NLPES Question of the Month


How do you ensure that sensitive information collected for your evaluations is not exposed to public view?  (Does state law allow you to keep certain work papers confidential?  Do you redact documents that you think should not be available for public review?  How do you determine which work papers will not be public?)

Rick Riggs, Kansas

I had initially posed this question because my office was searching for a way to make survey respondents, interviewees, and others with potentially useful information feel safer and more comfortable with sharing that information with us.  Because Kansas is an open-records state, our open-records law gives us relatively few ways to shield sensitive information.  Under the Kansas Open Records Act (KORA), all workpapers that support our audit findings become public after the audit report is issued, except for information that is confidential or privileged by law or that can be discretionarily closed under one of the exemptions in KORA.  Documents and other materials collected or prepared that do not support our audit findings are discarded in accordance with a records retention schedule we’ve adopted.

The primary problem we face is with information we solicit from employees through surveys or formal interviews—documents that are included as part of our audit workpapers.  Over the years, State employees have told us they often don’t feel they can be candid in surveys and interviews about the problems they perceive in their agencies because those documents become public records and officials from their agencies can review them.  Even when surveys aren’t signed, agency officials often can figure out who the respondent was.

Under KORA, we can discretionarily close some information we receive during audits (e.g., allegations of violations of law, material sent to us by a person acting as a private individual, or material that's a clear violation of somebody’s privacy.  But for one reason or another, in many situations using these exemptions would be a stretch, or simply not appropriate.

The possible solutions we proposed to our committee were:  amend the committee’s rules to give us discretion to permanently redact select information from our workpapers, or amend our law to allow us to discretionarily close (make confidential) such information.

Our committee met in June, and decided to consider our request, but it took no action.

Ken Levine, Texas Sunset Commission

All our workpapers are not subject to disclosure.  While, in our opinion, the papers have always been closed, the law was not clear until last session.  We asked the Legislature to clarify it, and they did.  The papers are closed.

Since then, someone has had the all-too-bright idea of asking an agency under review for copies of data etc that had been provided to us in support of a specific topic.  This raises the question of whether an item is an open record if the agency kept a copy of what they provided to us.  Interesting approach whose answer has not been determined yet.

Greg Fugate, Colorado

Under Colorado law all of our workpapers are strictly confidential, unless specifically approved for disclosure by a majority vote of the Legislative Audit Committee (the same committee that releases our audit reports to the public).  If approved for release, only those workpapers that the Legislative Audit Committee votes to disclose are made available.  In such an event, any information that is otherwise held confidential under State or federal law would be excluded prior to release.  The public release of our work papers is a rare event and it would take extraordinary circumstances for this to occur.

Darin Underwood, Utah

The Utah Office of the Legislative Auditor General has had several recent experiences with redacting and with non-public work papers.  The following experience is just one of these recent experiences.

For the first time in our office’s history, we issued a report with redacted statements.  This was report 2003-08 (“A Performance Audit of the Utah Tax Commission’s Division of Taxpayer Services”).  While the reasons for each individual redaction are complex and varied, the main reason we redacted was to ensure that the Tax Commission’s collections methodologies would not be publically disclosed because this would interfere with collections (Utah Code allows for such documents to be “Protected” as determined by the care taking agency.)

The redactions in this report (and classification of corresponding “protected” work papers) were challenged by one of the local Salt Lake City newspapers, as allowed under the Government Records Access and Management Act (“GRAMA”).  Subsequently, a hearing was held by the Legislative Records Committee to determine if the redactions and work papers would be made public.  In the end, many of the redactions were made public because collections methodology had changed from the time the audit was released.  But, almost all of the work papers remained “protected.”

To see a full copy of the report and the Appeal decision offered by the Legislative Records Committee, see link: .

Comments on specific issues:

Question 1: How do you ensure that sensitive information (as distinct from legally confidential information) isn’t exposed to public view?

Answer: This answer has two major parts (1a & 1b):

   1a. In Utah, the basic presumption is that all government records are public.  The Government Records Access and Management Act (GRAMA), found in Utah Code Section 63-2-301, lists those records that must be publicly disclosed.  Sections 63-2-302, 63-2-303 and 63-2-304 which follow delineate exceptions—records that are Private, Controlled or Protected, which are non-public.  Audit work papers can only be held non-public if they meet the definitions under private, controlled, or protected.

If the document used as a work paper is received from another government entity, that government entity is responsible to classify the document.  It then becomes the auditor’s responsibility to maintain that classification.

If the document was created by the auditor, it is assumed to be public unless it meets criteria under private, controlled or protected.

1b. As for information coming from survey respondents or auditee staff interviews, Utah Code governing the Office of the Legislative Auditor General allows us to “protect” this data.  Utah Code 36-12-15(8) states:

“The following records in the custody or control of the legislative auditor general shall be protected records under Title 63, Chapter 2, Government Records Access and Management Act: ...(b) Records and audit workpapers to the extent they would disclose the identity of a person who during the course of a legislative audit, communicated the existence of any waste of public funds, property, or manpower, or a violation or suspected violation of a law, rule, or regulation adopted under the laws of this state, a political subdivision of the state, or any recognized entity of the United States, if the information was disclosed on the condition that the identity of the person be protected.”

According to our attorneys, the best case scenario for documenting this protection would be for the individual to request, in writing, to have their identity protected.  Also defensible is an auditor’s written note indicating that the individual gave the information to the auditor on the condition that their identity would be protected.  Finally, the auditor’s contemporaneous notes could also give evidence that confidentiality was sought.  For example, in the interview record, the auditor could note that “the person closed the door and whispered, indicating that he did not wan to be overheard” (if such be the case).

