UODO 2026 audit plan: how to prepare your office to verify anonymization and compliance with GDPR

The UODO announces inspections for 2026, in which one of the areas of verification at the LGU is expected to be the BIP - in particular, the anonymization of data and the release of municipal council sessions. If you want to see how to prepare your office and ensure compliance with GDPR in publishing documents, read the article.

Jakub Karonski

What can the UODO verify in the context of the BIP?

The scope of the audit includes:

“Entities operating the Public Information Bulletin – the manner of processing personal data in connection with the implementation of the obligation to maintain the BIP, in particular with regard to the anonymization of data and providing access to the proceedings of the sessions of the municipal councils.”

This poses a very specific challenge for LGU, and it’s not just about anonymizing before publication.
It must also be shown that the process is properly designed, repeatable and controllable.

Two responsibilities to be reconciled

In practice, this means reconciling two obligations:

  • obligation to provide public information,
  • obligation to ensure the protection of personal data.

The GDPR explicitly provides a mechanism for “weighing” these values.
It indicates that disclosure of personal data in public documents should be done in accordance with EU or Member State law.
This is to be done in a way that reconciles public access to documents with the right to data protection. (GDPR, Recital 154)

Why is anonymization “by eye” a risk?

In many units, anonymization is still done manually, which increases the time it takes to publish documents.
This is most often done by editing the PDF directly, without a fixed and repeatable pattern.
Blurring portions of the image is also often used, as it seems to be a quick solution.
Applying masks or alterations to scans is also common, especially with archival documents.

This approach is sometimes effective on an ad hoc basis, but it does not ensure security in every case.
From the perspective of an audit by the UODO, there are two problems that are worth clearly identifying.
The first is the risk of publishing redundant data, i.e., data that is unnecessary for the purpose of publication.
As a result, information that should not have made it to the BIP may be disclosed.
The second problem is the lack of accountability of the process, which makes it difficult to demonstrate compliance with the GDPR.
It is then difficult to prove who prepared the document before publication, and under what procedure.

What does GDPR explicitly require?

Meanwhile, GDPR requires:

  • data minimization (GDPR, Article 5(1)(c)),
  • processing in a manner that ensures integrity and confidentiality (GDPR, Article 5(1)(f)),
  • demonstration of compliance by the controller (GDPR, Article 5(2)).

The practice of BIP inspection rarely ends with the question: “did you blur the ID number in the document”.
The question of process is much more common, as the way the office operates also matters.

The auditors check whether the office has a procedure and evidence of the actions performed on documents.
There is also the question of whether the anonymization is performed continuously, and in a measurable way.
Equally important is whether the entire process can be reproduced when doubts arise.

How to prepare your office for a BIP audit: a process approach

1) Standardize publication and anonymization rules

The key is to write down and implement a unified approach.
In practice, it is worth establishing:

  • what types of documents we publish,
  • which elements are always subject to anonymization,
  • who is responsible for verification before publication.

This approach directly supports the principle of “privacy by default” and organizes the activities of the office.
This means processing by default only data necessary for the purpose. (GDPR, Article 25(2))

2) Keep data to a minimum

In the context of the BIP, the most common mistake is not the lack of anonymization in public documents.
Much more often, the problem is publishing too much data in the materials made available.
This applies to both main documents and attachments, which often contain sensitive information.

The GDPR explicitly indicates that the data should be adequate and relevant to the purpose of the publication.
They should also be limited to what is necessary. (GDPR, Article 5(1)(c))

In practice, this means you need to build a publication check-list for each type of document.
You also need rules for assessing whether information really needs to go to the BIP.

3) Ensure accountability (evidence of performance of activities)

What matters in an audit is the ability to demonstrate action, not just the mere declaration of compliance by the office.
The office must show that it is acting in accordance with the rules, as this reduces the risk of violations.
It must also be able to document this, so that if questions arise, it can show concrete evidence of action.

The GDPR explicitly requires compliance to be demonstrated. (GDPR, Article 5(2))
The administrator is also required to implement appropriate technical and organizational measures throughout the process.
These are to ensure compliance of the processing and enable it to be demonstrated. (GDPR, Article 24(1))

In practice, “accountability” in the BIP area means, among other things:

  • a trace of who prepared the document,
  • a trace of who approved the anonymization,
  • information about when and in what project the document was processed,
  • the possibility of reproducing the course of preparation for publication.

4) Ensure process security (not just publication)

Control at the BIP also includes the security of working with documents and the way they are prepared for publication.
It is about both organizational and technical security, which reduces the risk of disclosure.

