Redacting Documents for Subject Access Requests
A former employee submits a SAR. Your organisation has 30 days. The HR team pulls together four years of emails, performance reviews, absence records, and disciplinary files. Everything the individual is entitled to see - minus the personal data of everyone else who appears in those documents. The redaction work starts now.
By RedactProof Editorial Team · Feb 18, 2026
What a SAR requires you to do
Under Article 15 of GDPR, individuals have the right to access their personal data. When someone exercises that right, your organisation must provide a copy of the personal data you hold about them, the purposes of the processing, the categories of data, recipients, and retention periods. This is their data. They're entitled to it.
The complication is that their data rarely exists in isolation. An email from their manager contains the manager's name and opinions. A meeting note references three other colleagues. A grievance file includes witness statements from people who aren't the data subject. All of that third-party personal data generally needs redacting before you hand the documents over.
Article 15(4) states that the right to obtain a copy "shall not adversely affect the rights and freedoms of others." In practice, this means you redact other people's personal data from the response.
Scoping the response
Before you start redacting, define what's in scope. A SAR covers personal data in any format that your organisation holds, processes, or stores - including email accounts, shared drives, HR systems, CRM databases, handwritten notes if they're filed systematically, and CCTV footage.
Start by identifying where the data subject's information is likely to exist. For an employee SAR, that typically includes: HR personnel file, email (sent and received), line manager's records, payroll system, any case management system, training records, access logs, and any ad hoc files or notes.
The scope can be narrowed by agreement with the data subject. If they specify that they only want their disciplinary records from the last two years, you don't need to search everything. ICO guidance encourages organisations to ask data subjects to clarify their requests where the scope is unclear - this is permitted and sensible, provided it doesn't delay the response unreasonably.
Identifying what to redact
Once you have the documents, work through them systematically. You're looking for two categories of information to remove.
Third-party personal data. Names, contact details, and identifying information of other individuals who appear in the documents. This includes co-workers, managers, clients, witnesses, and anyone else who isn't the data subject. Remember that a person can be identified without their name being present - a job title in a small team, a specific date and location combination, or a description that narrows to one person.
Exempt information. Certain data is exempt from the SAR right. Legally privileged information (communications between the organisation and its legal advisors for the purpose of legal advice or proceedings) can be withheld. Management planning information (such as planned redundancies that haven't been communicated) may also be exempt under certain conditions. Information that would prejudice a criminal investigation is exempt. Each exemption should be applied narrowly and documented.
A practical approach: run automated PII detection across the full document set first. This flags the standard identifiers - names, dates, reference numbers, contact details - across every page. Then review manually, focusing on contextual identification and exempt information that automated tools won't catch.
The redaction process under time pressure
SARs have a one-month deadline. For a straightforward request involving a handful of documents, that's generous. For a complex request involving years of correspondence and multiple systems, it's tight.
If you realise early that the request is complex, consider notifying the data subject of an extension under Article 12(3) - you can extend by a further two months, but you must notify within the initial month and explain why the extension is needed.
Prioritise by risk. Documents that contain the most third-party personal data or the most sensitive information (health data, disciplinary records, financial details) need the most careful review. Straightforward correspondence with limited third-party data can be processed more quickly.
Use batch processing where possible. If you have 50 documents to redact, loading them individually into a redaction tool is slow. Tools that handle multiple documents in sequence and apply consistent detection settings across a batch save significant time. RedactProof processes documents individually in the browser but maintains detection settings across your session.
Keep a log as you work. Note which documents you've reviewed, what redactions you applied and why, and any exemptions you've claimed. If the data subject complains to the ICO about your response, you'll need to justify your redaction decisions.
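The two-pass approach described above (automated flagging of standard identifiers, then manual review of context that tools miss) and the redaction log this section asks for can be put together in a few dozen lines. The following is an added illustration, not RedactProof's code or any part of its detection engine. It assumes a constructed SAR bundle of two short documents, a hypothetical staff directory used to tell third-party names apart from the requester's own, and a deliberately conservative policy: third-party names and contact details are replaced automatically, while dates, reference numbers and job titles are only logged for a human decision, because a date of absence or an employee ID may well be the requester's own data and must not be stripped from their copy.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data for illustration only; not taken from any real SAR.
DATA_SUBJECT = "Priya Shah"
# Hypothetical staff directory: everyone here who is not the requester is a third party.
THIRD_PARTIES = ["Tom Reilly", "Ana Costa", "Mark Lowe"]

DOCUMENTS = {
    "email-0412.txt": (
        "From: Tom Reilly <tom.reilly@example.com>\n"
        "To: Priya Shah\n"
        "Priya, Ana Costa raised the absence on 03/11/2024. Ref EMP-22817. "
        "Call me on 07700 900123."
    ),
    "review-2023.txt": (
        "Annual review for Priya Shah. Reviewer: Mark Lowe. "
        "The Head of Payroll agreed the rating. Legal advice received from counsel 12/01/2024."
    ),
}

# Standard identifiers an automated pass can find reliably.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "uk_phone": re.compile(r"\b0\d{4}\s?\d{6}\b"),
    "date": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
    "reference": re.compile(r"\bEMP-\d{5}\b"),
}
# Contextual cues (job titles in a small team, possible legal privilege) that a pattern
# matcher cannot resolve on its own: logged for manual review, never auto-redacted.
MANUAL_REVIEW_HINTS = [r"\bHead of \w+\b", r"\blegal advice\b", r"\bcounsel\b"]


@dataclass
class LogEntry:
    document: str
    rule: str
    original: str
    action: str   # "redacted" or "manual-review"
    reason: str


@dataclass
class RedactionResult:
    text: str
    log: list = field(default_factory=list)


def redact_document(name, text, data_subject, third_parties):
    """Apply the automated pass to one document and return the redacted text plus its log."""
    log = []
    out = text
    # Third-party names: redact everyone on the directory except the requester.
    for person in third_parties:
        if person == data_subject or person not in out:
            continue
        out = out.replace(person, "[REDACTED: third party]")
        log.append(LogEntry(name, "third_party_name", person, "redacted", "Art. 15(4) third-party data"))
    # Contact details in an employee bundle belong to correspondents, so redact them.
    for rule in ("email", "uk_phone"):
        pattern = PATTERNS[rule]
        for m in pattern.finditer(out):
            log.append(LogEntry(name, rule, m.group(0), "redacted", "third-party contact detail"))
        out = pattern.sub(f"[REDACTED: {rule}]", out)
    # Dates and reference numbers may be the requester's own data: flag, do not strip.
    for rule in ("date", "reference"):
        for m in PATTERNS[rule].finditer(out):
            log.append(LogEntry(name, rule, m.group(0), "manual-review", "may be the requester's own data"))
    # Contextual identifiers and possible exemptions need a reviewer's judgement.
    for hint in MANUAL_REVIEW_HINTS:
        for m in re.finditer(hint, out, flags=re.IGNORECASE):
            log.append(LogEntry(name, "context", m.group(0), "manual-review", "contextual identification or exemption"))
    return RedactionResult(out, log)


def process_bundle(documents, data_subject, third_parties):
    """Run the automated pass over every document with the same settings."""
    return {name: redact_document(name, text, data_subject, third_parties)
            for name, text in documents.items()}


def log_lines(results):
    """Flatten the per-document logs into audit lines suitable for the SAR file."""
    return [f"{e.document}\t{e.rule}\t{e.action}\t{e.original}\t{e.reason}"
            for r in results.values() for e in r.log]


if __name__ == "__main__":
    results = process_bundle(DOCUMENTS, DATA_SUBJECT, THIRD_PARTIES)
    for name, r in results.items():
        print(f"--- {name} ---\n{r.text}\n")
    print("\n".join(log_lines(results)))
```

The point of the split between "redacted" and "manual-review" is the one the section makes: the automated pass is there to make sure nothing standard is missed across every page, while the decision on ambiguous items, and on anything that might be privileged or exempt, stays with the reviewer and is recorded with a reason so it can be justified later to the ICO.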
After redaction - what to include in the response
The SAR response isn't just the documents. You need to include supplementary information required by Article 15(1): the purposes of processing, categories of personal data, recipients or categories of recipients, retention periods, information about the data subject's rights, and the source of the data if not collected directly from them.
If you've redacted information or withheld documents, tell the data subject. You don't need to describe what was redacted, but you should explain that information has been withheld and cite the relevant exemption. This transparency protects the organisation and respects the individual's rights.
Consider how you deliver the response. Secure email, encrypted file, or recorded post. The response itself contains the data subject's personal data, so it needs appropriate handling during transmission.
Frequently Asked Questions
Can we charge for responding to a SAR?
The default position under GDPR is that SAR responses are free. Under Article 12(5), you can charge a "reasonable fee" for requests that are "manifestly unfounded or excessive" - for example, a repeat request for data that hasn't changed. The bar for charging is high, and the ICO expects organisations to handle the vast majority of SARs without charge.
What if the same person submits multiple SARs?
Repeat requests for the same data within a short period may be treated as manifestly excessive under Article 12(5). But if the person has a reason to believe new data exists since their last request - because they've had further interactions with your organisation, for instance - the new request is legitimate. Assess each request individually.
Should we use the same redaction tool for SARs and FOI requests?
The redaction process is very similar for both. The difference is what you're protecting: in a SAR, you're redacting third-party personal data and exempt information. In an FOI response, you're redacting personal data and other exempted material. The same tool works for both, and using a consistent tool across your disclosure workflows reduces the risk of process errors.
What if we accidentally disclose unredacted personal data in a SAR response?
This constitutes a personal data breach under GDPR. Assess the risk to the individuals whose data was exposed. If the risk is more than minimal, report the breach to your supervisory authority (the ICO in the UK) within 72 hours under Article 33. Notify the affected individuals if the breach is likely to result in high risk to their rights and freedoms. Contact the SAR requester to retrieve the unredacted documents and issue corrected versions.
Redact with confidence
RedactProof detects PII across your documents without uploading them. Start with a free account.