Redaction Whoopsies

I was prompted by a judgment published last week to write about redaction errors. Before I tell you why, let me just explain the term redaction – lawyers will be familiar with it but it’s one of those words that is not always familiar to those in other walks of life.

Interestingly, I’ve discovered a surprising variation in definitions of redaction online, but for our purposes, redaction is the process of removing those bits of information which need to remain confidential when preparing a document for disclosure or publication. It differs from anonymisation or editing because pseudonyms aren’t used, and the text isn’t written but a place marker is left so that the reader can see something has been removed. Sometimes a short description of what has gone is inserted in [brackets] to help the reader make sense of what is left.

The Information Commissioner’s Office describes it like this :

Redaction is the separation of disclosable from nondisclosable information by blocking out individual words, sentences or paragraphs or the removal of whole pages or sections prior to the release of the document. 

 

So, on to the subject of redaction whoopsies. The judgment that set me off is London Borough of Lambeth v AM (Judgment No. 2) [2021] EWHC 186 (QB) – not a case in the family court, but a case arising from child protection documents held by a local authority, which were released to a data subject following a data protection subject access request. That case was about the local authority’s frantic attempts to sort things out after the data subject managed (a parent) managed to undo the redaction and identify that it was his own family members who had made child protection referrals about his children. Whoopsy.

In summary, the judgment tells us this is what happened :

Lambeth attempted to redact any details that would reveal HJ’s identity. It did so electronically without realising that anyone reasonably proficient in the use of Adobe would be able to defeat the redaction and restore the original text. AM did so and used the documents obtained from Lambeth to write a letter before action accusing HJ of malicious defamation, breach of confidence and harassment.

Upon discovering that AM had been able to circumvent the redaction of the file, Lambeth issued this claim seeking injunctive relief to protect the alleged confidentiality of its file and orders requiring him to destroy all copies of the unredacted information.

In the circumstances, I can understand why the local authority in question might have felt it needed to take action – and the court accepted their arguments that the material was confidential, that he knew he should not have breached that confidentiality by removing the redaction, or by keeping an un-redacted copy and using it to threaten legal action against his family members – and an injunction was made (presumably requiring him to destroy copies, although the judgment does not specify). But what I wondered immediately on seeing the judgment was :

  • Why did they send him documents that still contained the confidential information waiting to be found in the first place?

and

  • Have they reported themselves to the Information Commissioner’s Office?

Ultimately, AM (the data subject who got around the redaction) could not have done what he did if the LA had done proper redaction in the first place – and nor would Lambeth have been in the awkward and expensive position of having to fund protracted litigation in the Queen’s Bench Division of the High Court. Think about it :the hard copy equivalent of what is described is sending a printed copy of the disclosure but putting a post it note marked ‘don’t read this bit’ over every reference to confidential information. Not really the sort of data processing that the ICO is terribly fond of.

In this case the data breach seems to have poured fuel on a family feud, probably prompting some rather upset communication from those families members who had held the expectation their identities would be protected. That is bad enough, but in other cases it might jeopardise a placement or put a child or parent at direct risk of harm. I know this because I too have had cases (a number of them) where someone’s failure to properly redact has only been spotted after circulation. Fortunately none of my cases have involved actual harm but I’ve seen a few scenarios which were a bit too close for comfort.

Until a few years ago redaction was carried out with tipex or a black marker pen, and disclosure was delivered in the form of photocopied hard copy documents. Then the problem was the lettering still being visible through the marker or the tipex. Now, you don’t get that, but there are equivalent problems with digital files, with their version histories, and optical character recognition and searchability. Most disclosure exists digitally, is redacted digitally and is served digitally rather than in hard copy.

I have a pretty good idea what happened in the Lambeth case because it’s happened in mine. The judgment doesn’t go into much detail because the purpose of the case was to fix the problem not investigate how it arose, so we only have a pretty slender description. But from the description given, this doesn’t sound to me like a member of the public performing some high level IT wizardry to undo properly redacted redactions, in ways that Lambeth could never have foreseen. It sounds to me like someone doing what any competent person can do with Adobe (a standard and readily accessible piece of software) if the redactions have not been properly done in the first place. I know this because it has been me on occasion who has ACCIDENTALLY discovered that someone at a LA has purported to redact but in fact has just stuck a black box over some text, without removing the text beneath. I discovered it when a keyword search resulted in multiple hits on a confidential name, a name that could be located behind the black ‘redaction’ boxes – but which could be dragged out from behind the black box (or the box deleted) to reveal the purportedly redacted text.

