What should I do if we find scanned PII in a digitization project that should have been redacted before public release?
Finding personally identifiable information (PII) in a scanned record that has already been released publicly is a privacy incident, and it should be handled as one. The discovery may feel like a small clerical slip, but unredacted Social Security numbers, medical details, financial data, or other sensitive information can cause real harm. Treat the situation with urgency and follow your organization’s established process rather than acting alone.
Contain the exposure first
Move quickly to limit further disclosure:
- Take the affected image or document set offline, or restrict access, while you investigate.
- Preserve the original record and the released version exactly as they are — do not silently overwrite or delete. You need an accurate record of what was exposed.
- Note when the exposure began, what was visible, and through what channel (public portal, FOIA reading room, open dataset, etc.).
Report through the right channels
Do not attempt to quietly fix and re-post. Notify the people whose job it is to evaluate the incident:
- Your records manager or information governance lead.
- Your privacy officer, FOIA officer, or general counsel, depending on your organization.
- Where applicable, the official responsible for breach assessment, who determines whether notification to affected individuals or oversight bodies is required.
Privacy frameworks and the Privacy Act are built around accountability and timely handling of exactly this kind of event, so the determination of next steps belongs to those designated roles.
Remediate properly
Once the incident is logged, correct the underlying record:
- Apply true redaction that removes the data from the image and any text layer (OCR), not a visual overlay that can be copied or stripped away.
- Re-release only the properly redacted version, and confirm the original unredacted copy is access-controlled.
Fix the process, not just the file
A single missed redaction usually points to a workflow gap. Strengthen the quality-control step in your digitization and release pipeline: require a redaction review before public posting, document who performs it, and build PII detection into intake. For broader guidance, see the digitization and imaging topic hub.
Handled well, an exposure becomes an opportunity to make your release process more trustworthy.
Sources & further reading
Authoritative government and non-profit references.
- Privacy Act of 1974 — U.S. Department of Justice
- NIST Privacy Framework — NIST
How to cite this page
APA
RM University Editorial. (2026). What should I do if we find scanned PII in a digitization project that should have been redacted before public release?. Records Management University. https://www.recordsmgmt.org/questions/what-to-do-if-scanned-pii-not-redacted-before-release/
MLA
RM University Editorial. "What should I do if we find scanned PII in a digitization project that should have been redacted before public release?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/what-to-do-if-scanned-pii-not-redacted-before-release/.
Related questions
- Are Microsoft Copilot and ChatGPT outputs considered records, and how do you capture them?
- Are scanned copies legally admissible in the UK under the BS 10008 standard the same way they are in the US?
- Are scanned copies of documents admissible to the SEC and FINRA, and do broker-dealers still need WORM storage after digitizing?
- Are scanned documents legally admissible in court?
- Are there industries where scanning and shredding originals is prohibited by law?