 |
 |
-----Original Message-----
From: Ian Welton [mailto:[log in to unmask]]
Sent: 27 March 2000 02:39
To: [log in to unmask]
Subject: Re: monitoring of computer (mis)use
----- Original Message -----
From: Tim Wright <[log in to unmask]>
To: Data Protection List <[log in to unmask]>
Sent: Monday, March 27, 2000 9:22 AM
Subject: Re: monitoring of computer (mis)use
> I would suggest that there is more than a subtle difference between
routine
> backup and a data archive. It may, depending on the circumstances, be
> necessary to provide information from an archive in response to a subject
> access request. However, I think it would generally be unreasonable to
> access backups for this purpose.
>
----The debate of unreasonableness needs to be undertaken following receipt
of each subject access request. Consider an individual who has suffered
very significant harm as a result of personal data which has been deleted
from the main system but which would still exist in the back ups, or if it
did not exist that none existence would provide a defence for the
organisation. It would seem unreasonable not to respond to that particular
request.
Issues such as this will at times become difficult for data protection
practitioners, as they may on occasions be seen to be going against their
organisations interests. But relating that back to the EU Directive
(95/46/EC), which the DPA 1998 is based on and where our responsibilities
come from:-
"on the protection of individuals with regard to the processing of personal
data and on the free movement of such data"
makes it clear such stances may be required. Meanwhile back in the real
world is difficult to get organisations to realise that the most efficient
way of running a back up regime is not necessarily the best, when these other
considerations may need to be dealt with.
Ian Welton