Clients often ask about including personal data on back up tapes in responses to subject access requests. The short answer is that personal data on back up tapes that is not held elsewhere should be disclosed in response to a subject access request.
In the past the Information Commissioner’s Office took a relaxed view of incremental back ups, recognising that these were being created, not to be an archive but to facilitate a system restore. In fact incremental back ups are almost impossible to search and it can’t be done easily.
However the 2017 version of the Subject Access Requests Code of Practice published by the Information Commissioner highlights a change of view:
“You should have procedures in place to find and retrieve personal data that has been electronically archived or backed up. The process of accessing electronically archived or backed up data may be more complicated than the process of accessing “live” data. However, as you have decided to retain copies of the data for future reference, you will presumably be able to find the data, possibly with the aid of location information from the requester. So you will be required to provide such information in response to a SAR.”
I interpret this as a real call to action to review current practices around back up tapes. Aim to eliminate any non-essential back ups. If you keep a three month total back up and daily increments between quarter dates, then do you really need the earlier back ups once you pass a quarter date? Or, if you decide that it is appropriate to keep six months of quarterly and incremental back ups, can you delete older back ups and keep doing this as time passes and older back ups are replaced by newer ones? How far back do back ups need to go in practice? It is a good idea to consider the history of requests from the business to restore to a back up point and base your policy in future on that history.
Obviously it is also time to start looking around for alternative back up facilities that will facilitate searching for personal data relating to a named individual and let the rest of us know when you find a viable alternative to back up tapes.
The issue of personal data on back up tapes could also have implication for the new subject rights under GDPR, the right to erasure, restriction of processing and data portability.