DPC Guidance on Redacting Documents and Records

by Marie McGinley, Partner and Head of IP, Technology & DP at Eversheds Sutherland Ireland

The Data Protection Commission (“DPC”) recently published guidance on Redacting Documents and Records (the “Guidance”). The DPC notes that businesses are required to redact documents for various purposes such as to protect confidential or proprietary information or to comply with rules governing official secrecy, legal privilege or professional confidentiality. In the context of data protection, the DPC notes that redaction is most commonly considered in the context of data subject access requests (“DSAR”) given that the controller is under a duty not to “adversely affect the rights and freedoms of others” when responding to a DSAR.

We have summarised below five practical steps from the DPC’s Guidance which businesses should look out for when redacting documents.

- Advertisement -

1)   Work on a copy of the document.

The DPC has noted that this point is often overlooked. When redacting a document you should always redact a copy of the original to ensure that if any errors occur, it can be easily rectified. The original form of the document will also likely be required for another purpose and therefore a copy will ensure that this is still possible.

2)   Understand the purpose, structure and terminology of your request.

In order to be confident that you can correctly identify all the relevant personal data in a document, the DPC has stressed that the redactor must first understand the purpose, structure and terminology used in a document or record. On this basis, the DPC advises that a person dealing with the response to a DSAR should be sufficiently familiar with the material being examined to be able to recognise data identifying the data subject.

3)   Use the search function with caution.

While the search function can be extremely useful when looking to identify specific words, the DPC has noted caution as the search function has its limitations. For example, the DPC notes that the search function may not scan all parts of the document such as the table of contents. In addition, the DPC has stated that it is important to bear in mind the possibility that a name may be misspelled or referred to in a different way.

4)   Ensure that all concealed information is reviewed.

The DPC has advised that files produced by word processing applications, emails, spreadsheets, presentation programs or databases contain more information than may appear on screen. This includes:

a)    Hidden content which may be found in spreadsheets and databases, for example concealed columns, tables and worksheets;

b)    File properties which may contain information of the person who created or edited the files; and

c)    Metadata which may contain detailed information generated by the application that created them, by operating systems or other sources. For example, email metadata may contain time and date of creation and the sender’s email and IP address.

5)   Do not rely on highlighting/changing the colour of text.

The DPC notes that highlighting and/or changing the colour of text to redact may render sections unreadable on screen or on print, however, the text content will not be affected and as such the text may still be copied and pasted into a text editor or otherwise be legible or recoverable. Instead, the DPC recommends redacting by replacing words with symbols or words such as [REDACTED] or [XXXXX].

The author would like to thank Leona Chow, Solicitor in IP, Technology & DP at Eversheds Sutherland Ireland for her contribution to this article.

About the author

Marie McGinley is a Partner and Head of the Intellectual Property, Technology and Data protection Departments at Eversheds Sutherland Ireland. Marie practises in both contentious and commercial intellectual property/technology matters for a broad range of domestic and international clients. She is also a registered Irish Trade Mark Agent. Marie advises on commercial, regulatory and transactional matters.

Marie is a regular speaker and contributor on matters relating to technology, outsourcing/commercial contracts, data protection and cyber security.

Marie lectures and tutors in the area of Intellectual Property, Information Technology and Data Protection at the Law Society of Ireland.

- Advertisement -