A Balancing Act
Legislation guiding freedom of information rights is increasingly being introduced all over the world. Aimed at making public bodies more accountable, it generally serves to give individuals a right of access to publicly held documents.
Common principles of freedom of information typically include:
• The provision of access to records held by public bodies;
• The specification of limits to the disclosure of information in certain circumstances;
• Provisions for the review of decisions made that affect access and privacy rights.
Freedom of Information and Privacy Acts together represent a balancing act in the promotion of openness in Government via disclosure of publicly held documents.
While adhering to the Privacy Act, Privacy professionals have the added responsibility of accurately and efficiently disclosing data, both as requested and proactively. This additional layer tasks these professionals with ensuring that their agency is able to provide relevant data to other government agencies, the media and individuals without sacrificing individual privacy.
Protection of Privacy
Privacy legislation typically regulates the collection, use, disclosure and retention of personal information. Personal information may be collected by a government body or organization if it is collected for legitimate purposes, such as when it is necessary for the operation of a certain program or when it is collected for the purpose of law enforcement or crime prevention.
Under privacy legislation, individuals have the right to access their own personal information (also known as Personally Identifiable Information (PII)). PII is generally understood to include (but is not limited to) such details as name, address, race, personal history, social security number and other assigned identifiers.
The right for citizens to access their personal information is an important privacy protection issue, allowing individuals to determine exactly what personal information is held by an organization, as well as the accuracy of the information. When errors are discovered in this data, a correction or amendment can be filed to provide accuracy for the record.
PII is subject to being withheld from documents meant for release to anyone other than the citizen it relates to.
Information included in PII is protected for good reason. An individual’s PII can easily be used to steal their identity or damage their credit, and can cause financial ruin or years of paperwork and potential lawsuits. It is for this reason that Privacy professionals must not take the weight of their responsibility lightly, serving citizens by protecting their privacy.
Throughout the process of managing and disseminating data, an agency must adhere to the highest of standards to ensure that data remains safe. When due diligence is executed, and organized systems are in place, data security can be achieved.
While the right of an individual to access his information is a measure of transparency, this right can be limited by certain exemptions. These exemptions can include:
• Personal information of a secondary individual, i.e. someone other than the requester (mandatory)
• Attorney-client privileged information (discretionary)
• Proprietary information (discretionary)
• Law enforcement information (discretionary)
• Information that could potentially harm another individual (discretionary)
When an exemption applies to specific information an individual has requested, that information is withheld from the report. A large number of exemptions are discretionary; it is therefore up to the request processor to determine which, if any, exemption(s) will be used.
Keeping up with Demands
The demand for access to information has increased dramatically with the advent of the Internet. As the number of requests for information continues to rise, the risk of a privacy breach increases proportionately. As a result of the time constraints placed on Access and Privacy professionals to meet mandated timelines, the opposing forces of access and privacy demand constant attention to maintain the proper balance.
With a constant stream of requests coming in from many sources, and the corresponding risk of data breaches, Access and Privacy professionals must take unprecedented precautions to ensure sensitive and exempted information is withheld and no information is disclosed unknowingly.
In the public sector, information requests are heavily regulated, and generally must be addressed within a legislated time frame. Fines and litigation are becoming more pervasive in an attempt to enforce responsiveness.
Private sector organizations are subject to public scrutiny when they are seen as uncooperative or irresponsible with information. This translates to lost trust and disfavor in the eyes of clients and prospective customers.
With increased demands comes the increased need for proper processes and systems to ensure compliance with legislation and public expectation. Proper safeguards are required to ensure sensitive information is withheld in a secure manner when required. Traceability and auditability become paramount in an environment where an increasing number of organizations must defend themselves for missed deadlines, mounting request backlogs and data slips.
Real World Need for Reliable Solutions
In a recent case, a Transportation Security Administration (TSA) manual was improperly redacted and posted online. When it was hacked to reveal the redacted contents, the security breach made national headlines, and the risks of non-secure electronic redaction were made evident. Without the proper review process, and a standardized, fail-safe method of redaction, the “redacted” information was easily revealed by even the most novice computer user. While this case falls into the realm of national security, the same responsibility for the secure removal of data is necessary to maintain privacy.
TSA is a high profile agency, due to its role with the Department of Homeland Security. As such, it has high security demands, and a high volume of requests. Their process failed them, but solutions to their challenges do exist.
Automating Access and Privacy
More and more access and privacy professionals are embracing process automation to manage freedom of information and privacy request handling.
The right electronic redaction software will add security and efficiency to the data removal process by enforcing a standardized electronic process and offering built-in safeguards to prevent the unintentional release of information. It will produce tamper-proof documents to ensure the utmost confidence in the security of information. It will alert users to ensure that documents have undergone proper review prior to release and no content has been missed. Further, electronic redaction management systems save time by reducing repetitive work, identifying and then processing similar or duplicate requests.
An automated request tracking system, used effectively, can mitigate the risk of data breaches and ensure information requests are processed as efficiently as possible. Storing all case handling activity in a central repository can help to ensure that no details are missed, and that consistency is applied in the treatment of requests from one to the next. This also helps to ensure actions can be defended in the event of appeals. Dashboards and reports can ensure that high priority and high profile cases receive the attention they need. Having a snapshot of the current overall status of operations is key in identifying pitfalls before they occur and maintaining operational efficiency.
For nearly 20 years, Privasoft has been delivering software and services to automate case management and electronic redaction in the public sector and regulated industries. Privasoft customers must comply with legislative, regulatory and internal requirements and are represented in health care, law enforcement and all levels of government. They rely on Privasoft to capture, analyze, track, process and report on case work related to information disclosure processes. Privasoft is a Microsoft Certified Partner with offices in Ottawa, ON, Arlington, VA and Brentford, Middlesex.
For more information about how Privasoft helps to ensure successful and secure privacy and freedom of information operations, visit www.privasoft.com.