Subject Access Requests – Redacting Information
Removing Personal Data
Individuals have a right to information about what personal data an organisation processes about them, how it is processed and on what basis. Access to an individual’s personal data can be requested by way of a Subject Access Request (SAR).
As an organisation, if you are dealing with a SAR and need to redact information before disclosing it, here are some general steps you can follow:
Clearly understand the scope of the SAR and the specific information the individual is requesting. An individual can be asked to clarify what they need.
Identify personal data within the requested documents. Personal data can include names, addresses, contact details, financial information, and other personally identifiable information.
Consider whether the identified personal data needs to be provided as part of the SAR: is the information about the individual, or does it merely include their name? For example, an office-wide email about new legislation is sent to all staff. Sarah has submitted a SAR for all data about her; this email will come up in a search because her name is in the ‘To’ field, but aside from having been sent to Sarah it does not relate to her in any other way, so it does not need to be provided as part of the SAR.
Ensure that you have a legitimate legal basis for redacting certain information. This may include protecting the rights and freedoms of other individuals, confidential business information, or legal privileges.
There may be occasions where collected data also contains information about another individual. Section 7(4) of The Data Protection Act 2018 states:
4. Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless –
(a) the other individual has consented to the disclosure of the information to the person making the request, or
(b) it is reasonable in all circumstances to comply with the request without the consent of the other individual.
If it is not possible to gain the consent of the other individual, then it is still possible to provide information as part of a SAR if the information that would identify the other individual has been redacted.
Document each step of the redaction process. Original records should be retained, and care taken not to delete data from the original file.
If the information does not relate to the individual making the SAR, then it should be redacted.
A thick black marker should be used to redact information in paper format. Care should be taken to make sure that information that has been redacted cannot be read through the marker.
Specialist software/tools should be used to redact information from an electronic file: purpose-built redaction software removes information permanently rather than merely ‘hiding’ it. Metadata (information embedded within the file that describes it) can still be read from an electronic file if the information has not been redacted with appropriate software/tools.
The following guidance from the Information Commissioner’s Office (ICO) goes into more detail on hidden data and metadata within electronic documents: https://ico.org.uk/media/for-organisations/documents/2021/2619016/how-to-disclose-information-safely-20201224.pdf
Carefully review the redacted document(s) to ensure that all sensitive information has been properly redacted. Unintentional disclosure of personal data can occur if mistakes are made in the redaction process.
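One way to carry out this review for a Word document, as an added example that is not part of this page or the ICO guidance: a .docx file is a zip package of XML parts, so the check below searches every part (body text, comments, document properties and the rest) for a term that was meant to be redacted. The document, the third-party name ‘John Smith’ and the part layout are constructed for the example.

```python
"""Check a .docx (OOXML) package for text that should have been redacted."""
import io
import re
import zipfile

# Constructed sample: the body text was overwritten with [REDACTED], but a
# reviewer comment and the core document properties still name the third
# party (hypothetical name "John Smith").
SAMPLE_PARTS = {
    "word/document.xml": "<w:document><w:body><w:p><w:r><w:t>"
                         "Meeting notes with [REDACTED]</w:t></w:r></w:p></w:body></w:document>",
    "word/comments.xml": '<w:comments><w:comment w:author="Sarah"><w:p><w:r><w:t>'
                         "Check this with John Smith</w:t></w:r></w:p></w:comment></w:comments>",
    "docProps/core.xml": "<cp:coreProperties><dc:creator>John Smith</dc:creator>"
                         "</cp:coreProperties>",
}


def build_docx(parts):
    """Pack the constructed XML parts into an in-memory zip, as Word would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def find_residual_terms(docx_bytes, terms):
    """Return {term: [part names]} for every term still present in the package.

    Every part is inspected, not only the visible body, because comments,
    headers, tracked changes and document properties travel with the file
    even after the main text has been edited.
    """
    hits = {t: [] for t in terms}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            raw = zf.read(name).decode("utf-8", errors="replace").lower()
            # Tag-stripped view catches a name split across <w:t> runs;
            # the raw view catches names inside attributes such as w:author.
            stripped = re.sub(r"<[^>]+>", "", raw)
            for t in terms:
                if t.lower() in raw or t.lower() in stripped:
                    hits[t].append(name)
    return {t: parts for t, parts in hits.items() if parts}


def redaction_is_clean(docx_bytes, terms):
    """True only when none of the terms survive anywhere in the package."""
    return not find_residual_terms(docx_bytes, terms)


if __name__ == "__main__":
    doc = build_docx(SAMPLE_PARTS)
    for term, parts in find_residual_terms(doc, ["John Smith"]).items():
        print(f"'{term}' still present in: {', '.join(parts)}")
```

Point the same functions at a real file’s bytes to check a document before it is disclosed; any part listed in the result still needs redacting with proper tooling.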
Explain the redactions made through a cover letter or accompanying documentation and what the legal basis is for the redactions.
Make sure secure methods are used for sharing the document(s) with the individual making the SAR. Consider password-protecting electronic files before sending via email.
Keep records of the SAR, your response, and the redacted document(s) for compliance and auditing purposes.