Disclaimer

The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

Back-up systems

Back-up data are defined in the Data Protection Acts, 1988 & 2003 as being

 " data kept only for the purpose of replacing other data in the event of their being lost, destroyed or damaged".

In order to come within the definition of 'back-up data', data cannot be part of a live system nor can they be used for any purpose other than replacing lost, destroyed or damaged data.

What constitutes lost, destroyed or damaged data?
Data that are either accidentally, or deliberately, deleted can be considered to be destroyed. Data that can no longer be found may be considered to be lost. Damaged data may result from files being corrupted.
However, a draft of a work in progress which is later overwritten is not considered to have been damaged or destroyed unless there is a clear policy of retaining drafts, in which case the draft should not have been overwritten.

What is the purpose of backing-up data?
There is a requirement in the Data Protection Act that adequate measures be taken to prevent the unauthorised destruction or alteration of data.

2(1)(d) "appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data.."

By backing-up data, a data controller/processor is taking steps to recover from such actions. In general, back-ups are most useful in a disaster recovery situation, where there has been a catastrophic system failure resulting in a large scale, if not total loss or corruption of data.

For how long should back-up data be held?
This depends on how long after an event is it likely to be discovered that data have been lost, destroyed or damaged. This time period will depend both on the nature of the data and the nature of the organisation processing the data.