News about Hillary Clinton’s exclusive use of private emails and a “homebrew” server raised both political and legal issues. I’ll leave the political issues to the pundits, and I’m not an expert in federal records retention requirements. But I thought our readers might be interested in how these issues would play out under North Carolina’s public records law.
Is an email related to public business that is created on a privately-owned device or a private email account considered to be a public record under North Carolina’s public records law?
Yes. The public records law applies to records made or received in connection with the transaction of public business by a public agency. The statutory definition is based on the content of the record, not who owns or paid for the medium or device on which the record exists. And while we may think of the issue primarily as it relates to electronic records, it applies equally to other media. Working at home, I write a legal letter opinion using my own typewriter and paper that I bought with my own money, send it out to a public official in an envelope that I bought using a stamp that I bought. That letter is a public record. The same principle applies to electronic records. There is no North Carolina case on this issue, but if such a case arose, it’s hard to imagine that a court would allow public officials such an incredibly easy way to avoid the strong policy of public access to government records.
The statute talks about records of a “public agency.” When an individual employee or public official creates an email on a private email system, is that a record created by a public agency?
Yes. The statute defines public agency to include “every public office, public officer or official (State or local, elected or appointed), institution, board, commission, bureau, council, department, authority or other unit of government of the State or of any county, unit, special district or other political subdivision of government.” G.S. 132-1 (emphasis added).
Who is responsible for providing access to records created on private email accounts?
A person who has physical custody of a public record has two types of obligations under the public records law: 1) to retain records according to the applicable records retention schedule; and 2) to provide access to the record in the event of a public records request.
Isn’t it only the official “custodian” who is responsible for providing access to public records? Didn’t the North Carolina Court of Appeals recently hold that the person who created an email was not the official custodian of that record?
Yes and no. It’s true that the Court of Appeals has held that in a lawsuit to gain access to records, the official in charge of the office where the record is held is the person who must be sued. The case was Cline v. Hoke. But as I note in my blog post here, I think that case should be read as establishing a requirement for maintaining a lawsuit. It does not address the issue here, which is the obligation of the person who actually has custody of the record. As I describe in the blog post on Cline, other provisions in the law make clear that individuals have responsibilities to retain records and to provide access to them in the case of a public records request.
So does that mean that if I use a private email account or a private device to conduct public business, I have to make my entire account or everything on my device available for inspection by my unit of government for public access?
No. I don’t think there is anything in the law that requires that. Records that don’t relate to public business are not subject to public access.
So it’s up to me to monitor which records must be retained and provide them to my unit of government, or keep them available for the retention period in case of a request.
That’s correct. Maybe your unit of government has a system for forwarding or capturing these records, and maybe it doesn’t. Either way, the unit must have a way to make sure that the retention and public access requirements are met. If you don’t physically transfer the records to the unit, then the obligation must rest with you to retain the records and provide access on request.
Well, how does my agency or the public at large know whether or not I’ve saved all I’m supposed to.
They don’t. And this is precisely the issue that Hillary Clinton’s email practice has raised. The point is not so much the use of private email accounts, as it is the failure to turn public records over as they were being created on those private accounts. And in this respect, there is a difference between my example involving paper and the reality of using email. With paper records, there is typically only one copy. When the letter is sent, there isn’t necessarily a copy held by the sender. And there isn’t any universal requirement to keep a copy of a paper record that is sent to someone else.
When an email is created, by contrast, it automatically exists in more than one place. Even after it is sent, a copy of it exists on the device on which it was made, and another copy exists on a server that runs the system and that may provide a back up in the case of system failure. When a public agency maintains the system, the server provides that agency with the ability to identify, retain, and provide access to the records. Indeed, when agencies have policies to retain all records sent and received using the system, it actually overrides the ability of the individual user to delete records, including those that the user has legal authority to delete.
When a public official or employee uses a private email account for public business, emails sent to the public agency may be available on the agency’s server or in the email boxes of the public recipients. Emails sent to private email accounts of citizens or public officials will not be accessible by the official custodian or the public agency unless the sender or the receiver provides copies to the agency.
What if the public official or employee who uses a private email account for public business refuses to provide access, or actually has deleted records that were required by law to be preserved.
Before we look at the legal issue, it’s important to point out one more time the practical and potentially political problem: there is no way to know whether a person has destroyed a public record unless someone else has a copy or otherwise knows of its existence. Of course this is true of paper records as well as emails and other electronic records.
Can’t the public agency demand access from the private email service that was used to create the email? Isn’t that where we would find the back up copy?
The public agency may not be able to gain access to the private account without the permission of the account holder. A federal law designed to protect the privacy of private information held by private email service providers (like Google or AOL), limits third party access to emails. As described in Kara Millozni’s blog post here, this is particularly challenging when public agencies actually outsource all of their official email to private service providers.
Are there any sanctions that can be imposed on a public official or employee who destroys records?
Yes. G.S. 132-3 makes it a misdemeanor to destroy records without legal authority to do so.
How do I know what records I have authority to destroy?
State law gives the Department of Cultural Resources the responsibility to archive public records and to determine what records must be retained. Under this authority, the State Archives Division promulgates records retention schedules for state and local governments. Public officials and employees may destroy 1) records of short-term value, 2) records for which the required retention period has passed, and 3) records that are not covered by a retention requirement. It’s very likely that most of the emails public employees send and receive do not need to be retained because they are either records of short- term value, or they are not covered by a specific retention requirement. The Archives Division provides written guidelines and training about the proper management and retention of email and other electronic records.
Are there any sanctions that can be imposed on a public official or employee who refuses to provide access to public records that exist on their private accounts or devices?
G.S. 132-6 says, “Every custodian of public records shall permit any record in the custodian’s custody to be inspected and examined at reasonable times and under reasonable supervision by any person, and shall, as promptly as possible, furnish copies thereof upon payment of any fees as may be prescribed by law.” The Cline case might be read to suggest that the duty in the statute only applies to the official custodian. As I argue in my blog post about that case, I think it’s clear that individual public officials and employees have an independent obligation not only to preserve public records that are in their legal or physical possession, but also to make them available. Certainly an employee could be disciplined for failure to provide access to records. In addition, G.S. 132-9 provides that “any public employee or public official found by the court to have knowingly or intentionally committed, caused, permitted, suborned, or participated in a violation of the public records law” may be personally liable for attorneys fees. The obligation to provide access to records also applies to former officials. Under G.S. 132-4, they can be criminally liable for failure to provide access to public records after the expiration of their term of office.