IANAL, but that looks like a DPA violation.
I'd suggest that returning the data in usable form on request up to a
year after they close down would be a reasonable expectation, and
individually alerting users, and ensuring that the users have
understood, before removing access or making the data unusable by
recovery may be an expectation which would be widely supported.
Actually sending the user's data to the user is something I think comes
close to proper practice, either as hard copy, or more economically and
usefully on a USB chip.
I shall emphasise again that I never trusted them to be reliable or
useful, based on observations of such things in association with
administration and the NHS over many years.
--
A
|