All organizations hold data: customer data, employee data, and their own company data. There have always been situations in which some of that data needs to be redacted, but with privacy laws spreading across the globe and consumers more aware of data ethics and transparency, businesses face redaction decisions more often than ever. It can be hard to know exactly when a data subject access request (DSAR) calls for redaction and how to carry it out correctly and compliantly. In this article, we answer six of our most frequently asked questions on one theme: When is DSAR redaction necessary?
When is redaction needed in the context of a DSAR?
When a customer, employee, or former employee requests their personal information, the requester's data is often found alongside the personal data of other people. In these cases you must redact the personal information that is not about the person making the request before the records are released.
What are the most common types of requests that create the need for redaction?
- An employee or former employee making a request to the employer. Often there is another issue at play: the employee may believe they are facing discrimination at work, being passed over for promotion or a pay increase, or being dismissed unfairly. That context matters because the data request becomes part of a bigger picture, and the information held about the employee is significant. Emails, chats, internal documents and similar records will contain not only the requester's information but other people's personal data and the organization's own confidential or sensitive information, all of which require redaction.
- A customer making a request where their information is commingled with other people's. For example, customer-service chats or emails may contain other customers' details, staff details, or information that is sensitive to the organization.
- A customer making a request where their information is stored in files or databases that also contain confidential labels and internal terminology, which may need to be redacted.
Do we need to disclose the entire file/document/email that contains a requester’s information?
We often hear from customers that what the requester is really interested in is context. In most cases the customer or employee already knows the company has their name, email, and address. But their personal information also includes everything that relates to them beyond those fields, for example what other people thought about their performance in their role as an employee. In practice that means disclosing the requester's personal data in enough context to be meaningful, with the personal data of others and unrelated confidential material redacted, rather than either withholding the whole document or releasing it untouched.
A further consideration, outside of privacy law itself, is litigation risk. If relevant information is not disclosed properly in response to a privacy law request, and a dispute between the employee and employer later goes to litigation, that information may come to light through the legal discovery process. The organization could then be found to have failed to comply with privacy law, on top of the underlying dispute.
What if the third party is known to the data subject making the request and their information is contained in a report that the data subject has already seen? Should we still redact the third-party information?
It depends on whether the third party's information, which was shared with the data requester in one context, can appropriately be shared in a different context. Questions of consent, purpose limitation, and data minimization may arise under the relevant privacy laws. From a practical perspective, redacting the third-party information helps avoid those risks.
As a general rule, what information should be redacted?
What should be redacted will vary from situation to situation. A few guiding principles:
- Redact the personal information of anyone who is not the data requester, such as a third party's name, address, email address, or tax ID.
- Redact information that is confidential to the organization and does not relate to the data requester.
Is it possible, and is it recommended, to customize the redactions (for example, so that redacted data is not shown as a black box)?
The OneTrust DSAR Redaction product can customize redactions: different colors can be applied, and text can be written in the redacted area. Customizing redactions is useful when a plain black box gives the requester too little information and prompts follow-up questions about why the redactions were applied. A short label in the redacted area, such as the category of data removed, tells the requester what was withheld without revealing it.
How does OneTrust help with DSAR redaction?
OneTrust Data Redaction helps your organization automatically discover sensitive information such as names, addresses, and credit card numbers across a wide variety of file types and formats, and either redact files programmatically or embed a manual review step before redactions are finalized. Securely upload documents, PDFs, images, spreadsheets, presentations, emails and more to be scanned, classified, and redacted by our AI-driven redaction engine. The redaction process removes all instances of the data, along with the metadata associated with it, so the result is secure and irreversible. That distinction matters: a box drawn over text in a PDF whose text layer is left intact can simply be removed, and document properties can still carry a name that the body no longer does, so true redaction has to replace the underlying content rather than cover it. This lets your organization embed redaction where it is needed most, either through our application to upload, scan, and redact files, or through the API to integrate redaction into your existing tools and processes.
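The principles above (redact third-party identifiers and confidential terms while disclosing the requester's own data, label each redaction so the requester knows what kind of information was withheld, and confirm that nothing redacted survives in the output) can be illustrated with a small text-only redaction pass. This is an added example written for this article, not OneTrust code and not a description of how its engine works. The regular expressions, the sample HR email, the requester and colleague names, the project name and every function name are constructed for illustration; a production DSAR workflow would add a proper classifier for names and a human review step before release.

```python
"""Toy DSAR redaction pass (added example, not OneTrust code).

Keeps the requester's own identifiers, replaces other people's identifiers
and confidential terms with a labelled marker, and records what was removed
so the output can be checked for leftovers before it is released.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Regexes for identifier types named in the article (email, tax ID, card).
# Constructed for this example and deliberately simple.
PATTERNS: Dict[str, re.Pattern] = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "tax id": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # US SSN shape
    "card number": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),  # 13-19 digits
}


def luhn_ok(candidate: str) -> bool:
    """Luhn check so that other long numbers (invoice refs) are left alone."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str, requester_identifiers: Iterable[str],
           third_party_names: Iterable[str] = (),
           confidential_terms: Iterable[str] = (),
           marker: str = "[REDACTED: {kind}]") -> Tuple[str, List[Tuple[str, str]]]:
    """Return (redacted_text, findings).

    findings lists every (kind, value) that was replaced; verify_clean() uses
    it to prove none of those values remain.  marker is the customizable
    label written in place of the removed data.
    """
    keep = {s.lower() for s in requester_identifiers}
    findings: List[Tuple[str, str]] = []

    def replacer(kind: str):
        def _repl(m: "re.Match") -> str:
            value = m.group(0)
            if value.lower() in keep:
                return value          # the requester's own data: disclose it
            if kind == "card number" and not luhn_ok(value):
                return value          # not a card number after all
            findings.append((kind, value))
            return marker.format(kind=kind)
        return _repl

    out = text
    for kind, pattern in PATTERNS.items():
        out = pattern.sub(replacer(kind), out)
    # Literal terms: other people's names and internal labels.  Longest first,
    # so "Bob Smith" is replaced whole before a bare "Bob" can split it.
    for kind, terms in (("name", third_party_names),
                        ("confidential", confidential_terms)):
        for term in sorted(terms, key=len, reverse=True):
            pat = re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE)
            out = pat.sub(replacer(kind), out)
    return out, findings


def verify_clean(redacted: str, findings: List[Tuple[str, str]]) -> bool:
    """Release gate: no redacted value may survive anywhere in the output."""
    low = redacted.lower()
    return all(value.lower() not in low for _, value in findings)


# Constructed sample: an HR thread about the requester (Jane Doe) that also
# carries a colleague's details and an internal project name.
SAMPLE_EMAIL = (
    "To: jane.doe@example.com, bob.smith@example.com\n"
    "Jane Doe was not promoted this cycle. Bob Smith (SSN 123-45-6789) was.\n"
    "Bob's corporate card 4111 1111 1111 1111 covered the Project Falcon dinner.\n"
    "Invoice ref 1234567890123 attached.\n"
)


def demo() -> Tuple[str, List[Tuple[str, str]], bool]:
    redacted, findings = redact(
        SAMPLE_EMAIL,
        requester_identifiers=["jane.doe@example.com", "Jane Doe"],
        third_party_names=("Bob Smith", "Bob"),
        confidential_terms=("Project Falcon",),
    )
    return redacted, findings, verify_clean(redacted, findings)


if __name__ == "__main__":
    text, found, clean = demo()
    print(text)
    print(f"{len(found)} redactions, output clean: {clean}")
```

Two design points carry over to real tooling. First, the allow-list of the requester's own identifiers is what stops a blunt "redact every email address" rule from stripping the very data the DSAR is meant to return. Second, the findings list turns "irreversible" into something you can test: if any removed value still matches in the output, the file is not ready to leave the organization. Regexes only find structured identifiers; other people's names here come from an explicit list, and for rendered PDFs or images the same logic must be applied to the document's content layer and properties, not to an overlay.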
Further Redaction Resources:
- Watch the webinar: Redaction for DSARs: What You Need to Know
- Read the blog: How To Automate Your DSAR Process with Discovery & Redaction
- Download the infographic: The 4 Step Checklist for Fulfilling Employee DSARs