“Appropriate technical & organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction, or damage to personal data".
(Data Protection Act 1998)
Personal Data should be properly safeguarded from accidental loss or destruction which could cause damage or distress to individuals concerned.
This means ensuring that you have created a business continuity plan (Disaster Recovery Plan) which includes backing up data and storing it safely.
Backups containing personal data need to be as secure as data held within the business environment, to ensure compliance with The Data Protection Act.
Backups can range from the very simple to the very sophisticated. The most important thing is to use a strategy which ensures you are saving the data for a period relevant to your business and appropriate to the data held, and that at the end of the retention period for personal data it is reviewed and deleted, unless you have a specific reason for keeping it.
Example: if someone deletes files or data, and you just back up on a daily, weekly and monthly basis, older information, which is still required, could be lost permanently.
An ‘incident’ or ‘disaster’ could mean anything from an employee leaving and deleting important files, a single server failure or a complete loss of an office unit. The business needs to be operational after an incident, with all data restored, as quickly as possibly with the least disruption to your business or individuals who may be affected.
A Business Continuity Plan will map out exactly how you will do this, from which critical systems you recover first to who has responsibility for what, and will help you remain focused on the steps that need to be taken under the possible pressure of an emergency situation.
The next most important step after creating your business continuity plan is to test it, and make sure you are satisfied that the process works and the data is accurate. We suggest that you regularly test it after implementation as things do change, people do leave and systems are constantly updated.
Archiving backups and possibly using compliant offsite facilities may be the solution you require. You should only archive personal data (rather than delete it) if you still need access to it.
If a record is archived you must be prepared to give access to it, under the Data Protection Act 1998.
If it is appropriate to delete a record from a live system, it should be deleted from any back-up of the information on that system.
How can Securious Network Services Ltd help?
We help you to identify your risks and the impact of various ‘disasters’ on your business. We work with you to develop a plan which identifies the critical areas of your business and a backup strategy which will be relevant to you and your data.
We document, help implement and test your business continuity plan, and then retest it regularly.
Most importantly, we help you to ensure that back-up and archived information is maintained in a secure environment, enabling access to these files when required by authorised personnel and ensuring that Data Protection Principles are followed.
|
