UK ICO: A how-to on scrubbing personal data

The UK Information Commissioner’s Office has released a new guide to help organisations avoid disclosing personal data by mistake when responding to information requests under the Data Protection Act 1998 and the Freedom of Information Act 2000.

Handy tips include:

  • hiding personal data in “hidden data fields” of the document is not good practice, and is an ineffective way of removing or masking personal data for the purposes of redaction.
  • when using a highlighter tool to mark text for someone else to redact, do not use a black highlighter. A different colour (eg yellow) should be used to clearly indicate which text requires redaction yet also show that the original text remains. Further, for permanent redaction, organisations should use specific redaction software.
  • a large amount of meta-data can be embedded within files (such as Word documents, spreadsheets, and emails). If one intends to redact information such as the sender’s or recipients’ email address or part of the email subject, this information should also be removed from the meta-data, or the meta-data should be removed entirely.

Link(ICO): ICO Guide