skip to main content
research-article

Exploring How UK Public Authorities Use Redaction to Protect Personal Information

Published: 11 September 2024 Publication History

Abstract

Document redaction has become increasingly important for individuals and organizations. This article investigates public-sector information redaction practices in order to determine if they adequately protect personal information from accidental disclosure due to redaction errors. Despite the importance of this in respect of data protection, 66.4% of those Public Authorities that responded did not hold formal policies or procedures at all. To assess those policies that did exist, we produced a 17-item check list of minimum best practice. Even those with policies and procedures had substantial defects to some degree (with the median performance being 29.4% on our checklist), with policies frequently recommending the use of high-risk redaction methods and overlooking essential practices. This means that these existing practices amount to widespread breaches of data protection law on the ground. To remedy this, we articulate a new set of document redaction standards, which overcome the existing inadequacies in current guidance, as well as make proposals for regulatory reform in this space.

References

[1]
UK Government. 2022. “Departments, agencies and public bodies - GOV.UK - GOV.UK,” 2022. Retrieved April 06, 2022 from https://www.gov.uk/government/organisations
[2]
UNESCO. 2019. “UNESCO launches SDG survey on access to information at the UN. UNESCO, Jul. 18, 2019. Retrieved September 28, 2022 from https://en.unesco.org/news/unesco-launches-sdg-survey-access-information
[3]
Information Commissioner's Office. 2018. How to disclose information safely. 2018. Retrieved January 27, 2023 from https://ico.org.uk/media/2013958/how-to-disclose-information-safely.pdf
[4]
D. Sánchez and M. Batet. 2016. “C-sanitized: A privacy model for document redaction and sanitization: C-Sanitized: A privacy model for document redaction and sanitization. Journal of the Association for Information Science and Technology 67, 1 (2016), 148–163. DOI:
[5]
P. Rane, A. Rao, D. Verma, and A. Mhaisgawali. 2021. Redacting sensitive information from the data. In Proceedings of the 2021 International Conference on Smart Generation Computing, Communication and Networking (SMART GENCON), 2021, 1–5. DOI:
[6]
T. Cushing. 2014. New York times suffers redaction failure, exposes name of NSA agent and targeted network in uploaded PDF. Techdirt (2014). Retrieved March 29, 2022 from https://www.techdirt.com/2014/01/28/new-york-times-suffers-redaction-failure-exposes-name-nsa-agent-targeted-network-uploaded-pdf/
[7]
H. B. Dixon. 2019. Embarrassing redaction failures. The Judges’ Journal 58, 2 (2019), 37–39.
[8]
D. P. Lopresti and A. L. Spitz. 2005. Information Leakage Through Document Redaction: Attacks and Countermeasures. Bellingham WA: SPIE, 2005, 183–190. DOI:
[9]
E. Bier, R. Chow, P. Golle, T. H. King, and J. Staddon. 2009. The rules of redaction: Identify, protect, review (and repeat). IEEE Security Privacy 7, 6 (2009), 46–53. DOI:
[10]
P. Pedley. 2022. Facet: Title Detail Essential Law for Information Professionals by Paul Pedley. 2019. Retrieved April 05, 2022 from https://www.facetpublishing.co.uk/page/detail/essential-law-for-information-professionals/?K=9781783304356
[11]
J. Levin, A. Mak, and J. L. Fischer. 2020. Ghislaine maxwell deposition redactions: How to crack them. 2020. Retrieved April 15, 2023 from https://slate.com/news-and-politics/2020/10/ghislaine-maxwell-deposition-redactions-epstein-how-to-crack.html
[12]
N. Nielsen. 2021. EU admits redaction error in AstraZeneca contract. EUobserver, (2021). Retrieved 2023 from https://euobserver.com/health-and-society/150799
[13]
