Neil's comments
<<As the exemption for backup data has gone this is another area which would
give problems.>>
<<As a matter of interest how have other organisations handled subject
access to backup data? >>
Under 1984 Act Exemption 17 'Back-up' data was exempt from subject access.
This continues until end of transitional period 1 ( Sch8 (12)) therefore not
an issue until 24/10/01. Then it's all hands to the pump given that assuming
the data controller has not implemented new processes to solve e.g. mirror
all data in real time and not backup to offline storage. Very few data
controllers will be lucky enough to be able to solve through technology
solutions alone. A controller can try to argue disproportionate effort
(Section 8 2a) due to the recovery of an entire system as opposed to the
individual records or convince the data subject to not pursue the backup
data (Section 8 2b). How successful these would be depends on what the data
subject knows about the Act, how annoyed they are with the controller and
how persistent they are in convincing the Commissioner to support the letter
of the Act.
I have heard several arguments along the lines of the back up is only a
copy of the live position. This clearly depends on the methods of backup and
technology used. Clearly a risk for data subjects is that recovery from
back-up puts back all errors corrected by data subject since back-up used to
recover was made. E.g. Data subject pursues and wins a case for libellous
email. Offending email deleted from live system, backup systems forgotten,
computer breakdown, recovery to last known position, libellous email
resurrected. New case.
The 1998 act does not exempt any data controller from supplying the record
set on backup just because it is the same as the set on live systems
(Section 7 c (i) ). It is up to the data subject to assess the impacts to
themselves and claim compensation where such impacts are due to failed
processes operated by the data controller. Very few controllers actually
test a recovery of live data in a real environment, so they do not get the
individual reporting problems which they formerly corrected.
I suggest controllers do not annoy a knowledgeable data subject such as
those on this list, they can make your life hell. E.g. Why have I not got
two copies of everything? Do you not have a backup? Personally I am
approaching 24/10/01 with trepidation due to access rights on back-up data
and manual files. I suspect 75% of data subjects will be persuaded that
backup data is not really necessary but 25% are usually annoyed enough to
want their pound of flesh. As Mark Thomas Channel 4 says 'Subject access is
the gift that keeps on giving'.
David Wyatt
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]]On Behalf Of Neil Chadwick
Sent: 01 February 2001 09:45
To: [log in to unmask]
Subject: Re: 40 days or not 40 days that is t
It's easy to search for a text string on an NT or Novell server but mainframes
are a different matter as they don't necessarily have all the data loaded at
any one time - it could only be fully automated where automatic media
management is installed. Manual, microfiche etc would obviously be out of the
scope of such a tool. Even if you got a text match someone would have to sift
through the results to find out if it referred to the correct data subject.
As the exemption for backup data has gone this is another area which would give
problems.
As a matter of interest how have other organisations handled subject access to
backup data?
Neil
__________________________________
Neil Chadwick
Stoke-on-Trent City Council
Ian Welton (31/01/01 9:29 pm):
>Have personally come to the conclusion that persons involved in processes or
>particular jobs are not always aware of all of the information which is
>available relating to that job, or any person mentioned within the data in
>their area, and cannot always find it all. I know to my cost that some
>subject access requests which are limited to specific data are not always
>easy to deal with when reliance is placed on human memories or application
>specific search mechanisms.
>
>I would be interested to hear of any software tools which are available and
>in use to search networks in order to compile a response to subject access
>requests.
>
>It is not unusual in my circumstances to receive the occasional subject
>access request for all personal data held, which can be particularly
>difficult to deal with effectively, so any tools which can simplify the task
>would be a great boon. The dream search tool would be able to search e-mail,
>word processing, spreadsheets, databases and other application specific data
>containing personal information across an organisational LAN/WAN. What
>about the security headache then though?
>
>
>Ian W
>
>----- Original Message -----
>From: "Broom, Doreen" <[log in to unmask]>
>To: <[log in to unmask]>
>Sent: Wednesday, January 31, 2001 3:59 PM
>Subject: Re: 40 days or not 40 days that is t
>
>
>> All
>> I note what you say but as I work with a local authority - I always write to
>> ask if there is specific information - one of my recent replies:
>> "Please send me the information I am entitled to under Section 7(1) and
>> 7(1)(d) of the DP Act 1998"...this does not give me specific information
>> e.g. Financial information etc...I think rather than be difficult - why not
>> give them their information (if they are entitled to it) and I put myself in
>> their position - what if it was me requesting the information? We are all
>> entitled to it!
>> Doreen Broom
>> Data Administrator
>> Scottish Borders Council
>> Council HQ
>> Newtown St.Boswells
>> Melrose
>> Borders TD6 0SA
>>
>> Tel: 01835 824000
>>
>>
>> > -----Original Message-----
>> > From: [log in to unmask] [SMTP:[log in to unmask]]
>> > Sent: 31 January 2001 15:15
>> > To: [log in to unmask]
>> > Subject: Re: 40 days or not 40 days that is t
>> >
>> > As far as I am concerned, you can definitely wait until the data subject
>> > has provided all the 'necessary' information before the 40-days begins.
>> >
>> > Regards
>> >
>> > Matthew
>> >
>> >
>> >
>> >
>> > [log in to unmask]@JISCMAIL.AC.UK> on 31/01/2001 15:01:00
>> >
>> > Please respond to [log in to unmask]
>> >
>> > Sent by: This list is for those interested in Data Protection issues
>> > <[log in to unmask]>
>> >
>> >
>> > To: [log in to unmask]
>> > cc: (bcc: Matthew Nunn/Registry/Southampton Institute)
>> > Subject: 40 days or not 40 days that is t
>> >
>> >
>> > Date: 31 January 2001
>> > To: internet EXTERNAL
>> > From: Stuart Roderick GBSAFE00 HR Systems
>> >
>> > Subject: 40 days or not 40 days that is the Q
>> >
>> > /internet
>> > to: [log in to unmask]
>> >
>> > Dear All,
>> >
>> > Under the DPA98 we have to comply within 40 days of receiving a request from
>> > an individual.
>> >
>> > My question is this- What happens if the individual does not supply sufficient
>> > data on their letter to enable us to search for them on our systems. If we
>> > respond to their request and ask for more details and they take 38 days to
>> > respond can we start the 40 days from the date of their response or is it from
>> > the initial date of the 1st letter??
>> >
>> > Many thanks for your help
>> >
>> > Stuart
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> > Stuart Roderick
>> > HR Systems Executive