that Navy’s final opinions were managed on a
     separate website maintained by the Navy Judge Advocate General
     and that staff manuals, directives, and other Navy publications could
     be found on a website maintained by the Secretary of the Navy.

•    The NIH FOIA library contained, among other things, frequently
     requested records, but we could not locate documents or external
     links related to NIH final opinions or staff manuals. An NIH official
     stated that the agency component does not issue final opinions.
     Through an independent search, we identified NIH manuals in a
     central database maintained by NIH’s Office of Management
     Assessment. However, the existence of this required information was
     not made clear in the FOIA library; there is only a statement that



28
  For example, USCIS and Navy do not provide direct links to the websites that contain
agency final opinions or administrative staff manuals.




Page 23                          GAO-12-828 Strengthening Agencies’ Management of FOIA
                                 encourages potential FOIA requesters to use the NIH search engine
                                 to locate information.

                             •   ICE’s FOIA library included policy statements, staff manuals, and
                                 frequently requested records. However, we could not locate records
                                 related to agency final opinions, either in the FOIA library or
                                 elsewhere on ICE’s website. ICE’s FOIA Officer stated that the
                                 agency does not issue final opinions and therefore has no records to
                                 post. In response to our assessment, ICE has posted information to
                                 its FOIA library stating that final opinions related to immigration cases
                                 are handled by EOIR.

                             •   The FBI’s main FOIA web page acknowledged that the agency is
                                 required to make certain categories of records available in its FOIA
                                 library; it also stated that there were no records available in two
                                 categories: agency policy statements and final opinions. However,
                                 during our review, we were able to locate one policy statement posted
                                 in the FOIA library. FBI’s Section Chief, Records Management, stated
                                 that the FBI does not issue agency final opinions. In response to our
                                 assessment, FBI has updated its main FOIA webpage to provide a
                                 link to relevant policies that are available online.

Agency Components Have       As noted in table 1, all of the agency components in our review have met
Taken Varied Approaches to   the requirement for posting frequently requested records to their FOIA
Identifying Frequently       libraries: that is, records that have become or are likely to become of
Requested Records            significant interest to the public. In addition, we found that agency
                             components have taken a variety of approaches to identify and manage
                             frequently requested records. This has resulted in differences among
                             agency components in the type and volume of frequently requested
                             records that have been made available to the public.

                             During our review, we identified several agency components whose
                             proactive efforts to release records—through the use of formal policies
                             and procedures, technology improvements, and management initiatives
                             to release more information—have resulted in comprehensive FOIA
                             libraries. For example,

                             •   Air Force has established a formal policy to post all records released
                                 under FOIA to its FOIA library, with the exception of records that
                                 include personally identifiable information. An Air Force official stated
                                 that as a result of this policy, the Air Force continuously reviews and
                                 updates the contents of its FOIA library, which contained 5,211
                                 records in 41 subject categories, as of June 2012. These categories



                             Page 24                      GAO-12-828 Strengthening Agencies’ Management of FOIA
     range from Air Force contracts to radar data to information on
     congressional travel. Records are managed in an online searchable
     database, and the public can locate records by name, category, or
     date posted.

•    OSD/JS has implemented a procedure to post all records released
     under FOIA to its FOIA library. 29 An OSD/JS official stated that the
     office has a team dedicated to managing postings to the FOIA library,
     and, in addition to releasing all FOIA-processed records, it also
     proactively releases FOIA logs 30 and inventories of OSD/JS records
     stored at the Washington National Records Center. OSD/JS officials
     reported in June 2012 that the library contained about 3,700 records
     in eight subject categories and includes, for example, documents
     related to homeland defense, U.S. foreign policy, and defense
     research projects. In addition, OSD/JS maintains a directory of
     frequently requested documents in 10 categories, including, for
     example, historical and current contracts for eight DOD
     components. 31 OSD/JS also offers a service of providing e-mail
     notifications to subscribers when new records are posted to the FOIA
     library.

•    As of June 2012, FBI’s FOIA library, the Vault, contained 6,656
     records in 20 subject categories, such as current events, organized
     crime, and civil rights. The Vault contains historical FBI investigation
     files and internal memorandums on a variety of topics and individuals,
     as well as media coverage files, images, and video. FBI’s Section
     Chief, Records Management stated that after establishing the Vault,
     FBI worked with Google to optimize the site’s search capabilities. In
     addition, the agency recently implemented technology improvements
     to the Vault that will help them continue to expand the number of
     records available and allow the public to more easily view and search




29
  As also noted by Air Force, records subject to privacy-related exemptions are not
posted.
30
  A FOIA log is a listing of FOIA requests that have been made to the agency or agency
component.
31
  These are: Business Transformation Agency; Defense Advanced Research Projects
Agency; Defense Human Resources Division; Defense Media Activity; Defense
Microelectronics Agency; Defense Security Cooperation Agency; Missile Defense Agency;
and Washington Headquarters Services, Acquisition and Procurement Office.




Page 25                          GAO-12-828 Strengthening Agencies’ Management of FOIA
     within files online. FBI also provides e-mail updates to subscribers
     when new information is posted to its website.

•    In 2011, CMS redesigned its FOIA library to make it easier for the
     public to locate information that was already available online through
     the efforts of various CMS components. Specifically, CMS has
     created an A to Z subject index of frequently requested information
     that currently contains 88 subject area categories. These include tools
     to compare data on hospitals, nursing homes, and Medicare plans;
     data sets and statistics on Medicaid; and various fee schedules.
     CMS’s FOIA library also provides access to an online tool for
     downloading personal Medicare claims, their most common FOIA
     request. 32 In addition, since 2011, CMS has required the directors of
     its centers and program offices to identify semi-annually at least three
     categories of frequently requested information to add to the A to Z
     subject index.

