NLPES Question of the Month

April-June 2005:

How have you addressed situations where your access to evaluation data has been challenged? (What are examples of cases in which your access to data has been questioned?   Has this ever delayed your evaluation work or caused changes in the research scope?  How have you overcome these problems?)

Tim Osterstock, Utah

Over the last three years the Utah Office of the Legislative Auditor General has faced a number of information access and reporting challenges.  The most notable challenges have been our review of the state's Judicial Conduct Commission (access) and our review of the Utah Tax Commission's operations (reporting).

For the Conduct Commission, a separation of powers question was raised as to whether or not we could access closed case files.  Without a file review it was not possible to determine the effectiveness of the commission's actions.  The question came from both members of the judiciary and our own legislative counsel.  Audit work continued and resulted in the release of a report, based on the limited information available to us, while the attorneys involved decided what to do.  Ultimately, both sides took the suggestion made months before by our auditors and the commission's staff to request a decision from the Utah Supreme Court.  Four members of the court meet with us and decided that the creation and duties set for the auditor general in the state's constitution far outweighed any statute.  Full access was given and a second report was conducted and released.

Our work with the Tax Commission was somewhat different.  Access to sensitive data was given by the tax commission without any caveats.  However, during the draft review phase of the audit it was determined that information in the report could not be publicly released.  Hence, a very redacted report.  As a result of these trials the Legislature has revamped our controlling statute to clarify that our constitutional authority to access information supercedes the statuary rights of agencies to refuse access.

Priscilla Anderson, South Carolina

State law provides that the South Carolina Legislative Audit Council has access to the records of the agencies that we review. Also, the records of the Audit Council are confidential and we are subject to any statutory confidentiality requirements.

In our review of Inmate Medical Services at the South Carolina Department of Corrections in 2000, we encountered a problem with access to personnel records.  At that time, the department contracted medical services out.  One of our audit objectives involved reviewing the qualifications of contracted staff who provided counseling services to inmates.

When we attempted to review the personnel records of these employees, the contractor would only allow us to review limited documents perceived as what we needed.  We then wrote several letters to Department of Corrections officials informing them that we did not have access to necessary personnel records.  We eventually entered into an agreement with the contractor which allowed us complete access to records.

We included a finding in the report detailing that we did not have access to records for a period.  We recommended that the  South Carolina Budget and Control Board, the state's central administrative agency, include a provision in all requests for proposals to allow access to contractor records for state auditing purposes.

Not having access to the records impacted our time lines.  Correspondence and negotiations between us, the agency, and the contractor took weeks.  We then had to make additional trips outside of our headquarter city to review the records.

Sylvia Hensley, California

Although it sometimes takes a while, we have been successful in obtaining the data we need to satisfy the scope of our audits.  This is largely due to the fact that our right of access is clearly laid out in statute.  However, some strategies we have developed also help.

We use a number of strategies to deal with challenges to access.  To the extent possible we take a proactive approach to avoid protracted challenges.  For example, if we anticipate that access may be a problem on an audit, we generally have an attorney attend the entrance conference to explain our statutory authority.  Our legal office has also prepared a handout regarding access that we can share with the auditee at the entrance conference when our attorney cannot be there in person.  Additionally, to deal with questions regarding access while in the field, each of our auditors carries a card that cites our statutory authority to access records of the auditee.   The statute states in part, “The State Auditor ...shall have access to and authority to examine and reproduce, any and all books, accounts, reports, vouchers, correspondence files, and other records, bank accounts and money or other property, of an agency of the state,, any local governmental entity, ..., and any publicly created entity, for any audit or investigation... Any officer or person who fails or refuses to permit access and examination and reproduction, ..., is guilty of a misdemeanor.”

Although the above measures are generally adequate to avoid protracted challenges to access, sometimes gaining access requires our legal staff to become much more involved, especially when we are attempting to gain access to confidential information and/or we are dealing with nongovernmental entities.  For example, a recent audit required us to obtain confidential information from a health plan and some private hospitals.  To secure access to this data, our legal staff negotiated a Memorandum of Understanding with each of the entities involved.  Although time-consuming for our attorney, this allowed us to obtain the information we sought while not significantly delaying the audit.

Additionally, the State Auditor has statutory authority to subpoena information, a method we have rarely, if ever, used for audits.  When all the above measures fail, we can seek access through the courts; however, we have not had to use this avenue to date.

We cannot recall an instance when we have had to modify our scope because we were unable to obtain the necessary data.

Joel Alter, Minnesota

Our office has long had statutory authority that, in our opinion, provides access to whatever information we need to do our job.  Still, it is not uncommon for agencies to question or challenge our authority to certain information.

In recent years, we have frequently heard challenges from agencies that think that sharing data might violate federal law.  For a study of our state’s tuition reciprocity program with neighboring states, we wanted to obtain student identifiers so that we could determine whether reciprocity students from other states remained in Minnesota to work after graduation.  Our Attorney General’s office questioned whether the federal Families Educational Rights and Privacy Act prohibited disclosure of such information to our office.  For other studies, some agencies have questioned whether the federal Health Insurance Portability and Accountability Act or other federal laws limit our access to certain data.

Also, some of our state data practices statutes contain very specific provisions about who should have access to certain data, and agencies have questioned whether these specific provisions “trump” our general statutory access.

Our strategy for obtaining data has been threefold.  First and foremost, we assert that our general statutory language is sufficient to provide us with access to whatever information we need.  The Legislature recently clarified the statute, at our request, to specify that we have access to whatever “data” we need, thus supplementing the statute’s references to “books, accounts, documents, and property.”  The Legislature also clarified that we have authority to review data “of any classification.”

Second, in some recent instances, we have entered into “agreements” or memos of understanding with agencies to clarify data access.  In our view, agencies are obligated to provide us with data, even without such agreements.  Thus, we have entered into these agreements with some reluctance, sometimes to provide the agency with a comfort level, or to provide the agency with a document that it can give to persons (such as federal officials) who may raise questions about how the agency has handled sensitive data.  In no case have these agreements constrained our access to data.

Third, as a last resort, we have sometimes worked with legislators to obtain specific statutory language that clarifies our access to certain sensitive data in a specific topic area.  Again, we think this is unnecessary, given the general authority of our office to access data.  But we have occasionally found that such specific authorizations are useful, especially in cases where we will have to deal with a variety of local subdivisions (such as counties or school districts) that may not be familiar with our office.

We often remind agencies of our own obligation to protect nonpublic data from disclosure, and we have adopted policies and practices to prevent unintended disclosures.

At times, challenges to our office’s authority have delayed the early stages of studies.  In no case, however, have data challenges entirely prevented us from completing an evaluation report.