Redacting Documents for SAR, DSAR, and FOI Disclosure

FOI requests carry a 20-working-day deadline under the Freedom of Information Act 2000. SARs and DSARs under UK GDPR give you one calendar month. Both require reviewing potentially large volumes of documents, identifying what must be removed, and applying permanent redaction before anything leaves the building. Getting it wrong is a data breach - and in some cases, an ICO enforcement action.

By RedactProof Editorial Team · 18 Feb 2026

Two routes to the same problem

FOI requests under the Freedom of Information Act 2000 (UK) require public bodies to release information they hold - subject to specific exemptions. Under Section 10, organisations are generally expected to respond within 20 working days of receiving the request.

Subject Access Requests (SARs) and Data Subject Access Requests (DSARs) are made under Article 15 of the UK GDPR. They give individuals the right to access personal data your organisation holds about them. Under Article 12(3), the standard timeframe for responding to a SAR is one calendar month from receipt. For complex requests, this can be extended by a further two months - but only if you notify the data subject within the initial month and explain the reason.

The redaction challenge is effectively the same in both cases. You need to identify what must be removed, remove it permanently, and verify the removal before the documents leave your organisation. The deadline doesn't flex because the volume is unexpectedly large.

Scoping the request before you start

Before opening a single document, define what's in scope. For a SAR, this means all personal data your organisation holds about the data subject across every system where it might exist: HR files, email accounts, shared drives, CRM records, payroll, case management systems, training records, and systematically filed handwritten notes.

The scope can be narrowed by agreement with the data subject. If they specify they only want data from the last two years, or only from a particular system, you can limit your search accordingly. ICO guidance permits asking data subjects to clarify the request where scope is unclear - provided this doesn't delay the response unreasonably.

For an FOI request, the scope is determined by what information the public body actually holds on the requested topic. Gather all responsive documents into a review set before you start redacting. Working from an incomplete document set and later discovering additional materials wastes time and can result in a partial disclosure that draws a complaint.

What to redact: a working checklist

Work through every document systematically. You're looking for three categories of content to remove.

Third-party personal data. Names, contact details, and any information that could identify someone other than the data subject. This includes co-workers, managers, clients, witnesses, and anyone mentioned incidentally. Be aware that a person can be identifiable without their name - a job title in a small team, a specific date and location, or a description that narrows to one individual all count.

Exempt information. Under UK GDPR, this includes legally privileged material (communications with legal advisors for the purpose of legal advice or proceedings), management planning information that hasn't been communicated (such as planned redundancies), and information that could prejudice a criminal investigation. Under the FOI Act, Section 40 exempts personal data where disclosure would breach data protection principles. Each exemption should be applied narrowly and documented.

Internal opinions about the data subject. Opinions recorded about the individual - performance assessments, disciplinary commentary, subjective manager observations - are generally in scope for a SAR (they are the data subject's personal data). But they may contain third-party opinions that identify the opinion-holder, which itself needs consideration. The ICO's position is that the data subject is generally entitled to see opinions recorded about them, even where those opinions are unflattering.

Practical approach: run automated PII detection across the full document set first. This catches the standard identifiers - names, dates, reference numbers, email addresses, NI numbers, contact details - consistently across every page. Then review manually for contextual identification and exempt information that automated tools won't pick up.

Applying exemptions correctly

Exemptions are not a get-out. Every exemption you claim should be documented, and you should be prepared to justify it if the data subject complains to the ICO. The ICO takes a narrow view of exemptions: if information can be disclosed with portions removed, you should disclose the remainder rather than withhold the document entirely.

Legal professional privilege is the exemption most organisations invoke, and also one of the most commonly misapplied. It covers communications between an organisation and its legal advisors for the dominant purpose of seeking or giving legal advice, or in anticipation of litigation. A general email to HR from an in-house solicitor about company policy is unlikely to be privileged. A letter from external solicitors advising on the strength of a pending tribunal claim almost certainly is.

When you withhold information under an exemption, tell the data subject. You don't need to describe what you've withheld in detail, but you should state that information has been redacted or withheld and cite the relevant provision. Silence about redactions invites escalation.

Workflow from receipt to disclosure

A consistent five-stage process reduces the risk of errors under deadline pressure.

Stage 1 - Gather. Collect all responsive documents from every relevant system into a single review set. Convert non-PDF formats: Word documents with track changes, emails, and Excel files should all be converted to PDF before redaction. Attempting to redact within native Office formats risks leaving data in revision history, comments, or hidden fields.

Stage 2 - Detect. Run automated PII detection across the full document set. This surfaces names, contact details, identification numbers, and other standard identifiers. RedactProof processes documents in your browser - the files do not leave your device - and flags 40+ types of personal information with confidence scoring.

Stage 3 - Review. A human reviewer examines the detection output and marks any additional content for redaction: exempt material, contextual identifiers, legally privileged information, internal management data that falls within an exemption. This step cannot be fully automated. The reviewer should also note which exemptions are being claimed for audit purposes.

Stage 4 - Redact. Apply redactions using pixel-burn (not overlay). Overlay redaction - black boxes drawn over text - is reversible; the underlying text remains in the file. Pixel-burn converts the document page to an image and permanently destroys the text layer. If an ICO investigation or tribunal later looks at your disclosure, you need the redaction to actually hold.

