
Capture-time PII redaction with an auditable evidence trail

Patterns for redacting at capture rather than after the fact, and how to make the redaction itself ICO-auditable.

10 June 2026 · AgentAudit Engineering


Redact at capture, log the redaction

After-the-fact redaction leaves a window of exposure and a regulator-unfriendly answer to 'who saw this between capture and redaction?'. Capture-time redaction inverts the question: nobody saw the raw value, and the redaction event is itself a log entry.

The implementation matters. Capture-time detectors must be deterministic, versioned, and applied before any human or model sees the input. The redacted token, the detector ID and the policy version are all recorded.

Making redaction auditable

ICO auditors ask three questions about a redaction control. Did the detector match? Was the matched span correctly redacted? Is there evidence the raw value never crossed the trust boundary? The first two are answered by the redaction log; the third is answered by infrastructure — the raw value was never written to a log, never sent to a downstream service, never seen by a model.
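The following is an added example, not AgentAudit's own code, of a capture-time redactor that meets the requirements set out above (deterministic, versioned detectors; a log carrying token, detector ID and policy version but never the raw value) together with an audit routine that answers the three questions in the order they are asked. The detector patterns, the policy version string, the HMAC-derived pseudonymous token format and the secret key are all assumptions made for the example; the input text is constructed and uses an Ofcom-reserved drama phone range.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import re
from dataclasses import asdict, dataclass

# Assumed policy identifier; recorded on every redaction event.
POLICY_VERSION = "pii-policy-2026.06"

# Deterministic, versioned detectors. The ID names the rule and its revision
# so a log entry identifies exactly which detector fired. Patterns are assumed.
DETECTORS = [
    ("email@1", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("uk-phone@1", re.compile(r"\b0\d{4}\s?\d{6}\b")),
]

# Constructed key for the demo only. A real deployment would load it from a
# secrets store; it must never be logged alongside the events.
TOKEN_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class RedactionEvent:
    """One log entry. Offsets refer to the redacted text, so the entry can be
    checked against the artefact that actually crossed the trust boundary."""
    detector_id: str
    policy_version: str
    start: int
    end: int
    token: str


def _token(detector_id: str, raw: str) -> str:
    # Keyed digest: the same raw value always yields the same token (so
    # downstream joins still work) without the raw value being recoverable.
    kind = detector_id.split("@")[0].upper()
    digest = hmac.new(TOKEN_KEY, raw.encode(), hashlib.sha256).hexdigest()[:8]
    return f"<{kind}:{digest}>"


def redact(text: str) -> tuple[str, list[RedactionEvent]]:
    """Redact at capture. Returns the text that may cross the boundary and the
    event log; the raw matched span is used only to derive the token."""
    matches = []
    for det_id, pattern in DETECTORS:
        for m in pattern.finditer(text):
            matches.append((m.start(), m.end(), det_id, m.group()))
    matches.sort()  # process left to right, deterministic across runs

    pieces: list[str] = []
    events: list[RedactionEvent] = []
    cursor = 0  # position in the raw text
    pos = 0     # position in the redacted text
    for start, end, det_id, raw in matches:
        if start < cursor:
            continue  # overlaps a span an earlier detector already redacted
        keep = text[cursor:start]
        pieces.append(keep)
        pos += len(keep)
        token = _token(det_id, raw)
        pieces.append(token)
        events.append(RedactionEvent(det_id, POLICY_VERSION, pos, pos + len(token), token))
        pos += len(token)
        cursor = end
    pieces.append(text[cursor:])
    return "".join(pieces), events


def serialize_log(events: list[RedactionEvent]) -> str:
    """JSON Lines form of the log as it would be written to storage."""
    return "\n".join(json.dumps(asdict(e), sort_keys=True) for e in events)


def audit(redacted: str, events: list[RedactionEvent]) -> dict:
    """Answers the three audit questions from the log and the redacted text:
    which detectors matched, whether every logged span really holds its token,
    and whether any detector still finds a match in what crossed the boundary."""
    matched = sorted({e.detector_id for e in events})
    spans_correct = all(redacted[e.start:e.end] == e.token for e in events)
    residual = [det_id for det_id, pattern in DETECTORS if pattern.search(redacted)]
    return {
        "matched": matched,
        "spans_correct": spans_correct,
        "residual_pii_detectors": residual,
    }


# Constructed sample input (01632 960xxx is a reserved, non-allocated UK range).
SAMPLE = "Contact jane.doe@example.org or 01632 960123 today."

if __name__ == "__main__":
    redacted_text, log = redact(SAMPLE)
    print(redacted_text)
    print(serialize_log(log))
    print(audit(redacted_text, log))
```

The audit deliberately works only from the redacted text and the log: if the third question can be answered from those two artefacts alone, the raw value was not needed to prove the control worked, which is the point of redacting at capture.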
