What is redaction?
In this article we look at how the definition of redaction has changed and expanded over time, the regulations that demand data redaction, and the pitfalls associated with redaction and redaction reversal.
Dictionary definition of redaction
The Cambridge Dictionary defines redaction as:
Noun. The process of removing words or information from a text before it is printed or made available to the public, or the text itself after this has been done.
Most dictionaries describe redaction as a process that is applied to documents.
What does redaction mean?
A classic application of redaction involves a form of editing of a physical document by means of censoring, but not necessarily omitting, specific words, sentences or paragraphs. Editing takes the form of blacking out portions of a document so that they cannot be read.
Legal and government documents are often redacted when copies are shared with people who do not have the appropriate clearance levels or permission to know about the information that is blacked out.
Today, regulations such as GDPR mean that when information is shared with third parties, the personal data of all but the subject of interest has to be redacted in order to prevent privacy breaches.
Redaction in a digital age
The Gartner glossary describes the process of redaction as a process that was widely used to hide confidential information in legal documents, and suggests that in the case of electronic documents redaction takes the form of information removal, as opposed to information masking or ‘blacking out’.
The process of “redacting” documents has been used in the legal profession for decades to black out confidential or privileged information during the exchange of documents during litigation. In electronic documents, redaction refers to the permanent removal of information, not the masking or obfuscating of data.
In the case of electronic documents, therefore, redaction generally means the permanent removal of information and not the obscuring of it.
A brief history of redaction and changes in meaning
One of the earliest forms of redaction is that of the King James Version of the Bible.
The King James Bible was created under the guidance of religious scholars in 1611. The original English translation, known as the Wycliffe Bible, was written in the 14th century, but its translations were banned in 1409 owing to their connection with the Lollard movement.
When King James ascended the throne in 1604, he chose 47 scholars to produce a ‘final’ version of the Bible, based on readings of three ‘approved’ versions of the Bible.
In the context of preparing a single approved book, the term redaction means ‘to edit or make something ready for publication.’ Redaction can still be used to describe taking several related documents and streamlining them into a single form. However, the use of the term redaction today is more closely associated with censorship.
The word redaction’s association with organising text has lapsed compared to its more common use to describe a form of censorship.
There were specific historical trends that coincided with the increased use of redaction in American legal proceedings:
The surge in legal prosecutions of organised crime caused a big spike in legal redactions, as prosecution relied on the testimony of witnesses whose identities had to be protected against mob retaliation.
The Freedom of Information Act of 1966, which was intended to help create transparency in government, generated a need for redaction in order to release documents to the public.
In legal and government matters, redaction (censorship) was employed to protect identities and to protect national security interests.
Information in multiple formats is subject to redaction
Historically, recorded information was largely rendered in text on paper or in paintings.
A lot has changed in today's digital and electronic era when it comes to redaction. While printed documents still require redaction, the need for redaction extends to images, photographs, video footage and audio files.
The core redaction objectives, regardless of data format, are to protect people’s identities and to protect sensitive information from unauthorised viewers.
Which compliance regulations demand redaction?
There are several laws and standards around the world that call for redaction to protect people’s personal data when information is shared. The consequences of breaching these laws are fines and public censure that can lead to financial hardship and reputational damage. The better known and strictest compliance laws and regulations include:
The Health Insurance Portability and Accountability Act (HIPAA)
Redaction falls under the "De-Identification Standard" of the HIPAA guidance. HIPAA’s redaction rule must be followed to take care of Patient Health Information (PHI), which must not be shared with anyone who is not concerned with the information.
The Freedom of Information Act (FOIA)
FOIA is a law that enables the public to request the disclosure of information that is held by public authorities. When specific types of information are present in an image, audio, document or video, the organisations must redact it before sharing information with the public.
EU general data protection regulation (GDPR)
GDPR and its UK equivalent, UK GDPR, stipulate that redaction is required when sharing personal information with parties that do not have consent to view it.
For example, when a request is made to a data controller to acquire or view a video containing a subject of interest but also other people, the other data subjects must be redacted in order to protect their identities.
What is personal data and does all data require redaction?
The redaction of personal data is always required to prevent it being viewed by unauthorised people, whether that is within an organisation or when it is being shared externally with third parties.
Data that is obviously personal, whose disclosure could lead to serious issues such as theft, identity theft, intimidation and bribery, include personal files, banking and financial information, passports, health information, social security numbers, and court documents. However, can personal data can take many forms.
Faces and people
The faces of all but the subject of interest should be redacted when sharing video footage. However, care should also be taken to redact distinguishing elements that could reasonably lead to a person’s identity being revealed. Some items of distinctive clothing, jewellery or accessories, as well as tattoos, could potentially lead to a data breach if left unredacted.
Objects are not always identified as personal data, however elements caught in photographs and on video might contain personal or confidential information. White boards and computer screens, for example, are best redacted to protect against data breaches that could lead to economic, social, or physical harm to a person or organisation.
Vehicle license plates can reveal a lot of sensitive information about the vehicle’s owner, such as their name, address, date of birth, vehicle history, photographs, and medical conditions, as well as data associated with any other registered drivers of the vehicle.
When publishing information or images containing license plates, the license number should be redacted to protect the owner’s identity.
Retaining source files and redacting copies
It is generally the case that original files, or source material, whether paper, photographic, video or audio, contain important information. The information contained could be important, for example, to the records keeping of an HR or Accounts department in a business, or to the evidence archives or a legal team or police department. It is therefore necessary to retain a complete copy of the source material and to redact copies of the original prior to circulation among third parties.
Redacting copies of source materials is a common practice within government agencies, in order to protect specific information when it is mandated that other information in the same document has to be revealed.
The redaction of copies of original data and documents also prevents anyone from tampering with the source material.
Copying source material rather than circulating originals is also advised to prevent redaction reversal, which is when someone is able to remove the ‘masking’ to reveal redacted data, or gain access to metadata embedded in the source material, such as in a spreadsheet.
Ensure that redactions stay redacted: metadata risks
Data subject access requests (DSARs) made under GDPR and FOIA are subject to redaction requirements. However, notably for documents, there are hidden risks that make DSAR fulfilment harder to fulfil.
The ICO’s guidance document ‘How to disclose information safely. Removing personal data from information requests and datasets’, provides cautionary insights into the presence of metadata in shared documents that can lead to redaction reversal and privacy breaches.
The ICO says: “Files rarely contain just the information entered by the author or just what is displayed on the screen. So-called metadata or ‘data about data’ is embedded within the file and can include information such as previous authors, changes made to previous versions, comments or annotations. Photographs taken with smartphones and tablets can contain the GPS coordinates of where the image was taken, time and date or information about the type of device used. Emails contain information about the sender and recipient as well as routing information about how the message was delivered.”
Examples of ‘hidden’ information and metadata that pose privacy risks include: reversible PDF redaction, hidden formatting styles, layered content, hidden spreadsheet rows and columns, embedded files, and tracked changes.
Facit: fast, accurate, 100% compliant document and video redaction
It is surprising to us that, despite the widespread need for data redaction, many businesses and public sector organisations are unaware of automated AI-driven redaction tools on the market. We regularly encounter compliance teams that use work-arounds such as Adobe, or spend a fortune on bureau outsourcing to redact documents.
Contact us to learn how you can manage redaction requirements quickly, reliably and cost-effectively in-house.
Related facit articles