The GDPR requires the implementation of measures to ensure an adequate level of security, consistent with the level of risk. (GDPR, Article 32(1))
Among other things, it is required to ensure the confidentiality and integrity of data at each stage of the process.
It is also required to regularly test the effectiveness of security measures. (GDPR, Article 32(1)(b-d))

For LGUs, this means, among other things:

  • access control to work documents,
  • limiting authority to those implementing the publication process,
  • the elimination of uncontrolled file circulation.

How can Bluur help you prepare for a BIP audit?

It is worth looking at Bluur more broadly than just as a “tool for blurring” parts of documents.
It can be part of the implementation of an iterative anonymization process, as required by the office.
It can also support the preparation of documents for publication, especially with a large volume of material, including the control, verification, and accountability of activities, which are key during an audit.

1) Process work in projects and teams

Bluur allows you to organize work in projects, which organizes activities and makes supervision easier.
It also allows you to manage your team, so you can clearly distribute responsibilities in the process.
It allows you to separate documents into your own and shared documents in a project, without mixing file versions.

For the office, this means reduced workflow, so less risk of errors.
Work is done in a controlled environment with defined roles, so it’s easier to stay organized.
This is better than transferring files “between boxes,” where consistency and control are difficult.

2) Automatic detection of data requiring anonymization + configuration of schemes

The system provides a preview of the document, so the user can see the content before publishing.
It also shows automatically detected elements to be anonymized, which speeds up work on documents.
It also lets you define custom fields, so the office can tailor the process to its needs.

In the context of BIP, it is important that Bluur classifies the detected information in a structured manner.
This includes, among others, identifying data such as name, surname, PESEL and document number.
The system also recognizes contact and address data, which often appear in attachments.
It also detects signatures and seals, which reduces the risk of publishing sensitive data. (In addition to those mentioned, the system detects up to 32 categories of data in total.)

This facilitates a consistent approach to anonymization, regardless of the type of material published.
This applies to typical documents that regularly go to the BIP as part of the office’s work.

3) Verification before approval and recording the result in the project

Bluur supports a mode of operation in which anonymization is approved before the document is published.
The result can be saved in the project, so it is easier to keep order and history of changes.

This strengthens the quality of the process, as each document undergoes inspection before release.
The office has the ability to verify before the final step, which increases the security of publication in the BIP.
This reduces the risk of publication without inspection, and also reduces errors due to haste.

4) History of operations: The foundation of accountability in control

In control, it is crucial to be able to demonstrate the process, and therefore its full transparency.
The process must be performed in an orderly manner so that the office can easily reproduce it.

Among other things, Bluur keeps a history of anonymization, which makes it easier to analyze activities in the project.
The system also saves the history of editing a document, so you can see the steps of preparation.
This includes information about who created the document and who anonymized it and when.
The system also saves information about deletion of the source document, which organizes the workflow of files.
It also saves information about complete deletion, if such a step was performed in the project.

Such a history of activities supports the principle of accountability. (GDPR, Article 5(2))
It also facilitates the preparation of answers to control questions on the preparation of documents for publication.

5) Document retention and storage limitation

In administration, a significant risk is the accumulation of working files that remain in circulation for too long.
Copies and “transient” materials are also a problem, as they often do not have clear maintenance rules.
In practice, there is also a lack of specific retention time, which makes it difficult to control the office’s resources.

In Bluur, users have optional automatic retention within the project.
It is possible to delete original documents after a certain period of time, according to established rules.
It is also possible to delete all documents after a period of time, so as not to accumulate unnecessary data.
This supports the principle of retention limitation. (GDPR, Article 5(1)(e))

6) Supporting the safety of working with documents

Among other things, the system encrypts data in transit in compliance with the TLS 1.3 standard.
It also employs logical isolation of client environments in a multi-tenant architecture to reduce access risk.
These are essential elements for data processing security. (GDPR, Article 32)

What realistically makes a difference in BIP control?

If the audit concerns “the way data is processed in the BIP,” the office must demonstrate how its process operates.
This is especially true for anonymization, as it directly affects the scope of published data.
This also applies to the release of municipal council sessions, where personal data of participants appear.

The safest approach in LGU is usually based on three pillars that organize the entire process.

  • Data minimization means that we only publish what is necessary. (GDPR, Article 5(1)(c))
  • Process security includes adequate organizational and technical measures, consistent with the level of risk. (GDPR, Article 32)
  • Accountability and evidence means being able to demonstrate compliance in case of audit questions. (GDPR, Articles 5(2) and 24(1))

In this view, a tool like Bluur can act as a real process support in the office.
It organizes the work of the team, since documents are assigned to projects and user roles.
It helps detect data for anonymization, so work is faster and less prone to errors.
It provides a verification step, which reduces the risk of publishing a document without quality control.
It builds a history of activities and retention logic, so it is easier to demonstrate the course of publication preparation.