•    FOIA processing at FDA is decentralized across seven major centers,
     and each of these centers is responsible for identifying and posting
     frequently requested records to its FOIA library. FDA has broad
     initiatives to release information proactively online, and FDA’s FOIA
     director estimated that the agency has posted about 360,000
     documents and 66 searchable databases to its website. 33 In addition,
     FDA’s FOIA director noted that FDA has seen a steady reduction in
     the number of FOIA requests it has received over the last eleven
     years: in 2000 FDA received about 25,000 requests, and in 2011 it
     received 9,301 requests. He stated that this reduction is a direct result
     of their extensive online library and commitment to proactively
     releasing information.

By contrast, our review of FOIA libraries also identified several agency
components that have not taken sufficient action to identify and manage
frequently requested records. As a result, these agency components may
not be posting all records of significant public interest online. Specifically,




32
  CMS FOIA officials noted that this database is currently limited to data from the last
three years, so it does not yet meet the needs of individuals looking for more
comprehensive data.
33
  In addition to FOIA, FDA is statutorily required to post certain information online under
the Food and Drug Administration Amendments Act of 2007.




Page 26                           GAO-12-828 Strengthening Agencies’ Management of FOIA
•    Army’s FOIA library has been clearly organized by the four required
     categories of records established by e-FOIA and includes 23 topic
     headings in the frequently requested records section. However, at the
     time of our review, several of these categories did not contain records,
     and several categories contained only one record. 34 In addition, the
     frequently requested topic headings posted online were different from
     those generated by the Army’s FOIA IT system that were provided to
     us and which we were told were used to manage online releases.
     Further, according to results from the FOIA library’s search engine,
     the most current document posted dates to June 2, 2011—over a year
     ago. 35 An Army official stated that Army defers to its 300 components
     to identify and provide copies of records appropriate for release in the
     library. In addition, Army typically reviews the content of its FOIA
     library only once a year.

•    During our review, we found that the Navy’s FOIA library contained
     few frequently requested records. It consisted primarily of the Navy’s
     purchase card holder list, five documents related to the department’s
     use of depleted uranium, and a fact sheet on UFOs. The Navy has
     also posted a document with a list of “Top 10 Topics” that provides
     general instructions on how to request certain types of information
     such as military or investigation records. An official from Navy’s FOIA
     office stated that the staff reviews the FOIA library quarterly, but they
     have not developed policies or procedures to actively identify and
     manage frequently requested records. She further noted that
     restrictions on server space also limit the office’s ability to post
     documents to its FOIA library.

•    During our review, the USCIS FOIA library consisted of six frequently
     requested records: the USCIS FOIA logs, which are updated monthly;
     two internal memorandums; John Lennon’s alien file, which is broken
     into 84 separate documents; a collection of eight documents related to



34
  The categories that did not contain any records were “Sexual Harassment in the Army,”
“Discrimination and Racial Conflict,” and “WWII Chemical Warfare Services Records;” the
categories that contained one record included “Intelligence Documents,” “Intelligence
Services,” “Flights to Cambodia,” “Congressional Correspondence/Matters,” and
“Miscellaneous.”
35
  Although Army’s most recent document dates to June 2, 2011, an Army official stated
that it has posted documents to the FOIA library since June 2, 2011. The official stated
that Army’s search engine indexes the creation date of the document, not the date it was
posted.




Page 27                          GAO-12-828 Strengthening Agencies’ Management of FOIA
     USCIS’s Immigrant Investor Program; and a reference guide for an IT
     system. In a separate area of its website, USCIS also listed its
     contracts, as was required by DHS’s Chief FOIA Officer in 2009. 36
     However, we identified only five contracts that were awarded between
     July 2003 and October 2009. During a March 2012 interview, agency
     officials acknowledged these deficiencies and stated that they were
     working to redesign their FOIA library. In June 2012, a USCIS FOIA
     official stated that the agency plans to launch a new FOIA library by
     August 2012.

A number of factors have contributed to the differences in agency
components’ ability to post frequently requested records to their FOIA
libraries. Some agencies do not disclose as many records to the public
due to the types of FOIA requests they receive. Specifically, officials at 7
of the 16 agency components we reviewed stated that the majority of their
FOIA requests are for records about the requesters themselves, such as
prison records, immigration files, or personal medical information. These
types of records are rarely requested multiple times, and as a result, the
agency components may find they have fewer frequently requested
records appropriate for release in their FOIA library. However, the
strongest indicator among the agency components with comprehensive
FOIA libraries is that they have taken a proactive approach to ensuring
that records of significant public interest are posted online. These agency
components, for example, have established policies and procedures to
identify records, continuously review their FOIA library to ensure that
content is current, or have aligned their FOIA-related efforts with the
agency’s broader initiatives to release information online. As a result,
these agency components have established comprehensive FOIA
libraries. Furthermore, as described by one agency component, this
commitment to consistently releasing information online has contributed
to a decrease in the number of new requests over time. Those agency
components with sparsely populated FOIA libraries may not be posting all
records of significant public interest online, or available information may
be difficult to locate. This can result in increased FOIA requests, which in
turn can contribute to increased backlogs and administrative costs.




36
  In August 2009, DHS’s Chief FOIA Officer issued a memorandum requiring all DHS
components to post several additional categories of records to their FOIA libraries,
including historical and daily schedules of the most senior agency officials, executed
contracts and grants, and FOIA logs, since they are often the subject of FOIA requests.