For both 1a & 1b, to make sure Public and Non-Public work papers are not commingled, the Office of the Legislative Auditor General physically separates the work papers and maintains separate work paper bundles.  All Public work papers are boxed together in a permanent manila-colored bundle covering.  All Non-public work papers are boxed together in a permanent red-colored bundle covering.

Question 2: Does state law allow you to discretionarily close certain documents?

Answer: As alluded to earlier, GRAMA lists specific types of documents that can be “closed” (such as documents that reveal collections methodologies).  The experience related earlier with the local newspaper shows that the definitions (application of definitions) under these classifications can be appealed.

Question 3: Do you redact anything you think shouldn’t be available for public review? Or do the chips just fall where they may?

Answer 3: Yes, we redact (in addition to making documents wholly non-public).  In addition to the redaction examples above, we would also redact names and other identifying case numbers from such sensitive documents as:  human services case files, prison (corrections) case files, personal tax files, medical files, and so forth (as directed by GRAMA).  We never just “let the chips fall where they may.”

Andrea Derrick Truitt, South Carolina

State law protects all of our records and audit working papers as confidential and not subject to public disclosure.  Only the final audit report is public.


Melanie Chesney, Arizona

Statute makes all of our working papers confidential here at the Arizona Office of the Auditor General.

James Barber, Mississippi

PEER’s workpapers are considered confidential for the following two reasons.  1) PEER Committee rule 5.10 states “all staff draft reports, files, documents, papers, transcripts, and all other material except official committee reports held or maintained by the Committee or its staff are confidential.”  2) Mississippi's open records laws specifically exempt records of the Legislature from public review.  (As an aside, a federal judge in Mississippi some years ago quashed a subpoena for PEER’s workpapers by declaring that the records were not discoverable.)

As you might imagine, our staff protects workpapers at all costs.  The release of workpapers by a staff person could lead to immediate termination.  Having said that, our staff occasionally shares the contents of workpapers with the Attorney General or State Auditor when either of those offices instigates an investigation stemming from a PEER report.  But, the general rule is to keep workpapers under wraps.

Gary VanLandingham, Florida

Our work papers are exempt from public record status by law, which essentially means that they are confidential with some loopholes—they can be subpoenaed, and our auditing committee can direct their release (very, very, very rare).  I think that the confidential status of our work papers arose in part from the investigation tradition—that our work papers would include unsubstantiated information and allegations that we find aren’t supported and thus aren’t put in our reports.  This whole thing is pretty unusual in Florida, which is a big public records state.  In fact, there was a bill to give the same confidential status to agency inspectors general this year and it failed.

Craig Kinton, Texas State Auditor’s Office

In Texas, audit working papers are one of the few exceptions to the Open Records Act.  We are not required to disclose our audit working papers.  However, this exception is often challenged and is vigorously protected.  We believe that public access to our working papers could hinder the degree of cooperation we receive from agency personnel.

Martha Carter, Nebraska

Our working papers are not considered public documents. (Neb. Rev. Stat. Sec. 50-1213.)

We’ve only had one request to review our working papers, and it was from a federal auditing authority. We were planning to ask our Committee to let us show him everything related to our methodologies and data analyses, for two reasons. First, we shouldn’t have anything to hide in terms of how we approached our work, and second we ought to be willing to help other entities doing similar work. However, we asked the requester to provide a short written request that we could present to the committee.  He agreed but never submitted a letter, so we didn't proceed.

Joel Alter, Minnesota

Our work papers become public documents at the time we issue our final reports—except for selected work papers that are classified as “not public.”  For example, when we obtain data from an agency, we are obligated to protect from disclosure any of these data that were classified as nonpublic data in accordance with state law.  In addition, Minnesota law provides the following:

• “Data related to an audit but not published in the audit report and that the legislative auditor reasonably believes will be used in litigation are not public and with respect to data on individuals are confidential until the litigation has been completed or is no longer being actively pursued.”

• “Data on individuals that could reasonably be used to determine the identity of an individual supplying data for an audit are private if the data supplied by the individual were needed for an audit and the individual would not have provided the data to the legislative auditor without an assurance that the individual's identity would remain private, or the legislative auditor reasonably believes that the subject would not have provided the data.”

For most of our reports, we receive no requests to review work papers.  But, for highly-visible or controversial reports, we sometimes have had reporters, attorneys, or others pouring over the work papers—sometimes as soon as the report is released.  For this reason, our office policy is to have work papers completed by the time the report is issued.  If we receive requests to review the work papers, we ensure that confidential files are removed from the work papers prior to the reviews (or that individual items of confidential information have been redacted).

A footnote:  I don’t usually offer comments on the Question of the Month responses that I gather, but I have to say that I was surprised to learn that work papers are not public documents in a number of legislative program evaluation agencies.  Clearly, there should be protections against disclosure of existing data that are classified as confidential, and there are cases where our offices need to be able to offer potential sources of information assurance that their identities will not be disclosed.  But our offices are in the accountability business, and it’s a little hard for me to understand how we can be fully accountable if our supporting evidence and analyses are not publicly available, to the extent possible.  With the exceptions discussed above, I think that our documentation should be able to withstand public scrutiny – not just our internal scrutiny or, for some offices, the occasional peer review.