Data Protection Act Ireland
Back-up data are defined in the Data Protection Acts, 1988 & 2003 as being “data kept only for the purpose of replacing other data in the event of their being lost, destroyed or damaged”. In order to come within the definition of ‘back-up data’, data cannot be part of a live system nor can they be used for any purpose other than replacing lost, destroyed or damaged data.
What constitutes lost, destroyed or damaged data?
Data that is either accidentally or deliberately deleted can be considered to be destroyed. Data that can no longer be found may be considered to be lost. Damaged data may result from files being corrupted.
However, a draft of a work-in-progress which is later overwritten is not considered to have been damaged or destroyed unless there is a clear policy of retaining drafts, in which case the draft should not have been overwritten.
What is the purpose of backing-up data?
There is a requirement in the Data Protection Act that adequate measures be taken to prevent the unauthorised destruction or alteration of data.
“appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data..”
By backing-up data, a data controller/processor is taking steps to recover from such actions. In general, back-ups are most useful in a disaster recovery situation, where there has been a catastrophic system failure resulting in a large-scale, if not total, loss or corruption of data.
For how long should back-up data be held?
This depends on how long after an event it is likely to be discovered that data have been lost, destroyed or damaged. This time period will depend both on the nature of the data and the nature of the organisation processing the data. For most situations, it would not be reasonable to keep more than a small number (ten or fewer) of back-up tapes. On a daily back-up regime, this would allow for two working weeks in which to discover that data were lost, destroyed or deleted.
“93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster.” (National Archives & Records Administration in Washington)
Security of Personal Data
“Appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”
The security of personal information is all-important. It will be more significant in some situations than in others, depending on such matters as confidentiality and sensitivity. High standards of security are, nevertheless, essential for all personal information. Both “data controllers” and “data processors” must meet the requirement to keep data secure.