Page 28                          GAO-12-828 Strengthening Agencies’ Management of FOIA
                                        Agency components have implemented technology capabilities to support
Agency Components                       FOIA processing. However, the extent to which they have implemented
Have Implemented                        capabilities that are considered to be best practices varies. Also, most
                                        agency components use FOIA processing systems that do not
Technology to                           electronically exchange data.
Support FOIA
Processing to Varying
Degrees
Agency Components Have                  Almost all agency components that we reviewed (15 of the 16) are
Systems to Process and                  implementing most of the 13 technology capabilities considered to be
Track FOIA Requests, but                best practices for FOIA processing. 37 Table 2 summarizes the agency
                                        components’ implementation of best practices capabilities.
Implementation of
Additional Capabilities
Varies
Table 2: Detailed View of Agency Components’ Implementation of FOIA Capabilities

                                 DOD                        DHS                           HHS                     Justice
Technology
capabilities            OSD AF Army Navy          Priv CBP ICE      USCIS      OS   CMS     FDA     NIH   OIP BOP EOIR       FBI
Single tracking
system
                        ●    ●     ●     ◑        ●     ●     ●       ●        ●      ◑         ●   ●     ●      ●     ●      ●
Accept request
online
                        ●    ●     ●     ●        ●     ●     ●       ●        ●      ●         ●   ●     ●      ●     ●      ●
Assign request
tracking number and     ●    ●     ●     ●        ●     ●     ●       ●        ●      ●         ●   ●     ●      ●     ●      ●
track status
Route request to
responsible office
                        ●    ●     ●     ◑        ●     ●     ●       ●        ●      ●         ●   ●     ●      ●     ●      ●
Ability to multitrack
requests (simple,       ●    ●     ●     ◑        ●     ●     ●       ●        ●      ●         ●   ●     ●      ●     ●      ●
complex, expedited)
Store and route
electronic records
                        ●    ●     ◑     ○        ○     ○     ○       ●        ●      ●         ●   ○     ●      ●     ●      ●
Electronic redaction
capabilities
                        ●    ●     ●     ●        ●     ●     ●       ●        ●      ●         ●   ●     ●      ●     ●      ●




                                        37
                                          The capability to assign a request tracking number and track the status of requests is a
                                        requirement under the OPEN Government Act.




                                        Page 29                           GAO-12-828 Strengthening Agencies’ Management of FOIA
                                 DOD                              DHS                             HHS                  Justice
Technology
capabilities             OSD AF Army Navy          Priv CBP ICE               USCIS    OS   CMS     FDA     NIH   OIP BOP EOIR    FBI
Calculate and record
processing fees
                         ●   ●     ●       ●         ○        ●       ●        ●        ●     ●         ●   ●     ●   ●      ●     ●
Review the case file
to approve
redactions and fee
                         ●   ●     ◑       ○         ○        ○       ●        ●        ●     ●         ●   ○     ●   ●      ●     ●
calculations
System-generated
correspondence with      ●   ●     ●       ◑         ○        ○       ●        ●        ●     ●         ●   ●     ●   ●      ●     ●
requesters
Requester’s ability to
track status online
                         ○   ●     ○       ○         ○        ○       ●        ●        ○     ●         ○   ○     ●   ○      ○     ●
Track appeals
electronically
                         ●   ●     ●       ●         ●        ●       ●        ●        ●     ●         ●   ●     ●   ●      ●     ●
Generate periodic
report statistics
                         ●   ●     ●       ◑         ●        ●       ●        ●        ●     ◑         ●   ●     ●   ●      ●     ●
                                       Source: GAO analysis of agency data.

                                       Notes:
                                       ● Capability is currently implemented
                                       ◑ Capability is partially implemented
                                       ○ Capability is not implemented
                                       As the table reflects, 4 of the 16 agency components have implemented
                                       all of the technology capabilities for processing and tracking FOIA
                                       requests. Specifically, the Air Force, USCIS, OIP, and FBI use a single
                                       tracking system that enables agency officials to track the status of the
                                       request; store, route, and redact responsive records; and review the case
                                       file to approve redactions and fee calculations electronically. These
                                       agency components are also able to generate annual reports and monthly
                                       backlog statistics. Further, these components have implemented
                                       capabilities that enable requesters to submit a request through an online
                                       form or e-mail and track the status of their request online.

                                       Five agency components have implemented all of these capabilities
                                       except the one that allows requesters to track the status of their FOIA
                                       request online. The reasons why they have not implemented this
                                       capability include the following:

                                       •       OSD/JS officials stated that they have not implemented this capability
                                               because their tracking system is located on a classified network.
                                               Although OSD/JS has developed an application that will link to its
                                               tracking system and will allow a requester to track his or her request
                                               online, it is in the process of ensuring that the appropriate security



                                       Page 30                                     GAO-12-828 Strengthening Agencies’ Management of FOIA
    measures have been put in place before the application is available.
    OSD/JS intends to have this capability implemented by October 2012.

•   HHS reported that two of its components—OS and FDA—have not
    yet implemented the capability that allows a requester to track the
    status of a request online. HHS/OS officials could not provide a time
    frame for when this activity would be completed and stated that their
    FOIA website encourages requesters to contact FOIA personnel,
    through phone or e-mail, regarding the status of their request, which
    allows them to clarify any misunderstanding regarding it. FDA officials
    stated that because of the component’s decentralization, and the
    complexity and volume of records, it is more productive to discuss
    requests directly with the requester via telephone.

•   At Justice, BOP officials indicated that they intend to have this
    capability implemented by October 2012.

