Your Guide To Redacting Documents: Examples and Instructions

Digitization in every aspect of our personal and work lives is a reality we must accept and be prepared for. Digital copies of documents are routinely created, accessed and shared, opening out a distressing question—who is in control of our information here? Who can access our personal data once we submit it to an organization? 

Information privacy has become one of the most pressing concerns for organizations across industries. Any organization that collects, processes or stores customer or user data is legally bound to ensure that confidential data or personally identifiable information is not exposed to individuals who do not have the privilege or authorization to view that data.

In this scenario, redaction becomes a vital component of any data privacy strategy. This article discusses a series of questions about redaction, how to implement a redaction project and who can help you with redaction services.

 

HubSpot Video

 

 

TABLE OF CONTENTS

  • What is document redaction?
  • Why is it essential to redact sensitive information from a publicly visible document?
  • The process of redacting documents:

- What do I need to know before redacting a document?

- What are the steps in the document redaction process?

- What kind of data do I need to redact?

  • Which information should be redacted from public medical records?
  • What to redact in a legal document
  • Common ways of redacting documents

- Redacting paper documents

- How can I redact a scanned document?

- High-volume redactions using automated tools

- Engaging a digitization partner to scan and redact documents

  • Digitizing and redacting documents with sensitive information
  • Choosing the right company to scan and redact documents

What is document redaction? 

Redaction is the process of permanently removing visible information (including text or graphics) from a document. During redaction, any confidential information that may be used to identify an individual is removed from a document before publishing it or making it publicly viewable. 

For electronic documents, sensitive information may be present on the visible part of the file, but more importantly, it may also be embedded as metadata in the document's code or, in the case of TIFF images, in the image header. So the PII should also be removed from such metadata tags or TIFF headers.

So, what is a redacted copy of an electronic file?

Let's take an example: When a company or institution captures a user's credit card number, they need to ensure that only the last 4 digits of the number are visible. The remaining digits are encrypted, so the card information cannot be misused.

Data redaction can transform personally identifiable information (PII) into an illegible pattern, encrypt sensitive data or block users from viewing sensitive information contained in metadata or image headers.

 

NEW GUIDE: How to become a paperless company in 90 days

Why is it essential to redact sensitive information from a publicly visible document?

When customers or users submit their personal or financial information to a business or institution, there is an element of trust that the information will remain safe and not be made publicly accessible or visible. 

Today there is increasing pressure to make government records, education records and legal documents publicly accessible. But when such documents are publicly viewable, it is essential to remove any information that makes an individual identifiable or exposes the individual to the risk of cyber crime or exposure to hackers. 

Data privacy laws and industry-specific compliances, such as the GDPR (General Data Protection Regulation), and HIPAA (Health Insurance Portability and Accountability Act), impose restrictions and penalties for public disclosure of confidential information.

If crucial details such as an individual's name, address and social security number are publicly viewable, a hacker can misuse the information for fraudulent activities using that information.

The process of redacting documents

Redaction is a complex process. While we can discuss some general guidelines about how redaction projects should be addressed, there is no standard sequence to follow. Every redaction project is different—depending on the type of records to be redacted, whether it can be automated or requires manual intervention, and the goals of the redaction.

Let's look at some of these aspects in detail:

  • What do I need to know before redacting a document?
  • What are the first steps in the document redaction process?
  • What kind of data do I need to redact?

What you need to know

Are your documents in paper or digital format? Are there multiple copies of the document, and if so, is the information to be removed from the original as well as all copies?

Do you need to remove the sensitive information permanently? Are there any industry or government regulations you need to keep in mind? Do you need to hide the information from both public and internal staff? You will also need to put in an approval process. Find out who will decide what information is to be redacted and from which documents. Who will test and verify the redacted version before it is published or made accessible for public view? 

Steps in the process of redacting documents

Now that you have the basic information let's move on to the details: How do you redact a document?

