What Data is Redacted in Government Documents?
March 15, 2021 | 7 minutes read
Redaction in Government
Many interactions with governments, whether local, state, or federal, will require you to give up some personal information. What are the rules for protecting your personal data when it is in the hands of a government agency? You may be surprised that the US does not have all-encompassing privacy legislation. It does have several rulings about how government agencies should conduct business when it comes to private data.
One ruling is the E-Government Act of 2002, a US statute whose stated purpose is to improve the management and promotion of electronic government services. This ruling works hand-in-hand with other regulations such as FISMA (Federal Information Security Management Act of 2002) and the title V program CIPSEA (Confidential Information Protection and Statistical Efficiency Act).
Many individual rulings, including Rule 5.2 of the Federal Rules of Civil Procedure, target how a government agency must handle personal data. Information that must be redacted is generally the same across the rulings, such as the requirement to redact social security numbers, birthdates, personal addresses, and account numbers. From the federal government to daily business transactions, these are the details that consumers have come to expect to be protected from abuse or misuse.
While the US has a long way to go to consolidate and protect its citizens’ privacy on a broad scale, these minor rulings and regulations are meant to protect your data when it is in the hands of government agencies. Any interaction you may have with a government agency, such as financial details with the IRS, court cases in federal courts, employment or purchases from government agencies, or registering your new home purchase with the local government, is protected because of those rulings and regulations.
There are some exceptions when it comes to local court cases. Though many courts are learning that they need to tighten their privacy protections, there is a great debate in some jurisdictions about what should and should not be redacted. Does the information that is already publicly available count? The discussion should be muted as they are a government agency that should put the people’s interest first, and regardless of “what information is publicly known,” they have a responsibility first to do their job with honor and dignity. These courts should not play these “what if” games with people’s private data and simply build a secure redaction system that is equal and adequate for everyone.
How Are Government Secrets Maintained with Redaction?
When we are discussing specifically government documents or classified documents that have been redacted, another term is generally used: ‘sanitization.’ In government, each agency has its own regulations or rulings on how to handle redaction or sanitization of its specific data. For example, the IRS has issued Media Sanitization Guidelines for all their employees to follow. All classified information is redacted to remove essential details such as military secrets, the informant’s identity, and more. The general idea is to protect the confidentiality of sensitive information that could harm someone or another entity if that data was publicly released.
The IRS guidelines make a point to explain the importance of these rules. “The purpose is to clarify requirements and provide guidance for implementing media sanitization techniques (clearing, purging, destroying) for media that contain FTI (Federal Tax Information) when the media is going to be reused or disposed of by the agency.” In these terms, media refers to both hard paper copies and digital information.
The point here is that data is released. It may be sent to an outside agency for review; it could be given to the individual who owns the data or released as part of a Freedom of Information Act (FOIA) request. The necessity of sharing information in any form means that having a solid policy to follow and redacting accurately and thoroughly are even more critical. Releasing data to the wrong hands can have lasting damage, especially for government agencies. The rules in the IRS guidelines are similar to those of other government agencies and have three categories of sanitization.
- Clearing – Clearing is a level of media sanitization that protects the confidentiality of data against the severe threat of a keyboard attack. This level of protection means that simply deleting data is not sufficient. Clearing means that data cannot be retrieved through digital means such as disk or file recovery utilities, or even keystroke recovery attempts. Data must be resistant to data scavenging tools. Overwriting is acceptable.
- Purging – Media sanitization for purging is done at a level that can protect against a laboratory attack. Clearing media alone would not be sufficient. These attacks could include a threat with the resources and knowledge to use nonstandard means to conduct data recovery. Execution of the firmware Secure Erase or degaussing is the only acceptable method for purging.
- Destroying – The ultimate form of sanitization is the destruction of the media. Destruction means that the media used to contain data cannot be reused. Physical destruction includes disintegration, incineration, pulverizing, shredding, and melting.
What are the National Archives Rules for Redaction?
Many documents that were previously classified are later released through the National Archives. What are their rules for redaction? They post the details of how the redaction process works, what data is removed, what they will release, and when. When a document is declassified, it will still contain redactions. The redactions that remain are either personally identifiable details or data that cannot be released to the public. The redaction codes posted by the National Archives show a variety of types of data that they will continue to redact while classified and even after documents are declassified.
- Items involving military plans, weapons, or operations.
- Data that involves foreign governments.
- The National Archives does not release data on intelligence activities.
- Confidential sources, foreign relations, or foreign activities.
- Any type of data, technical, scientific, or economic that involves national security.
- Any data used for safeguarding nuclear systems.
- Any data related to the development, production, or storage of weapons of mass destruction.
There are further categories for documents that have passed the 25-year release ruling, such as continued redaction of personal information on informants or individuals.
At the 50-year and 75-year declassification rules, data that would still harm an individual’s privacy and security or national security continue to be redacted.
Learning More with FOIA
What is FOIA? Since 1967, Americans have had the right to request government entities’ information through the Freedom of Information Act (FOIA). The act allows the public to ask for access to records from any federally funded government agency. When the law was passed, it was described as “the law that keeps citizens in the know about their government.” Federal agencies must disclose any information requested under FOIA unless the data falls under one of nine exemptions. These exemptions are in place to protect interests such as personal privacy, national security, and law enforcement.
FOIA works on behalf of the people. The law requires full or partial disclosure of information that has been previously unreleased. It also includes documents controlled by the federal government. The ruling defines which agency records are subject to disclosure. It also mandates the types of details that must be redacted to ensure privacy or national security. The idea behind FOIA was to help the public with transparency in government, allowing a method to access information that they may need or be interested in.
Reading Between the Black Bars
Using proper redaction software or sanitization techniques is extremely important. Gone are the days when it was appropriate to use black tape and make a photocopy. The methods previously used for the redaction of information became somewhat of a challenge to those looking to find the details. Can you figure out a word if you can see tall, short, or letters that fall below the line? If the black tape missed a letter, is it enough to give away a person’s identity?
Reading between the black bars became a challenge to some, like solving puzzles or cryptograms. The good news is that now that most of our data has become digitized, these mistakes rarely happen. There are still some who try to use Word to create a black bar over letters, thinking they have entirely redacted the information. They find out later, when the document is uploaded and highlighting the redacted portion with a mouse shows what is underneath. Here is an example: Health Record – Patient: David Mcbrayer Date of Birth: 03/15/54. Go ahead and highlight the black boxes using the mouse and see how you can see the information that is highlighted.
This is a common mistake. Highlighting the content with a black box is not the same as redaction. Proper redaction techniques are as important as the act of redaction itself. If it is done wrong, it fails. The government has opened documents to FOIA to ensure trust in the government. Transparency is needed to continue to have faith that the government is making decisions based on what is best for them, the people, not for the representative’s pocketbooks. Having a systematic way of handling data, such as the IRS or National Archives, and following procedures protect our data, our nation, and us.
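A pre-release check for the Word black-bar mistake described above, as an added example that is not code from the original article: it opens a .docx, reads word/document.xml, and reports every run that carries black highlighting or black shading while its characters are still in the file. The sample document, the names in it, and the function names are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}

def covered_text_runs(docx_bytes):
    """Return the text of runs that are only covered in black, not removed."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    leaks = []
    for run in root.iter(f"{{{W}}}r"):
        rpr = run.find("w:rPr", NS)
        if rpr is None:
            continue
        hl = rpr.find("w:highlight", NS)
        shd = rpr.find("w:shd", NS)
        black_hl = hl is not None and hl.get(f"{{{W}}}val") == "black"
        black_shd = shd is not None and (shd.get(f"{{{W}}}fill") or "").upper() == "000000"
        text = "".join(t.text or "" for t in run.findall("w:t", NS))
        # A black bar over real characters is a leak; a bar over blanks is not.
        if (black_hl or black_shd) and text.strip():
            leaks.append(text)
    return leaks

def build_sample_docx():
    """Constructed sample holding only word/document.xml, the part the check reads."""
    runs = (
        '<w:r><w:t xml:space="preserve">Patient: </w:t></w:r>'
        '<w:r><w:rPr><w:highlight w:val="black"/></w:rPr><w:t>Jane Sample</w:t></w:r>'
        '<w:r><w:t xml:space="preserve"> Date of Birth: </w:t></w:r>'
        '<w:r><w:rPr><w:shd w:val="clear" w:fill="000000"/></w:rPr><w:t>01/02/1970</w:t></w:r>'
        '<w:r><w:t xml:space="preserve"> Account: </w:t></w:r>'
        # Correct redaction: characters replaced by blanks before the bar is applied.
        '<w:r><w:rPr><w:highlight w:val="black"/></w:rPr><w:t xml:space="preserve">          </w:t></w:r>'
    )
    xml = f'<w:document xmlns:w="{W}"><w:body><w:p>{runs}</w:p></w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    for leaked in covered_text_runs(build_sample_docx()):
        print("still present under a black bar:", leaked)
```

The check covers run-level highlighting and shading in the main document part only; text under drawn shapes, in headers and footers, comments, or tracked changes needs its own review before release.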