Additionally, ICE has implemented all of the capabilities but the one
associated with enabling agency officials to store and route electronic
records. According to ICE officials, their tracking system would not be
suitable for storing and routing electronic records and reviewing and
approving the electronic case file because the system was not designed
to handle these capabilities and would run extremely slowly when tracking
a FOIA request. ICE officials stated that they are currently in the process
of researching systems that will provide these capabilities.

CMS has implemented all but two capabilities. Specifically, it has not fully
implemented a single tracking system or the capability to generate
periodic report statistics, such as monthly backlog and annual report data.
According to CMS officials, while they can track most FOIA cases through
their tracking system, contractors do not have access to the system and,
instead, track their cases using Microsoft Access, Excel, or other tools.
CMS cited challenges in compiling the annual report because it has to
use these multiple contractor systems to compile data for the report.
Officials stated that they intend to deploy a single tracking system to 21
contractors that handle Medicare administration by the end of fiscal year
2012.

Army and NIH have implemented all but three capabilities. Specifically,
they have not fully implemented the capabilities that enable agency
officials to store and route electronic records and to review the case file to
approve redactions and fee calculations, or that allow requesters to track
the status of their request online. Army officials stated that they are


Page 31                      GAO-12-828 Strengthening Agencies’ Management of FOIA
currently in the process of researching systems that will provide these
capabilities. In addition, NIH officials stated that their tracking system
does not perform FOIA workflow processing, such as storing and routing
electronic records. The officials also stated that they are currently in the
process of researching systems that will provide these capabilities.

CBP has implemented all but four capabilities, and DHS/Privacy has
implemented all but five capabilities. CBP and DHS/Privacy have not
implemented the capabilities that enable agency officials to store and
route electronic records, review the case file to approve redactions and
fee calculations, generate system correspondence with requesters, or
allow a requester to track the status of his or her request online. Further,
DHS/Privacy has not implemented a technology capability to calculate
and record processing fees. According to CBP officials, they are in the
process of researching various FOIA systems that have these capabilities
and expect to obligate funds for a tracking system that includes them by
October 2012. DHS/Privacy officials attribute challenges in implementing
the missing technology capabilities to the fact that, at the time the tracking
system was implemented, it fulfilled the general tracking needs of the
office based on a relatively limited number of requests. However, as the
number of requests has increased and the requests have become more
complex, DHS/Privacy has realized the need for a system that can
conduct processing capabilities, such as storing and routing electronic
records. DHS/Privacy officials stated that the office intends to implement
a system that fulfills the missing technology capabilities by October 2012.

Navy has fully implemented only five capabilities. Specifically, it has not
fully implemented a single tracking system or the capability to, among
other things, multi-track and route requests to the responsible office and
generate periodic report statistics. Navy officials attributed challenges to
implementing the missing technology capabilities to their reengineering of
FOIA processes to identify areas of inefficiencies and stated that they
expect to implement a departmentwide system that includes the missing
technology capabilities by October 2012.

Although OGIS, in conjunction with the EPA and Department of
Commerce, identified capabilities to enhance FOIA processing, there is
not a requirement for agencies and their components to ensure that their
FOIA systems implement these capabilities. Nevertheless, without
determining which of the capabilities have the potential to improve their
FOIA processing and establishing plans to implement the capabilities, the
agency components are likely missing opportunities to improve the
efficiency with which they process FOIA requests.


Page 32                     GAO-12-828 Strengthening Agencies’ Management of FOIA
Most Agency Components    Effective IT management practices encourage agencies to share common
Use FOIA Processing       systems to promote interoperability (generally, the ability of systems to
Systems that Do Not       exchange data). 38 However, the agency components we studied within
                          DHS, DOD, HHS, and Justice use FOIA processing systems that do not
Electronically Exchange
                          electronically exchange data. The use of different systems can increase
Data                      the time for an agency component to refer a FOIA request to another
                          agency or to consult with other components in addressing a request
                          because they either have to e-mail, mail, or send paper-based referrals
                          and consultations via courier to other agency components for
                          processing. 39 For example, referrals and consultations within HHS have
                          to be mailed or e-mailed between its agency components, including NIH,
                          FDA, and CMS.

                          Further, OSD/JS officials noted that routing referrals and consultations
                          among and within its components is not automated among their existing
                          systems. Consequently, referrals and consultations within DOD must be
                          mailed or e-mailed between components, including Air Force, Army, and
                          Navy. According to OSD/JS officials, the department currently has an
                          initiative under way to address transferring the documents associated
                          with interagency referrals and consultations electronically: the Enterprise
                          Referral Process Tool. DOD developed the tool to support transmitting
                          documents between its components when there is a need to refer or
                          consult with other FOIA offices on the disposition of a document
                          requested under FOIA. Instead of needing to attach voluminous
                          documents within an e-mail, the documents can be uploaded to an online
                          system and a link to the location of the documents is provided to the
                          recipient. Department officials stated that this system is currently being
                          used throughout DOD. The department has also partnered with OIP and
                          NARA to encourage other federal agencies to use this system.
                          Nevertheless, while this system facilitates the exchange of documents
                          associated with a referral or consultation, it does not address the lack of
                          interoperability among its components’ tracking systems and the fact that



                          38
                            As identified in Chief Information Officers Council, A Practical Guide to Federal
                          Enterprise Architecture, version 1.0 (February 2001) and GAO, Organizational
                          Transformation: A Framework for Assessing and Improving Enterprise Architecture
                          Management (version 2.0), GAO-10-846G (Washington, D.C.: August 2010).
                          39
                            Referrals involve referring the record to the originating agency for its disclosure
                          determination and direct response to the FOIA requester. Consultations involve consulting
                          with that originating agency before responding directly to a FOIA request.




