Students photographing evidence in SUNY Canton’s Criminal Investigation program (Photo credit: Wikipedia)

In the age of Freedom of Information, public sector organisations, including the police, have to be prepared to respond to FOI requests for how they conduct investigations.  For some organisations and some situations, the investigation report is made public such as in a public inquiry.[1] In many cases, the request will relate to an issue of public interest, but in other cases, such as internal disciplinary issues, the case will not attract the public interest. In those cases, the FOIA will be less likely to apply because personal data (s.40 (2) in the UK, will limit the personal data that can be disclosed. However, in cases where the public interest is high, the organisation may have to disclose some if not most its investigation report either under FOIA or as part of another regulatory requirement such as an Ombudsman investigation.[2] With that requirement in mind, it is a good idea to develop an investigation procedure and guidance that will reflect the need for transparency after the investigation is completed. The benefits are twofold. First, you are likely to have a more robust investigation. Second you are likely to be ready to be more transparent with your own organisation and, most importantly should the demand arise, to the public or regulator.

If the organisation is not prepared for FOIA, the way it conducts an investigation can appear to be a cover-up because they fail to follow these 8 steps. In all cases, a balance must be struck between confidentiality, privacy, and the public interest. However, even if the investigation is not to be made public, the steps are important for the organisation to be transparent to itself within the legal confines of confidentiality.

First, draw up clear terms of reference for the investigation. You want the people doing the investigation and those being investigated, or those involved in the investigation, to understand what you are doing, why you are doing it, and how you are doing it. The same would be for a criminal investigation where the subject has to know the crime they are being charged with and what they are under investigation for having done. If you are investigating something by the organisation because of a public complaint, you will need to let the complainant know the terms of reference in principle, even if you cannot provide them all the details in case that may prejudice the investigation. If you don’t provide the terms of reference or the nature of the investigation, especially on a public complaint, you may create an expectation gap between what they think you are investigating and what you are investigating.

After the investigation is completed, or as part of the final report, the terms of reference should be shared with all people involved, with the FOIA caveats regarding confidentiality and prejudice to subsequent or ongoing investigations. In complaints about a service, rather than an individual, you are likely to have the terms of reference implicit in the complaint. If they are not, then it is important to let the complainant know what you are investigating. This is the first step to avoid the appearance of a cover-up. If the organisation does not keep a copy of the terms of reference or never has terms of reference, it can give the appearance of a less than robust approach to investigations. If the investigation is a simple complaint, then the complaint itself will be the terms of reference. In smaller organisations or on basic investigations, this will be the case. Anything involving more than two people will likely need a terms of reference to know what is being investigated and why as well as explaining the priority of interviews to the investigator. All of this is bearing in mind the critical point that during any investigation, the disclosure of information relating to the investigation is on a need to know.

Second, set up a list of questions, themes, or issues that will be explored to express the terms of reference.  The questions should be enough to set the question map rather than a definitive list. The themes or issues that need to be covered could be disclosed if the exact questions may reveal sources and methods that would prejudice an ongoing investigation or prejudice future investigations. The caveats here is if the investigation takes a number of iterations so that questions asked at the first round can influence the second round. As a mentor of mine once said “Questions breed questions”. As questions always lead to more questions so that one cannot determine all the possible issues before they emerge. At the same time, one would have to avoid disclosing any personal data, such as names of people to be interviewed or who has been interviewed if it would prejudice the interview. If a copy cannot be shared because interviews are still being conducted, they should be shared as soon as the interviews are completed and it is not prejudicial to an investigation. In some cases, such as a disciplinary or tribunal the questions may be shared as part of the tribunal process. If the questions are not transparent after the event, it can give the appearance that questions are already determined and the outcome is decided. In other words, you are only asking for what you expect to find. .

After the investigation, the questions may need to be disclosed as part of an FOIA request because the nature of the investigation, especially one in the public interest, would need to be shown to be robust. In a small investigation, or ones that relate to investigations that do not attract a high degree of public interest, the questions or issues can be included in the terms of reference.

Even though the questions can be included in the terms of reference, it is best that they are drawn up separately and informed by the terms of references rather than limited to the terms of reference. The caveat here is if the issue is a minor or small investigation.

Third, set up a timetable when the interview is scheduled to be completed. This does not have to be set out in stone, but it should be specific enough so that that the people know the overall timetable for the investigation. No one likes to be involved in an open ended investigation. Smaller investigations can have this set out clearly as the issue may be easy to resolve. If the organisation cannot give a schedule of when the investigation is likely to be completed, it is a sure sign it cannot plan and it would look like a cover up or a pre-determined outcome is in place. The timeline will help to keep the complainant informed and you can then update them at certain points or report that there is nothing to report if that is the case. This is especially important in complaints about a service.

Fourth, keep a list of the people interviewed and when they were interviewed. If the organisation cannot provide this list, after the investigation as required, it shows that it is not organised nor that the investigation is well structured. Again, the issue here is after the report or the investigation is completed as the FOIA request may ask to demonstrate that the appropriate people were interviewed. If an incident or a complaint involved an officer and they were not interviewed or relevant people were not interviewed, this could prejudice the investigation. If the investigation is not to be made public, the organisation still needs to know for its own transparency and accountability how the investigation was conducted and who was interviewed.

Fifth, include something from the interviews within the report. Otherwise it will appear that the report has not covered all the questions or involved the responses from all the people interviewed. If people are interviewed and they are not included in the final investigation report, that will need to be explained in the report. In some cases it may not be practical or wise to include the names of everyone interviewed especially if there are confidential sources. The issue here is the final report would need to tell the organisation what was found and what needs to be done.

