The utmost care is required when redacting documents in response to subject access requests. You’re obligated to provide as much data as possible, but you must also omit any data that can identify other people who did not submit the request. In this guide, we’ll give you some tips to help you in this area so you can handle these SARs appropriately.
Under the legislation, you are obligated to provide as much of the data requested as possible. However, in many circumstances, such as health and social care records, the release of an individual’s data could also identify another individual who hasn’t made the request. When this occurs, you must apply redactions to the data to carefully disclose information that is relevant to only the Data Subject.
SARs can be submitted in any shape or form, therefore it is vital that you familiarise yourself with the request. It can be easy to presume that the Data Subject is requesting all the data you have about them, however, they are often only looking for something specific. If the request is unclear, contact the Data Subject to determine the scope. Understanding the request before you start redacting is key, and it could save you a lot of time!
Now that you have understood the scope of the request, ensure you make a copy of the collected data that you will apply the redactions to, failure to do so could permanently damage the original data. For manual redactions using paper copies, make sure each page is single-sided. This will minimise the risk of removing information on one side, leaving the other side unreadable. We recommend, where possible, digitalising your paper copies and using redaction software. For more information or advice on redaction software, please get in touch.
The Right of Access is the right to obtain ‘personal data’. Some key things to consider when redacting are:
However, there are exemptions to this and should be considered on a case-by-case basis.
When responding to a SAR, there are many exemptions that give the data controller the right to withhold information that:
Be sure to document the reasoning behind any exemptions you are applying, as the Data Subject has the right to appeal such decisions. For a full list of exemptions, please visit the ICO’s website.
When using redaction software, be sure to remove metadata – hidden text/images/data. This will remove the risk of reidentification by hidden methods. Most redaction software has this functionality, so be sure to apply this before you start your redactions.
When marking a document for redaction, make sure your redaction boxes cover the desired text completely, this will minimise the risk of data being accidentally released. It’s best practice to have the redactions checked by a second expert or equivalent to ensure that the quality assurance process and the SAR policy is adhered to.
If you require specific guidance on DSARs please get in contact. We provide both training and an expert in-house redaction service.
If you have any other questions or concerns, get in touch with us. We can support you in dealing with complex subject access requests, and can also train your staff.
Want to receive a copy of our monthly Data Protection newsletter and news from the DPAS team?
Helping organisations access the value of their data, create a vision, embed the change and build the future.
Please note all information on this website is for your help and guidance. It should not be regarded as an authoritative or definitive statement of the law.
