Testimony of Mary Ellen Callahan, Chief FOIA Officer and Chief Privacy Officer, Privacy Office, Before the United States House of Representatives Committee on Oversight and Government Reform on "Why Isn't The Department of Homeland Security Meeting The President's Standard on FOIA?"

Rayburn House Office Building

Good morning Chairman Issa, Ranking Member Cummings, and distinguished Members of the Committee. My name is Mary Ellen Callahan. I am the Chief FOIA Officer and Chief Privacy Officer at the Department of Homeland Security. My office administers policies, programs and procedures to ensure that the Department complies with the Freedom of Information Act (FOIA)¹ and the Privacy Act,² respectively. I appreciate the opportunity to appear before you today to discuss the Department of Homeland Security's (DHS) FOIA process and policy both past and present and to clarify misconceptions regarding the Department's significant FOIA review process.

DHS has approximately 420 full time equivalent federal employees devoted to processing FOIA requests, and we take our mission of openness and responsiveness very seriously. As I stated in my written testimony to this committee last year,³ these FOIA professionals have done an extraordinary job in addressing FOIA backlogs as well as engaging in an unprecedented initiative to proactively disclose frequently requested records and items of public interest.

Two years ago, the Department faced a backlog of more than 74,000 FOIA requests. Under this Administration, we have reduced the backlog by 84 percent, or more than 63,000 requests. In fiscal year (FY) 2010 alone, DHS reduced its backlog by 40 percent, eclipsing both the government-wide Open Government Directive's instruction to reduce the FOIA backlog by 10 percent each year, as well as DHS's own Open Government Plan's goal of a 15 percent reduction for the fiscal year. In those past two years, we also reduced the average time it takes to process FOIA requests in our system by 58 percent, from 225 days to 95 days. Remarkably, we have been able to reduce this backlog, and accelerate response times, while processing an incredible number of new FOIA requests. In FY 2010, DHS received 130,098 FOIA requests - more than any other federal department, and 22 percent of all FOIAs received by the federal government - and processed 138,651 requests, also more than any other federal department.

In FY 2010, of those more than 138,000 requests processed, approximately one half of one percent were deemed 'significant' by career FOIA officers according to standards established at the Department in 2006 regarding major FOIA requests that may have a significant public interest. Examples included requests involving significant ongoing litigation, requests relating to sensitive topics, requests made by the media, and requests relating to Presidential or agency priorities. In these relatively few cases, senior Department management was provided an opportunity to become aware of the contents of a release prior to its issuance to the public, primarily to enable them to respond to inquiries from members of Congress and their staffs, the media, and the public and to engage the public on the merits of the underlying policy issues. I am not aware of a single case in which anyone other than a career FOIA professional or an attorney in the Office of the General Counsel made a substantive change to a proposed FOIA release. Further, to my knowledge, no information deemed releasable by the FOIA Office or the Office of the General Counsel has at any point been withheld and responsive documents have neither been abridged nor edited.

The roots of this significant FOIA policy lie not with this Administration, but with its predecessor. Beginning in 2005, the DHS FOIA office began identifying significant FOIA requests pursuant to objective standards⁴ and providing notice of them to senior Department management in a weekly report. In 2006, submission guidelines for what constituted a ‘significant FOIA' request were officially established by the DHS Privacy Office, and the current Administration has basically followed suit.⁵

Discussion between the Privacy Office and senior Department management about how to increase awareness of significant documents began after several significant FOIAs were released at the beginning of the new Administration without notice to senior management. These significant FOIA responses related to ongoing litigation, records from the previous Administration, and records from other Departments, among other issues. This basic lack of awareness of significant FOIA responses presented challenges to the Department's ability to effectively respond to inquiries from the media, Congress and the public, inhibiting senior leadership's ability to fulfill its responsibility to manage the Department and to engage the public on merit-based discussions related to the associated policy issues.

As a result, the Department developed a process during the fall of 2009 by which senior Department management were made aware of significant FOIA requests and planned releases. As explained above, the determination of which FOIA releases were deemed significant and thus subject to this awareness process were made by career FOIA officials. While the review period was set at three days, that goal unfortunately was not always met due to the urgency of other priorities and some FOIA releases were delayed. This was particularly true in early 2010, in the wake of the attempted terrorist attack on Christmas Day and other incidents that necessarily drew the attention of senior management away from regular day-to-day activities and deadlines.

In the spring of 2010, recognizing that enhancements to this review process were needed to ensure that the appropriate awareness was provided to senior management in a manner that allowed prompt processing of FOIA requests, Departmental leadership and the Privacy Office collaborated to develop an improved system. Under this improved system, significant FOIA releases are uploaded to an online intranet-hosted, role-based SharePoint site to which senior Department management have read-only access, originally three days in advance of release. This was done in order to allow officials from the Department's offices of Legislative Affairs, Public Affairs, Intergovernmental Affairs, and the Office of the Secretary to review the documents simultaneously, and when inquiries are made. FOIA responses are automatically sent out after the review period has expired, unless one of the reviewers or a FOIA officer identified a problem with the FOIA response. To my knowledge, the identification of inconsistencies or inappropriate redactions or disclosures has occurred only a handful of times in the nine months since the SharePoint notification system was implemented.