                          Page 33                          GAO-12-828 Strengthening Agencies’ Management of FOIA
              routing referrals and consultations across DOD is not automated through
              existing systems.

              The inability of agency FOIA processing systems to electronically
              exchange data also complicates the compiling of agency annual FOIA
              reports. For example, DOD, DHS, and HHS officials reported that they
              conduct data calls to their various components to retrieve annual report
              data from their various FOIA tracking systems. To address this situation,
              DOD is in the process of developing a unified annual report system that is
              expected to be used by all DOD components to submit and compile their
              annual report data by November 2012. In addition, according to DHS
              officials, they are planning to implement a departmentwide system by
              October 2013. HHS officials stated that they could not provide plans or a
              potential time frame for when this need will be addressed. Further,
              according to Navy and CMS officials, these agency components have
              encountered similar challenges in compiling data for the annual report
              because they have not implemented a single tracking system and must
              compile data from their various subcomponent or contractor systems.

              Officials from DHS, DOD, HHS, and Justice attributed the inability of
              FOIA processing systems to electronically exchange data to the fact that
              there is neither a requirement nor a centralized authority responsible for
              ensuring that FOIA tracking systems are interoperable across and within
              agency components. They also pointed to the fact that implementation of
              FOIA is decentralized and occurs at the agency component level, instead
              of the department level, which contributes to the current environment of
              different, non-interoperable agency component tracking systems.
              Specifically, DOD officials noted that the classified records in the
              component FOIA processing systems preclude them from being
              interoperable with non-classified systems. Therefore, classified systems
              can only be interoperable with other classified systems. This
              notwithstanding, without identifying potential approaches to electronically
              exchanging data among their systems, agencies and their components
              will likely continue to face difficulties in conducting key FOIA activities,
              including processing interagency referrals and electronically compiling
              their annual reports.


              The agency components we studied have taken a variety of actions,
Conclusions   subsequent to the Attorney General’s March 2009 memorandum, to
              improve their FOIA programs. Despite these actions, they have achieved
              mixed results with respect to reducing their backlogs and use of
              exemptions. Agencies’ mixed results with respect to reducing FOIA


              Page 34                     GAO-12-828 Strengthening Agencies’ Management of FOIA
                      backlogs and use of exemptions illustrate the importance of their
                      continuing to take the actions we identified to sustain progress and realize
                      additional improvements in these areas.

                      Agency components are generally making records available to the public
                      online, either in their FOIA libraries or elsewhere on their agency
                      websites, although the records may not be easy for the public to locate.
                      Agency components have employed a variety of approaches, including
                      frequent content reviews, to proactively manage their libraries. However,
                      not all agency components are ensuring that frequently requested records
                      are identified and posted online, which has resulted in a handful of FOIA
                      libraries with little content and may lead to recurring FOIA requests for the
                      same information and the administrative costs of processing them.

                      While the agency components in our review have implemented FOIA
                      processing systems that include best practice capabilities to varying
                      degrees, their systems do not electronically share data. Implementation of
                      the remaining capabilities and enabling the electronic exchange of data
                      among FOIA processing systems present potential opportunities for
                      agencies to improve the efficiency of their FOIA processing.


                      To improve the management of FOIA processing, we recommend that the
Recommendations for   Secretaries of DHS, DOD, and HHS and the Attorney General direct their
Executive Action      respective Chief FOIA Officers take the following five actions:

                      •   Ensure that the agency components within their departments, as
                          needed, take actions—report backlog status, redirect resources,
                          change procedures, and negotiate to simplify requests—to reduce
                          their backlogs of FOIA requests.

                      •   Ensure that the agency components within their departments, as
                          appropriate, conduct training, perform foreseeable harm analyses,
                          complete reviews, comply with the Milner decision, and distribute
                          guidance to reduce their use of exemptions.

                      •   Ensure that the agency components within their departments address
                          the deficiencies in their FOIA libraries by making required categories
                          of records easier to locate, clearly indicating when records in required
                          categories do not exist, and expanding the content of FOIA libraries.




                      Page 35                     GAO-12-828 Strengthening Agencies’ Management of FOIA
                     •   Evaluate whether the agency components within their departments
                         could improve the efficiency of their FOIA processing by implementing
                         each of the technology capabilities that they do not already have.

                     •   Identify and evaluate potential approaches (e.g., enhancements to or
                         replacement of existing systems) for enabling the electronic exchange
                         of data between the FOIA processing systems of the agency
                         components within their departments.



                     We received written comments on a draft of this report from the four
Agency Comments      agencies to which we made recommendations— DHS, DOD, HHS, and
and Our Evaluation   Justice— and from NARA. In these comments, the four agencies agreed
                     or generally agreed with our recommendations. In addition, NARA
                     characterized our report as helpful and said it will greatly assist OGIS in
                     its review activities. The comments of the agencies are summarized
                     below:

                     •   The Director of DHS’s Departmental GAO-OIG Liaison Office stated
                         that the department concurred with our recommendations and
                         described actions DHS has taken or plans to take to address them.
                         For example, the Director stated that the department is committed to
                         reducing the backlog of FOIA requests by implementing actions, such
                         as coordinating and reviewing its components’ FOIA processes and
                         detailing FOIA specialists to components experiencing difficulty in
                         reducing their backlogs. DHS’s comments are reprinted in appendix
                         III.

