Right now, when an institution receives an access to information request, it has an obligation to disclose information. That is the first obligation. Then, it must determine which parts of the information must be protected and which could be protected. Often people think of information that could be protected as information that must be protected. Discretion is rarely used to disclose the information. When we receive a complaint, we are able to negotiate, but the first reaction is often to protect the information.
Access to information software allows you to carefully check information and redact what should not be disclosed. So people will often receive a document in which information has been blacked out. That is a possibility.