> the problem is that some of the information is ONLY available on the
> backup tapes - e.g. web access logs that have since been overwritten,
> copies of emails that were in transit at the time, etc.
>
> If my employer holds this personal data and is holding it for a notified
> purpose (e.g. monitoring or investigation of alleged misuse) then it is
> surely reasonable for the data subject (me) to have this information
> disclosed on request.

It seems to me that the operative point here is that the material is ONLY on
the backups. In other words, it has been deleted from the live systems. I
think it could be argued that this information is not relevant for a data
subject access request. The only way of finding out if there is any relevant
data would be to restore the backups and do a search. I personally think
this is going over the top in these cases.

Take the instance where information is on a hard disk, and is subsequently
deleted. The fact that the data *could* be retrieved by forensic techniques
doesn't in my book mean that it's reasonable to expect it to be provided in
the case of a subject access request. I consider a backup to be outside the
scope for similar, if not so well-defined, reasons.

If backups were to be relevant, it would indeed be difficult to comply with
the law. Consider where a data subject points out some inaccuracy. OK, the
controller makes the relevant change on the current system. But I can't see
any court, let alone the Data Protection Commissioner, expecting the changes
to be reflected in all the existing backups.

Anybody else have a viewpoint on this?
--
Tim Wright
IT Security Manager
Fuji Bank, London