Document Redaction: Information Sharing with Security and Compliance
Many professionals in highly regulated industries like legal, healthcare, and government handle a myriad of cases, contracts, and forms. However, collaborating on documents comes with a risk. Sharing personally identifiable information (PII) with the wrong person can cause chaos and even result in a lawsuit. That’s why redaction is so important to collaboration in so many industries. Where manual paper processes once required a permanent marker, digital solutions now offer redaction capabilities that work even better.
Redaction removes key pieces of information — including sentences, images, and even entire pages — while leaving the bulk of the document’s text intact. Although many tools now empower organizations to “burn in” data redaction so it can’t be removed, they don’t allow users to indicate multiple reasons for redaction.
Many solutions offer a coding system that enables users to tag a piece of redacted information with a single reason code that signifies why the data was hidden. However, they lack the ability to add those reasons while you are redacting, which could save time and effort. Just think of how large some of these files could be, and how manually adding comments throughout the document could take hours after you’ve already finished reviewing the content.
This creates additional pressure from viewers who want to understand the purpose of a redaction, and potential reporting issues if the reason for redaction isn’t properly recorded. Solutions that permit the addition of redaction reasons can help defend key data and close this communications gap.
The Freedom of Information Act (FOIA) and Secure Data Sharing
As noted by CNN, government documents are often partially redacted to obscure personal data such as social security numbers or military information related to intelligence data gathering and applications. Consider a U.S. intelligence agency report made public by FOIA request.
While the Freedom of Information Act forms a critical part of open, effective democracy, data in the report that suddenly becomes public domain, such as the names of confidential sources or the methods used to obtain information about foreign government actions, could both jeopardize the ability of the agency to do its job and put human lives at risk.
Most government redactions expire and are automatically declassified after 50 years, but agencies can also obtain permission for special exemptions which prevent the redaction from being removed. For example, redaction reason 3.3(h)(1)(a) is used to protect the identity of a classified human intelligence source and is exempt from automatic expiration.
There are currently nine FOIA exemptions under which information is withheld from public release and protected from disclosure. When a portion of a record is withheld from public release, an exemption code may be found listed in the margin. The Federal Bureau of Investigation’s list below shows which exemption codes apply to FOIA data withholding:
- (b)(1) (A) Specifically authorized under criteria by an executive order to be kept secret in the interest of national defense or foreign policy and (B) are in fact properly classified pursuant to such Executive Order #12958 (3/25/03).
- (b)(2) Related solely to the internal personnel rules and practices of an agency.
- (b)(3) Specifically exempted from disclosure by statute (other than section 552b of this title), provided that such statute (A) requires that the matters be withheld from the public in such a manner as to leave no discretion on the issue or (B) establishes particular criteria for withholding or refers to particular types of matters to be withheld.
- (b)(4) Trade secrets and commercial or financial information obtained from a person and privileged or confidential.
- (b)(5) Inter-agency or intra-agency memorandums or letters that would not be available by law to a party other than an agency in litigation with the agency.
- (b)(6) Personnel and medical files and similar files, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.
- (b)(7) Records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information:
  - A. Could reasonably be expected to interfere with enforcement proceedings;
  - B. Would deprive a person of a right to a fair trial or an impartial adjudication;
  - C. Could reasonably be expected to constitute an unwarranted invasion of personal privacy;
  - D. Could reasonably be expected to disclose the identity of a confidential source, including a state, local, or foreign agency or authority or any private institution that furnished information on a confidential basis, and, in the case of a record or information compiled by a criminal law enforcement authority in the course of a criminal investigation or by an agency conducting a lawful national security intelligence investigation, information furnished by a confidential source;
  - E. Would disclose techniques and procedures for law enforcement investigations or prosecutions or would disclose guidelines for law enforcement investigations or prosecutions if such disclosure could reasonably be expected to risk circumvention of the law; or
  - F. Could reasonably be expected to endanger the life or physical safety of any individual.
- (b)(8) Contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions.
- (b)(9) Geological and geophysical information and data, including maps concerning wells.
Given these extensive reasons, we can start to understand how there might be reason to include multiple FOIA exemption codes for one piece of redacted information.
Regulatory Compliance & Document Security
For many organizations, adding redaction reasons to shared or publicly available documents isn’t mandatory, but it can help reduce the risk of both legal and compliance challenges.
Consider a redacted court document shared as part of an eDiscovery process. Without a custom redaction reason, other parties may challenge the necessity of your redaction, especially if no contextual evidence indicates its necessity.
Compliance audits also pose a potential problem. If years-old or even decades-old documents don’t contain redaction reasons, and the originals aren’t easily located, your organization could face increased regulatory oversight.
Take, for example, the healthcare industry. There are several clinical studies that require peer review. To keep biases at bay and personal information secure, redaction is critical to the adjudication process. Think about a clinical trial that has specific events related to a test subject. That test subject has participated in a trial for an incentive.
However, that person did not agree to share his or her personal information with a broad audience. Once the panel of experts reviews the results of a clinical trial, the research goes on public record. It’s crucial to protect the participants involved and their PII to ensure that no harm comes to them.
Many document viewing tools make it possible to add single redaction reasons to released documents, but what happens if your organization is dealing with multiple data types? Look for a solution that enables you to add multiple redaction reasons or codes to clarify your intent and keep data secure.