Compliance - Digital tools and personal support

When a public authority receives a request to disclose documents, the same question often arises: how much may – or must – we redact in a whistleblowing case? Many case officers find this difficult, as whistleblowing cases involve sensitive information while the principle of public access imposes strict requirements to release documents. We interviewed Andreas Wahlström (in Swedish), who works with assessments and redaction of whistleblowing cases at Lantero. He explains both the legal requirements and the practical challenges faced by municipalities and government agencies. Andreas reminds us that public documents are, as a rule, public. This means that “anyone has the right to request a whistleblowing report.” But the obligation to disclose also comes with a significant responsibility to redact. This applies to both directly identifying information and indirect details that could reveal the whistleblower. Redaction is therefore a central part of managing whistleblowing cases. The legal basis primarily comes from two chapters in the Swedish Public Access to Information and Secrecy Act: OSL Chapter 32, Section 3 b and OSL Chapter 17, Section 3 b. These regulate the protection of reporting individuals – as well as other persons mentioned in the report. In practice, the guidance is clear: redact rather more than less. If there is any uncertainty, the case officer should act cautiously to protect everyone involved. For many case officers in municipalities and government agencies, redaction is still a manual process. Andreas notes that in the past six months, new tools have emerged that make the work both faster and safer. These tools propose what should be redacted, simplify the workflow, and help the case officer produce a document that can be safely disclosed. One such example is Lantero Redact, a tool developed to help public-sector organisations manage redaction in accordance with legal requirements. It provides concrete suggestions on what to redact, is easy to use, and ensures that the material is properly anonymised before disclosure. For those who want to dive deeper or need support in a specific case, Andreas and the team at Lantero are available to help. Redaction is not only a legal requirement – it is also a crucial part of maintaining trust in the whistleblowing function and protecting reporting individuals.

Lantero interviewed Therese Forsberg, an investigator at the Department of Administration in Uddevalla Municipality. Therese works with redaction of documents in response to requests for public records, and she has been using Lantero Redact over the past months — receiving AI-based support for assessment and redaction. Below is a slightly shortened version of the interview. (Video version is in Swedish) Interviewer: Uddevalla is a municipality with around 60,000 residents. When it comes to requests for public records, what kind of volumes are you dealing with? Interviewee: It varies. It depends on what’s happening in the organisation. When incidents occur that lead to deviations or Lex Sarah cases, the volume increases. We also have some media outlets that submit weekly requests for all incoming records from the past week. That’s the case for municipalities across Sweden — some outlets do this continuously. So the amount can fluctuate a lot, especially if serious cases have come in. Interviewer: To what extent is this possible to plan for? Interviewee: Some parts are always manageable, but it becomes difficult when large volumes come in — sometimes thousands of documents. We don’t have a dedicated person working on this full-time, so our department has to share the workload. How the process used to work Interviewer: What did the routines look like before? Interviewee: We did everything the old-fashioned way. We printed out the documents and redacted them manually using Tipp-Ex. Then we copied and scanned them before sending them off. Adobe has some tools, but they haven’t been reliable. You could sometimes lift off the redaction digitally, so we always had to print and scan everything anyway. It was time-consuming and difficult to manage when working remotely. How the work is done now Interviewer: What does the routine look like now? Interviewee: It’s much faster. With the redaction service, we can mark what we want to redact digitally and save it directly. We avoid all the printing and scanning, which saves a lot of time. I also feel that we have better oversight of the documents and the process. Interviewer: One idea with the AI support is that more people could participate in the work by accepting or rejecting suggested redactions. Have you started expanding that responsibility? Interviewee: Not yet. We’ve involved some colleagues, but they have the same level of knowledge as we do. So for now, the responsibility remains within our department. Model training and new updates Interviewer: You recently received an updated version of the service. Have you had a chance to test the new capabilities? Interviewee: Very briefly, but what I saw looked good. I need to test it more before I can say anything definite. Interviewer: Do you think the assessments look similar across different municipalities? Interviewee: Yes, I think so. We all work with the same types of documents and the same regulations. The goal is always to protect the individual and avoid revealing personal data. That should lead to similar approaches to what needs to be redacted. User experience of the service Interviewer: Any final reflections? Interviewee: The service has been easy to use. We’ve found it user-friendly and free from issues. It has worked throughout the entire test period, which has been very valuable since we’ve had unusually large volumes of cases recently.

We interview Joakim Karlén about how to involve all employees in the work with information security and cyber hygiene. (Video version is in Swedish) Interviewer: Let’s start from the beginning – what does cyber hygiene actually mean? Joakim Karlén: – When you hear the word hygiene, you think about the things you should always do, like washing your hands. It’s actually the same in cybersecurity. Cyber hygiene is about ensuring that everyone knows and follows the basic routines needed to protect both themselves and the organisation. Small and large organisations – different conditions Interviewer: When working with smaller organisations, how does their work differ from that of larger ones? Joakim Karlén: – Larger organisations often have more structure and support, such as an IT department that drives the security work. In smaller organisations, individual responsibility becomes greater. Everyone needs to understand how their own actions affect security – because you can’t rely on the same support functions. Interviewer: What are the most common mistakes? Joakim Karlén: – The most common mistake is not having control over your digital assets. Many lack routines for how computers and mobile devices should be handled, or training in basic security practices. This means they miss simple but crucial safeguards. Creating engagement Interviewer: So how do you get employees to think actively about these issues? Joakim Karlén: – It starts with education. You need to explain why the rules exist and connect them to everyday work: What do you do in your daily routine, and what risks exist in those specific moments? Many don’t see cybersecurity as part of their job – but it is. Just as you wouldn’t run around the office with scissors, you shouldn’t handle your digital tools in a risky way. Cyber hygiene is about understanding the tools you use and how to handle them safely. Behaviour rather than technology Interviewer: So ultimately it’s about culture and behaviour? Joakim Karlén: – Exactly. Cyber hygiene is not just technology – it is above all behaviour and awareness. To support that culture, you need clear routines and checklists – for example, for how new employees are introduced to security practices. You can also practice incidents, such as through simulated attacks, so that everyone learns their role if something goes wrong. When you train for failure scenarios, people become more aware of their responsibilities – and more confident in how to act. Interviewer: Which threats should organisations focus on right now? Joakim Karlén: – We’re seeing that attacks are becoming more frequent and more automated. Many small organisations think “we’re not interesting” – but the attackers don’t know that. They attack anything that can be attacked. And with today’s AI tools, it’s possible to pretend to be someone else and carry out advanced social engineering attacks with far greater precision and volume than before. This means the risk of being deceived increases dramatically – especially if employees aren’t vigilant. Cyber hygiene is about doing the simple things right – every day. It requires structure, training, and engagement from everyone.