The recent High Court case of London Borough of Lambeth v A.M. offers a salutary lesson in the importance of properly redacting documents. This issue comes up more than you’d think – and certainly more than it should.

You’ll recall that, in the spirit of transparency, the European Commission recently publicized a heavily redacted version of its AstraZeneca COVID-19 vaccine contract. The problem was that the Commission had been too transparent – literally. All of the redacted content in the contract could be viewed by simply using the bookmark tool in Adobe Acrobat’s Reader. Redactio ad absurdum.

A similar issue arose before the High Court. A.M., the father of a girl about whom welfare concerns had been raised, was able to reverse the redactions that Lambeth had applied to protect the confidentiality of the individual who had raised the concerns (H.J., the child’s aunt). The court found that, in doing so, A.M. had breached the duty of confidence owed to Lambeth by: (i) removing the redactions and examining the unredacted file when he knew he was not entitled to do so; (ii) retaining a copy of the unredacted file; and (iii) using this information to write a pre-action letter to H.J. for alleged defamation and other torts.

Getting redaction right is critical in the data subject access request (DSAR) context. Notwithstanding the potential breach of confidence issues identified by the High Court, failing to properly redact content – whether it’s third-party personal data, first-party personal data that are withheld from disclosure, or confidential business information – almost never reflects well on the disclosing party. This is particularly the case where the DSAR is made by a current or former employee, and will often result in settlement arrangements that could otherwise have been avoided.