                     •   The Chief of DOD’s Freedom of Information Division stated that the
                         department concurred with our recommendations and described
                         efforts underway or planned to address them. Among these actions,
                         the Chief stated that the department will evaluate the technology gaps
                         identified by GAO no later than June 30, 2013. The department is also
                         in the process of forming a technology working group to address
                         various technology options. DOD’s comments are reprinted in
                         appendix IV.

                     •   HHS’s Assistant Secretary for Legislation stated that the department
                         concurred with our recommendations and described steps taken,
                         underway, or planned to address them. For example, according to the
                         Assistant Secretary, HHS FOIA officials attended training sessions
                         sponsored by Justice and, in turn, provided in-house training to FOIA
                         analysts on changes in case law and disclosure analysis. Further,



                     Page 36                     GAO-12-828 Strengthening Agencies’ Management of FOIA
    department FOIA officials elicited the support of program staff to
    clarify complex program related issues, which enabled the FOIA staff
    to complete cases involving complex requests quicker. HHS’s
    comments are reprinted in appendix V.

•   The Director of Justice’s Office of Information Policy stated that the
    department generally agreed with our recommendations and
    described actions that OIP has taken or is taking. Among these
    actions, the Director stated that OIP recently designed its FOIA library
    to make the information and guidance it provides to the public more
    user-friendly and easier to locate. The new FOIA library separates
    documents into two functional categories: Operational Documents and
    FOIA-processed Documents. In addition, the Director stated that
    OIP’s website explains to the public that operational documents
    include policy statements, staff manuals, final opinions, and orders.
    The website also explains that the FOIA-processed documents are
    those that have been disclosed in response to a FOIA request and
    have either been frequently requested or have been determined to
    likely be of interest to the public. The Director added that OIP is
    working with all of the department’s components to similarly organize
    their FOIA libraries in a format that will be useful to the public. Further,
    OIP plans to issue additional guidance in the upcoming months on
    proactive disclosures and maintenance of FOIA libraries. Justice’s
    comments are reprinted in appendix VI.

•   The Archivist of the United States said that the draft report highlighted
    factors that can make a critical difference in the success of agencies
    in making records available to the public and pointed out opportunities
    for agencies to take advantage of technology to improve their
    efficiencies in processing requests. According to the Archivist, NARA
    hopes that the FOIA Module, the multi-agency FOIA processing and
    tracking system sponsored by NARA, EPA, and Commerce that will
    launch on October 1, 2012, will lead the way in providing a shared
    service that has the technology capabilities identified by the draft
    report. NARA’s comments are reprinted in appendix VII.

The agencies also provided technical comments, which we have
incorporated as appropriate.


As agreed with your offices, unless you publicly announce the contents of
this report earlier, we plan no further distribution of this report until 30
days from the date of this report. At that time, we will send copies of this
report to the Secretaries of Defense, Homeland Security, and Health and


Page 37                      GAO-12-828 Strengthening Agencies’ Management of FOIA
Human Services, the Attorney General, appropriate congressional
committees, and other interested parties. In addition, the report is
available at no charge on the GAO website at http://www.gao.gov.

If you or your staff have questions about this report, please contact me at
(202) 512-6304 or melvinv@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last page
of this report. Key contributors to this report are listed in appendix VIII.




Valerie C. Melvin
Director, Information Management
  and Technology Resources Issues




Page 38                     GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix I: Objectives, Scope, and
Methodology

              Our objectives were to determine: (1) What actions have agencies taken
              to manage their Freedom of Information Act (FOIA) programs, including
              reducing backlogs and the use of exemptions, pursuant to the Attorney
              General’s 2009 FOIA guidelines, and what have been the results of these
              actions? (2) What actions have agencies taken to make records available
              to the public by electronic means, pursuant to the e-FOIA amendments of
              1996? (3) To what extent have agencies implemented technology to
              support FOIA processing?

              To inform our work, we reviewed our prior reports, FOIA and related
              legislation, policies and guidance issued by the Attorney General and the
              Office of Management and Budget, and best practices compiled by the
              National Archives and Records Administration (NARA) and the
              Department of Justice (Justice).

              To address the objectives, we analyzed published statistics and
              documents, such as agency FOIA reports, and conducted interviews with
              responsible officials at the four federal agencies that received the most
              requests and that collectively received more than 50 percent of all
              requests during fiscal year 2010: the Departments of Homeland Security
              (DHS), Defense (DOD), Health and Human Services (HHS), and Justice.
              Because FOIA processing at these agencies is decentralized to the
              agency component level, we analyzed the policies, oversight, and
              processing activities of each agency’s central FOIA office and of the three
              components of each agency that received the most requests, as
              described below:

              •   The DHS agency components are the Privacy Office (DHS/Privacy),
                  which functions as the department’s central FOIA office, in addition to
                  the U.S. Citizenship and Immigration Service (USCIS), Immigration
                  and Customs Enforcement (ICE), and U.S. Customs and Border
                  Protection (CBP).

              •   The DOD agency components are the Office of the Secretary of
                  Defense and the Joint Staff (OSD/JS), which processes FOIA
                  requests within the department’s central FOIA office, in addition to the
                  Departments of the Army, Navy, and Air Force.

              •   The HHS agency components are the Office of the Secretary
                  (HHS/OS), which functions as the department’s central FOIA office, in
                  addition to the Centers for Medicare & Medicaid Services (CMS), the
                  Food and Drug Administration (FDA), and the National Institutes of
                  Health (NIH).



