Skip to content

Data redaction vs. data masking: The key difference

| Written by Altlaw

Although similar, data redaction and data masking have their differences. Where data masking creates test data by removing personal information, redaction is used to release readable information without disclosing classified data.

In this blog post, we’ll explore data redaction and masking before looking into some examples of when data may be redacted in court.

What is data redaction?

Data redaction is the process of obscuring information that’s personally identifiable, confidential, classified or sensitive. The data redaction should be applied to a copy of the original document. Data redaction should be done securely, such as by encryption or removal in a way that ensures the redaction is irreversible.

With the ever-growing amount of data organisations need to deal with, data redaction is now a crucial part of any data strategy. Whether it’s employee, customer or company data, redaction can protect from leaks or unauthorised access.

Redacting unnecessary information can mitigate risk and provide a higher level of security. Regardless of industry, you’ll likely need to use data for your business processes. Therefore, by applying an effective data redaction policy, your company will desensitise its data, making it suitable for use.

If the sensitive data is the data you need, then you’ll likely need to explore avenues outside of redaction.

What is data masking?

Data masking is another tool in data security, but it has its differences when compared to data redaction.

While data redaction is the removal or blocking of sensitive or classified information, data masking refers to sensitive and authentic information being replaced by inauthentic data with the same structure.

Information Governance Guide

The process can be used for testing or training purposes, ensuring no personal information is used during a testing phase within a company. Due to the data’s structure remaining the same, applications can still process it during testing or training.

Here are some of the main techniques when it comes to data masking:

  • Substitution — Authentic-looking values replace the original data, often used in testing
  • Masking out — Certain fields or characters are masked to protect sensitive information, such as when a credit card number is seen as XXXX-XXXX-XXXX-4289
  • Shuffling — Similar to substitution, original data is replaced by data which looks authentic. The difference between the two is that numbers in the same column are randomly shuffled rather than replaced
  • Averaging — This method sees the original values of a dataset replaced with the average value of a table’s columns

In terms of eDiscovery, any use of data masking would be seen as fraud. Changing the data presented is not an option when it comes to litigation. Although data masking is not permitted, there are instances in which data can be redacted in court cases.

What happens when data is redacted in court cases?

When disclosing information in court, it may be necessary to redact data, especially if it's classed as sensitive or confidential.

The ICO's Guide to Freedom of Information is a valuable resource which guides what you should consider when redacting documents to be presented in court. The National Archives defines redaction in its redaction toolkit, which is as follows:


"Redaction is the separation of disclosable from nondisclosable information by blocking out individual words, sentences or paragraphs or the removal of whole pages or sections prior to the release of the document. In the paper environment, some organisations will know redaction as extracts when whole pages are removed, or deletions where only a section of text is affected." 


In court, redaction is the irreversible removal of exempt information from the redacted version of the information. It's vital to ensure data isn't deleted from the original file, which can be seen as data spoliation.

An example of redaction in court is when it's necessary to provide an email which supports a case. Where appropriate, personal data should be redacted from the file.

Data redaction is often necessary in DSARs (Data Subject Access Requests). When a DSAR is made, the party receiving it must send across all relevant personal data they hold on the subject.

However, when doing so, it's essential not to compromise the integrity of another data subject's private information. It's the duty of the controller to redact any sensitive information from the data they submit, protecting the integrity of anyone else's data.

For permanent and effective redaction when presenting information in court, it's beneficial to use redaction software, such as RelativityRedact. Redaction software such as this can save legal professionals time with large caseloads while reducing the risk of human error.

Access all of our resources in one click

That's right, we're offering all of our educational guides, videos and content in just one click. Simply fill in your details and click submit on our Content Hub and you'll gain unlimited access to all of our locked content.

This means you can accelerate your eDiscovery learning by accessing tonnes of insightful content — all in one place.

Ready to get started? Click below to head to our Content Hub.