What Personal Information Must Be Redacted From Legal Files?
Redacting personal information from legal files involves two overlapping sets of obligations: statutory and rule-based requirements that mandate specific redactions as a condition of filing or disclosure, and professional responsibility obligations that require attorneys to protect client and third-party information as a matter of competence and confidentiality. Both apply simultaneously, and neither excuses compliance with the other.
Statutory and rule-based requirements
FRCP 5.2 sets the federal civil baseline for documents filed with federal courts. It requires partial redaction of five categories:
- Social Security and taxpayer identification numbers: last four digits only
- Financial account numbers: last four digits only
- Dates of birth: year only
- Names of minor children: initials only
- Home addresses in criminal cases: city and state only
Federal Rule of Criminal Procedure 49.1 mirrors these requirements for criminal filings. State court rules are substantially similar, with many states adding categories that FRCP 5.2 does not cover. New York's 22 NYCRR 202.5(e) adds medical and mental health information. California Rule of Court 1.201 covers SSNs and financial account numbers. Illinois Supreme Court Rule 138 covers SSNs, dates of birth, driver's license numbers, financial account numbers, and debit and credit card numbers.
Categories that appear across rule sets and regulations
Beyond the FRCP 5.2 minimum, the following categories of personal information appear consistently across federal and state requirements, professional rules, and regulatory frameworks:
- Home addresses and personal contact information: Private residential addresses and personal phone numbers for parties and non-parties are redacted in many state courts and whenever documents are publicly disclosed.
- Driver's license and government ID numbers: Covered by many state court rules and state data breach notification statutes.
- Immigration status: A category with extraordinary sensitivity. 8 CFR 208.6 restricts disclosure of asylum application information. Many state courts treat immigration status as presumptively confidential.
- Medical and health information: Medical records, diagnoses, treatment details, and prescription information appear in personal injury, employment, workers' compensation, and family law matters. Even outside HIPAA-governed contexts, medical information is redacted when not directly material to the proceeding.
- Mental health records: Most states give mental health records heightened statutory protection separate from general medical records. Psychiatric evaluations, therapy notes, and mental health diagnoses require redaction in most contexts even when other medical records would be produced.
- Substance use treatment records: Protected by 42 CFR Part 2 at the federal level, which imposes consent requirements before disclosure that are stricter than HIPAA.
- Sexual history and orientation: Protected in family law, criminal, and civil rights matters. Many states bar disclosure without judicial authorization.
- Financial account details beyond the FRCP 5.2 minimum: Under the terms of most protective orders, full account statements, credit scores, and loan histories are redacted in discovery and in court filings, which goes beyond what the last-four-digit rule technically requires.
Professional responsibility obligations
Model Rule of Professional Conduct 1.6 prohibits disclosure of information relating to the representation of a client without informed consent, a recognized exception, or implied authorization. Model Rule 1.1 requires competent representation, which includes competent handling of client and third-party information. The ABA has issued multiple formal opinions clarifying that inadvertent disclosure of information through failed redaction can constitute a violation of Rule 1.6.
Non-party information presents a distinct obligation. When legal files contain personal information about individuals who are not parties to the matter, including witnesses, family members, employees, and bystanders, the attorney has no client relationship with those individuals but still owes them reasonable care against unnecessary exposure. Redacting non-party personal information from documents that will be filed publicly or produced in litigation is standard practice and, in many courts, required.
What AI detection covers
RedactifyAI automatically identifies over 40 entity categories across PDFs, Word documents, and scanned images, including SSNs, dates of birth, financial account numbers, addresses, medical record numbers, immigration-related identifiers, and names configured as non-party individuals. This allows reviewers to flag every instance of a sensitive category across a document batch before applying manual judgment to each redaction decision, rather than searching for identifiers line by line.
Context controls the scope
The required scope of redaction shifts based on where the document is going. A document produced under a protective order in discovery may require only the categories the order defines. A document submitted as a public court exhibit must comply with FRCP 5.2 and local rules. A document released in response to a public records request must comply with the applicable state public records statute, which often has its own exemption list that overlaps with but does not duplicate the court filing rules. Always confirm the destination and the governing framework before finalizing any redaction set.