1. Purpose
1.1 The purpose of this document is to provide advice and guidance on how to remove (redact) information from a document prior to its release, sharing with others (including partner organisations and stakeholders) or publication, to ensure the risk of a data breach is minimised and the NHS Counter Fraud Authority (NHS CFA) is compliant with its regulatory and legal obligations.
1.2 This Guidance is aimed at those who handle, publish, release, share or manage information in accordance with the following legislative and legal provisions:
- Data Protection Act (DPA) 2018
- Freedom of Information Act 2000
- Environmental Information Regulations 2004
- Common Law Duty of Confidentiality
This is not an exhaustive list and other legislation may apply.
1.3 It is not within the scope of this document to provide advice and guidance in respect of the management of the above provisions. Reference should therefore be made to the organisation’s specific policy documents where applicable.
2. Privacy by Design and Default
2.1 Privacy by design and default is an approach that ensures privacy and data protection issues are considered at the design phase of any system, service or process and continues throughout its lifecycle by:
- putting in place appropriate technical and organisational measures designed to implement the data protection principles; and
- integrating safeguards into the ‘processing’ to meet data protection requirements and protect the rights of individuals.
2.2 Following an approach of privacy by design and default, and having an expectation that the information you collect will at some point in time be asked for by a third party, will enable you to anticipate, avoid and reduce the need for the redaction of information prior to disclosure.
2.3 Examples of privacy by design and default which can reduce the need for redaction include:
- Data minimisation: only collecting the minimum amount of information relevant and necessary for your purpose
- De-identifying information: considering if information needs to be used at an identifiable level, or could the same result be achieved with aggregated, anonymised or pseudonymised information. Even if identifiable information is needed initially, information should be de-identified as soon and wherever possible
- Retention: only keeping the information for as long as is necessary
- Transparency: clearly informing individuals through Privacy Notices how their information will be used, including when, how and to whom their information may be disclosed
- In process, template and form design, looking to avoid duplication / repetition of information e.g. in a template consider detailing the personal data of the individual in a separate section, which is then referenced within the content rather than routinely repeated throughout the document; and
- Data Protection Impact Assessments, which help to reduce potential risks.
Further specific guidance can be found in the organisation’s Data Protection by Design and Default policy.
3. Introduction
3.1 NHSCFA regularly receives and may share information with external organisations and stakeholder partners, and responds to requests for information from members of the public. Employees must ensure that only information which can be legitimately released or shared is released or shared. Where information cannot be released or shared then a decision must be taken on whether to withhold the release of the information in its entirety or apply a redaction.
4. What is Redaction?
4.1 Redaction is a term used to describe the editing process whereby information is removed or obscured from a document. It is a process which is undertaken to render the redacted or obscured information unreadable. This is done by blocking out individual words, sentences or paragraphs and in some instances by removing whole pages or sections prior to the release of the documented information.
5. Identifying Information for Redaction
5.1 The personal data of living individuals, including employees, service users and members of the public is protected under data protection legislation and should be withheld or redacted, subject to certain exceptions. Wherever there is a duty or expectation of confidentiality, that information should be withheld or redacted, again, subject to certain exceptions.
5.2 It is possible such information will be withheld rather than redacted, in which case a public interest test may be necessary or a requirement to determine if a legislative exemption applies.
6. Hidden Information
6.1 Most data or information within a document or dataset will be clearly visible or identifiable; however, the following examples illustrate when this may not be the case:
- Hidden by formatting styles: The author when creating a template may have chosen to ‘hide’ certain data by setting the font colour to be the same as the background (e.g. white on white or black on black). Whilst this would prevent disclosure if printed, it would remain visible within a digital copy
- Layered content: where pictures or objects have been overlaid or placed over other content
- Placed outside the area of display: The author may have placed data at the end or edge of the document which is outside the normal visible area (e.g. EXCEL supports over 16 thousand columns and 1 million rows of data)
- Hidden rows and columns: EXCEL includes a function to ‘hide’ rows or columns from view, which can then be ‘unhidden’. This can usually be easily identified as rows or columns will not run consecutively
- Hidden worksheets: EXCEL also allows an entire worksheet to be hidden from view
- Embedded documents or files: Files and documents can be inserted or pasted into documents
- Pivot tables: The source data summarised within a Pivot table can be retrieved by double-clicking on the table, even if the original worksheet has been deleted or the Pivot table has been copied into a new workbook
- Charts: Charts like Pivot tables can contain an embedded copy of the source data within them
- Command Functions: Functions such as LOOKUP and VLOOKUP also create and store a cache of the source data which can potentially be retrieved even if copied into a new workbook or document; and
- The ‘Track Changes’ feature in WORD: This can be turned on through the Review tab, and marks up and shows any changes that anyone makes to the document (i.e. deleted text is retained within the document but displayed as struck through until approved or rejected).
This feature also allows you to see the document in its original version or the intended final version. It is therefore possible for you to receive a document without realising that ‘Track Changes’ has been turned on, which contains hidden comments or changes that have not been approved or rejected.
For further detailed information on this area see the Information Commissioner’s Office guidance[1].
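Several of the hiding places listed in 6.1 are recorded in the XML parts inside a .docx or .xlsx file and can be checked on the copy being prepared for release. The following is an added example, not part of the NHSCFA guidance: `find_hidden`, `make_zip` and the two sample files are names and constructed data assumed for illustration, and the check uses only the Python standard library.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

S = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Parts whose mere presence means extra content travels with the file.
PARTS = {"/embeddings/": "embedded file", "xl/pivotCache/": "pivot cache of source data",
         "word/comments.xml": "comments"}

def find_hidden(data: bytes) -> list[str]:
    """List hidden content in the .docx/.xlsx copy being prepared for release."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            out += [f"{label}: {name}" for hint, label in PARTS.items() if hint in name]
            if name == "xl/workbook.xml":
                for sh in ET.fromstring(z.read(name)).iter(S + "sheet"):
                    if sh.get("state") in ("hidden", "veryHidden"):
                        out.append(f"hidden worksheet: {sh.get('name')}")
            elif name.startswith("xl/worksheets/") and name.endswith(".xml"):
                root = ET.fromstring(z.read(name))
                for kind in ("row", "col"):
                    for el in root.iter(S + kind):
                        if el.get("hidden") in ("1", "true"):
                            out.append(f"hidden {kind} in {name}")
            elif name == "word/document.xml":
                root = ET.fromstring(z.read(name))
                for d in root.iter(W + "del"):  # deleted text kept until accepted/rejected
                    text = "".join(t.text or "" for t in d.iter(W + "delText"))
                    out.append(f"tracked deletion still stored: {text!r}")
    return out

def make_zip(parts: dict[str, str]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()
# Constructed minimal parts (not complete Office files), built in memory.
SAMPLE_XLSX = make_zip({
    "xl/workbook.xml": f'<workbook xmlns="{S[1:-1]}"><sheets><sheet name="Summary"/>'
                       '<sheet name="RawData" state="hidden"/></sheets></workbook>',
    "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{S[1:-1]}"><cols><col hidden="1"/></cols>'
                                '<sheetData><row r="2" hidden="1"/></sheetData></worksheet>'})
SAMPLE_DOCX = make_zip({
    "word/document.xml": f'<w:document xmlns:w="{W[1:-1]}"><w:p><w:r><w:t>Paid to </w:t></w:r>'
                         '<w:del><w:r><w:delText>J. Example</w:delText></w:r></w:del></w:p></w:document>',
    "word/comments.xml": f'<w:comments xmlns:w="{W[1:-1]}"/>'})
```

An empty result does not clear a document: content hidden by font colour, layered objects and data placed outside the display area are not detected by this check and still need visual review.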
7. Commonly Redacted Information
7.1 There are details which are commonly redacted. In all cases where redaction is applied, the reasons must be stated and any legislative exemptions/exceptions applied. For example, releasing third party personal identifiers in a response to a request for information under Data Protection or Freedom of Information legislation.
Names and Contact Details:
7.2 In certain cases, it may not be appropriate to release contact names and contact details of employees as a matter of course. However, there may be circumstances where it is appropriate to do so. For example, if an employee’s name and contact details are already within the public domain through attendance at public meetings etc. then there would be no need to redact these from published minutes.
When redacting names ensure redaction is followed through by redacting any pronouns which relate to the redacted names. For example, her/his, he/she.
Signatures:
7.3 In most cases, signatures constitute personal data as they can identify the person signing and should be redacted as a matter of course prior to release or publication.
Data Subject Access Requests (DSARs):
7.4 When dealing with redaction of names in relation to DSARs, considerations are different. It is important that the rights of individuals named on/contained in documentation (author/responder(s)/other recipients) are weighed against the right of access of the individual seeking the information.
Further specific guidance can be found in the organisation’s GDPR - Data Subjects Rights Policy.
8. Managing Redaction
8.1 Irrespective of whether information is held electronically or in paper format there are certain principles which apply to the redaction process. Some of the main principles are listed below:
- Never alter the original document as redaction can be challenged.
- Original text should always be in the original document.
- Use redaction to remove single words, sentences or paragraphs and names and addresses.
- If a vast amount of information is being redacted consider withholding the entire document or provide an extract of the relevant information from the document.
- Redaction should be performed by the business unit that holds the information and by staff that are knowledgeable about the records and can determine what material is exempt.
- Redact only that information that can legitimately be exempt from disclosure.
- Do not remove a whole sentence or paragraph, if only one or two words are non-disclosable. If release of the redacted information would enable the recipients to place the missing words in context and make their meaning clear, then the entire sentence can be redacted.
- Check relevant records for other copies of the same document to ensure redaction is carried out consistently.
- Check relevant indexes to ensure that they do not contain details of the redacted material.
9. Methods of Redaction
9.1 There is a range of redaction methods which can effectively be utilised:
- Blacking out involves photocopying the original document and using a black marker pen to block out the sensitive material.
- Redaction tools such as Adobe Acrobat or similar can be used to edit content or remove content from documents prior to sharing or releasing.
- Cover-up tape can be placed on original documents over areas to be redacted and then photocopied to produce a version fit for disclosure. You may still be required to go over the redacted portion with a black pen in order to highlight that the information has been redacted.
9.2 The method to be used will depend on issues such as:
- the document structure and content
- degree of confidentiality required; and
- cost and time available
9.3 Irrespective of the method selected, the end result must ensure that the redacted material cannot be seen or guessed due to incomplete redaction. It is important to check that certain words cannot be made out when the document is held up to the light or that the ends, top or bottom of text are not visible.
Note
Never utilise the text highlight function to block out text and then issue the document electronically in this format. This does not remove the text, as it can be recovered simply by removing the highlighter!
10. Withholding Without Redaction
10.1 Redaction only applies where specific elements of a page or document can be released after certain elements have been withheld.
10.2 If it is decided that the whole document or certain pages are not to be disclosed, then the information contained within them does not need to be redacted. Instead, the relevant information should be withheld in its entirety. Where a decision has been taken to do this, the action taken must be referenced in any response or when published. For example, “this document is 15 pages long; pages 13 to 15 have been withheld” (citing any relevant provision).
11. Checking the Redaction
11.1 Before releasing or publishing a redacted document it is good practice to check the redaction process has worked correctly, via peer review.
11.2 Microsoft documents - open the redacted document, check that all sensitive content has been redacted and that the highlight function has not been used.
11.3 PDF documents - open the redacted version, select a section of text containing a redaction, then copy and paste this to another document. If the redaction has not been done correctly, the original text will be visible; if done correctly, the redaction ‘block’ will be copied across.
12. Summary
12.1 Redaction must never be undertaken on an original document as to do so will impact on the integrity of the original information and may lead to a breach of relevant governing legislation.
12.2 Whilst appropriate methods of redaction may vary to suit needs and resources, it is important to recognise and remember that whatever method is employed, the end result must ensure the redacted information cannot be seen or guessed due to incomplete or inadequate redaction.
Key points to remember:
Document Type | Do | Do Not |
---|---|---|
All Redactions | Make a copy of the original document before redacting any content | Alter the original document |
Hard Copy Files | Photocopy the redacted version then send or scan this copy | Alter the original document |
Microsoft Office Documents | Obscure relevant text | Use the highlight function |
PDF Files | Use the relevant tool to make electronic redactions on PDF | Try to redact electronic PDF files if unsure how to do so correctly. Contact Service Desk for assistance |
13. Further Information
13.1 Further information regarding this guidance or advice on redaction can be sought from the Information Governance team.
14. Review
14.1 The Information Governance and Risk Management Lead will ensure this policy document is reviewed no less than biennially, in accordance with the timescale specified at the time of approval.