I don’t want to be all preachy here. There is and will always be human error when redacting large volumes of documents with repeated references to confidential names and addresses – one often slips through – and that can only be minimised by good processes involving checking and double checking – but what happened in this case (or at any rate what seems to have happened) is of a different nature. It has a high potential for harm and yet is so easily avoidable – and if used properly is pretty foolproof.

There is a proper Redaction function on Adobe DC Pro (other software is available but it’s a good example and pretty standard). Adobe DC Pro costs 12 quid a month. It substitutes text for a black box – it does not merely superimpose it. I cannot understand why any local authority does not do this as standard. I have had twitter exchanges with some (diligent and knowledgeable) local authority lawyers this week telling me how LA bureaucracy means that this is all impossible because of budgets and silos and procurement and lack of software … well, blah, blah. I get, and am familiar with that sort of infuriating impossibility loop (far too familiar) – but really? Most local authorities need and have some form of pdf software for bundling purposes (though a few still seem to be in the 20th century), so it is difficult to see how they can be unable to ensure that a redaction tool is available and used. Someone needs to sit the Director of Childrens’ Services or Head of Finance and Silos (or whoever) in those local authorities down, and tell them how much the ICO might fine them, how much it might cost to pay damages to the adoptive family or domestic abuse victim that has to move house, as a result of this sort of elementary data breach. Quite apart from the human cost to families the cost to a LA who causes such an issue by failing to redact properly is going to be substantially more than twelve piddling quid a month.

What my twitter exchanges did establish (in combination with my own experience) is that this is not a one off in one local authority. I strongly suspect that these sort of errors are probably more commonplace than can be justified, but that many are caught in the nick of time, or go unnoticed by the recipients of the information. It’s really quite alarming.

My experience suggests that it isn’t always lack of software though – sometimes it is just people not knowing how to work it. I had one case where a social worker had decided to be helpful by doing their own redaction rather than running it through legal (or whichever department is nominated to do it in the LA). That too can and should be pretty easily sorted, through process review or training.

Someone will probably accuse me of writing a sort of terrorists cookbook for those trying to breach confidentiality – well, respectfully they can naff off – this stuff is so basic that any fule can do it. All the more reason for great care by those with primary responsibility for looking after and processing this sensitive data. The buck really stops with them. If you don’t hand the nosey parkers and the dangerous stalkers of this world the information in the first place, they won’t be able to access it and do bad things with it.

The potential for the manipulation of pdfs is not a new or unknown phenomenon and by now LAs (and the rest of us) should be on top of our game. The ICO has a whole massive guide on how to disclose information safely here. I would have thought it was key reading for any local authority department responsible for subject access requests or disclosure of papers in the context of litigation, and that it ought to have informed any LA data policy and data risk assessment. It has a whole section on ineffective redaction and the dangers of using black highlighters that leave text beneath. It also links to a Redaction toolkit which has been available for almost a decade. So nobody can tell me that this is something novel or surprising. Any Local Authority with a robust data protection policy and risk assessment should have the necessary staffing, software and processes to be able to redact sensitive information about vulnerable children and families without redaction whoopsies.

4 thoughts on “Redaction Whoopsies

  1. Your supposition about what happened in this case is right, but, in addition, I can confirm that ICO is indeed aware. However, it appears that, rather than (or, I guess, possibly as well as) taking civil enforcement action against Lambeth, it has brought criminal proceedings against AM under the Data Protection Act 2018. I’ve blogged twice about the case, and it was in an interim hearing that details came out.

    https://informationrightsandwrongs.com/2020/06/05/high-court-subject-access-breach-of-confidence-and-the-offence-of-reidentification/
    https://informationrightsandwrongs.com/2021/02/06/high-court-subject-access-breach-of-confidence-and-the-offence-of-reidentification-part-2/

    • Jon thanks for these – how interesting! I have recently reported a similar redaction error to another local authority (not a SAR but disclosure within proceedings) – it had not occurred to me that the recipients of the failed redaction could be prosecuted for misuse of the information that they were sent – one would have thought the primary responsibility lies with the person sending material that they should not be sending!

  2. Oh to have been a fly on the wall when whoever it was at Lambeth realised that “someone had blundered”!

  3. AnonymousLALawyerForever

    Thank you for this extremely enlightening post!
    I am a locum lawyer and I have had to pay for my own Pro Adobe licence! To ensure I can properly redact but also to ensure I carry out *Recognise Text* run so that my court bundle is searchable. Imagine in the 21st century working with a pdf bundle cant even do search and find on some documents which are scanned! The zbility to find text in seconds is so important in case prepping. Gone are the days of cramming page numbers. In my case I hv to pay for thine Adobe privilege:-(
    I agree with you its so much cheaper to just pay for lawyers to have the licence.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.