  1.  Identify the document (and any copies) that contains the text that needs to be redacted. Estimate the volume of records that require changes.
  2. Specify the exact information or data fields that have to be removed. This is probably the most critical step, as each document may have several data fields to be redacted, which may be different for different documents. After all, if you redact the wrong information, it can cause quite a lot of trouble!
  3. Decide who will execute the redaction. Is it one individual or a team? Is it an in-house project, or do you need to outsource the redaction process to a service provider? 
  4. If your documents are in paper format, decide if you want to redact the original paper document or if you want to scan the document and redact only the digitized file. 
  5. If you are redacting digital files and have an existing content management system, you must ensure that edit rights are available with the person or team executing the redaction. 
  6. Find out if you have the necessary software to execute redaction on digital files.
  7. Evaluate how many resources you will need if you implement the redaction manually and in-house. 

What kind of data do I need to redact?

Any combination of information that can potentially identify an individual or access accounts, credit cards or bank accounts must be redacted before the document is made public. Make sure to study any regulations or policies regarding data privacy or compliances like HIPAA to identify what information must be redacted.

For example, commonly redacted information fields include bank account numbers, complete address and phone number, date of birth, Social Security numbers (SSNs), or other identifiers like driving license numbers. Remember that such information is redacted only when more than one data field is visible, making it possible to identify or trace it to an individual.

Which information should be redacted from public medical records?

Patients share their name, address, social security number, medical history, and prescription information with their healthcare providers and insurers. If such information is leaked or exposed to hackers, the healthcare industry can be hit hard by penalties and litigations related to data privacy. 

According to HIPAA Journal, in the decade between 2009-2019, there were 3,054 healthcare data breaches affecting more than 500 patient records. 

HIPAA mandates healthcare providers to protect patients' names, contact information, insurance details and other PII. 

The most commonly redacted information fields in medical documents to meet compliance requirements are:

  • MRNs (medical record numbers)
  • Patient names
  • Dates of birth
  • Credit card information
  • Insurance plan details
  • Bank account numbers 

Read more about HIPAA and the latest updates to regulations for the healthcare industry to find out details about what information you need to redact from medical documents.

What to redact in a legal document

Legal departments and law firms routinely work with documents that contain sensitive information, including bank information, medical records, patent disputes, employee contracts, and more. A data breach in a law firm can jeopardize its clients' privacy and safety and can also damage the firm's credibility and reputation. 

Law enforcement agencies have to search through public documents for case-related research. But there could be identity credentials or confidential details in these documents, which should not be visible to them. This could include Personal Identifiable Information (PII) such as names, dates of birth, email addresses, financial account information, or figures and sums. Such information must be redacted from documents that are released for access to law enforcement personnel.

Law enforcement agencies and vendors who handle sensitive legal documents or intelligence data must comply with stringent CJIS compliances. Learn more about how digitization and redaction play a major role in enabling paperless, remote court proceedings and digital arbitration for dispute resolution

Another example of the importance of redaction is the newly passed bill AB 1466, which requires all counties in California to identify and redact unlawfully restrictive covenants from property records.

All instances of discriminatory language or racially restrictive covenants must be redacted so that the objectionable content is not readable or visible. Given the scale of the project and the high volumes of property records, automated document redaction services using predefined parameters and patterns for temporary or permanent redaction are the only feasible method of complying with the requirements of AB 1466.

Law enforcement agencies, boards of supervisors, county clerks, and courts can all benefit from the easy, secure sharing of scanned documents. Sensitive information can be redacted in these digital copies to comply with privacy regulations and IG best practices.

Common ways of redacting documents

 

1476882_DRSInfographics4_102422

Redacting paper documents

There are many instances when you may want to black out or redact information in paper documents. There are no automated ways of doing this. Manually finding the information in the documents and hiding the personal data with ink or pasting rectangular pieces of paper on the text are some ways of concealing information on paper. But blacked-out documents are not the correct way to redact a paper document. A better way to do this is to scan the document, redact text in the digital copy and possibly destroy the original paper document (if retention policies allow it). 

