Compliant Data For Authorized Eyes Only
Redaction is the method of masking specifics of key details in documents. Today, redaction is used to hide information from unauthorized in-house readers of documents and to protect the data privacy rights of individuals when documents are shared externally.
The Need for Secrecy and Privacy
Why is redaction so topical today? On the one hand, organizations are obliged to govern access to internally-held information. On the other, recent legislation imposes strict rules on how personal data is shared that has highlighted the requirement for redaction solutions.
An easy way to visualize editorial work in the historical world of paper is to picture a typical scene in spy films where words in documents are made unreadable and labeled “Top Secret.” An analog form of redaction!
Document Redaction and Privacy
Most records are kept on in-house servers or in the Cloud during the digital age, where people can have direct access from anywhere in the world.
The collected documents cover a wide range of forms and subjects, ranging from contracts and HR reports to private properties, patient records, and criminal case issues. There are many occasions when an individual needs to view some of the information contained in a document. Still, some parts of the document are too sensitive to be seen by unauthorized eyes.
Masking Sensitive In-House Information
Consider the case of a senior executive’s payment details or pension details, which are kept among the HR records of a business.
While the HR Manager might need to have access to complete information, requiring all HR team members to have the same access would be a risk. The danger could be lawful or reputational, or both. For example, if a disgruntled or merely careless employee leaked the information, the resulting coverage could be harmful if it became a ‘fat cat’ story in the media. In the case of a data privacy violation, there could also be serious financial consequences.
Appropriate access privileges can be assigned to protect sensitive information in digital records (whether printed or electronic in origin) so that if a member of staff has no rights, the information is fully ‘blacked out.’ For example, while the payment schedule or transaction dates of the executive may be readable, panels may redact the financial details.
Access rights can be given gradually so that device users can see more or less of a text, depending on what they need to see for their job to be completed.
Complex Regulations Govern External Information Sharing
Procedures for protecting information in-house rely on the robustness of the current digital document management framework, as well as adequate policing and testing. Data breaches are always possible, yet if processes and procedures are properly maintained, it will be easier to contain matters internally.
When it comes to the international exchange of information, the rules and standards relating to documents shared with third parties are unique and complex. Protection of privacy and the wording that often goes hand in hand with protection must be understood and adhered to by anyone who shares data.
Data protection laws in Europe are some of the most strict in the world and have long been a thorn in the side of the data-guzzling tech giants, financial institutions among other business entities.
The U.S. is one of only a few countries without a federal data protection law (along with Venezuela, Libya, Sudan, and Syria). Rather than comprehensive legal protection for personal data, the United States has multiple patchworks of sector-specific laws for data protection. Currently, one senator wants to bring many of those concepts to the federal level. Sen. Kirsten Gillibrand has published a bill which, if passed, would create a U.S. federal data protection agency designed to protect the privacy of Americans and with authority to enforce data practices across the country. The bill, which Gillibrand calls the Data Protection Act, will address the gaps left out by state laws in the U.S., the senator said.
In the United Kingdom, The Information Commissioner’s Office (ICO) is the independent administrative office dealing with the 2018 Data Protection Act, the General Data Protection Regulation, the 2003 Regulations on Privacy and Electronic Communications (EC Directive), the Freedom of Information Act 2000 and the 2004 Environmental Information Regulation.
It takes a bit of time to digest the ICO’s ‘ How to securely disclose information ‘ and even longer to enforce policies and procedures to ensure that your company is fully compliant. But failing to do so can lead to substantial fines.
Primarily, the ICO protects the privacy of individuals by ensuring that no personal data are exchanged without the subject(s)’s permission. However, when data is viewed in physical or digital form as anything from a graphic map, or photograph, or video, or text, privacy becomes a minefield. The ICO disclosure guidance document several times refers to redaction as a potential data protection mechanism but also alerts redactors of potential tripwires.
Beware Recoverable Redacted Information
Not all redaction software is created equal, and redacted information sometimes isn’t as reliable as it seems. Recent humiliating redaction errors include a U.S. legal example when the former campaign chairman Paul Manafort’s attorneys failed to properly redact pleadings they submitted in federal court.
A quick copy-and-paste of redacted information contained in a PDF document has revealed the redacted information. In this case, redaction failures revealed details of the connections between Manafort and his former Russian business partner, Konstantin Kilimnik, whom the FBI believed to have active ties to Russian intelligence.
So look out; redaction must always mean unrecoverable. Easy copy-and-paste revealed a text that looked safely censored! That is why you have to find our tools for automatic video redaction.
In most disclosure cases, the ICO suggests different practices to anonymize data, and cites full redaction as a viable solution, with a strong emphasis, of course, on the essence of ‘complete.’
Extended definitions of document
A document is regarded to be “a piece of written, printed, or electronic content that contains information or evidence or acts as an official record.” Furthermore, for our purposes, we should be aware that a document could be a video, photograph, audio recording, or object such as a car number plate in the context of data privacy.
Redaction can provide the mechanism to protect sensitive information or privacy in each case. In the case of static objects, redaction takes the form of masking. In the case of interactive objects, such as video, all but the subject(s) of interest must be wholly obscured or omitted before the content can be transmitted lawfully to comply with the privacy regulations.
There are software and systems available to enable organizations to carry out in-house video redaction. For example, CaseGuard Studio is a leading, fast, and reliable video redaction solution that was launched to help organizations manage their CCTV video FOIA requests and GDPR compliance.
Policies and Penalties
It is strongly recommended that companies have access policies in place for standard business documents owned by departments such as accounting, HR, development, and customer services. Most personnel will have unique access privileges, such as’ read-only’ or’ write,’ or access rights limited by the type of department or document; or partial access, such as a view of redacted content.
Multiple states have adopted similar privacy laws to protect consumers in their states after the California Consumer Privacy Act passed in 2018. Since GDPR became law in May 2018 and following the pioneering Consumer Protection and Privacy Act of California (CCPA), the first comprehensive consumer privacy law passed in the United States came into force in January of 2020, companies have to consider very carefully how they manage external requests for documents. These may take the form of a police request for information or staff or members of the public’s subject access request or requests under the Freedom of Information Act (FOIA). It is illegal to share information before deleting or redacting personal data.
Document redaction in the digital age is becoming more difficult than it should be. So, why do so many people get it that wrong? The first question to ask, and perhaps most obvious, is, “do you have redaction software in your organization?” If the answer is no, then you need to get robust software such as CaseGuard studio. The same is true of metadata management software. Businesses cannot afford to expose themselves and their clients to unnecessary risk. Once you have redaction software, the next question to ask is, “how does it handle different file types?”
The ICO reported 75 cases of ‘ failure to redact ‘ in the final quarter of 2019. The ICO reiterates on its monitoring page of patterns the additional measures to be taken to stay safe include:
- Consider metadata when redacting information;
- Verify that all redacted data are not reversible before release.
GDPR fines are high, up to 4 percent of company turnover. Therefore redaction is not a problem that can be ignored. This consistent reference to redaction loopholes should alert potential solution purchasers to seek solution providers with robust and irreversible redaction software.