The utmost care is required when redacting documents in response to subject access requests. You’re obligated to provide as much data as possible, but you must also omit any data that can identify other people who did not submit the request. In this guide, we’ll give you some tips to help you in this area so you can handle these SARs appropriately.

Under the legislation, you are obligated to provide as much of the data requested as possible. However, in many circumstances, such as health and social care records, the release of an individual’s data could also identify another individual who hasn’t made the request. When this occurs, you must apply redactions carefully so that you disclose only information that is relevant to the Data Subject.

SARs can be submitted in any shape or form, so it is vital that you familiarise yourself with the request. It can be easy to presume that the Data Subject is requesting all the data you have about them, but they are often only looking for something specific. If the request is unclear, contact the Data Subject to determine the scope. Understanding the request before you start redacting is key, and it could save you a lot of time!

Now that you have understood the scope of the request, make a copy of the collected data and apply the redactions to that copy. Failure to do so could permanently damage the original data. For manual redactions using paper copies, make sure each page is single-sided. This will minimise the risk of removing information on one side, leaving the other side unreadable. We recommend, where possible, digitising your paper copies and using redaction software. For more information or advice on redaction software, please get in touch.

The Right of Access is the right to obtain ‘personal data’. Some key things to consider when redacting are:

  • Context is key. Is the data relevant to the Data Subject and the request? Does the redaction process make the information you are disclosing unreadable? If so, consider whether the information is relevant or can be found elsewhere in a clearer format.
  • In releasing the data, are you disclosing information that can identify another individual? If so:
      1. Have they consented to their data being released?
      2. Is it reasonable to disclose the information without the consent of the other individual?

However, there are exemptions to this, and they should be considered on a case-by-case basis.

When responding to a SAR, there are many exemptions that give the data controller the right to withhold information that:

  • Could bring the safety of the Data Subject or other individuals into question.
  • Has been provided with the expectation of confidentiality.
  • Is held by the controller on behalf of a third party (police, court documents).
  • Would prejudice the prevention or detection of a crime.
  • Relates to negotiations and would prejudice those negotiations.

Be sure to document the reasoning behind any exemptions you are applying, as the Data Subject has the right to appeal such decisions. For a full list of exemptions, please visit the ICO’s website.

When using redaction software, be sure to remove metadata – hidden text/images/data. This will remove the risk of reidentification by hidden methods. Most redaction software has this functionality, so be sure to apply this before you start your redactions.

When marking a document for redaction, make sure your redaction boxes cover the desired text completely. This will minimise the risk of data being accidentally released. It’s best practice to have the redactions checked by a second expert or equivalent to ensure that the quality assurance process and the SAR policy are adhered to.
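A pre-release check for the hidden-data and quality-assurance points above, as an added example that is not part of the original guide or of any redaction product. It assumes the redacted working copy is a Word `.docx` file; the function names and the sample document are constructed for illustration.

```python
import html
import io
import re
import zipfile

def _text(xml):
    """Strip tags (so names split across runs rejoin), decode entities, fold case/whitespace."""
    return re.sub(r"\s+", " ", html.unescape(re.sub(r"<[^>]+>", "", xml))).lower()

def find_residual_terms(docx_bytes, protected_terms):
    """Return sorted (part, channel, term) for each protected term still in the package."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".xml"):
                continue  # images and other binaries need a separate manual review
            xml = pkg.read(name).decode("utf-8", errors="replace")
            deleted = _text(" ".join(re.findall(r"<w:delText[^>]*>(.*?)</w:delText>", xml, re.S)))
            whole = _text(xml)
            for term in protected_terms:
                needle = " ".join(term.lower().split())
                if needle in deleted:
                    hits.add((name, "tracked deletion", term))
                elif needle in whole:
                    channel = ("metadata" if name.startswith("docProps/")
                               else "comment" if name == "word/comments.xml" else "text")
                    hits.add((name, channel, term))
    return sorted(hits)

def build_sample_docx():
    """Constructed, simplified sample: looks redacted on screen but leaks in three places."""
    parts = {
        "docProps/core.xml": "<cp:coreProperties><dc:creator>Jane Roe</dc:creator></cp:coreProperties>",
        "word/comments.xml": "<w:comments><w:comment><w:p><w:r><w:t>Confirm with John Smith"
                             "</w:t></w:r></w:p></w:comment></w:comments>",
        "word/document.xml": "<w:document><w:body><w:p><w:r><w:t>Referred by [REDACTED].</w:t></w:r>"
                             "<w:del><w:r><w:delText>Referred by John Smith.</w:delText></w:r></w:del>"
                             "</w:p></w:body></w:document>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, xml in parts.items():
            pkg.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    for part, channel, term in find_residual_terms(build_sample_docx(), ["John Smith", "Jane Roe"]):
        print(f"{part}: '{term}' still present ({channel})")
```

An empty result only means none of the listed terms were found as text; it does not replace the second reviewer's check of the visible redactions.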

If you require specific guidance on DSARs please get in contact. We provide both training and an expert in-house redaction service.

If you have any other questions or concerns, get in touch with us. We can support you in dealing with complex subject access requests, and can also train your staff.