I was prompted by a judgment published last week to write about redaction errors. Before I tell you why, let me just explain the term redaction – lawyers will be familiar with it but it’s one of those words that is not always familiar to those in other walks of life.
Interestingly, I’ve discovered a surprising variation in definitions of redaction online, but for our purposes, redaction is the process of removing those bits of information which need to remain confidential when preparing a document for disclosure or publication. It differs from anonymisation or editing because pseudonyms aren’t used, and the text isn’t written but a place marker is left so that the reader can see something has been removed. Sometimes a short description of what has gone is inserted in [brackets] to help the reader make sense of what is left.
The Information Commissioner’s Office describes it like this :
Redaction is the separation of disclosable from nondisclosable information by blocking out individual words, sentences or paragraphs or the removal of whole pages or sections prior to the release of the document.
So, on to the subject of redaction whoopsies. The judgment that set me off is London Borough of Lambeth v AM (Judgment No. 2)  EWHC 186 (QB) – not a case in the family court, but a case arising from child protection documents held by a local authority, which were released to a data subject following a data protection subject access request. That case was about the local authority’s frantic attempts to sort things out after the data subject managed (a parent) managed to undo the redaction and identify that it was his own family members who had made child protection referrals about his children. Whoopsy.
In summary, the judgment tells us this is what happened :
Lambeth attempted to redact any details that would reveal HJ’s identity. It did so electronically without realising that anyone reasonably proficient in the use of Adobe would be able to defeat the redaction and restore the original text. AM did so and used the documents obtained from Lambeth to write a letter before action accusing HJ of malicious defamation, breach of confidence and harassment.
Upon discovering that AM had been able to circumvent the redaction of the file, Lambeth issued this claim seeking injunctive relief to protect the alleged confidentiality of its file and orders requiring him to destroy all copies of the unredacted information.
In the circumstances, I can understand why the local authority in question might have felt it needed to take action – and the court accepted their arguments that the material was confidential, that he knew he should not have breached that confidentiality by removing the redaction, or by keeping an un-redacted copy and using it to threaten legal action against his family members – and an injunction was made (presumably requiring him to destroy copies, although the judgment does not specify). But what I wondered immediately on seeing the judgment was :
- Why did they send him documents that still contained the confidential information waiting to be found in the first place?
- Have they reported themselves to the Information Commissioner’s Office?
Ultimately, AM (the data subject who got around the redaction) could not have done what he did if the LA had done proper redaction in the first place – and nor would Lambeth have been in the awkward and expensive position of having to fund protracted litigation in the Queen’s Bench Division of the High Court. Think about it :the hard copy equivalent of what is described is sending a printed copy of the disclosure but putting a post it note marked ‘don’t read this bit’ over every reference to confidential information. Not really the sort of data processing that the ICO is terribly fond of.
In this case the data breach seems to have poured fuel on a family feud, probably prompting some rather upset communication from those families members who had held the expectation their identities would be protected. That is bad enough, but in other cases it might jeopardise a placement or put a child or parent at direct risk of harm. I know this because I too have had cases (a number of them) where someone’s failure to properly redact has only been spotted after circulation. Fortunately none of my cases have involved actual harm but I’ve seen a few scenarios which were a bit too close for comfort.
Until a few years ago redaction was carried out with tipex or a black marker pen, and disclosure was delivered in the form of photocopied hard copy documents. Then the problem was the lettering still being visible through the marker or the tipex. Now, you don’t get that, but there are equivalent problems with digital files, with their version histories, and optical character recognition and searchability. Most disclosure exists digitally, is redacted digitally and is served digitally rather than in hard copy.
I have a pretty good idea what happened in the Lambeth case because it’s happened in mine. The judgment doesn’t go into much detail because the purpose of the case was to fix the problem not investigate how it arose, so we only have a pretty slender description. But from the description given, this doesn’t sound to me like a member of the public performing some high level IT wizardry to undo properly redacted redactions, in ways that Lambeth could never have foreseen. It sounds to me like someone doing what any competent person can do with Adobe (a standard and readily accessible piece of software) if the redactions have not been properly done in the first place. I know this because it has been me on occasion who has ACCIDENTALLY discovered that someone at a LA has purported to redact but in fact has just stuck a black box over some text, without removing the text beneath. I discovered it when a keyword search resulted in multiple hits on a confidential name, a name that could be located behind the black ‘redaction’ boxes – but which could be dragged out from behind the black box (or the box deleted) to reveal the purportedly redacted text.
I don’t want to be all preachy here. There is and will always be human error when redacting large volumes of documents with repeated references to confidential names and addresses – one often slips through – and that can only be minimised by good processes involving checking and double checking – but what happened in this case (or at any rate what seems to have happened) is of a different nature. It has a high potential for harm and yet is so easily avoidable – and if used properly is pretty foolproof.
There is a proper Redaction function on Adobe DC Pro (other software is available but it’s a good example and pretty standard). Adobe DC Pro costs 12 quid a month. It substitutes text for a black box – it does not merely superimpose it. I cannot understand why any local authority does not do this as standard. I have had twitter exchanges with some (diligent and knowledgeable) local authority lawyers this week telling me how LA bureaucracy means that this is all impossible because of budgets and silos and procurement and lack of software … well, blah, blah. I get, and am familiar with that sort of infuriating impossibility loop (far too familiar) – but really? Most local authorities need and have some form of pdf software for bundling purposes (though a few still seem to be in the 20th century), so it is difficult to see how they can be unable to ensure that a redaction tool is available and used. Someone needs to sit the Director of Childrens’ Services or Head of Finance and Silos (or whoever) in those local authorities down, and tell them how much the ICO might fine them, how much it might cost to pay damages to the adoptive family or domestic abuse victim that has to move house, as a result of this sort of elementary data breach. Quite apart from the human cost to families the cost to a LA who causes such an issue by failing to redact properly is going to be substantially more than twelve piddling quid a month.
What my twitter exchanges did establish (in combination with my own experience) is that this is not a one off in one local authority. I strongly suspect that these sort of errors are probably more commonplace than can be justified, but that many are caught in the nick of time, or go unnoticed by the recipients of the information. It’s really quite alarming.
My experience suggests that it isn’t always lack of software though – sometimes it is just people not knowing how to work it. I had one case where a social worker had decided to be helpful by doing their own redaction rather than running it through legal (or whichever department is nominated to do it in the LA). That too can and should be pretty easily sorted, through process review or training.
Someone will probably accuse me of writing a sort of terrorists cookbook for those trying to breach confidentiality – well, respectfully they can naff off – this stuff is so basic that any fule can do it. All the more reason for great care by those with primary responsibility for looking after and processing this sensitive data. The buck really stops with them. If you don’t hand the nosey parkers and the dangerous stalkers of this world the information in the first place, they won’t be able to access it and do bad things with it.
The potential for the manipulation of pdfs is not a new or unknown phenomenon and by now LAs (and the rest of us) should be on top of our game. The ICO has a whole massive guide on how to disclose information safely here. I would have thought it was key reading for any local authority department responsible for subject access requests or disclosure of papers in the context of litigation, and that it ought to have informed any LA data policy and data risk assessment. It has a whole section on ineffective redaction and the dangers of using black highlighters that leave text beneath. It also links to a Redaction toolkit which has been available for almost a decade. So nobody can tell me that this is something novel or surprising. Any Local Authority with a robust data protection policy and risk assessment should have the necessary staffing, software and processes to be able to redact sensitive information about vulnerable children and families without redaction whoopsies.