Office of the Victorian Information Commissioner. 2018. Redacting the right way. Office of the Victorian Information Commissioner, Retrieved April 23, 2018 from https://ovic.vic.gov.au/blog/redacting-the-right-way/ (accessed 2023)
[14]
D. Lopresti and A. Spitz. 2004. Quantifying information leakage in document redaction. In Proceedings of the 1st ACM workshop on Hardcopy Document Processing. ACM, 2004, 63–69. DOI:
[15]
L. Reed. 2023. Redaction whoopsies. Pink Tape. Retrieved February 21, 2021 from http://www.pinktape.co.uk/rants/redaction-whoopsies/ (accessed 2023)
[16]
P. Coppel QC. 2020. Information Rights: A Practitioner's Guide to Data Protection, Freedom of Information and Other Information Rights (5th ed.). : Bloomsbury Publishing Plc, London., 2020.
[18]
G. Manes, L. Watson, D. Greer, A. Barclay, and J. Hale. 2007. Towards redaction of digital information from electronic devices. Annual ADFSL Conference on Digital Forensics, Security and Law. Retrieved April 2007 from https://commons.erau.edu/adfsl/2007/session-12/1
[19]
M. Grechanik, C. McMillan, T. Dasgupta, D. Poshyvanyk, and M. Gethers. 2014. Redacting sensitive information in software artifacts. In Proceedings of the 22nd International Conference on Program Comprehension, in ICPC 2014. New York, NY, USA: Association for Computing Machinery, 314–325. DOI:
[20]
J. Heckman. 2010. Protecting the metadata in your word and PDF documents. IQ: The RIMPA Quarterly Magazine 26, 3 (2010), 16–17. DOI:
[21]
V. Huynh, Z. J. Sasiene, P. M. Mach, T. D. Golden, and G. F. Verbeck. 2016. Laser ablation coupled with DAPNe-NSI-MS applied to redacted documents. Science & Justice 56, 5 (2016), 329–340. DOI:
[22]
S. Hill, Z. Zhou, L. Saul, and H. Shacham. 2016. On the (in)effectiveness of mosaicing and blurring as tools for document redaction. Proceedings on Privacy Enhancing Technologies 2016, 4 (2016), 403–417. DOI:
[23]
M. Gati and A. E. Simay. 2020. Perception of privacy in the light of GDPR. In 11th Emac Regional Conference - Challenging the Status Quo in Marketing Research. M. Fuduric, S. Horvat, T. Komarac, and V. Skare, (Eds.), Zagreb: Univ Zagreb, Fac Economics & Business, 2020, 62–70. Retrieved March 23, 2022 from https://www.webofscience.com/wos/woscc/full-record/WOS:000654145000007
[24]
Information Commissioner's Office, “Principle (a): Lawfulness, fairness and transparency,” Retrieved January 17, 2022 from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/lawfulness-fairness-and-transparency/
[25]
R. N. Zaeem and K. S. Barber. 2020. The effect of the GDPR on privacy policies: Recent progress and future promise. ACM Transactions on Management Information Systems 12, 1 (2020), 2:1–2:20. DOI:
[26]
A. Savage and R. Hyde. 2014. Using freedom of information requests to facilitate research. International Journal of Social Research Methodology 17, 3 (2014), 303–317. DOI:
[27]
M. Cherry and D. McMenemy. 2013. Freedom of information and ‘vexatious’ requests — the case of scottish local government. Government Information Quarterly 30, 3 (2013), 257–266. DOI:
[28]
K. Walby and A. Luscombe. 2020. Freedom of Information and Social Science Research Design. (1st ed.). In Routledge Advances in Research Methods. Routledge, Milton. DOI:
[29]
B. Goodwin. 2021. Government bodies refuse FOI requests on basis of misleading database search times, says academic. ComputerWeekly.com, 2021. Retrieved from https://www.computerweekly.com/news/252509483/Government-bodies-refuse-FOI-requests-on-basis-of-misleading-database-search-times-says-academic
[30]
H. Dennett. 2021. FOI exemption misuse isn't always about government secrecy | The Canberra Times | Canberra, ACT. 2021. Retrieved from https://www.canberratimes.com.au/story/7087660/culture-of-secrecy-doesnt-explain-bulk-of-foi-problems/
[31]
