Exemptions and redactions
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Control measure: Processes to properly consider whether to withhold or redact information relating to the person or a third party are in place.
Risk: Failure to properly consider exemptions or redactions, or prevent disclosure of information relating to other people or third parties, could result in a personal data breach or reputational damage.
Ways to meet our expectations:
- Document how to apply exemptions, including redacting third party information, clearly in the relevant policies.
- Ensure staff apply exemptions and redactions appropriately and correctly.
- Ensure a senior staff member reviews and authorises exemptions and redactions (or a sample of them).
- Provide specialised training for staff who apply, review or authorise exemptions.
Options to consider:
- Produce anonymised examples of exemptions and redactions as training aids for staff.
- Produce quick reference guides for staff.
- Review training content regularly to keep it up to date.
- Check that staff feel knowledgeable about exemptions and redactions and feel supported to apply them.
Control measure: A consistent approach is taken to removing confidential or third-party information from information provided in response to requests.
Risk: If exemptions and redactions are applied inconsistently or to different standards, confidential information may be inappropriately disclosed, resulting in personal data breaches or complaints.
Ways to meet our expectations:
- Implement an appropriate redaction method.
- Review or sample exemptions and redactions to check staff are taking a consistent approach.
- Keep records of all redactions to capture who did the redaction, the date, and the justification.
- Retain these records for reference, in line with the retention schedule.
Options to consider:
- Procure electronic redaction software.
- Add a general explanation of why information might be redacted to your template text for letters and emails.
- Produce specific template text for exemptions that you frequently apply, so you communicate exemptions consistently.
- Add a peer review stage within your redactions and exemptions process to promote consistency.