Redacting the right way
The Office of the Victorian Information Commissioner (OVIC) often receives notifications from agencies about privacy breaches (both actual and suspected). A few of these breaches have arisen from agencies inadvertently releasing or publishing documents containing personal information that has not been properly redacted, if at all. This can occur in a range of different circumstances – for example, where agencies publish documents such as public submissions, reports, and council meeting minutes.
One example of this is the use of markers to black out personal information in hardcopy documents; however, the information underneath may still be legible to the person receiving the document. Another example is drawing solid boxes over exempt personal information in electronic documents; while this may seem like a safe and easy way to redact information, it is possible for the recipient to reverse this process and reveal the text underneath.
Mistakes can also happen during the process of redacting information. We have come across some cases where an individual’s personal information was considered exempt under the Freedom of Information Act 1982 (Vic) and accordingly redacted – however in one or more instances throughout the document(s), that same individual’s information had not been redacted, simply by accident or oversight. Some of the more extreme (and well publicised) cases have involved published documents where personal information had not been redacted at all.
These examples highlight how easy it is for an inadvertent privacy breach to occur when agencies release or publish documents. In light of this, we would like to highlight the importance of redacting documents properly to avoid potential privacy breaches in the future.
Things to consider when redacting personal information
When dealing with individuals’ personal information, officers must always consider their privacy obligations under the Information Privacy Principles (IPPs), outlined in the Privacy and Data Protection Act 2014. These principles set out the minimum standards for how Victorian public sector employees should handle personal information.
IPP 4 is particularly relevant in this instance. It states that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss, and from unauthorised access, modification or disclosure. In line with this principle, officers must ensure that when preparing documents for release or publication, personal information is redacted where appropriate or necessary and in a proper manner, in order to avoid unauthorised disclosure and, consequently, a breach of privacy.
The following list includes some useful tips and reminders for officers going through the process of redaction:
If releasing a hardcopy, don’t use markers to redact personal information in that copy of the document. This is not a secure method to redact information, as there is a risk that the blacked-out information may be legible to a person who gains access to the document. If markers are the only option, provide a scanned or copied version of the document that has been marked on – make sure that the information underneath is not visible or legible.
When providing electronic copies of documents, make sure that exempt personal information has been completely and irrevocably deleted from the document. It is not sufficient to draw solid boxes over the information, as this process can potentially be reversed by an individual. Use appropriate software that will allow for information to be removed from a document, not just covered.
Be sure to check for and remove document metadata that might also contain personal information. For example, Microsoft Word and PDF documents often contain information about their author, such as when they were created and even the computer they were created on (have a look in ‘File > Properties’ next time you’re editing a Word document if you don’t believe us!). Metadata can be particularly dangerous when you’re receiving and collating documents from a range of sources — for example, in a consultation process where some people want to remain anonymous.
If there is no appropriate software available to securely redact documents (and remove document metadata), consider using solid boxes (or some other method of manual redaction) over the personal information to be deleted, then printing those documents and rescanning them to create an electronic copy that cannot be altered. Ensure that the quality of the scanned copy of the document is still clear and accessible.
Whatever the chosen method of redaction, ensure that officers are properly trained to minimise the risk of error.
Once personal information has been properly redacted, go through the documents a second time to make sure that no information has been missed. Where possible, it may be helpful to have a colleague assist with double checking the documents. Although this can be time-intensive, particularly if there are a lot of documents or personal information to go through, double checking redactions will help mitigate the risk of a privacy breach through unauthorised disclosure of personal information.
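One way to automate part of the metadata check and the second pass described in the tips above for Word documents, as an added example that is not OVIC's own tooling: it opens a .docx package, reports author metadata, and lists the parts where an exempt term still appears, including text split across runs and tracked-change deletions. The function names, the sample package and the name "Jane Example" are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/"}

def audit_docx(data, exempt_terms):
    """Return (metadata, leftovers) for a .docx supplied as bytes."""
    metadata, leftovers = {}, {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name == "docProps/core.xml":
                root = ET.fromstring(pkg.read(name))
                for tag in ("dc:creator", "cp:lastModifiedBy"):
                    el = root.find(tag, NS)
                    if el is not None and el.text:
                        metadata[tag] = el.text
            elif name.startswith("word/") and name.endswith(".xml"):
                root = ET.fromstring(pkg.read(name))
                # Join every run so a name split across runs is still found;
                # w:delText holds tracked-change deletions that remain in the file.
                text = "".join(el.text or "" for el in root.iter()
                               if el.tag in (W + "t", W + "delText")).lower()
                for term in exempt_terms:
                    if term.lower() in text:
                        leftovers.setdefault(term, []).append(name)
    return metadata, leftovers

def make_sample():
    """Constructed, minimal .docx-style package (not a real agency document)."""
    wns = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    body = (f'<w:document {wns}><w:body><w:p>'
            '<w:r><w:t>Submission from [REDACTED]. Contact: Jane Exam</w:t></w:r>'
            '<w:r><w:t>ple on the listed number.</w:t></w:r></w:p></w:body></w:document>')
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/'
            '2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:creator>Jane Example</dc:creator></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", body)
        pkg.writestr("docProps/core.xml", core)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_docx(make_sample(), ["Jane Example"]))
```

An empty result from a check like this does not replace the manual second read: it only finds the exact terms it is given, and it does not inspect embedded images or scanned pages.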
Of course, mistakes do happen, particularly when there are time and resource constraints. If personal information is inadvertently disclosed, OVIC is here to help. You can find our Breach Guidelines on our website, or you can give us a call on 1300 00 6842 (1300 00 OVIC).