When Redactions Un-Redact Themselves: The Cornwall Council GDPR Breach Explained
In February 2026, a UK local authority handed a councillor something no data controller should ever send: a set of PDF documents that appeared redacted on the surface but revealed the full personal details of 10 complainants the moment the files were opened. Names, home addresses, email addresses, and phone numbers — data that four of those complainants had explicitly requested be withheld — were all suddenly visible.
The councillor’s response, posted publicly on social media, summed up the absurdity perfectly: “Want to know how it became unredacted? I opened the files!”
This is not a sophisticated cyberattack. There was no ransomware, no phishing campaign, no zero-day exploit. This is a straightforward, entirely preventable technical failure — the kind that compliance teams across the public and private sector repeat with alarming regularity. And under UK GDPR, “we thought it was redacted” is not a defence.
What Happened at Cornwall Council
In November 2025, Cornwall Council received ten formal complaints about comments made by Dulcie Tudor, an independent councillor for the Threemilestone and Chacewater area. The complaints related to remarks Tudor made during a council meeting touching on the UK Supreme Court’s April 2025 ruling on the legal definition of a woman under the Equality Act 2010.
Standard procedure in complaints handling is to share the complainant submissions with the person complained about — in this case, Councillor Tudor. Four of the ten complainants had explicitly requested that their personal identifying information be redacted from the copies shared with her.
Here is where Cornwall Council’s data protection process failed.
The complaints were sent to Cllr Tudor as PDF attachments. The council’s position, communicated after the breach came to light, was that “no wrongdoing occurred because when the complaints were sent to [her] as attachments, the complainants’ personal information was redacted.”
But when Tudor opened the files, all ten complainants’ full details were visible — including the four who had specifically opted out of identification. She could see home addresses. Phone numbers. Email addresses. She noted she could also identify whether complainants were council officers or elected councillors.
“It’s crazy,” she said. “I shouldn’t know that.”
Making matters worse, because of the complaints, Tudor was required to pass the documents to the Free Speech Union, which was representing her — meaning the inadvertently exposed personal data was shared even further. Tudor also reported the breach to the Information Commissioner’s Office (ICO) on behalf of the complainants, since Cornwall Council had not confirmed it had done so itself, nor had it confirmed whether complainants had been notified.
The Technical Failure: How Redactions Un-Redact Themselves
For anyone outside document management or data protection, the idea of a redaction “un-redacting” sounds almost comically incompetent. But this failure mode is well-understood in technical circles and startlingly common in practice.
The Black Box Problem
The most widespread redaction failure is deceptively simple: someone takes a Word document or PDF, draws a black box or black highlight over the sensitive text, and exports or saves it. Visually, the document looks redacted. But the underlying text is still there.
This occurs because many PDF creation and editing tools treat visual elements as separate layers from the text layer. When you place a black rectangle over text in many applications, you are not removing the text — you are merely covering it. The text data remains embedded in the file. Anyone who selects all, copies, and pastes into a text editor will see everything. Alternatively, editing the PDF to remove or recolour the black overlay instantly restores visibility.
Adobe Acrobat’s own documentation explicitly warns that “redaction removes only visible text and graphics” and that “hidden data, such as metadata or embedded content, must be sanitized separately.” This distinction — between marking for redaction and applying permanent redaction with sanitization — is lost on countless document handlers.
PDF Layers and Metadata
PDFs can contain multiple layers. A document might have a scanned image layer, a text recognition (OCR) layer, annotation layers, and embedded metadata — all stacked on top of one another. A black rectangle placed in an annotation layer does nothing to the text layer beneath it.
In some configurations, particularly with PDFs that have been through OCR processing or certain print-to-PDF workflows, the redaction overlay can simply disappear when the file is opened in a different PDF viewer, on a different operating system, or in certain accessibility modes. The “redacted” document that looks correct in one context can display entirely unredacted in another.
The Export/Re-Save Trap
Another common failure: a user correctly applies redaction in a tool like Adobe Acrobat Pro (which, when used properly, does permanently delete the underlying content), but then saves a copy of the pre-redaction version alongside the redacted version, and sends the wrong file. Or the document management system automatically versions files, and the attachment retrieved for sending is the pre-redaction draft.
Given that Cornwall Council confirmed the files “were redacted when sent,” the most likely scenario is one of the failures described above: a visual overlay that provided no actual protection, or a version control error that sent the wrong file.
GDPR Implications: What Cornwall Council May Have Violated
This breach is not merely embarrassing — it has clear legal dimensions under UK GDPR and the Data Protection Act 2018.
Article 5: Principles of Data Processing
UK GDPR Article 5(1)(f) requires that personal data be processed with “appropriate security… against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures” (the integrity and confidentiality principle).
Sending documents with ineffective redaction directly violates this principle. The council had a procedural obligation to verify that redaction actually worked before sharing documents containing personal data.
Article 32: Security of Processing
Article 32 requires data controllers to implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk. For documents containing home addresses and contact details of individuals who had specifically requested anonymity — people filing complaints who might face retaliation — the risk level was clearly elevated.
A basic verification step (open the document, check the redactions hold) would have caught this failure. The absence of such a step suggests missing or inadequate organisational procedures.
Articles 33 and 34: Breach Notification
Under Article 33, Cornwall Council had a 72-hour window from becoming aware of the breach to notify the ICO. The fact that Cllr Tudor — not the council — appears to have made the ICO notification, and that the council had not confirmed its own notification at the time of Tudor’s public video, raises significant concerns about whether this obligation was met.
Under Article 34, where a breach is likely to result in a high risk to the rights and freedoms of individuals, the affected data subjects must be notified directly “without undue delay.” Given that home addresses were exposed for complainants who had explicitly requested anonymity — a group that may have had specific personal safety reasons for that request — this threshold appears to have been met. Whether complainants were notified, and how quickly, had not been confirmed publicly at the time of writing.
The “No Wrongdoing” Defence
Cornwall Council’s position that no wrongdoing occurred because files were redacted at the time of sending is legally and practically untenable. Under UK GDPR, the question is not the controller’s intent but the outcome: personal data was processed in a manner that resulted in unauthorised disclosure. The council is responsible for ensuring that its redaction process actually works, not merely that it believed a redaction had been applied.
The ICO has consistently held organisations responsible for redaction failures. In its trends reporting, the ICO has flagged “failure to redact” as a recurring category of breach, recording 75 such cases in a single quarter as far back as Q4 2019. This is a known risk, and organisations have been on notice for years.
A Pattern, Not an Anomaly
Cornwall Council is far from alone. Redaction failures have become one of the most persistent categories of data breach in UK public sector organisations.
The Post Office Horizon scandal produced a notable example in 2025, when the ICO reprimanded Post Office Limited for a data breach involving unauthorised disclosure of personal information belonging to postmasters — another case where document handling processes broke down for people in an already vulnerable position.
Police forces have a particularly troubled record. Academic research has highlighted UK police forces sharing FOI responses where sensitive information was “redacted” by converting Word documents with highlighted text to PDF — a method that preserves the underlying text completely. The University of East Anglia’s law school research specifically warned that PDF conversion from Word is not effective redaction.
Legal and financial sectors face the same problem. Court filings have repeatedly exposed personal and commercially sensitive data through failed redaction, including a notable 2021 incident in US federal courts where lawyer redaction failures in high-profile cases exposed confidential information. The UK courts have seen similar issues in heavily litigated matters.
NHS and healthcare trusts regularly appear in ICO reprimand records for redaction-related breaches, particularly in Subject Access Request responses where sensitive third-party information should be withheld but is merely covered rather than removed.
The common thread: organisations treat redaction as a visual task rather than a data removal task.
How to Actually Redact Documents Properly
Redaction done properly means permanently removing content from the document file — not hiding it behind a visual element that can be moved, removed, or ignored.
For PDFs: Adobe Acrobat Pro
Adobe Acrobat Pro includes a dedicated Redact tool (found under Tools > Redact a PDF). Critically, this tool does two things when applied correctly:
- Mark for redaction: Selects the content to be removed.
- Apply redactions: Actually deletes the underlying content and replaces it with a redaction mark.
The key step that many users miss: after marking, you must click Apply — this is what performs the actual deletion. Marking alone does nothing permanent. After applying, Acrobat also prompts to run the Sanitize Document function, which removes hidden metadata, embedded content, scripts, and other data that may remain even after visible redaction.
Always save the redacted document as a new file. Never overwrite your master copy.
For Word Documents
Microsoft Word’s Inspect Document feature (File > Info > Check for Issues > Inspect Document) can identify and remove hidden data, comments, tracked changes, and metadata before you export to PDF. However, for the most sensitive documents, export to plain text and rebuild is safer — Word’s PDF export can retain more metadata than users expect.
Open-Source and Specialist Tools
- Dangerzone (open source): Converts documents into a safe PDF by rendering each page as a pixel image, stripping all underlying data — metadata, text layers, embedded objects. Ideal for documents where you need absolute certainty.
- QPDF: Command-line tool that can manipulate PDF structure and is useful for verifying what content is actually present in a document.
- PDF24 / Smallpdf: Web-based tools with redaction features — useful for low-sensitivity documents but raise their own data protection questions (you’re uploading documents to a third-party server).
Verification: The Step Everyone Skips
After redacting, verify the redaction actually worked:
- Open the saved redacted file (not the pre-redaction original).
- Use Ctrl+A to select all text, then copy and paste into a plain text editor.
- Check that the redacted content does not appear in the pasted text.
- Try opening the file in a different PDF viewer (e.g., browser PDF viewer, not just Acrobat).
- For highly sensitive documents, run the file through a PDF analysis tool to inspect the document structure.
This is the step Cornwall Council apparently skipped.
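To make both the “black box” failure and the verification step concrete, here is an added example (not code from the article or from any of the tools it names). It builds a constructed one-page PDF in which a complainant’s details are drawn as text and then covered with a black rectangle, then runs the equivalent of the select-all-and-paste check against the file. The complainant details, the helper names and the simplified PDF parsing are all assumptions made for the demonstration.

```python
import re
import zlib

# Constructed sample (not a real council file): one page whose content stream
# draws a complainant's details as text and then paints a black rectangle
# over them. Visually the page looks redacted; the text operators remain.
PAGE_CONTENT = (
    b"BT /F1 12 Tf 72 700 Td (Complainant: Jane Doe, 12 High St, 01234 567890) Tj ET\n"
    b"0 g 70 695 320 16 re f\n"  # the 'redaction': a black box drawn on top of the text
)

def build_cover_only_pdf(content: bytes) -> bytes:
    """Wrap `content` in a minimal one-page PDF with a Flate-compressed content stream,
    so the details are not visible in a hex dump or grep but are still in the file."""
    data = zlib.compress(content)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(data) + data + b"\nendstream",
    ]
    out, offsets = b"%PDF-1.4\n", []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return out

# Simplifications: handles uncompressed and FlateDecode streams and literal
# strings shown with Tj; TJ arrays, hex strings and escaped parentheses are ignored.
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\nendstream", re.S)
TEXT_RE = re.compile(rb"\((.*?)\)\s*Tj")

def extract_text_layer(pdf: bytes) -> str:
    """The automated equivalent of 'select all, copy, paste into a text editor'."""
    shown = []
    for stream_dict, raw in STREAM_RE.findall(pdf):
        data = zlib.decompress(raw) if b"/FlateDecode" in stream_dict else raw
        shown += [s.decode("latin-1") for s in TEXT_RE.findall(data)]
    return "\n".join(shown)

def redaction_leaks(pdf: bytes, sensitive) -> list:
    """Return the sensitive values that should have been removed but are still present."""
    text = extract_text_layer(pdf)
    return [value for value in sensitive if value in text]
```

Calling `redaction_leaks(build_cover_only_pdf(PAGE_CONTENT), ["Jane Doe", "12 High St", "01234 567890"])` returns all three values even though the page renders with a black box over them and the raw bytes of the file contain none of them; a genuinely redacted file would return an empty list.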
Actionable Recommendations for Compliance Officers
If you are responsible for data protection at a local authority, NHS trust, law firm, or any organisation that regularly handles and redacts documents, the Cornwall Council case should be a direct call to audit your procedures now.
1. Audit your current redaction tools and procedures immediately.
Document what tools staff are using to redact documents. Test whether those tools actually work. Many organisations discover for the first time that their “redaction process” is producing cover-only outputs.
2. Implement a mandatory verification step.
Any document that has been redacted must be verified before sending. This should be a formal sign-off step in your document handling procedure — not an informal expectation. The person who applies the redaction should not be the only person who verifies it.
3. Establish a version control protocol for redacted documents.
Redacted documents should be saved as clearly labelled new files (e.g., complaint-smith-REDACTED-FINAL.pdf). The pre-redaction version must not be accessible in the same workflow that handles outbound document sharing.
4. Train staff — specifically on the difference between covering and removing.
Most people’s intuitive model of redaction is “put a black box over it.” GDPR training must explicitly address this misconception. The ICO has flagged staff training as a direct causal factor in redaction failures.
5. Review your Article 33/34 breach response readiness.
Do you know who is responsible for notifying the ICO within 72 hours? Do you have a process to identify affected data subjects and notify them? The Cornwall case suggests the council’s breach response procedures were either non-existent or not followed.
6. Apply heightened scrutiny to complainant and whistleblower data.
Data subjects who have specifically requested anonymity — particularly those filing complaints — represent an elevated risk category. Any document handling involving this data should have additional controls, including a secondary review of redactions before release.
7. Consider dedicated redaction software for high-volume workflows.
Organisations processing large volumes of documents (FOI responses, SAR responses, complaints handling) should evaluate purpose-built redaction platforms rather than relying on general-purpose PDF tools. These include Relativity Redact, Redactable, and government-sector tools like DACS (Document Access Control Solution).
Key Takeaways
- Cornwall Council sent redacted PDFs that revealed all personal data when opened — exposing names, addresses, emails, and phone numbers of complainants who had explicitly requested anonymity.
- The failure mechanism is a well-known technical problem: using visual overlays instead of actual content removal. Redaction must permanently delete the underlying data, not just hide it.
- UK GDPR Articles 5, 32, 33, and 34 are all potentially engaged. The council’s “we thought it was redacted” defence has no legal standing — the obligation is to ensure redaction works, not merely to attempt it.
- This is not unusual. Redaction failures are one of the most consistently recurring breach categories in the UK, affecting public authorities, police forces, healthcare providers, and legal services alike.
- The fix is not complicated, but it requires deliberate process change: use proper redaction tools (like Adobe Acrobat Pro’s dedicated Redact function with Sanitize Document), implement mandatory verification steps, train staff on the technical reality of PDF redaction, and establish clear version control for redacted documents.
- For compliance officers, the Cornwall case is a diagnostic tool. If you cannot clearly describe how your organisation redacts documents, verifies those redactions, and handles version control for redacted files — you likely have the same vulnerability.
Cornwall Council did not respond to media requests for comment at the time of initial reporting. The ICO had not publicly announced an investigation at time of writing, though a complaint was filed on behalf of the affected data subjects.
For UK GDPR compliance guidance on data breaches, see the ICO’s Report a breach page and the ICO’s guidance on keeping personal data secure.