How do we avoid an accidental breach when redacting information?

In detail

• What is redaction?
• Why is redaction a risk?
• How do we avoid an accidental breach when redacting information?
• How do we redact information from hardcopy documents?
• How do we redact information from electronic documents?
• What is redaction software?
• How does converting documents remove information?
• What is roundtrip redaction?
• How do we redact pdfs?
• How do we redact from other documents?
• How do we redact spreadsheets?
• How do we redact images?

What is redaction?

Redaction is permanently removing information from a copy of a document because you cannot disclose it (eg redacting information that is exempt under the DPA 2018 or FOIA). There are different ways to redact information, depending on the circumstances. Redactions may be small (eg removing words or sentences) or more extensive (eg removing entire pages or sections of a document).

Why is redaction a risk?

There is a risk of an accidental breach when redaction is ineffective. For example, you may redact hardcopy documents ineffectively if you use a black marker or correction fluid and recipients can view the redacted information simply by holding the document up to the light.

You may redact electronic documents ineffectively if information revealing the redacted content remains in the document but is not immediately visible. For example, you might use ineffective techniques that allow recipients to reveal the information easily (eg changing its colour of the text or background) (see Why is it a risk to hide personal information using ineffective techniques?). Alternatively, you may not realise you have not redacted information effectively if you have not had appropriate training.

A recipient may be able to reveal the information you intended to redact simply by copying and pasting a document to a different format (eg pasting a pdf with text covered by simple black rectangles into Notepad). This is because the information remains in the electronic file if it is only covered by a shape (eg a black rectangle).

How do we avoid an accidental breach when redacting information?

You must:

• have appropriate data protection policies and procedures to help staff redact information securely and respond to breaches effectively;
• keep personal information secure, including maintaining the integrity of your records and using appropriate methods (eg passwords and secure redaction techniques); and
• comply with relevant obligations under information access and data protection legislation if you need to remove personal information from a document or consider an appropriate format in which to disclose it.

You should:

• give staff appropriate data protection training about redacting documents securely and how to report breaches, including induction and regular refresher training;
• make sure that all redaction is undertaken or overseen by staff trained to redact information securely and consistently in line with appropriate policies and procedures;
• make sure that if staff give instructions about redacting information, including what information to redact, these are clear and precise;
• avoid indicating what information to redact by completely covering the text (eg with black marker) so staff do not mistakenly believe it is the version to disclose;
• only redact from a copy of the document, not the original;
• check documents appropriately before disclosing them, considering the risk of harm if personal information was accidentally disclosed;
• know how to remove personal information that cannot be disclosed and redact it effectively;
• avoid using ineffective techniques to redact information. For example, don’t:
  • use black marker on hardcopy documents without photocopying or scanning a copy for disclosure;
  • cover information in electronic documents with black rectangles and leave the text underneath; or
  • use simple image editing tools.
• keep a record of your decision to redact information from a document so that it is clear who redacted the information, when and why; and
• keep a clearly labelled copy of the redacted and unredacted version of the document for as long as it is needed.

Other practical steps you could take include the following:

• Raise awareness within your organisation about the risks of redacting documents ineffectively.
• Review redactions (or a sample, if appropriate) to check they are effective (eg peer review or senior review).
• Disclose a photocopy or scanned copy of a redacted hardcopy document.
• Use redaction software to redact information  securely from electronic documents, if available.
• Use roundtrip redaction techniques to redact information securely if you do not have specialist software or want to use an alternative method (see What is roundtrip redaction?). For example:
  • Convert a redacted Microsoft Word or Powerpoint saved in pdf format to a simple image format (eg Windows BMP), and back to pdf.
  • Convert a Microsoft Excel spreadsheet to csv format and back to a new Microsoft Excel spreadsheet.
  • Redact a pdf using Adobe tools (eg Text touch up tool or Square tool), converting it to a simple image format and back to pdf.
• Use appropriate tools and secure techniques to redact information from still images effectively, such as photographs. For example, masking information by obscuring part of an image with a solid block of colour and then exporting the redacted image to a simple image file format (eg png or jpeg).

How do we redact information from hardcopy documents?

There are a variety of ways to redact information from hardcopy documents. For example, you could use tape, marker pen or correction fluid to redact a document and then photocopy it to produce a copy to disclose. If you need to disclose the information by email, you could scan it into an appropriate format before disclosing it (eg pdf). 

