The Art of Redaction: Protecting Third-Party Privacy in DSAR Responses
Author: Jerisaliant
When Redaction Is Required
GDPR Recital 63 states that the right of access should not adversely affect the rights or freedoms of others. When a DSAR response contains information about other identifiable individuals (third parties), you must consider whether disclosing that information would violate the third party's own privacy rights. If so, redaction is required.
Common scenarios requiring redaction include:
- Email threads mentioning other employees or customers by name
- Investigation notes referencing witnesses or complainants
- Documents containing contact details of other individuals
- Records jointly involving the requester and other data subjects
- References written by identifiable third parties
The Balancing Test
Redaction is not automatic. Before redacting, balance the requester's right of access against the third party's right to privacy:
- Would the third party consent to disclosure if asked? If yes, disclosure may be appropriate.
- Is the third party's information inextricably linked to the requester's data? If so, provide a summary or description rather than the raw document.
- Would disclosure cause harm or distress to the third party?
- What is the nature and sensitivity of the third party's information?
Redaction Techniques
Manual Redaction
Each document is read by a reviewer who removes or obscures third-party information by hand. This is the most accurate method but also the most time-consuming, and it is best suited to small-volume requests or highly sensitive documents.
Automated PII Detection and Redaction
AI/ML-powered tools can scan documents for patterns matching personal data (names, emails, phone numbers, addresses, national ID numbers) and automatically flag or redact them. Key considerations:
- Automated tools are good at detecting structured PII (emails, phone numbers) but may miss contextual references.
- Always have a human review automated redactions before sending.
- Configure the tool to handle your jurisdiction's specific PII patterns.
Category-Based Redaction
Define rules by data category: always redact other individuals' names if they appear in the context of complaints, always redact contact details of witnesses, etc. This provides consistency and speeds up review.
Quality Assurance
Redaction errors create compliance risk in both directions: under-redaction exposes third-party data (a breach), while over-redaction unfairly limits the requester's access rights. Implement QA by:
- Having a second reviewer check all redactions before the response is sent.
- Using a checklist of common redaction points per document type.
- Testing redacted PDFs to ensure hidden text cannot be recovered: strip document metadata and confirm that the underlying text has actually been removed rather than covered with a black box, since an overlay leaves the text extractable.
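The last check is the one most often skipped. The following added example (not code from Jerisaliant or from the original post) models it on constructed, simplified PDF fragments: a page content stream and an Info dictionary, not a complete PDF file. It shows that an appended black rectangle leaves every string recoverable by a text extractor, while removing the text from the content and scrubbing the Info entries does not. The fragments, names and helper functions are all assumptions made for the example.

```python
import re

# Constructed, simplified PDF fragments: one page content stream and one
# Info dictionary. Text extractors read the content stream, not the pixels,
# which is why drawing a box over text is not a redaction.
PAGE_STREAM = (
    "BT /F1 12 Tf 72 700 Td (Complaint filed by Jane Doe) Tj ET\n"
    "BT /F1 12 Tf 72 680 Td (Witness: john.doe@example.com) Tj ET\n"
)
INFO_DICT = "<< /Title (Grievance file) /Author (Jane Doe) >>"

# A PDF literal string is (...) with backslash escapes; Tj draws it.
TJ_STRING = re.compile(r"\(((?:\\.|[^\\)])*)\)\s*Tj")
# /Key (value) entries inside the Info dictionary.
INFO_STRING = re.compile(r"/(\w+)\s*\(((?:\\.|[^\\)])*)\)")


def extract_text(stream: str) -> list[str]:
    """Recover every string a Tj operator draws, as a text extractor would."""
    return [m.group(1) for m in TJ_STRING.finditer(stream)]


def overlay_redact(stream: str, x: int, y: int, w: int, h: int) -> str:
    """The wrong way: append a filled black rectangle. The text operators stay."""
    return stream + f"0 0 0 rg {x} {y} {w} {h} re f\n"


def true_redact(stream: str, term: str) -> str:
    """Model of true redaction: the sensitive run is removed from the content."""
    return stream.replace(term, "[REDACTED]")


def scrub_metadata(info: str, keys=("Author", "Creator", "Producer")) -> str:
    """Drop identifying Info entries; metadata travels with the file."""
    return INFO_STRING.sub(lambda m: "" if m.group(1) in keys else m.group(0), info)


def leaked_terms(stream: str, info: str, secrets: list[str]) -> list[str]:
    """QA check: third-party terms still recoverable from text or metadata."""
    visible = "\n".join(extract_text(stream)) + "\n" + "\n".join(
        m.group(2) for m in INFO_STRING.finditer(info))
    return [s for s in secrets if s in visible]
```

Run `leaked_terms` against the list of third-party names and contact details identified during the balancing test; any non-empty result means the document goes back for re-redaction.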
Documenting Redaction Decisions
For each redaction, document the reason and the balancing test performed. This record protects you if the requester challenges the redaction with the supervisory authority.
Jerisaliant's DSAR module includes AI-powered PII detection, guided redaction workflows, and redaction audit trails for every document in the response package.