Redacted but revealed: Why poor training still exposes sensitive data
You’d think we’d nailed redaction by now. With the right tools and good intentions, what could go wrong? Turns out, quite a lot. Sensitive information still leaks out, not through malice or software failures, but because someone didn’t understand how redaction actually works.
Redaction isn't just visual
Redaction is about irreversible removal. Not hiding, not masking, but deleting. True redaction removes content from the source file, the metadata, and any revision history. It should survive a copy-paste, a metadata scan, and a version rollback.
Yet, people still “redact” by changing font colour to white or drawing shapes over text. Some export a file thinking it’s secure, unaware that the raw data is still layered underneath. One council recently responded to a subject access request using a PDF that had black boxes over text. The boxes didn’t delete the words, just covered them. Anyone could highlight and extract the full content.
These aren’t isolated incidents. They’re common. And they usually stem from poor training.
Where training breaks down
Most redaction training is treated as a side note. It’s squeezed into a wider privacy briefing or bundled into a legal compliance slide deck. It’s rarely hands-on, and even less often is it tailored to the specific tools that people actually use.
At our Privacy Operations Centre, we’ve seen this pattern many times. A team processes subject access requests using Adobe tools, but no one’s shown how to apply permanent redaction or flatten a file. Legal teams create disclosure bundles in Word, then email originals with version history intact. HR shares “anonymised” grievance notes, but forgets to remove names from file properties.
What’s missing isn’t knowledge, it’s confidence. Staff don’t feel equipped to question the output. They assume the tool did its job. They assume “Save As PDF” means safe.
Practical fixes that don’t need more tech
Redaction isn’t about having fancier software. It’s about helping staff understand the risks and giving them habits they can apply confidently.
That starts with showing real-world failures — anonymised case studies, redacted files that aren’t truly redacted. We’ve seen organisations run short “redaction challenge” sessions where staff try to break poor redactions before learning how to fix them. It lands better than any policy doc.
Next is tool-specific walkthroughs. If your team uses Acrobat, they need to practise with Acrobat. If redactions happen in Word before conversion, that’s where the training must focus. And each team needs its own checklist — FOI teams, legal, HR — because the risks and formats vary.
We encourage organisations we work with to build redaction into their review process. Just as you’d proofread a document before sending it, redaction should be a separate check. Ideally, it’s signed off by a second person. One pair of eyes to redact, another to test. It’s not about mistrust. It’s about margin for error.
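One way the second reviewer's test could be partly automated for Word files is sketched below. This is an added example, not a tool from the original article. It opens a .docx as the zip package it is and reports any tracked-change markup or listed terms still present in the body or the file properties. The function names, the sample name "Jane Example" and the sample package are all constructed for illustration.

```python
import io
import re
import zipfile

# WordprocessingML elements that hold revision history (tracked changes).
REVISION_TAGS = re.compile(r"<w:(del|ins|delText|moveFrom|moveTo)\b")
ANY_TAG = re.compile(r"<[^>]+>")


def audit_docx(data, terms):
    """Check .docx bytes for leftovers; an empty list means nothing was found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        for name in package.namelist():
            raw = package.read(name).decode("utf-8", "replace")
            if name.startswith("word/") and REVISION_TAGS.search(raw):
                findings.append((name, "tracked changes present"))
            # Search the raw XML (catches attribute values) and the text with
            # markup stripped (catches a term split across formatting runs).
            haystacks = (raw.lower(), ANY_TAG.sub("", raw).lower())
            for term in terms:
                if any(term.lower() in h for h in haystacks):
                    findings.append((name, "contains " + term))
    return findings


def build_sample(properly_redacted):
    """Constructed minimal package (two parts only), not a complete Word file."""
    if properly_redacted:
        body = "<w:p><w:r><w:t>Complaint raised by [REDACTED].</w:t></w:r></w:p>"
        creator = "Records Team"
    else:
        # Name deleted with Track Changes on: it survives inside w:delText,
        # and the same name is still in the file properties.
        body = ("<w:p><w:r><w:t>Complaint raised by </w:t></w:r><w:del>"
                "<w:r><w:delText>Jane </w:delText></w:r>"
                "<w:r><w:delText>Example</w:delText></w:r></w:del>"
                "<w:r><w:t>[REDACTED].</w:t></w:r></w:p>")
        creator = "Jane Example"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("word/document.xml", "<w:document>" + body + "</w:document>")
        package.writestr("docProps/core.xml", "<dc:creator>" + creator + "</dc:creator>")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_docx(build_sample(False), ["Jane Example"]):
        print(finding)
```

An empty result only means the listed terms and revision markup were not found; it does not replace the reviewer reading the document.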
You don’t need a full-day workshop. A 45-minute session with real documents, a step-by-step checklist, and a feedback loop is enough to shift the standard.
Redaction done properly isn’t just about compliance. It’s about control. It signals professionalism and earns trust, especially when dealing with FOIs or subject access requests. Small changes in training make that trust sustainable.