Stage 5 - Verify. Before any document leaves, test it. Open the output in a different PDF viewer. Try to select and copy text from redacted areas. Search the file for strings you know were redacted - names, reference numbers, email addresses. If your tool produces verification certificates, include them with the disclosure.

Scanned documents and mixed formats

A real disclosure bundle rarely arrives as neat, text-searchable PDFs. Expect scanned letters (image-only PDFs where PII detection can't operate on the text layer), Word documents with tracked changes, spreadsheets with personal data in unexpected cells, and email exports in various formats.

Scanned documents need OCR before automated detection can work. Run OCR first, verify the text layer is accurate, then proceed with detection and redaction. RedactProof includes OCR text restoration on Core plan and above, which restores a searchable text layer to the output PDF after pixel-burn redaction.

For email threads, export as PDF rather than forwarding. Forwarding carries metadata - message headers, routing information, sometimes hidden recipient fields - that adds risk. A flat PDF is cleaner.

Verification certificates and your audit trail

A verification certificate provides cryptographic evidence that a document was redacted using a specific tool at a specific time and has not been modified since. RedactProof generates Ed25519-signed certificates automatically. Each certificate includes a QR code that allows offline verification without needing the original tool.

Include the certificate alongside the redacted document in your disclosure. If the data subject later claims the document was tampered with, or argues that redactions were applied after the fact, the certificate provides an auditable timestamp. For organisations subject to ICO investigation, this is material evidence.

Separately, keep an internal redaction log. Note which documents were reviewed, what was redacted and under which exemption, and who signed off the disclosure. This log stays inside your organisation - it's your compliance record, not part of the disclosure bundle. HR teams handling frequent SARs may find it useful to read our guide to document redaction for HR teams, which covers recurring SAR workflows in more detail.

What to include with the disclosure

For a SAR response, the documents themselves aren't the complete obligation. Article 15(1) requires you to also provide: the purposes of processing, categories of personal data held, recipients or categories of recipients, retention periods, information about the data subject's rights (to rectification, erasure, restriction, and complaint), and the source of the data if not collected directly from the subject.

Many organisations produce a standard covering letter that addresses these points, then attach the redacted document bundle. This is sensible practice. It reduces the risk of forgetting a required element and gives the data subject a readable summary before they wade through the documents.

For FOI responses, include an explanation of any exemptions claimed. The requester is entitled to understand why information has been withheld, and has the right to request an internal review if they disagree. Transparency here reduces the likelihood of an ICO referral.

Deliver securely. The disclosure package contains personal data, which means it's subject to the same protection as any other personal data in transit. Use encrypted file transfer, secure email, or recorded post, depending on the sensitivity of the material.

Disclaimer: This guide is for informational purposes only and does not constitute legal, medical, or professional advice. Consult a qualified professional for advice specific to your situation.

Frequently Asked Questions

How long do we have to respond to a SAR or DSAR?

Under Article 12(3) of UK GDPR, the standard timeframe for responding to a Subject Access Request is one calendar month from the date of receipt. For complex requests, organisations can extend by a further two months - but must notify the data subject within the initial month and explain the reason for the extension. The clock starts from receipt of the request, not from when you confirm identity or acknowledge it.

What is the deadline for responding to an FOI request?

Under Section 10 of the Freedom of Information Act 2000, public authorities are generally expected to respond to FOI requests within 20 working days of receipt. The 20-day clock begins the day after the request is received. Extensions beyond 20 working days require specific justification under the Act - for example, where the public interest test is being applied to a qualified exemption. The ICO can issue enforcement notices where organisations fail to meet the statutory deadline.

Can we charge for redacting and processing a SAR response?

The default position under Article 12(5) of UK GDPR is that SAR responses are free. A "reasonable fee" can be charged for requests that are manifestly unfounded or excessive - for example, a repeat request for data that has not changed. The bar for charging is high, and the ICO expects the overwhelming majority of SARs to be handled without charge. Redaction effort is part of meeting the obligation, not a separately chargeable service.

What happens if we accidentally disclose personal data that should have been redacted?

An accidental disclosure of personal data constitutes a personal data breach under UK GDPR. Under Article 33, if the breach poses a risk to individuals' rights and freedoms, it must be reported to the ICO within 72 hours. In practice, if you discover the error quickly, contact the requester immediately, request that the unredacted documents be destroyed, and issue corrected copies. Document the incident, your assessment of risk, and your response actions. The ICO has issued fines in cases where inadequate redaction led to personal data breaches - the risk is not theoretical.

Do we need to keep a copy of the unredacted originals after disclosure?

Yes. Retain the unredacted originals under your standard document retention policy. If the data subject or requester challenges your redaction decisions - arguing that exemptions were applied incorrectly or that certain data should have been included - you will need the originals to justify your position. Store them securely with the same access controls as other sensitive documents. The redaction log (documenting what was redacted and under which exemption) should be retained alongside the originals.

Redact with confidence

RedactProof detects PII across your documents without uploading them. Start with a free account.