How can I redact a scanned document? 

When you have large volumes of documents to redact, it is best to work with digital files. If you don't have digital copies or don't know how to redact a scanned pdf file, engage a digitization company to scan the documents first. There are a number of software applications that can be used to redact information from PDF documents or any other digital format—for example, Adobe Acrobat or even Microsoft Word. If you are handling the redaction project yourself, you can find out the exact instructions for redacting documents from the respective software vendors. However, there are many other aspects to redaction that you need to consider. 

For example, is your team familiar with redacting digital documents? Digital documents have embedded tags or metadata which may contain PII. Similarly, TIFF image headers may also contain sensitive information like names or account numbers that are not visible but must also be redacted. This is critical because if this invisible information is not redacted, it can inadvertently result in data leaks and lead to hefty penalties or even litigation. If your team does not have the expertise to remove sensitive data from metadata or headers, you may need to outsource the redaction project to a third-party service provider.

High-volume redactions using automated tools

When there are reams of documents to be redacted, manually sorting through them to identify and remove sensitive information (even using simple redact tools) becomes an impossible task! That's why it's best to rely on a professional service provider for automated redaction. Automated redaction is handled by software that analyzes the documents and redacts specified private information from the visible text as well as invisible metadata or headers. As a result, human operators only need to verify and manually validate some hard-to-read characters that the redaction software flags. Automated redaction tools use intelligent algorithms and advanced data extraction software to analyze the content of digital documents. They capture key data and validate it using contextual and operational rules. They make it possible to process high volumes of documents quickly and accurately. 

Engaging a digitization partner to scan and redact documents

Engaging a service provider is preferable to in-house digitization and redaction of documents when dealing with large volumes. An experienced service provider has the resources, tools, and best practices to execute a large redaction project accurately and has the expertise needed to ensure compliance with stringent industry compliances.

 

INDUSTRY REPORT: Top digital transformation innovations changing your industry

Digitizing and redacting documents with sensitive information

When you are dealing with documents with sensitive information, there could be legal implications if the data is not redacted properly. That's why it is best to use a redaction expert trained to do redactions and verify the redacted sections to ensure they are no errors or mistakes. It may be more cost-effective to engage a company specializing in scanning and redaction rather than employing an expert or training one of your team members.

DRS Imaging offers a professional redaction service that saves your team time and effort, mitigates the risks of non-compliance, and prevents penalties. 

Mercury, our Enterprise Content Management solution, has advanced redaction capabilities such as:

  • Permanent and temporary redaction based on user roles and privileges
  • Dynamic redaction by pattern, fixed x/y coordinates, business rules or workflows

Mercury supports seamless, collaborative file sharing. At the same time, it has stringent access control features and security levels to prevent unauthorized personnel from accessing highly sensitive information in digital documents.

 

1476882_DRSInfographics3_102422

Choosing the right company to scan and redact documents

It is important to choose a company specializing in digitizing and redacting services for document-intensive industries such as medical, government or legal. 

DRS Imaging has extensive experience in providing tailored scanning and redaction solutions to a wide variety of industries and sectors. Our industry experts are always on hand to help you find the appropriate solution to suit your needs.

When you work with DRS Imaging as your document digitization partner, we plan for redaction during the scanning project. When documents are prepared for scanning, we identify those that require redaction. 

Our automated document redaction services use predefined parameters and patterns for temporary or permanent redaction. 

We use state-of-the-art data capture methods, including advanced OCR and ICR technologies. Mercury, our industry-leading ECM, provides a secure document repository with access control and strict audit trails so that the storage and archival of redacted documents comply with IG best practices.

Our redaction services facilitate digital access to public records while managing all aspects related to data security and regulatory compliance.


Connect with a DRS redaction expert today and get a quote for your redaction project.