R. Kirkham. 2018. How long is a piece of string? The appropriateness of search time as a measure of ‘burden’ in access to information regimes. Government Information Quarterly 35, 4 (2018), 657–668. DOI:
[32]
Y. Baruch and B. C. Holtom. 2008. Survey response rate levels and trends in organizational research. Human Relations 61, 8 (2008), 1139–1160. DOI:
[33]
J. Corderoy. 2021. Cabinet office announces review into controversial FOI unit. Cabinet Office Announces Review Into Controversial FOI Unit, 2021. Retrieved from https://www.opendemocracy.net/en/freedom-of-information/cabinet-office-announces-review-controversial-foi-unit/
[34]
International Standards Organisation. ISO/IEC 27038:2014. ISO. Retrieved from https://www.iso.org/standard/44382.html
[35]
The National Archives. Redaction Toolkit: Editing exempt information from paper and electronic documents prior to release. 2022. Retrieved from https://cdn.nationalarchives.gov.uk/documents/information-management/redaction_toolkit.pdf
[36]
[37]
Federal Court of Australia. 2023. Guide to redacting documents in electronic form. Retrieved May 17, 2019 from https://www.fedcourt.gov.au/online-services/preparing-documents-for-the-court/guide-to-redacting-documents-in-electronic-form
[38]
Office of the Information Commissioner Queensland. 2013. Providing access to documents. Office of the Information Commissioner Queensland, 2013. Retrieved from https://www.oic.qld.gov.au/guidelines/for-government/access-and-amendment/accessing-documents/providing-access-to-documents
[39]
Irish Data Protection Commmision. 2021. Redacting Documents and Records | Data Protection Commission. Redacting Documents and Records | Data Protection Commission, 2021. Retrieved from https://www.dataprotection.ie/dpc-guidance/redacting-documents-and-records
[40]
[41]
The Government of South Australia. 2022. FOI and Redaction of Documents. 2022. Retrieved from https://www.archives.sa.gov.au/__data/assets/pdf_file/0011/829451/FOI-and-Redaction-of-Documents.pdf
[42]
V. Braun and V. Clarke. 2006. Using thematic analysis in psychology. Qualitative Research in Psychology 3, 2 (2006), 77–101. DOI:
[43]
R. Kirkham. 2023. The ethical problems with IT ‘experts’ in the legal system. IEEE Computer Press, 2023.
[44]
E. Shepherd, A. Stevenson, and A. Flinn. 2010. Information governance, records management, and freedom of information: A study of local government authorities in England. Government Information Quarterly 27, 4 (2010), 337–345. DOI:
[45]
NCSC. 2018. General data protection regulation (GDPR). 2018. Retrieved from https://www.ncsc.gov.uk/information/GDPR
[46]
C. McCluskey. 2018. How will the GDPR affect FOI law?. 13, 5 (2018), 1–3. Retrieved from https://www.pdpjournals.com/overview-freedom-of-information
[47]
W. He et al. 2019. Improving employees’ intellectual capacity for cybersecurity through evidence-based malware training. Journal of Intellectual Capital 21, 2 (2019), 203–213. DOI:
[48]
C. Colwill. 2009. Human factors in information security: The insider threat – who can you trust these days?. Information Security Technical Report 14, 4 (2009), 186–196. DOI:
[49]
J. Ames. 2015. Law society drops lord harley redaction clanger. Legal Cheek, (2015). Retrieved from https://www.legalcheek.com/2015/08/law-society-drops-lord-harley-redaction-clanger/
[50]
BBC. Failed redaction reveals Paul Manafort's ‘lies to FBI. BBC News, Jan. 08, 2019. Retrieved from https://www.bbc.com/news/world-us-canada-46804127
[51]
E. Jacobs. 2019. Home Office v Information Commissioner and Cruelty Free International (Information rights - Freedom of Information - exceptions) [2019]UKUT 299 (AAC). 2019. Retrieved March 24, 2022 from https://www.bailii.org/uk/cases/UKUT/AAC/2019/299.html
[52]
E. Wilde and M. Baschnagel. 2005. Fragment identifiers for plain text files. In Proceedings of the Sixteenth ACM Conference on Hypertext and Hypermedia, In HYPERTEXT ’05. Association for Computing Machinery, New York, NY, USA September 2005, 211–213. DOI:
[53]
M. Bland, A. Iyer, and K. Levchenko. 2022. Story beyond the eye: Glyph positions break PDF text redaction. arXiv. DOI:
[54]
P. Lison, I. Pilán, D. Sanchez, M. Batet, and L. Øvrelid. 2021. Anonymisation models for text data: State of the art, challenges and future directions. In Proceedings of the 59th Annual Meeting of the Association for Computational Linguistics and the 11th International Joint Conference on Natural Language Processing (Volume 1: Long Papers), Online: Association for Computational Linguistics (2021), 4188–4203. DOI:
[55]
I. Pilán, P. Lison, L. Øvrelid, A. Papadopoulou, D. Sánchez, and M. Batet. 2022. The text anonymization benchmark (TAB): A dedicated corpus and evaluation framework for text anonymization. Computational Linguistics 48, 4 (2022), 1053–1101. DOI:
[56]
In re Onglyza (Saxagliptin) & Kombiglyze Xr (Saxagliptin & Metformin) Prods. Liab. Litig. 570 F. Supp. 3d 473 (E.D. Ky. 2020). Retrieved from https://www.govinfo.gov/content/pkg/USCOURTS-kyed-5_18-cv-00244/pdf/USCOURTS-kyed-5_18-cv-00244-2.pdf
[57]
L. M. Goldenhar, L. J. Williams, and N. G. Swanson. 2003. Modelling relationships between job stressors and injury and near-miss outcomes for construction labourers. Work & Stress 17, 3 (2003), 218–240. DOI:
[58]
J. J. Hakanen, M. C. W. Peeters, and W. B. Schaufeli. 2018. Different types of employee well-being across time and their relationships with job crafting. Journal of Occupational Health Psychology 23, 2 (2018), 289–301. DOI:
[59]
T. Burke. 2015. Redaction services: In-house or outsource?. Extract Systems, (2015). Retrieved April 11, 2023 from https://www.extractsystems.com/govnews-blog/2015/9/18/redaction-service-in-house-or-outsource
[60]
A. Nath. 2014. Beyond the public eye: On FOIA documents and the visual politics of redaction. Cultural Studies, Critical Methodologies 14, 1 (2014), 21–28. DOI:
[61]
K. A. Latorella and P. V. Prabhu. 2000. A review of human error in aviation maintenance and inspection. International Journal of Industrial Ergonomics 26, 2 (2000), 133–161. DOI:
[62]
G. Bairu. 2020. Forum guide to cybersecurity: Safeguarding your data, 2020, Retrieved from https://files.eric.ed.gov/fulltext/ED611878.pdf
[63]
F. Brudy, D. Ledo, S. Greenberg, and A. Butz. 2014. Is anyone looking? Mitigating shoulder surfing on public displays through awareness and protection. In Proceedings of The International Symposium on Pervasive Displays, in PerDis ’14. New York, NY, USA: Association for Computing Machinery, 1–6. DOI:
[64]
S. L. Garfinkel. 2014. Leaking sensitive information in complex document files–and how to prevent it. IEEE Security & Privacy 12, 1 (2014), 20–27. DOI:

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Transactions on Management Information Systems
ACM Transactions on Management Information Systems  Volume 15, Issue 3
September 2024
144 pages
EISSN:2158-6578
DOI:10.1145/3613643
  • University Of Florida, Usa:
  • Heng Xu
Issue’s Table of Contents

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 11 September 2024
Online AM: 12 March 2024
Accepted: 17 February 2024
Revised: 28 June 2023
Received: 28 June 2023
Published in TMIS Volume 15, Issue 3

Check for updates

Author Tags

  1. Document redaction
  2. Freedom of Information
  3. GDPR
  4. redaction practice

Qualifiers

  • Research-article

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • 0
    Total Citations
  • 326
    Total Downloads
  • Downloads (Last 12 months)326
  • Downloads (Last 6 weeks)18
Reflects downloads up to 28 Feb 2025

Other Metrics

Citations

View Options

Login options

Full Access

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Full Text

View this article in Full Text.

Full Text

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media