After the investigation, a FOIA request may still require the organisation to withhold some of the report as it relates to personal data or confidential information. If the organisation is interviewing people but does not have a need to include them in the final report, there may be an appearance of a cover up or at a minimum poor organisation. This can be overcome by having a list that is used for the organisation and then redacted for the purpose of disclosure in the public domain.

Sixth, the investigation report should guide the reader from the terms of reference to the recommendations. The reader should be able to follow from the report’s terms of reference through the questions to the conclusions and on to the recommendations. A well written report, leads the reader step by step through this process. If the report does not follow the terms of reference or the recommendation does not fit the questions, then the report will raise more questions than it answers. Thus, a well structured report that is clear will demonstrate better transparency to the organisation and to the public.

Seventh, if the report has recommendations, there should be a follow up action plan that shows how those recommendations are to be addressed. For any investigation report there should be a second report outlining the action plan for the recommendations from the investigation. If this does not exist, the complainant will not be certain you are going to solve the problems that were identified. At the same time, they and others have no way to check that you have done what you have recommended or explained why you could not do what was recommended.

In a smaller investigation, this will not be needed because the investigations recommendations are likely to be the solution to the problem. In a larger organisation or on an issue involving many people, there should be a clear action plan that the organisation can monitor to make sure that it has completed what it promised to do.

Eighth, if at all possible share all of the above or most of the above with the person who made the complaint or raised the issue. At a bare minimum, this will help to avoid the appearance of a cover-up and it will demonstrate you have done what the complainant asked. In a basic customer complaint, you need to tell them what went wrong, why it went wrong, and what you have done to fix it. The complainant may not need to see all the interviews and the investigation, even though the organisation may need that for its own learning.

In more complex cases, if someone is a victim of a crime it would be strange not to tell the victim what the organisation found out and what it will do to make it right. This does not mean they receive the whole report or special access, but that it is best to let the victims know about the outcomes.  For example, once the disciplinary hearings are finished and the investigation report is no longer as confidential as the public interest has changed, then the organisation should consider disclosing the full report or as much as can be disclosed under the appropriate legislation. Again, this is driven by the public interest in the issue or the investigation. At a minimum, the organisation should be prepared to be transparent to the public and to itself.

Internally, the organisation needs to have a process to learn from each investigation with a learning outcomes circulated to all staff, if required, and more sensitive or more detailed information to those with a need to know. For example, if an organisation investigates a fraud case it will publicise that success without great detail for the public or general staff. However, it will likely circulate specific control improvements to those employees that have a need to know about the fraud and its consequences. The purpose of the investigation is to find the problem, fix it or assign blame if required for further criminal action; it should not be to avoid scrutiny or transparency. When the organisation shares information to learn from the investigation, it must still follow the duty of confidence to protect personal data from inappropriate or unauthorized disclosure.

Even if you do not end up sharing the information for legal reasons, you should share it internally so that the organisation can learn from the issue. In all cases a balance must be struck so that you do not disclose so much that you kill the patient but enough that the public, if a public interest issue, and the organisation learn from the incident.

The eight steps might sound like common sense, but many public sector organisations do not prepare their investigations for transparency. As a result, they store up problems because they are neither transparent to themselves or to the public. If they are unprepared for transparency, because they are opaque to themselves, their investigations can appear, even though it is unintended, to be a cover-up because they have not done these steps or have not prepared themselves with the possibility that they would have to disclose information relating to the investigation and its outcome. If an organisation does not follow these steps it will be a good indication that they are not a learning organisation. Most, if not all, of the points will be followed by organisations that want to learn from the complaint or the issue. If it is a small issue or complaint, most of the eight items will be covered by good customer service. In more complex cases, such as police or criminal investigations, the balance needs to be struck because the public interest is strong to maintain the integrity of the investigative process while demonstrating, if only to the regulator, that a robust investigation process works to satisfy the public interest in the process. At a minimum, the eight steps will at least ensure the organisation is transparent to itself even if it is not transparent to anyone else.

I would like to thank Donna Boehme of the Compliance Strategists for comments on an earlier version of this post published as 8 Steps to ensure your investigation does not appear to be a coverup. I wish to thank her for her time and her comments. They improved the post by pointing out some errors and omissions. Any remaining mistakes are my own. 

Compliance Strategists are a leading consulting firm based in the metropolitan New York area, specializing exclusively in compliance, ethics, risk and governance practice.   http://www.compliancestrategists.com/

[1] See for example Serious Case Reviews, when a child dies or a serious outcome occurs in a safeguarding situation, have to be published. They are published with some personal data removed and confidentiality protected as required. However, the point is that they are now published whereas they were not available to the public previously. http://www.familylawweek.co.uk/site.aspx?i=ed59995

On the issue of public inquires and royal commissions in the UK see the following http://www.parliament.uk/topics/Public-inquiries.htm as well as historical examples http://www.nationalarchives.gov.uk/webarchive/inquiries-inquests-royal-commissions.htm On the general issues of a public inquiry see http://en.wikipedia.org/wiki/Public_inquiry

[2] See how the UK local government ombudsman approaches investigations. http://www.lgo.org.uk/guidance-inv/

Related articles

• VA Hides Names of Hospitals Where Vets Died From Delays (iowntheworld.com)
• Tom Udall named in ethics complaint over IRS letter (watchdog.org)
• Why Was the FBI Investigating Michael Hastings’ Reporting on Bowe Bergdahl? (fromthetrenchesworldreport.com)
• Ombudsman action ‘very significant’ (bbc.co.uk)
• VA Scandal Took Off Due To FOIA Request. Is Government Oversight Relevant Any Longer? (mikesright.wordpress.com)