To my knowledge, at no point during this awareness review process did anyone other than a career FOIA professional or an attorney in the Office of the General Counsel make a substantive change to a proposed FOIA release or a substantive determination regarding what should be released or redacted. While there is no doubt that this awareness review at times took longer than anticipated, the issue of delay in responding to some FOIA requests must be evaluated in its larger context. Since the implementation of this awareness policy, the average number of days it takes the Department to process a FOIA request has decreased significantly – from 240 to 95 days, a record of which the Department is rightfully proud.

Despite some management challenges in developing this new system, we believe significant progress has been made by establishing the SharePoint site. We have continually tried to improve this process to ensure the Department is as responsible and responsive as possible. We have been and remain mindful of the Attorney General's March 2009 guidance that "open government requires agencies to work proactively and respond to requests promptly" and that "responsibility for effective FOIA administration belongs to all of us—it is not merely a task assigned to an agency's FOIA staff." (emphasis mine)

In fact, we continue to improve the system; DHS has now moved to a one-day awareness review for significant FOIA responses. Substantive determinations regarding application of FOIA law and exemptions will continue to be made by FOIA professionals or attorneys in the Office of the General Counsel.

We are proud of the strides we have made in this effort, but we also acknowledge that there is always room for improvement; we welcome the Committee's suggestions to improve our process. To best facilitate any recommendations from the Committee, let me set forth our current procedure for responding to all FOIA requests:

1. DHS receives a request for information under the FOIA.
2. The request is logged by the relevant component FOIA office, and reviewed for compliance with DHS regulations and to ensure it reasonably describes the records sought (i.e., that it is perfected). If the request is not perfected, the FOIA professional corresponds with the requester to seek clarification of the scope of the request; once the request is perfected, the FOIA professional sends an acknowledgement letter to the requester.
3. Career FOIA professionals then determine whether or not the request is significant using criteria and factors that have not changed materially since 2006.
4. Information about significant requests, including the actual request letter and a summary, is submitted to my office – the DHS Privacy Office – which consolidates significant requests and reports them to DHS senior management on a weekly basis for awareness.
5. The relevant FOIA Office tasks out the request to a component, group or subject matter expert(s) within the Department who may have responsive federal records according to the information requested and the scope covered.
6. Federal records from the subject matter experts or identified parties that are responsive to the request are returned to the FOIA Office from which it was tasked.
7. Career FOIA professionals review the response and identify appropriate legal exemptions (for law enforcement, national security, privacy and pre-decisional considerations, among other things as defined in the law).
8. After the DHS subject matter expert (custodian of the federal records) confirms the final response is appropriate, the FOIA professional then prepares the information for release – including a letter and explanation of various exemptions.
9. In many DHS components and offices, attorneys from the Office of the General Counsel review the proposed response prior to release to confirm that all redactions and disclosures are being made appropriately.
10. FOIA releases are reviewed and approved by a FOIA manager.
11. Non-significant FOIA releases (99.5 percent of releases) are released to the requester. Significant FOIA releases are uploaded into a SharePoint system for a limited awareness review period – now one business day – and then automatically released by the relevant component FOIA office back to the requester.

In conclusion, it is my sincere hope that through the Department's actions to date – including implementing a FOIA process that leads the federal government in disclosure – and by appearing here today we will clear up any lingering misconceptions on this topic. As is the case at any agency, establishing new procedures is not always seamless and sometimes minor delays are unavoidable as you seek to fine-tune processes. These refinements have helped us establish the current system, which is more effective in confirming that FOIAs are processed in a timely manner while ensuring that senior management is made aware of significant FOIAs. The Department understands that a strong, collaborative relationship with Congress is crucial to the overall success of the Department and we look forward to working with the Committee to further refine and develop our FOIA processes. I welcome your recommendations and would be happy to answer your questions.

^1. 5 U.S.C. § 552.

^2. 5 U.S.C. § 552a.

^3. This testimony is available at www.dhs.gov/news/2011/03/29/written-testimony-priv-house-oversight-and-government-reform-subcommittee.

^4. All DHS Privacy Office memoranda on significant FOIA requests are available in the DHS FOIA Library at www.dhs.gov/foia.

^5. The 2006 Submission Guidelines are available at: www.dhs.gov/xlibrary/assets/foia/priv_foia_cabinet_report_submission_guidelines_20060804.pdf. The 2009 guidelines are available at: www.dhs.gov/xlibrary/assets/foia/priv_cfoiao_memo_cabinet_report_foia_guidelines_20090707.pdf.