Auto redaction: how to mask information for privacy and GDPR compliance.
Redaction and privacy: compliant data for approved eyes only
Redaction is the process of masking key document details. Redaction is used frequently to hide information in documents from unauthorised in-house readers, and also to protect the data privacy rights of individuals when documents are shared externally. Document Logistix document management software enables automated redaction of senstive information.
Several needs for privacy
Why is redaction so topical today? On one hand, organisations are obliged to govern access to internally-held information, and on the other, recent legislation imposes strict rules on how personal data is shared that has highlighted the requirement for masking solutions.
An easy way to imagine redaction in the historical world of paper is to picture a familiar scene in spy films, when words in documents are blanked and labelled “Top Secret.” An analogue form of redaction!
In the digital age, many documents are stored on in-house servers or in the Cloud, where people have direct access from anywhere in the world.
The documents stored cover a vast range of types and topics, from company accounts and HR records to proprietary assets and criminal case matter.
There are many instances when an individual will need access to some of the information contained in a document, but some aspects of the document are too sensitive for unapproved people to see.
Masking sensitive in-house information
Consider the case of the payment details or the pension details of a senior executive that are held among a company’s HR records.
While the HR Director may need to have access to complete information, it would be a risk to allow all members of the HR team to have the same access. The risk could be reputational or legal, or both. For example if information were leaked by a dissatisfied, or merely careless employee, the resulting publicity could be damaging if it became a ‘fat cat’ story in the media. There could also be severe financial implications in the event of a data privacy breach.
To protect sensitive information in digital documents (whether scanned or electronic in origin), appropriate access rights can be assigned so that if a staff member does not have rights, information will be completely ‘blacked out’. For example, while the executive’s payment schedule or transaction dates may be readable, the financial details could be redacted by panels.
Access rights can be granted progressively and automated so that system users see more or less of a document, depending on what they need to see to carry out their job.
Complex regulations govern external information sharing
In-house information protection procedures depend on the robustness of the digital document management system in place, as well as proper policing and testing. There is always the potential for a data breach, yet it will be easier to contain matters internally if systems and policies are properly maintained.
When it comes to sharing documents externally, the regulations and requirements surrounding documents shared with third parties are wide-ranging and complex. Privacy protection, and the redaction with which protection often goes hand in hand, must be understood and adhered to by anyone sharing data.
In the UK, The Information Commissioner's Office (ICO) is the independent regulatory office that deals with the Data Protection Act 2018, the General Data Protection Regulation, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Freedom of Information Act 2000, and the Environmental Information Regulations 2004.
It takes quite some time to digest the ICO’s ‘How to disclose information safely’ and considerably longer to implement practices and procedures to ensure that your organisation is fully compliant. Yet failure to do so can result in very large fines.
In essence, the ICO protects people’s privacy by ensuring that no personal data is shared without the permission of the subject(s). However, privacy becomes a minefield when data is construed as anything from a graphical chart, or photograph, or video, or document, in physical or digital form.
The ICO disclosure advice document refers to redaction as a potential data protection mechanism many times, but it also warns redactors about potential tripwires.
Beware recoverable redacted information
Sometimes redacted information is not as secure as it looks.
Notable embarrassing redaction failures include a legal example from the USA, when the lawyers for former Donal Trump campaign chair Paul Manafort failed to redact pleadings properly that they filed in federal court.
Redacted information was exposed by a simple copy-and-paste of redacted information contained in a PDF document.
In this instance, redaction failures revealed details about Manafort’s ties to his former Russian business partner, Konstantin Kilimnik, whom the FBI said had active ties to Russian intelligence. The redaction failures revealed that 1) Manafort and Kilimnik had a meeting in Madrid, 2) Manafort shared Trump presidential campaign polling data with Kilimnik, and 3) Manafort and Kilimnik discussed a Ukraine peace plan.
So beware; redaction does not always mean un-recoverable. A document that looked securely redacted was unstitched by simple copy-and-paste!
Beware traps hiding in plain view
The ICO draws our attention to the hidden dangers for anyone sharing information, such as when sharing components embedded in a document:
“A chart or summary table might not appear to contain any personal data on the surface, but it could in fact have a copy of the individual data points embedded within and allow this data to be made accessible with nothing more than a couple of clicks. Complex file types can also contain meta-data which may not be appropriate for disclosure, such as photographs with embedded GPS coordinates or the routing information of an email.” (How to disclose information safely, p.9)
The ICO recommends various practices to anonymise data, and cites complete redaction as a viable solution in the majority of disclosure cases, with a heavy emphasis, of course, on the nature of ‘complete’.
Extended definitions of document
A document is considered to be “a piece of written, printed, or electronic matter that provides information or evidence or that serves as an official record.” However, for our purposes, we should be clear that in the context of data privacy a document could be a video, photograph, audio recording or an item such as a car number plate.
In each case redaction can provide the means to protect sensitive information or personal privacy. In the case of static items, redaction is likely to take the form of masking. In the case of dynamic items, such as video, in order to meet privacy regulations, all but the subject(s) of interest must be completely obscured or removed before the footage can be shared in a compliant manner.
Systems such as Document Logistix Document Manager enables the central storage of digital documents, graphics and video, which are auto redacted according to user authorisation. Financial and HR documents have regulatory shelf-life. Document Manager’s auto retention functionality also enables organisations to manage the fretful time-stamped matter of retention and destruction of information held on file.
Policies and penalties
It is highly advisable for companies to have in place access policies for standard business documents held by departments such as Finance, HR, Production and Customer Services. The majority of staff will have specific access privileges, such as ‘read only’ or ‘write’; or access rights that are restricted by department or document type; or partial access, such as a view of redacted content.
Since GDPR became law in May 2018, companies have to consider very carefully how they manage external requests for documents, which may take the form of a police request for information, or a staff or member of the public’s subject access request, or SAR. It is illegal to share documents before personal data has been removed or redacted.
In the fourth quarter of 2019, the ICO recorded 75 cases of ‘failure to redact.’ On its trends report page, the ICO reiterates the additional measures to be taken to stay secure: 1) Consider metadata when redacting information, 2) Check all data has been redacted and is not reversible before releasing, and 3) Get someone to double check redactions.
The fines for GDPR offences are high, up to 4% of company turnover. Redaction, therefore, is not a matter that can be overlooked.
The ICO’s consistent reference to redaction loopholes should alert potential solution purchasers to ask solution providers just how robust and irreversible their redaction system is.
If you are concerned about information visibility or security, or GDPR privacy compliance, get in touch.