Information Access Request: Preparing and Delivering Sensitive Information Securely

All organizations in British Columbia are obliged under privacy law statutes to receive and respond to requests for access to information. Responding to these requests can sometimes involve complex decision-making about what can, should, or must be disclosed or withheld under the applicable statute. When processing such requests, it is important to focus, not only on what will be disclosed, but also on certain basic, but equally important, steps to ensure that responsive records are securely prepared for disclosure and delivery.

Information access requests have been the topic of much conversation recently due to the recent events surrounding a well-known public institution. The organization received an access to information request for records in connection with the departure of its former president. As certain records contained sensitive personal information, they were carefully analysed and redacted in order to protect the privacy interests of third parties, and in accordance with other applicable exceptions set out in the Freedom of Information and Protection of Privacy Act. The responsive records were then released and proactively disclosed by the organization online. The privacy breach stemmed from a feature of the software tool used by the institution to redact the documents which created an embedded un-redacted record for certain email attachments that were included in the package posted online. In the ordinary course, the organization would “sanitize” the record using this software tool to remove the embedded files. Unfortunately, in this case, that step was inadvertently missed. As a result, within a few days of the material being posted online, it became known that the redacted information from these embedded files had been accessed by members of the public. The records were removed from the organization’s website but not before the contents of those un-redacted records became the subject of media reports.

In the wake of these events, many organizations may now be reviewing their own practices. If your organization is one of these, you may find the recommended best practices outlined in the attached bulletin to be of some assistance. While not necessary in every case, these precautions should be carefully considered when responsive records contain sensitive personal information.

To download the bulletin, please click here.