Control measure: Processes to properly consider whether to withhold or redact information relating to the person or a third party are in place.

Risk: Failure to properly consider exemptions or redactions, or prevent disclosure of information relating to other people or third parties, could result in a personal data breach or reputational damage. 

Ways to meet our expectations:

  • Document how to apply exemptions, including redacting third party information, clearly in the relevant policies.
  • Ensure staff apply exemptions and redactions appropriately and correctly.
  • Ensure a senior staff member reviews and authorises exemptions and redactions (or a sample of them).
  • Provide specialised training for staff who apply, review or authorise exemptions.

Options to consider:

  • Produce anonymised examples of exemptions and redactions as training aids for staff.
  • Produce quick reference guides for staff.
  • Review training content regularly to keep it up-to-date.
  • Check that staff feel knowledgeable about exemptions and redactions and feel supported to apply them.

Control measure: A consistent approach is taken to removing confidential or third-party information from information provided in response to requests.

Risk: If exemptions and redactions are applied inconsistently or to different standards, confidential information may be inappropriately disclosed, resulting in personal data breaches or complaints.

Ways to meet our expectations:

  • Implement an appropriate redaction method.
  • Review or sample exemptions and redactions to check staff are taking a consistent approach.
  • Keep records of all redactions to capture who did the redaction, the date, and the justification.
  • Retain these records for reference, in line with the retention schedule.

Options to consider:

  • Procure electronic redaction software.
  • Add a general explanation of why information might be redacted to your template text for letters and emails.
  • Produce specific template text for exemptions that you frequently apply, so you communicate exemptions consistently.
  • Add a peer review stage within your redactions and exemptions process to promote consistency.