Both are two subjects that I’ve become very interested in recently. In trying to develop a clear understanding of all the implications of National (Irish), European and World Market (US, predominantly) data retention legislation, I’ve been having a look at the Irish Data Protection Act. More information is available at the authoritative Data Protection Commissioner’s website. However, the following point struck me.
Section 2 of the original 1988 Act (which is still valid AFAIK) states that
A data controller should observe certain principles in relation to personal data:
- The data or information constituting the data shall be obtained and processed fairly
- the data shall be accurate and where necessary kept up to date.
- **Data held for back-up purposes is exempt**
- shall be kept for one or more specified or lawful purposes – specified refers generally to purposes specified in any registration document, where applicable
- shall not be used or disclosed in any manner incompatible with such purpose(s)
- shall be adequate, relevant and not excessive in relation to that purpose(s)
- shall be kept for no longer than is necessary; data held for historical, statistical or research purposes is exempt.
What’s worrying me is the point in bold print. The problem isn’t whether this data is currently used as part of a live data set but what happens if data that does not meet the terms of the act is restored after information system loss or damage. The nature of some database and structured data records means that offending data WILL ALMOST CERTAINLY have to be restored from an incorrect archive AS LONG AS IT’S IN THE ARCHIVE IN THE 1ST PLACE. It’s a subtle point, but surely the onus should be on companies to ensure that they always have a backup or archive that contains only non-offending data that doesn’t breach any part of the act. Therefore, backup policy MUST be affected by this act.