              Page 39                     GAO-12-828 Strengthening Agencies’ Management of FOIA
•   The Justice agency components are the Office of Information Policy
    (OIP), which functions as the department’s central FOIA office, in
    addition to the Federal Bureau of Investigation (FBI), the Federal
    Bureau of Prisons (BOP), and the Executive Office for Immigration
    Review (EOIR).

For each agency, the four related agency components collectively
accounted for at least half of FOIA requests received by the parent
agency (at least 90 percent for both DHS and HHS).

To determine what actions agencies have taken to manage their FOIA
programs, including reducing backlogs and the use of exemptions, and
what the results of these actions have been, we examined agencies’
annual FOIA reports for the years 2009 to 2011 and Chief FOIA Officer
reports for the years 2010 to 2012. In particular, we analyzed data on
backlogs and exemptions from FOIA.gov. Specifically, we compared
agency component backlogs over time. We also interviewed officials to
determine external factors affecting backlogs, such as changes in
workload, and to identify specific practices that were helpful in managing
backlogs, as well as challenges. For example, we examined periodic
reports, such as monthly backlog reports by FOIA offices to management
to determine what use agencies and components were making of
quantitative data in managing their backlogs. We also analyzed statistics
on agency components’ use of FOIA exemptions from FOIA.gov and
assessed whether agencies were using them less often. We interviewed
agency and component FOIA officials and collected documentation to
determine what specific steps agencies had taken to reduce the use of
exemptions. We reviewed documentation of these steps, including
guidance, training materials, policies, procedures, plans, and objectives
from agencies’ central FOIA offices and agency components. We also
interviewed agency officials to determine what other factors might have
influenced the use of exemptions. Our recent evaluation of FOIA.gov
determined that the data on the website are generally reliable. 1

To determine what agency components are doing to make records
available to the public by electronic means pursuant to the e-FOIA
amendments of 1996, we reviewed the contents of the 16 agency


1
 GAO, Freedom of Information Act: Key Website Is Generally Reliable, but Action Is
Needed to Ensure Completeness of Its Reports, GAO-12-754 (Washington, D.C., June
28, 2012).




Page 40                        GAO-12-828 Strengthening Agencies’ Management of FOIA
components’ websites for the existence of information required to be
posted online. These reviews were conducted between April and June
2012. First, we attempted to locate the four categories of required
information by starting from the agency component’s dedicated FOIA
website; more specifically, the subsection of the FOIA website called
“FOIA library” or “electronic reading room.” If an item could not readily be
found in the FOIA library, we attempted to locate the item elsewhere on
the agency component’s website by using the search engine, or by
browsing through the different sections of the website (e.g., we reviewed
agency components’ Office of General Counsel websites to look for
agency final opinions). During this website review, we attempted to
establish whether or not information corresponding to a required category
was available online; we did not evaluate the merits or adequacy of the
information that was posted. For each agency component, we determined
whether the required information was:

•   available in the agency component FOIA library;

•   not available in the agency component FOIA library, but found
    elsewhere on the agency component’s or agency’s website through
    an independent search;

•   not available in the agency component FOIA library, and not found
    elsewhere on the agency component’s or agency’s website; or

•   not applicable to the particular agency component.

To evaluate the frequently requested records available in agency
components’ FOIA libraries, we reviewed OIP guidance on proper
implementation and management of a FOIA library, reviewed agency
policies and procedures for identifying and managing information in their
library, and viewed the contents of the records that had been posted. We
also interviewed officials at agency components to understand how
records are identified and managed within the library, and how often
library contents are reviewed and updated. In addition, we counted the
number of artifacts posted to the library, or used the library’s search
engine to locate available records.

To determine the extent to which agencies implemented technology to
support FOIA processing, we assessed the capabilities of agencies’
central offices and their components’ tracking systems. We viewed
demonstrations of tracking systems and obtained documentation, such as
user manuals and screen prints. We compared capabilities of these



Page 41                     GAO-12-828 Strengthening Agencies’ Management of FOIA
systems to relevant legislation, policy guidance, and best practices on
improved use of technology (e.g., OPEN Government Act, Attorney
General’s March 2009 memorandum, NARA/OGIS best practices). We
also reviewed agency policies and procedures related to using technology
to manage, track, and fulfill requests. We interviewed agency and OGIS
officials for further information on how they use technology to gather
information on agency plans to implement or enhance FOIA processing.

We conducted our work from September 2011 to July 2012 in accordance
with generally accepted government auditing standards. Those standards
require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions
based on our audit objectives. We believe that the evidence obtained
provides a reasonable basis for our findings and conclusions based on
our audit objectives.




Page 42                     GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix II: Freedom of Information Act
Exemptions

                                      The act prescribes nine specific categories of information that are exempt
                                      from disclosure.


