Control measure: Processes to properly consider whether to withhold or redact information relating to the person or a third party are in place.
Risk: Failure to properly consider exemptions or redactions, or prevent disclosure of information relating to other people or third parties, could result in a personal data breach or reputational damage.
Ways to meet our expectations:
- Document how to apply exemptions, including redacting third party information, clearly in the relevant policies.
- Ensure staff apply exemptions and redactions appropriately and correctly.
- Ensure a senior staff member reviews and authorises exemptions and redactions (or a sample of them).
- Provide specialised training for staff who apply, review or authorise exemptions.
Options to consider:
- Produce anonymised examples of exemptions and redactions as training aids for staff.
- Produce quick reference guides for staff.
- Review training content regularly to keep it up to date.
- Check that staff feel knowledgeable about exemptions and redactions and feel supported to apply them.
Control measure: A consistent approach is taken to removing confidential or third-party information from information provided in response to requests.
Risk: If exemptions and redactions are applied inconsistently or to different standards, confidential information may be inappropriately disclosed, resulting in personal data breaches or complaints.
Ways to meet our expectations:
- Implement an appropriate redaction method.
- Review or sample exemptions and redactions to check staff are taking a consistent approach.
- Keep records of all redactions to capture who did the redaction, the date, and the justification.
- Retain these records for reference, in line with the retention schedule.
Options to consider:
- Procure electronic redaction software.
- Add a general explanation of why information might be redacted to your template text for letters and emails.
- Produce specific template text for exemptions that you frequently apply, so you communicate exemptions consistently.
- Add a peer review stage within your redactions and exemptions process to promote consistency.