Secure redaction of sensitive documents

Redacted

During the past year, the Trust has had information governance breaches where redaction on documents was not used correctly, i.e. the redaction was able to be lifted and the person reading the document could read all of the document, and not only the parts they were allowed. This type of breach, depending on the information released, would be reported to the Information Commissioners Officer (ICO) who would also investigate the breach.

For an example: you open and use the normal Adobe Reader which is installed on all of the Trust’s computers. The highlight function is used (in black) to hide/redact certain parts of the document which the requester does not have the privilege to view. This document is then saved and sent through to the requester. The requester opens the document, clicks the highlighted area and presses delete which then shows the text underneath. The highlighting tool is not a redaction tool and can be easily removed.

Redaction can also be removed if highlighted on Word and the document is then converted to PDF. A quick search and you can find websites which will help unredact documents of this nature.

A special version of Adobe, Redaction, must be bought to ensure redaction is carried out correctly. The only other way redaction can be safely used is if the text is highlighted, printed out and then rescanned into the system.

The Trust has designated members of staff who have this software, the Subject Access Request and Release of Information teams with the Information Governance team.

It is also worth bearing in mind that if you try to unredact documents disclosed to you then you could be committing an offence under S.171 of the Data Protection Act 2018.

If you have any questions about redaction, or whether you are able to release documents outside of the SAR/RFI/FOI team please contact informationgovernance@eastamb.nhs.uk and one of the team will be able to answer any of your queries.

Any information governance breaches must be reported via Datix as soon as the incident happens/or when you become aware of the breach.

 

Published 17th June 2020

0 Comments
Leave a Comment
Name (required)
Email Address (required, never displayed)
Enter a message

(all comments are moderated - your submission will be posted on approval.)