DPC Guidance on Redacting Documents and Records

  • Ireland
  • Privacy, data protection and cybersecurity


The Data Protection Commission (“DPC”) recently published guidance on Redacting Documents and Records (the “Guidance”). The DPC notes that businesses are required to redact documents for various purposes such as to protect confidential or proprietary information or to comply with rules governing official secrecy, legal privilege or professional confidentiality. In the context of data protection, the DPC notes that redaction is most commonly considered in the context of data subject access requests (“DSAR”) given that the controller is under a duty not to “adversely affect the rights and freedoms of others” when responding to a DSAR.

We have summarised below five practical steps from the DPC’s Guidance which businesses should look out for when redacting documents.

1)   Work on a copy of the document.

The DPC has noted that this point is often overlooked. When redacting a document you should always redact a copy of the original so that any errors can be easily rectified. The original form of the document will also likely be required for another purpose, and working on a copy ensures that it remains available.

2)   Understand the purpose, structure and terminology of your request.

In order to be confident that you can correctly identify all the relevant personal data in a document, the DPC has stressed that the redactor must first understand the purpose, structure and terminology used in a document or record. On this basis, the DPC advises that a person dealing with the response to a DSAR should be sufficiently familiar with the material being examined to be able to recognise data identifying the data subject.

3)   Use the search function with caution.

While the search function can be extremely useful when looking to identify specific words, the DPC urges caution because the search function has its limitations. For example, the DPC notes that the search function may not scan all parts of the document, such as the table of contents. In addition, the DPC has stated that it is important to bear in mind the possibility that a name may be misspelled or referred to in a different way.

4)   Ensure that all concealed information is reviewed.

The DPC has advised that files produced by word processing applications, emails, spreadsheets, presentation programs or databases contain more information than may appear on screen. This includes:

a)    Hidden content which may be found in spreadsheets and databases, for example concealed columns, tables and worksheets;

b)    File properties which may contain information about the person who created or edited the files; and

c)    Metadata which may contain detailed information generated by the application that created the file, by operating systems or by other sources. For example, email metadata may contain the time and date of creation and the sender’s email and IP address.
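As an illustration of points (a) and (b) for one file type, the following added example (not taken from the DPC Guidance or written by the authors of this article) inspects an .xlsx spreadsheet package for hidden worksheets, hidden columns and rows, and author file properties. The function names `audit_xlsx` and `build_sample` are hypothetical, and the sample workbook is constructed inline for demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

M = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"  # sheet markup
DC = "{http://purl.org/dc/elements/1.1/}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"

def audit_xlsx(data):
    """List content in an .xlsx package that is not visible on screen."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in (n for n in z.namelist() if n.endswith(".xml")):
            root = ET.fromstring(z.read(name))
            if name == "xl/workbook.xml":
                for s in root.iter(M + "sheet"):  # state is hidden or veryHidden
                    if s.get("state", "visible") != "visible":
                        findings.append(f"sheet '{s.get('name')}' is {s.get('state')}")
            elif name.startswith("xl/worksheets/"):
                for kind in ("col", "row"):
                    for el in root.iter(M + kind):
                        if el.get("hidden") in ("1", "true"):
                            pos = el.get("r") or f"{el.get('min')}-{el.get('max')}"
                            findings.append(f"{name}: hidden {kind} {pos}")
            elif name == "docProps/core.xml":
                for ns_uri, label in ((DC, "creator"), (CP, "lastModifiedBy")):
                    el = root.find(ns_uri + label)
                    if el is not None and el.text:
                        findings.append(f"file property {label} = {el.text}")
    return findings

def build_sample():
    """Constructed sample: a minimal package skeleton, not a complete workbook."""
    ns = f'xmlns="{M[1:-1]}"'
    parts = {
        "xl/workbook.xml": f'<workbook {ns}><sheets><sheet name="Summary" sheetId="1"/>'
                           f'<sheet name="Notes" sheetId="2" state="hidden"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet {ns}><cols><col min="3" max="3" hidden="1"/></cols>'
                                    f'<sheetData><row r="5" hidden="1"/></sheetData></worksheet>',
        "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{CP[1:-1]}" xmlns:dc="{DC[1:-1]}">'
                             f'<dc:creator>Example Author</dc:creator></cp:coreProperties>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    print("\n".join(audit_xlsx(build_sample())))
```

This check covers spreadsheets only; word processing files, emails and presentations store hidden content and metadata differently and need their own review. Python's standard XML parser is not hardened against maliciously constructed files, so treat documents from untrusted sources accordingly.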

5)   Do not rely on highlighting/changing the colour of text.

The DPC notes that highlighting and/or changing the colour of text to redact may render sections unreadable on screen or in print. However, the text content will not be affected, and as such the text may still be copied and pasted into a text editor or otherwise be legible or recoverable. Instead, the DPC recommends redacting by replacing words with symbols or words such as [REDACTED] or [XXXXX].

For more information, please contact

Marie McGinley, Partner and Head of IP, Technology & DP

Leona Chow, Solicitor in IP, Technology & DP