> It seems to me that the operative point here is that the material is ONLY on
> the backups. In other words, it has been deleted from the live systems. I
> think it could be argued that this information is not relevant for a data
> subject access request. The only way of finding out if there is any relevant
> data would be to restore the backups and do a search. I personally think
> this is going over the top in these cases.
-----

During the first transitional period, backup data is not available under the
subject access provisions (Section 12, Schedule 8).  However, it appears
archived material is.  After 24 October 2001 backup data may be accessible
via subject access if the data subject so requests.

In discussing the necessity to access backups in response to a subject
access request (when that becomes necessary) it will probably be down to a
judgement of the person responsible for data protection within the
organisation on what constitutes disproportionate effort when balanced
against the data subject's requirements.  Difficult decisions are ahead for
some.  Any decision will need to be defendable at Tribunal or Court.  Will
some test of proportionality (as in the Human Rights Arena) be required as
data protection develops in this area....

Ian
----- Original Message -----
From: Tim Wright <[log in to unmask]>
To: Data Protection List <[log in to unmask]>
Sent: Friday, March 24, 2000 2:28 PM
Subject: Re: monitoring of computer (mis)use


> > the problem is that some of the information is ONLY available on the
> > backup tapes - e.g. web access logs that have since been overwritten,
> > copies of emails that were in transit at the time, etc.
> >
> > If my employer holds this personal data and is holding it for a notified
> > purpose (e.g. monitoring or investigation of alleged misuse) then it is
> > surely reasonable for the data subject (me) to have this information
> > disclosed on request.
>
> It seems to me that the operative point here is that the material is ONLY on
> the backups. In other words, it has been deleted from the live systems. I
> think it could be argued that this information is not relevant for a data
> subject access request. The only way of finding out if there is any relevant
> data would be to restore the backups and do a search. I personally think
> this is going over the top in these cases.
>
> Take the instance where information is on a hard disk, and is subsequently
> deleted. The fact that the data *could* be retrieved by forensic techniques
> doesn't in my book mean that it's reasonable to expect it to be provided in
> the case of a subject access request. I consider a backup to be outside the
> scope for similar, if not so well-defined, reasons.
>
> If backups were to be relevant, it would indeed be difficult to comply with
> the law. Consider where a data subject points out some inaccuracy. OK, the
> controller makes the relevant change on the current system. But I can't see
> any court, let alone the Data Protection Commissioner, expecting the changes
> to be reflected in all the existing backups.
>
> Anybody else have a viewpoint on this?
>
> --
> Tim Wright
> IT Security Manager
> Fuji Bank, London


