Why and how to redact information in relation to DSARs, FOI and EIR requests
Posted on 31/08/22
This blog contains a subsection of our whitepaper “Why and How to redact information in relation to DSARs, FOI and EIR requests”. The full paper can be downloaded here.
Why Redact information?
There are several instances when an organisation will need to remove (or “redact”) personal data from information prior to release. These include:
- When responding to Data Subject Access Requests (DSARs) under the Data Protection Act;
- When proactively making information available under the FOI Act (FOIA) or the Environmental Information Regulations (the EIR);
- When responding to information requests under FOIA or the EIR that may include third-party data, as disclosing third-party personal data would breach one of the data protection principles;
- When releasing information that is outside the scope of an FOIA or EIR request;
- Where making personal data available for re-use under the Reuse of Public Sector Information Regulations (RPSI) could breach the data protection principles.
Redacting information in relation to SARs, FOI and EIR requests
The official guidance around the Data Protection Act (DPA) explains that responding to a SAR, an FOIA request or an EIR request may involve providing information that relates both to the individual making the request and to another individual.
It further explains that every effort should be made to release the requested information and that, if it is not possible to gain the consent of the third party, it may still be possible to provide some information, having edited or ‘redacted’ information that would identify the third party.
The guidance further states that an entire document can only ever be withheld from disclosure if all the information is exempt from disclosure under an exemption or the redaction renders the document meaningless.
Redacting personal data from the information requested therefore allows some information to be released without breaching the data protection principles. Redaction can also be used to remove information which is out of scope because it is not the applicant’s personal data.
Avoiding DSAR disclosure hazards – introducing Smartbox.ai
(Note, a full list of hazards is available in our whitepaper “Why and How to redact information in relation to DSARs, FOI and EIR requests”. The full paper can be downloaded here.)
If you intend to disclose information electronically, or you need to speed up the redaction process, improve its accuracy, improve the collaboration and security associated with the “review to disclose” process, avoid the hazards above and be confident in the defensibility of the disclosure, you should use a specialist redaction software solution that has been specifically designed to redact information permanently. Smartbox.ai is one such specialist redaction software solution.
When the necessary information has been identified and redacted, these systems, including Smartbox.ai, then convert the text in the PDF or file into a rasterized image, meaning it cannot be copied. One consequence of performing such a step is that the information is no longer in a machine-readable format so the text cannot be extracted and further processed.
Smartbox.ai also offers additional benefits to the disclosure process, including the ability to record and track the process of the information as it passes through the workflow.
Checklist
The following checklist highlights several things to consider when disclosing certain data types that may contain personal data. It is good practice to keep a record of all transformations or redactions you make and to retain the original records used.
| File type | Considerations |
|---|---|
| Spreadsheet eg xls(x), ods | • Are you sure you know where all the data is? • Are there hidden columns? • Are there hidden rows? • Are there hidden worksheets? • Do pivot tables contain linked data? • Do charts contain linked data? • Are there any formulas which link to external files? • Is there any meta-data that should be removed? • Is the file size larger than you might expect for the volume of data being disclosed? |
| Word processor eg doc(x), odt | • Are there any comments within the document that should be removed? • Does the document contain a version history? • Do pivot tables contain linked data? • Do charts contain linked data? • Is there any meta-data that should be removed? • Does the document title or filename contain any personal data (eg Letter to John Smith)? • Has a header or footer been automatically added to a print-out? |
| Presentation eg ppt(x), odp | • Are there any presenter notes which should be removed? • Do pivot tables contain linked data? • Do charts contain linked data? • Is there any meta-data that should be removed? |
| | • Are there any comments which should be removed? • Are all redactions effectively applied? • Is there any meta-data that should be removed? |
| Email eg mbox, msg | • Is there data within any attachments that also needs to be redacted? • Is there any meta-data that should be removed? |
| Image and video eg jpg, avi | • Is there attached EXIF data? • Is there personal data that needs to be obscured (eg faces of third-party individuals?) |
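
Several of the spreadsheet checks in the checklist above can be run mechanically before a reviewer opens the file. The following is an added example, not part of the original post or of Smartbox.ai: it reads an .xlsx package (a ZIP of XML parts) and reports hidden sheets, hidden rows and columns, external links, pivot caches and metadata parts. The function names `audit_xlsx` and `build_sample` are hypothetical, and the sample package is constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
HIDDEN = ("1", "true")

def audit_xlsx(fileobj):
    """List hidden, linked and metadata content in an .xlsx (a ZIP of XML parts)."""
    findings = []
    with zipfile.ZipFile(fileobj) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for s in wb.iterfind("m:sheets/m:sheet", NS):
            if s.get("state") in ("hidden", "veryHidden"):
                findings.append(f"hidden sheet: {s.get('name')}")
        for name in z.namelist():
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                ws = ET.fromstring(z.read(name))
                for col in ws.iterfind("m:cols/m:col", NS):
                    if col.get("hidden") in HIDDEN:
                        findings.append(f"{name}: hidden columns {col.get('min')}-{col.get('max')}")
                for row in ws.iterfind("m:sheetData/m:row", NS):
                    if row.get("hidden") in HIDDEN:
                        findings.append(f"{name}: hidden row {row.get('r')}")
            elif name.startswith("xl/externalLinks/") and name.endswith(".xml"):
                findings.append(f"external link: {name}")
            elif name.startswith("xl/pivotCache/") and name.endswith(".xml"):
                # Pivot caches keep a copy of the source data inside the file.
                findings.append(f"pivot cache: {name}")
            elif name.startswith("docProps/"):
                findings.append(f"metadata: {name}")
    return findings

def build_sample():
    """Constructed sample: only the parts the audit reads, not a complete workbook."""
    ns = NS["m"]
    parts = {
        "xl/workbook.xml": f'<workbook xmlns="{ns}"><sheets><sheet name="Summary" sheetId="1"/>'
                           '<sheet name="RawData" sheetId="2" state="hidden"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{ns}"><cols><col min="3" max="4" hidden="1"/>'
                                    '</cols><sheetData><row r="7" hidden="1"/></sheetData></worksheet>',
        "xl/externalLinks/externalLink1.xml": f'<externalLink xmlns="{ns}"/>',
        "docProps/core.xml": "<coreProperties/>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    buf.seek(0)
    return buf
```

An empty result does not show that a file is safe to disclose: visible cells, comments and chart data still need human review.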
To learn more about Smartbox.ai, book a demo today.