Oliver Fjellvang - CEO
Want to get familiar with redaction?
What is redaction? After the EU boosted their fines on non-compliance with the GDPR-regulative in 2016, more companies find themselves searching for a definition of the word “redaction”. Are you also curious on the term? Do you want to avoid redaction errors? Then familiarize yourself with redaction here! A basic understanding can save you lots of costly professional trials and errors in the future.
Definition redaction – the short version
In short, redaction is a way of hiding personalized content in documents. Companies or individuals searching the internet may type the following into Google: “What is the definition of redaction”. Or “what does it mean to redact something”. We have searched the internet for good definitions and find this one very useful:
“The act of obscuring or removing text from a document prior to publication or release.”
The beauty sometimes lies in the simplicity. This definition is highly accurate, because it describes the act as one of “removing” or “obscuring” text bits. At the same time, it tells us clearly when the process of redaction takes place. Namely prior to the publication or release of documents to third parties. Simply put, the purpose of redaction is to preserve the meaning of content, while hiding classified information.
A good example is pseudonymization. Pseudonymization is all about replacing personal information with a meaningful substitute. We know it from journalistic reports with anonymous sources or police material re-classifying the victims for security purposes. Here, authorities would list a whistleblower with the actual name Chris Walker under the pseudonym “Witness 1” in official reports in order to protect his identity. Likewise, a company such as Google can be called “Company 1”.
Like other forms of redaction, pseudonymization is a tool to avoid distortion of meaning in the redacted document. What is distortion of meaning? Let's take an example. In a text, it is confusing to insert a lot of black lines or dots as a replacement for a specific name. The reader could conclude, that the real identity is unknown to the author. Which is hardly the truth.
The whole idea is not to change the document. The knowledge must remain intact and kept sacred at the same time. That is the tricky art of good redaction!
What is redaction? Some commonly confused words
One of the most common mistakes that people make, when they look up synonyms for “redacting” is to replace it with the word “editing.” When one looks up alternative words, these usual suspects appear:
However, as we just established, redaction must not change any meaning in a text. In contrast, editing or rewriting is all about changing content! When you edit, you change words, phrases or structure in ways that improve the outcome or transforms the reader's interpretation of a text. When you redact, your goal is to hide classified and personal information without changing the meaning. Be aware of the difference.
We generally find it challenging that there is no easily applicable synonym for the technical term redaction. Today, redaction remains an unknown word to many. We find the word estranged and wish, that there was another simpler word disclosing the same meaning. None of the words listed above fit the bill. They confuse more than they benefit, really.
An interesting one, which some may consider a decent replacement, is the word “censoring”. The definition of censoring is to examine any publication such as books, TV or magazines for parts to be suppressed for the public. Yet, censoring is not a valid synonym either for one big and obvious reason: The purpose is completely different! Censoring is done to remove parts of a publication that are deemed objectionable on moral, political, ethical or religious grounds. In other words, it is editing in a somewhat aggressive form based on values and rules.
Redaction is a non-judgmental process in comparison. Here, the sole purpose is to disclose personal data by blackening it out or providing synonyms. No assumptions or moral judgments involved.
Redaction software or the manual way
If we cut to the chase, there are two ways of dealing with redaction today.
Buy a proper redaction tool.
Do it the old-fashioned way and redact manually by hand.
If you are looking to buy a redaction software tool, we recommend you to look for these 10 features.
Automatized redaction tools combine artificial intelligence and machine learning to help scan and identify sensitive personal information. That could be anything from places, names over dates to logos. Make sure that the redaction tool you use completely removes the information underneath the blackened line or replaced information. Otherwise, you merely “mask” the data – a mistake that we explain later on. A redaction tool also helps remove metadata from the document. Simply put, metadata is all data such as origin, classification or technical information describing a document.
However, due to the risk of slip-ups many private and public organizations go for manual redaction as well. Case workers feel safer and more comfortable going through it all by hand to safeguard themselves against potential issues. Should sensitive data slip out, it can have severe consequences in form of fines or in worst case - firings. But make no mistake. The manual way is a long and lengthy one. Typically, it looks like this:
The caseworker prints out the documents.
The caseworker blacklines sensitive information such as names, social security number or classified company information. Alternatively, the information is replaced with a pseudonym, which is quite difficult to do by hand.
The caseworker scans the documents upon completion of the manual redaction to return them into an electronic format.
The caseworker prints the documents out for the second time and performs the whole process all over again. Why? Otherwise you risk, that people can see the hidden information, when holding the paper against a light source such as a lamp.
No need to say that this is hardly the most thrilling process to spend your working hours on. It takes very long time, and if you make mistakes, you have to start all over again. Furthermore, it is impossible to review your redaction, since the data is physically blacked out. Printing out a ton of papers is not necessarily environment-friendly practice either...
Who performs redaction in their daily work?
Well, essentially all organizations dealing with sensitive information. Or at least they need to consider redaction methods in their work. Once in a while it occurs, that a particular document containing personal information needs to be shared with a third party. To stay compliant with the GDPR-rules (General Data Protection Regulation), you need a crystal-clear approval from the person, whose information is in the document, before sharing it with “outsiders”. This is where redaction comes into the picture.
