
Redacting Documents for FOI and SAR Disclosure

Disclosure requests arrive with deadlines. An FOI request gives you 20 working days. A SAR under GDPR gives you one calendar month. Both require reviewing potentially large volumes of documents for personal data that needs removing before the documents go out. Getting the redaction wrong - or missing it - is a data breach.

By RedactProof Editorial Team · 18 Feb 2026


Disclosure obligations & redaction

When an organisation receives an FOI request or a SAR, it is typically required to provide the requested information - but not all of it. Third-party personal data, and information that falls under a valid exemption, must be redacted before disclosure in either case.

Under Article 15 of GDPR, individuals have the right to access their own personal data. But a SAR response might include documents that also contain someone else's personal data - a colleague's name in an email chain, a witness statement in an HR file, a doctor's name in a medical report. That third-party data generally needs redacting unless the other individual consents to the disclosure or it is reasonable to disclose it without their consent (the test set out in Schedule 2 to the Data Protection Act 2018).

FOI requests under the Freedom of Information Act 2000 (UK) or equivalent legislation operate differently. The requester asks for information held by a public body, and whatever is released is treated as released to the world. Section 40 of the Act covers personal data: the requester's own personal data is exempt under section 40(1) (it is handled as a SAR instead), and third-party personal data is exempt under section 40(2) where disclosure would contravene the data protection principles. So you release the document, minus the personal data that shouldn't be public.

The redaction challenge is the same in both cases: identify everything that needs removing, remove it permanently, and verify the removal is complete. All within a statutory deadline.

Building a repeatable process

Ad hoc redaction - different staff handling requests differently, using whatever PDF tool is to hand - creates inconsistency. Some organisations have formalised their disclosure workflows to reduce risk.

A typical process involves five stages. First, gather all responsive documents and consolidate them into a review set. Second, run automated PII detection to flag personal information across the full set. Third, a reviewer examines the flagged items and marks additional content for redaction - exempted material, legally privileged information, third-party personal data. Fourth, apply the redactions with a tool that removes the underlying text and image data from the page (often called burning or pixel-burn), not one that simply draws an opaque box over content that stays in the file. Fifth, run a verification check on the output files before they leave the building.

The volume of documents in a single request varies enormously. A SAR from a former employee who worked at the organisation for eight years might require reviewing hundreds of emails, HR files, meeting notes, and performance reviews. A straightforward FOI request might involve three documents. The process should accommodate both without shortcuts on the verification step.

Where mistakes happen under deadline pressure

Tight deadlines cause corners to be cut. The statutory response period doesn't extend because you have a lot of documents to redact (although Article 12(3) of GDPR allows a further two months for complex or numerous requests, provided you tell the requester, with reasons, within the initial month).

The errors we see most often in deadline-pressured disclosure work:

Overlay redaction used instead of pixel-burn, because the person doing the work used whatever PDF tool was already open. An opaque box is drawn over the text, but the text itself stays in the file: the page looks redacted, yet the words can be selected, copied, or extracted by anyone who receives the document.

Metadata left intact. The document properties (including any embedded XMP metadata) still show the original author, the subject line references a person, the comment history contains reviewer names. All personal data, all sent out with the disclosure.

Inconsistent treatment of names. The same individual is fully redacted on one page and referenced by surname three pages later. In an email chain, the "To" and "From" fields are redacted but the signature block at the bottom isn't.

No final verification. The redacted documents go straight from the reviewer to the requester without a second pair of eyes or an automated check.

Verification before release

Before any redacted document leaves your organisation, check the output file independently. Open it in a PDF viewer other than the tool you used to redact it. Try to select and copy text from the redacted areas. Search the file for strings you know should have been removed - names, reference numbers, email addresses - and check the document properties as well. Then go one step further than the viewer: extract the text layer and the properties with a command-line tool (pdftotext and pdfinfo from Poppler, for instance) or a script, and search that output, so the check doesn't depend on what one particular viewer chooses to show.
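The manual checks above can be scripted. What follows is an added example, not RedactProof's code or output: it builds a small constructed PDF in two variants (an overlay "redaction" with a black box painted over live text and the author still in the properties, and a burned one with the text and the author entry actually removed), then runs the same search a reviewer would do by hand over the extracted text and the /Info metadata. It uses only the Python standard library and assumes unfiltered or FlateDecode content streams with a direct /Length, text drawn with Tj/TJ literal strings, and an /Info dictionary that is not packed into an object stream; the name and reference number are placeholders.

```python
"""Automated leak check on a redacted PDF, standard library only.

Added example, not RedactProof's code or output. Builds a constructed one-page
PDF in two variants (overlay "redaction": box over live text, /Author kept;
burned: text and author entry removed) and searches page text and /Info
metadata for strings that should be gone. Assumes FlateDecode or unfiltered
content streams with a direct /Length, Tj/TJ literal strings, and an /Info
dictionary not packed into an object stream (PDF 1.5+).
"""
import re
import zlib

# "<N> 0 obj << ... >> stream": capture the stream dictionary (not spanning an endobj)
# so /Length and /Filter can be read. TEXT_RE covers literal-string Tj/TJ only;
# escaped parentheses and hex strings are outside what it handles.
STREAM_RE = re.compile(rb"(\d+) 0 obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
TEXT_RE = re.compile(rb"\((.*?)\)\s*Tj|\[(.*?)\]\s*TJ", re.S)
INFO_KEYS = ("Author", "Title", "Subject", "Keywords", "Creator")
FORBIDDEN = ["Jane Doe", "HR-2019-0042"]  # placeholders the reviewer marked for removal

def build_pdf(page_text, author):
    """Constructed sample. page_text=None: text removed; author=None: /Author scrubbed."""
    ops = "0 g 72 690 250 20 re f\n"  # the black box, drawn in both variants
    if page_text is not None:
        ops = f"BT /F1 12 Tf 72 700 Td ({page_text}) Tj ET\n" + ops  # text under the box
    content = zlib.compress(ops.encode("latin-1"))  # FlateDecode, as real writers do
    info = b"<< /Producer (constructed sample)"
    if author is not None:
        info += b" /Author (" + author.encode("latin-1") + b")"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
        info + b" >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R /Info 6 0 R >>\n" % (len(objs) + 1)
    out += b"startxref\n%d\n%%%%EOF\n" % xref
    return bytes(out)

def content_streams(pdf):
    """Yield content streams, inflating FlateDecode; skip anything unreadable."""
    for m in STREAM_RE.finditer(pdf):
        header = m.group(2)
        length = re.search(rb"/Length\s+(\d+)\s*(?:/|$)", header)  # direct lengths only
        if not length:
            continue
        data = pdf[m.end():m.end() + int(length.group(1))]
        if b"/FlateDecode" in header:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue
        elif b"/Filter" in header:
            continue  # images and other non-text encodings
        yield data

def extract_text(pdf):
    """Text drawn by Tj/TJ operators across all readable content streams."""
    pieces = []
    for data in content_streams(pdf):
        for lit, arr in TEXT_RE.findall(data):
            pieces.append(lit or b"".join(re.findall(rb"\((.*?)\)", arr)))
    return b"".join(pieces).decode("latin-1", "replace")

def document_info(pdf):
    """Plain-text /Info entries such as /Author (Jane Doe)."""
    found = {}
    for key in INFO_KEYS:
        m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", pdf)
        if m:
            found[key] = m.group(1).decode("latin-1", "replace")
    return found

def leak_check(pdf, forbidden):
    """One finding per place a forbidden string still appears; empty means none."""
    findings, text, info = [], extract_text(pdf).lower(), document_info(pdf)
    for term in forbidden:
        if term.lower() in text:
            findings.append(f"page text still contains {term!r}")
        for key, value in info.items():
            if term.lower() in value.lower():
                findings.append(f"metadata /{key} contains {term!r}")
    return findings

def overlay_findings():  # overlay: the box hides the name on screen; text and /Author remain
    return leak_check(build_pdf("Name: Jane Doe, file ref HR-2019-0042", "Jane Doe"), FORBIDDEN)

def burned_findings():  # burned: text removed from the content stream, /Author scrubbed
    return leak_check(build_pdf(None, None), FORBIDDEN)
```

On a real output file the call is `leak_check(open("disclosure.pdf", "rb").read(), terms)`, with `terms` being the list the reviewer marked for removal. A clean result from a check like this is one piece of evidence, not proof: text in hex strings or custom font encodings, annotations, bookmarks, attachments and XMP streams are outside what it reads, which is why an independent second tool and a second pair of eyes still matter.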

If your tool supports verification certificates, include them with the disclosure. A certificate carrying a cryptographic signature (Ed25519, for example) over a hash of the output file provides evidence that the document was produced by a specific tool at a specific time and hasn't been modified since. This protects the organisation if a requester later claims the document was tampered with or improperly redacted. Be clear about what the certificate does and doesn't prove: it establishes the integrity and origin of the file, not that every redaction decision was correct or complete, and a recipient can only verify it independently if the public half of the signing key is published.

RedactProof generates these certificates automatically. Each certificate includes a QR code that enables offline verification without needing the original tool.

Handling mixed document types

A real disclosure bundle rarely consists of neat, text-searchable PDFs. You'll encounter scanned letters (image-only PDFs), Word documents with track changes, Excel spreadsheets with personal data in unexpected cells, email exports in various formats, and occasionally paper documents that need scanning before they can be processed.

Scanned documents need OCR before PII detection can work, and the redaction then has to remove both the image pixels and the OCR text layer that sits on top of them. Word and Excel files should be converted to PDF and then redacted - attempting to redact within native Office formats risks leaving data in revision history, comments, hidden text, or document properties. Accept or reject tracked changes, delete comments, and clear the document properties before converting, because depending on the export settings markup and comments can be rendered straight into the PDF. Emails should be exported as PDFs rather than forwarded, to avoid metadata leakage.
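To see what "data in revision history, comments, or hidden fields" looks like inside a Word file, here is an added example (not RedactProof's code) that unpacks a constructed .docx with the Python standard library and lists the tracked changes, hidden runs, comments and author properties that reading the document on screen would not show. The document, names and part contents are constructed for the example; the part names and XML namespaces are the standard OOXML ones.

```python
"""Audit a .docx for content a visual review misses, standard library only.

Added example, not RedactProof's code. A .docx is a zip of XML parts, and
tracked changes (w:ins / w:del), comments, hidden text (w:vanish) and the
author fields in docProps/core.xml all survive a "redaction" done by editing
the visible text in the native format. The document below is constructed
inline; the part names and namespaces are the standard OOXML ones.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"


def w(name):
    """Clark-notation tag in the WordprocessingML namespace."""
    return "{%s}%s" % (W, name)


SAMPLE_PARTS = {  # constructed sample: names and content are placeholders
    "word/document.xml": f"""<w:document xmlns:w="{W}"><w:body>
<w:p><w:r><w:t>Grievance raised by </w:t></w:r>
<w:del w:id="1" w:author="HR Advisor"><w:r><w:delText>Jane Doe</w:delText></w:r></w:del>
<w:ins w:id="2" w:author="HR Advisor"><w:r><w:t>[REDACTED]</w:t></w:r></w:ins></w:p>
<w:p><w:r><w:rPr><w:vanish/></w:rPr><w:t>Witness: Sam Patel, ext 4412</w:t></w:r></w:p>
<w:p><w:commentRangeStart w:id="0"/><w:r><w:t>Outcome: upheld.</w:t></w:r>
<w:commentRangeEnd w:id="0"/></w:p></w:body></w:document>""",
    "word/comments.xml": f"""<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="Line Manager">
<w:p><w:r><w:t>Check the GP letter for Jane Doe before sending.</w:t></w:r></w:p>
</w:comment></w:comments>""",
    "docProps/core.xml": f"""<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">
<dc:creator>Jane Doe</dc:creator><cp:lastModifiedBy>HR Advisor</cp:lastModifiedBy>
</cp:coreProperties>""",
}


def build_docx(parts):
    """Zip the given XML parts into a minimal .docx-style package, in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


def audit_docx(data):
    """List every tracked change, hidden run, comment and author field found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        doc = ET.fromstring(z.read("word/document.xml"))
        for tag, label in (("del", "deleted (tracked-change) text"),
                           ("ins", "inserted (tracked-change) text")):
            for el in doc.iter(w(tag)):
                text = "".join(el.itertext()).strip()
                findings.append(f"{label} by {el.get(w('author'))!r}: {text!r}")
        for run in doc.iter(w("r")):  # w:vanish marks a run as hidden on screen
            if run.find(w("rPr") + "/" + w("vanish")) is not None:
                findings.append(f"hidden text: {''.join(run.itertext()).strip()!r}")
        if "word/comments.xml" in names:
            for c in ET.fromstring(z.read("word/comments.xml")).iter(w("comment")):
                text = "".join(c.itertext()).strip()
                findings.append(f"comment by {c.get(w('author'))!r}: {text!r}")
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("{%s}creator" % DC, "{%s}lastModifiedBy" % CP):
                el = core.find(tag)
                if el is not None and el.text:
                    findings.append(f"metadata {tag.split('}')[1]}: {el.text!r}")
    return findings


def sample_findings():
    """Audit the constructed sample; each line is something the page view hides."""
    return audit_docx(build_docx(SAMPLE_PARTS))


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Running a check like this on each Office file before conversion tells you which clean-up steps (accept or reject changes, delete comments, clear properties) are actually needed; an empty list is the state you want before you export to PDF. For a real file, pass `open("file.docx", "rb").read()` to `audit_docx`.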

Standardising everything to PDF before redaction isn't glamorous, but it gives you a consistent format to process, verify, and release.

Disclaimer: This guide is for informational purposes only and does not constitute legal, medical, or professional advice. Consult a qualified professional for advice specific to your situation.

Frequently Asked Questions

Can we charge for redacting documents in response to a SAR?

Under Article 12(5) of GDPR, organisations can charge a "reasonable fee" or refuse to act on requests that are "manifestly unfounded or excessive." But the default position is that SARs are free of charge. The redaction effort is part of meeting the obligation. Charging for redaction is not standard practice and should be discussed with your legal team before being applied.

What if we miss personal data in a disclosure?

An accidental disclosure of personal data is a personal data breach. Under Article 33 of GDPR, if the breach poses a risk to individuals' rights and freedoms, it must be reported to the relevant supervisory authority (such as the ICO in the UK) within 72 hours of becoming aware of it, and under Article 34 the affected individuals must also be told where the risk to them is high. In practice, if you discover the error quickly, you should contact the requester to retrieve the unredacted version and issue a corrected copy. Document the incident and your response, including what was disclosed, to whom, and when.

Should we keep a copy of the unredacted original?

Yes. Retain the unredacted original under your standard document retention policy. If the requester challenges your redaction decisions - arguing that exemptions were applied incorrectly, for instance - you'll need the originals to justify your position. Store them securely with the same access controls as the original documents.

How long should the redaction and disclosure process take?

Under GDPR, the standard timeframe for a SAR response is one calendar month from receipt. For FOI requests under UK law, it's 20 working days. Complex SARs can be extended by a further two months under Article 12(3), but you must notify the requester and explain the delay within the initial month. The practical answer depends on document volume - some organisations estimate 10-15 minutes per document for review and redaction once a workflow is established, but this varies significantly.

Redact with confidence

RedactProof detects PII across your documents without uploading them. Start with a free account.