I was chatting to a client last week discussing a couple of significant Subject Access Request disclosures that we were redacting for them as part of their ongoing GDPR support package with us.
As the spectre of increased artificial intelligence (AI) encroaches on almost all business processes, it occurred to me that despite all of the increasingly automated technology at our disposal, redacting data successfully and lawfully is one aspect of our UK GDPR support that simply can’t be done other than on an individual case-by-case basis.
Of course, here at BLS Stay Compliant, when we carry out large file redaction we use software to recognise certain words and phrases. However, the necessity to understand the nuance and implications of the separation of ‘disclosable’ from ‘non-disclosable’ information is one that I fear AI or automated software would never be able to successfully accomplish.
Our client had two live subject access requests (SARs), both midway through their time limit for completion. Both had similar applicants, seemingly looking for the same type of personal data held by our client. Both had requested CCTV images of themselves.
As part of our GDPR services, reading and understanding records held by our clients is vital. We need to really understand our clients and the nature of their business before we can even begin to understand the SARs that they receive. Knowing our clients well before this situation occurs (if it occurs) means that when it comes to gaining a background to the SAR that has been submitted, we have a clear understanding of the issues involved.
Everyone in our team has expert information governance knowledge (in the traditional sense that we have all practised it in different sectors and environments for many years) to bring understanding and insight before we start the redaction process.
Our existing knowledge base and our commitment to our clients means that when we handle SAR, Freedom of Information (FOI) or Environmental Information Regulations (EIR) applications we can apply intuition, reasoning and judgement that automated processes, and indeed most inexperienced redactors, cannot.
Automation of the redaction process cannot replicate such a manual approach. Only redaction experience, together with considerations based on the relevant legislation and the client’s own processes, establishes the context and the significance of events or records, and brings awareness to the disclosure decision-making.
With regard to the client in question, we approached each subject access redaction in our usual way, but inevitably each required a different set of disclosure documents. They followed different paths, and the complex nature of the relationships between the records and the entries, as ever, meant that each redaction process deviated from the other. The diverse nature of the backgrounds and the quantity of records on file emphasised yet again that each redaction process we undertake demands a consistent but flexible approach.
With the recent Information Commissioner’s Office (ICO) action against an organisation for inappropriately disclosing personal data, special category data and criminal conviction data, it is essential that balanced, lawful and pragmatic redaction of disclosures under the access gateways is carried out.
Those that rely on automated processes should be wary. Where the ICO considers an organisation has not complied with the UK GDPR by appropriately redacting disclosed records, significant regulatory action may follow. Relying on automated software to ensure UK GDPR compliance is a risky business. It’s not always as simple as it looks.
BLS Stay Compliant has a wealth of experience and regularly works through Subject Access Requests and Redaction with clients, either in bespoke assistance for a live SAR or through training. For bespoke sessions or advice, please do get in touch with us via the below form or, if you’re interested in joining one of our open Subject Access Requests and redaction training sessions, click the link above.