Audit evidence
Defensible by construction. Not by recollection.
Every passage decision lands in a hash-chained ledger. When the ICO asks why a passage was redacted, the answer is already written: the rule, the reasoning, the reviewer, the time.
Hash-chained
Each record's hash covers its own contents plus the prior record's hash. Alter any record and verification fails at that record and at every link after it.
Reproducible
Re-run any decision from inputs at any time. Same bundle, same ruleset version, same result.
Time-attested
Every record carries a server timestamp signed at write. Sequence is not editable after the fact.
Identity-attached
Each reviewer action is bound to a named officer. Anonymous decisions are not possible by design.
The ledger
What the ICO sees, if asked.
Every record. Every passage. Every change of mind. The bundle that left your perimeter, and the chain of reasoning behind it.
| Seq | Passage | Rule | Decision | Reviewer | Audit | Hash (prev → this) |
|---|---|---|---|---|---|---|
| 0001 | p.3 / 0x07 | TP-PII | Redact | K. Owusu (DPO) | concur | 0000 → 4f3a |
| 0002 | p.3 / 0x12 | NOT-REL | Out of scope | K. Owusu (DPO) | concur | 4f3a → b91e |
| 0003 | p.7 / 0x1A | TP-PII | Redact | K. Owusu (DPO) | concur | b91e → 28cc |
| 0004 | p.12 / 0x03 | MGMT-NEG | Override → Release | K. Owusu (DPO) | dissent (logged) | 28cc → e07f |
| 0005 | p.14 / 0x0B | LPP | Redact | K. Owusu (DPO) | concur | e07f → a142 |
Illustrative ledger. Real ledger entries include full rule-ID versioning, the reviewer's signed reason for any override, and the integrity verifier's signature on export.
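As an added example (not SART's code; the record fields follow the illustrative table, while the SHA-256 chaining rule, the genesis value, the timestamps and the verification walk are assumptions), here is a small hash-chained ledger that shows both what the chain catches and what it cannot catch on its own. An in-place edit fails the edited record and everything after it; an attacker who rewrites every hash from the edit onward produces a self-consistent chain, which is why the head hash has to be anchored outside the ledger, for instance by the signature on export described above.

```python
"""Hash-chained audit ledger: build, verify, detect tampering.

Added example, not SART's code. Record fields mirror the illustrative
table; the hashing and verification rules are assumptions.
"""
import hashlib
import hmac
import json
from copy import deepcopy

GENESIS = "0" * 64  # assumed prior-hash value for the first record

# Constructed records mirroring the illustrative table (not real case data).
RECORDS = [
    dict(passage="p.3 / 0x07", rule="TP-PII", decision="Redact",
         reviewer="K. Owusu (DPO)", audit="concur", ts="2024-05-01T09:00:00Z"),
    dict(passage="p.3 / 0x12", rule="NOT-REL", decision="Out of scope",
         reviewer="K. Owusu (DPO)", audit="concur", ts="2024-05-01T09:01:10Z"),
    dict(passage="p.7 / 0x1A", rule="TP-PII", decision="Redact",
         reviewer="K. Owusu (DPO)", audit="concur", ts="2024-05-01T09:02:45Z"),
    dict(passage="p.12 / 0x03", rule="MGMT-NEG", decision="Override -> Release",
         reviewer="K. Owusu (DPO)", audit="dissent (logged)", ts="2024-05-01T09:05:30Z"),
    dict(passage="p.14 / 0x0B", rule="LPP", decision="Redact",
         reviewer="K. Owusu (DPO)", audit="concur", ts="2024-05-01T09:06:12Z"),
]


def canonical(entry: dict) -> bytes:
    """Serialise every field except the hash itself, in a fixed key order,
    so that whitespace or key order can never change the digest."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def chain_hash(entry: dict, prev_hash: str) -> str:
    """Digest of the record contents together with the previous record's hash."""
    return hashlib.sha256(canonical({**entry, "prev": prev_hash})).hexdigest()


def append(ledger: list, record: dict) -> dict:
    """Append a record, linking it to the current chain head."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"seq": len(ledger) + 1, **record, "prev": prev}
    entry["hash"] = chain_hash(entry, prev)
    ledger.append(entry)
    return entry


def build_ledger(records=RECORDS) -> list:
    ledger = []
    for record in records:
        append(ledger, record)
    return ledger


def verify(ledger: list) -> list:
    """Recompute the chain from genesis and return the seq numbers whose
    stored hash or prev pointer disagrees.  The running digest is carried
    forward rather than read from each record, so one altered record
    fails itself and every record after it."""
    bad, running = [], GENESIS
    for entry in ledger:
        expected = chain_hash(entry, running)
        if entry["prev"] != running or not hmac.compare_digest(expected, entry["hash"]):
            bad.append(entry["seq"])
        running = expected
    return bad


def tamper_in_place(ledger: list, seq: int, **changes) -> list:
    """Naive attacker: edit one record's fields and touch nothing else."""
    copy = deepcopy(ledger)
    copy[seq - 1].update(changes)
    return copy


def rewrite_from(ledger: list, seq: int, **changes) -> list:
    """Stronger attacker: edit record `seq`, then recompute every later
    hash so the chain is internally consistent again."""
    forged = deepcopy(ledger[:seq - 1])
    for entry in ledger[seq - 1:]:
        record = {k: v for k, v in entry.items() if k not in ("seq", "prev", "hash")}
        if entry["seq"] == seq:
            record.update(changes)
        append(forged, record)
    return forged


def head_matches(ledger: list, anchored_head: str) -> bool:
    """Compare the chain head with a hash held outside the ledger (for
    example in a signed export).  A rewritten chain has a different head."""
    return hmac.compare_digest(ledger[-1]["hash"], anchored_head)


if __name__ == "__main__":
    ledger = build_ledger()
    anchored_head = ledger[-1]["hash"]          # what a signed export would carry
    print("clean:", verify(ledger))             # []
    print("edited in place:", verify(tamper_in_place(ledger, 3, decision="Release")))  # [3, 4, 5]
    forged = rewrite_from(ledger, 3, decision="Release")
    print("rewritten chain:", verify(forged))   # []  -- self-consistent
    print("rewritten chain matches anchor:", head_matches(forged, anchored_head))  # False
```

The verification walk deliberately ignores each record's stored `prev` pointer as the source of truth and carries its own running digest from genesis, which is what makes a single edit show up on every later record rather than only on the one that was touched. The second attacker model is the caveat to keep in mind: a chain is only evidence of integrity relative to some head value the attacker could not change, so the head must be signed, exported or otherwise committed outside the writer's control.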
ICO defensibility
The defensible answer is already written.
UK GDPR and the Data Protection Act 2018 don't require perfection — they require defensibility. The standard the ICO applies to a complaint is whether your decisions were reasonable, attributable, and documented at the time they were made.
SART's ledger is built to answer those three questions in one motion: the recommendation, the human override (if any) with its reason, the named reviewer, the timestamp, and the hash chain that proves nothing was edited after sign-off.