Exemption
number            Matters that are exempt from FOIA
(1)               (A) Specifically authorized under criteria established by an Executive Order to be kept secret in the interest
                  of national defense or foreign policy and (B) are in fact properly classified pursuant to the Executive Order.
(2)               Related solely to the internal personnel rules and practices of an agency.
(3)               Specifically exempted from disclosure by statute (other than section 552b of this title), provided that such
                  statute (A) requires that matters be withheld from the public in such a manner as to leave no discretion on
                  the issue or (B) establishes particular criteria for withholding or refers to particular types of matters to be
                  withheld.
(4)               Trade secrets and commercial or financial information obtained from a person and privileged or
                  confidential.
(5)               Interagency or intra-agency memorandums or letters that would not be available by law to a party other
                  than an agency in litigation with the agency.
(6)               Personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted
                  invasion of personal privacy.
(7)               Records or information compiled for law enforcement purposes, but only to the extent that the production of
                  such law enforcement records or information
            (A)   could reasonably be expected to interfere with enforcement proceedings;
            (B)   would deprive a person of a right to a fair trial or impartial adjudication;
            (C)   could reasonably be expected to constitute an unwarranted invasion of personal privacy;
            (D)   could reasonably be expected to disclose the identity of a confidential source, including a state, local, or
                  foreign agency or authority or any private institution which furnished information on a confidential basis,
                  and, in the case of a record or information compiled by a criminal law enforcement authority in the course
                  of a criminal investigation or by an agency conducting a lawful national security intelligence investigation,
                  information furnished by confidential source;
            (E)   would disclose techniques and procedures for law enforcement investigations or prosecutions, or would
                  disclose guidelines for law enforcement investigations or prosecutions if such disclosure could reasonably
                  be expected to risk circumvention of the law; or
            (F)   could reasonably be expected to endanger the life or physical safety of an individual.
(8)               Contained in or related to examination, operating, or condition of reports prepared by, on behalf of, or for
                  the use of an agency responsible for the regulation of supervision of financial institutions.
(9)               Geological and geophysical information and data, including maps, concerning wells.
                                      Source: 5 U.S.C. § 552(b)(1) through (b)(9).




                                      Page 43                                        GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix III: Comments from the
             Appendix III: Comments from the Department
             of Homeland Security



Department of Homeland Security




             Page 44                         GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix III: Comments from the Department
of Homeland Security




Page 45                         GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix III: Comments from the Department
of Homeland Security




Page 46                         GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix III: Comments from the Department
of Homeland Security




Page 47                         GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix IV: Comments from the
             Appendix IV: Comments from the Department
             of Defense



Department of Defense




             Page 48                        GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix IV: Comments from the Department
of Defense




Page 49                        GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix IV: Comments from the Department
of Defense




Page 50                        GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix V: Comments from the Department
             Appendix V: Comments from the Department
             of Health and Human Services



of Health and Human Services




             Page 51                        GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix V: Comments from the Department
of Health and Human Services




Page 52                        GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix V: Comments from the Department
of Health and Human Services




Page 53                        GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix V: Comments from the Department
of Health and Human Services




Page 54                        GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix V: Comments from the Department
of Health and Human Services




Page 55                        GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix VI: Comments from the
             Appendix VI: Comments from the Department
             of Justice



Department of Justice




             Page 56                        GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix VI: Comments from the Department
of Justice




Page 57                        GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix VI: Comments from the Department
of Justice




Page 58                        GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix VI: Comments from the Department
of Justice




Page 59                        GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix VI: Comments from the Department
of Justice




Page 60                        GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix VI: Comments from the Department
of Justice




Page 61                        GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix VI: Comments from the Department
of Justice




Page 62                        GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix VII: Comments from the National
              Appendix VII: Comments from the National
              Archives and Records Administration



Archives and Records Administration




              Page 63                         GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix VII: Comments from the National
Archives and Records Administration




Page 64                         GAO-12-828 Strengthening Agencies’ Management of FOIA
Appendix VIII: GAO Contact and Staff
                  Appendix VIII: GAO Contact and Staff
                  Acknowledgments



Acknowledgments

                  Valerie C. Melvin, (202) 512-6304 or melvinv@gao.gov
GAO Contact
                  In addition to the contact named above, Mark Bird (assistant director),
Staff             Heather A. Collins, Nancy Glover, Glenn Spiegel, and Freda Paintsil
Acknowledgments   made key contributions to this report.




(310973)
                  Page 65                          GAO-12-828 Strengthening Agencies’ Management of FOIA
GAO’s Mission         The Government Accountability Office, the audit, evaluation, and
                      investigative arm of Congress, exists to support Congress in meeting its
                      constitutional responsibilities and to help improve the performance and
                      accountability of the federal government for the American people. GAO
                      examines the use of public funds; evaluates federal programs and
                      policies; and provides analyses, recommendations, and other assistance
                      to help Congress make informed oversight, policy, and funding decisions.
                      GAO’s commitment to good government is reflected in its core values of
                      accountability, integrity, and reliability.

                      The fastest and easiest way to obtain copies of GAO documents at no
Obtaining Copies of   cost is through GAO’s website (www.gao.gov). Each weekday afternoon,
GAO Reports and       GAO posts on its website newly released reports, testimony, and
                      correspondence. To have GAO e-mail you a list of newly posted products,
Testimony             go to www.gao.gov and select “E-mail Updates.”

Order by Phone        The price of each GAO publication reflects GAO’s actual cost of
                      production and distribution and depends on the number of pages in the
                      publication and whether the publication is printed in color or black and
                      white. Pricing and ordering information is posted on GAO’s website,
                      http://www.gao.gov/ordering.htm.
                      Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
                      TDD (202) 512-2537.
                      Orders may be paid for using American Express, Discover Card,
                      MasterCard, Visa, check, or money order. Call for additional information.
                      Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Connect with GAO      Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
                      Visit GAO on the web at www.gao.gov.
                      Contact:
To Report Fraud,
Waste, and Abuse in   Website: www.gao.gov/fraudnet/fraudnet.htm
                      E-mail: fraudnet@gao.gov
Federal Programs      Automated answering system: (800) 424-5454 or (202) 512-7470

                      Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-
Congressional         4400, U.S. Government Accountability Office, 441 G Street NW, Room
Relations             7125, Washington, DC 20548

                      Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
Public Affairs        U.S. Government Accountability Office, 441 G Street NW, Room 7149
                      Washington, DC 20548




                        Please Print on Recycled Paper.