At Cleardox, we quickly found that especially law firms and government institutions shares loads of documents back and forth. Here, redaction is a very common practice. Not only, when employers need to transfer documents to parties outside the organization, but also when they need to share them inside the organization. You may wonder about common use cases for redacted documents.
We have made a brief overview:
Knowledge libraries: Knowledge intensive organizations such as law firms have huge knowledge libraries, where employees share valuable documents with each other. The purpose is to maintain the content and save the knowledge for future use. However, in that case the documents need redaction. Why? Because employers are automatically considered “third parties”, if they have not been directly involved in a case. Despite the fact that they are part of the same law firm, who has handled a case for a client.
Access to government documents: One of the merits of living in a democratic society is that the public can obtain access to governmental documents. Yet, before say a journalist or an institutional leader can get these documents, a case worker needs to redact them for classified and personal information.
Mergers and acquisitions: Not surprisingly, law firms provide thousands of transactions each year. Many of those occur, when the firm represents a client that needs to sell a company. In that case, lawyers upload documents into a data room after having redacted them.
Newsletters and social media: Every once in a while law firms want to share news about a case – especially if they won a lawsuit. They cannot share a story without redacting sensitive information first.
Deletion of old cases: According to the GDPR-rules, companies must delete old case files after a certain period of time. Depending on the case matter, we talk about between 10 and 15 years. Companies can circumvent this mandatory deletion, if they redact the case files for personal data. The rule of thumb is: No personal information = no required GDPR-compliance. In a law firm, the mere thought of deleting old case files gives an attorney the creeps. Knowledge is gold to them, and they would do (almost) anything to protect it over time.
Access during trial: It is far from unusual for third parties to get access to documents in a court case. Before that happens … Can you guess it? Yes! The documents need redaction.
Naturally, there are a dozen other use cases, but we have to somewhat limit this article to the bare necessities.
Don´t fall into the masking trap when you think you are redacting!
Redaction can be performed on multiple document sources or just a single one. In the past decade, we have seen spectacular redaction errors exposing national security secrets and classified corporate information. No one is apparently immune. We have witnessed lawyers representing Paul Manafort, the British Ministry of Defense, Facebook, the U.K. Department for Transport, the U.S. Transportation Security Administration, the media outlet New York Times and last but not least former Illinois governor Rob Blagojevich all accidentally disclosing information, they assumed had been redacted.
When scrutinizing these cases, there is one clear common denominator. Say confidential information is disguised with black boxes, when the documents are converted into a PDF. What good is that, if the recipient can just move the black boxes around afterwards? Masking text in one document and transferring it to another is not redaction. When you copy and paste from Word to PDF or from PDF not Notepad, the previously hidden information will often be visible. The common mistake is to mask instead of redact information.
You may ask yourself, whether your redactions would pass the test. Wanna uncover unnecessary risks in your PDF redaction workflow and avoid embarrassing mistakes that can potentially harm your professional reputation? The first step is making sure, that nobody can remove your black boxes digitally. You need to ingrain them in your file.
GDPR-rules: Not exactly new, just more costly
A central theme in the General Data Protection Regulation rules in Europe is the right to privacy. That right can only be upheld, when personal information is protected. Therefore it comes as no surprise, that more and more companies have talked about reduction in the wake of the new GDPR-rules adopted in 2016. Below you see a figure showing the trend in keyword search on “personal data” – a good proxy term for GDPR. The number of searches peaked around May 2018. No wonder, since May was the deadline for complying with the new rules.
It is worth noting, that the GDPR-rules are not new though. What is new, are the consequences, when a company or person do not follow the rules. Fines have become more expensive, which has caught the attention of both companies and government institutions. Today, there are two tiers of administrative fines that can be levied as penalties for non-compliance. The “lowest” is up to €10 million or 2% of annual global turnover (whichever is higher). The other can go up to €20 million or 4% of annual global turnover.
Such high fines are rarely given. Yet companies still take the matter extremely seriously, even today two years after the law was implemented in Europe. An accidental slip is simply not worth the financial risk. But remember one thing. If you have already redacted a document for personal information, you no longer need to comply with GDPR. You are exempted from the rules, since there is no sensitive data in your material!
Quite brilliant, right? Surely saves you a lot of resources when sharing in the future. However, it is worth noting that companies perform redaction for various reasons. Complying with GDPR is just one. Another would be the disclosure of confidential company information such as trade secrets.
Redaction is here to stay!
Whether you are a fan or not, redaction is here to stay. More and more work is digitalized these days, and the GDPR-rules are probably not gonna change anytime soon. Not only in Europe, is protection of personal information essential. Recently, Canada implemented their own version of the GDPR rules. And in California they have taken similar initiatives.
Your choice then is whether to deal with redaction manually or the automatic way. If you opt for the later, then we may have the solution for you.
Interested in getting a closer look at our product? Sign up for a demo here!
The Cleardox team