Back up tapes and subject access requests

Clients often ask about including personal data on back up tapes in responses to subject access requests.  The short answer is that personal data on back up tapes that is not held elsewhere should be disclosed in response to a subject access request.  Many back up tapes are incremental, meaning that a full copy is held as at a specific date and then changes are recorded between that date and the next full back up.  So, to recreate a record would involve restoring the full back up and working forward day by day to ensure that any changes to the specific record are identified.

In the past the Information Commissioner’s Office took a relaxed view of incremental back ups, recognising that these were being created, not to be an archive, but to facilitate a system restore.  In fact incremental back ups are almost impossible to search and it can’t be done quickly as explained above.

However the 2017 version of the Subject Access Requests Code of Practice published by the Information Commissioner highlights a change of view:

“You should have procedures in place to find and retrieve personal data that has been electronically archived or backed up.  The process of accessing electronically archived or backed up data may be more complicated than the process of accessing “live” data.  However, as you have decided to retain copies of the data for future reference, you will presumably be able to find the data, possibly with the aid of location information from the requester.  So you will be required to provide such information in response to a SAR.”

This is consistent also with the interpretation of what information has to be included to respond to a request under Freedom of Information where case law has established that information on back up tapes that is not held elsewhere must be disclosed.

This is a call to action to review current practices around back up tapes.  Aim to eliminate any non-essential back ups.  If you keep a three month total back up and daily increments between quarter dates, then do you really need the earlier back ups once you pass a quarter date?  Or, if you decide that it is appropriate to keep six months of quarterly and incremental back ups, can you delete older back ups and keep doing this as time passes and older back ups are replaced by newer ones?  Consider the history of requests from the business to restore to a back up point and base your future policy in on that experience.

It is also time to start looking around for alternative back up facilities that will facilitate searching for personal data relating to a named individual.  bear in mind that the issue of personal data on back up tapes has implications for the other subject rights under GDPR, the right to erasure, restriction of processing and data portability.