How do we redact information from electronic documents?

You should redact electronic information using secure methods that make sure all the information is permanently removed from a copy of the document. 

You could print an electronic document as a hardcopy and use the hardcopy redaction methods described above or redact from an electronic document and print a copy to disclose. If you need to disclose the information by email, you could scan the redacted copy into an appropriate format (eg pdf). 

When you are redacting information directly from an electronic document, you should remove the information from a copy of the document. You could replace it with a redaction marker (eg [redacted]) so that it is clear where you have redacted information.

You should make sure that no evidence of the redacted information remains in the electronic copy you disclose, and it is not possible to reverse the redactions. There are different ways you could do this, including:

• using redaction software;
• converting your document to a simpler format; or  
• using a technique called roundtrip redaction to convert a document to a simpler format before converting it back to its original format. However, please note that this may be complex, so you should have a thorough understanding of formats and conversion processes.

What is redaction software?

Redaction software is software that is designed to redact information from copies of documents securely. If you are not using redaction software, you could alternatively consider the conversion techniques below.

How does converting documents remove information?

You could redact electronic information by removing the information you want to redact from a copy. Then convert it to another format that shows information you can display in the document only (eg plain text files). Converting to these formats removes any non-displayable information from the document.

What is roundtrip redaction?

Roundtrip redaction involves removing information from a copy of a document (either before conversion or in its initial converted format) and then converting it back to its original format.

Roundtrip redaction makes sure that the redacted information is irreversibly removed from the document. It also allows you to disclose documents in their original format where appropriate (eg to preserve complex formatting).

However, roundtrip redaction may be complex. If you want to use this method, you need a thorough understanding of the electronic formats you are using and what happens to information in the conversion process. The National Archives publishes detailed guidance explaining how to redact documents using roundtrip techniques (see further reading box below).

How do we redact pdfs?

If your document is in pdf format, you could use the redaction tool in Adobe acrobat, if available. If it’s not available, you should make sure you have permanently removed all the redacted information. To do this, you could use:

• the Text touch up tool to replace the text with a redaction marker (if the information in the pdf is stored as text); or
• the Square tool to redact the pdf by drawing black rectangles over the information you want to redact (if the text in the pdf is stored as an image).

If using either method, you should roundtrip the resulting pdf file via the BMP image format to make sure you have permanently removed the redacted information. 

How do we redact from other documents?

If your document is not already in pdf format (eg a Microsoft Word document), you should remove the relevant information from a copy of the document. You could replace it with a redaction marker as above. 

If available, you could use redaction software. If it’s not available, you could prepare a pdf copy of your document to disclose. Once you have converted a copy of your document to pdf, you should make sure all the redacted information is permanently removed. 

While converting a document, such as a Microsoft Word document, to pdf can remove some metadata and hidden information, it is not a completely secure redaction method to use on its own. To redact the information securely and make sure all the redacted information is permanently removed, you could convert your pdf document to a simple image format, such as Windows Bitmap (BMP) and then convert it back to a pdf. 

How do we redact spreadsheets?

If available, you could use redaction software. If it’s not available, you should make sure you have removed all the redacted information from your document. To do this, once you have removed the information from a copy of your document, you could roundtrip it by converting it to csv format before converting it back to a new spreadsheet. 

If your spreadsheet has multiple worksheets, you need to export each worksheet as a separate csv file and then redact it. You could then recombine the worksheets to produce a single spreadsheet. 

However, if you want to use roundtrip redaction, you should have a thorough understanding of formats and conversion processes. You should note that some information may be lost if it is not supported in csv format (see How does converting documents to simpler formats help us identify hidden personal information?). 

How do we redact images?

As with electronic documents, you must redact images (eg photographs) using secure methods that make sure all the information is irreversibly removed. It might be possible for someone to reverse redactions made using simple image editing tools to blur or pixelate information. 

You could use different techniques to redact information from an image, depending on how it was created and its quality. For example, you could mask personal information. This involves completely obscuring part of an image with a solid colour block. However, you should also export the redacted image to a simple image file format that does not support layers or edit history (eg png and jpeg) to make sure that the redactions are permanent.

It may be more complex to redact information from videos (eg CCTV) so you may need to consider using specialist software or, where necessary, employing a specialist organisation.