Compliance and Privacy to help organisations to improve security - >Backups, Archives and Subject Access Requests

Latest Resources

Breaking Global News
Global Compliance and Privacy News - Breaking News, updated every 30 minutes
•   Compliance, Privacy and Security
•  Money Laundering
•  Phishing
•  Regulatory Issues
•  SOX, Basel 2, MiFID

You Tell Us:

News
Are Smartphones Endangering Security? - Wick Hill
Dealing with Internet Security Threats - Ian Kilpatrick
How the New EU Rules on Data Export Affect Companies in and Outside the EU - Thomas Helbing
Farmers' Data Leak Highlights Old Technology Use - Wick Hill
Saving Money with SFTP - Wick Hill
UK Information Commissioner targets firm selling vetting data - Eversheds e80
12 Key Steps to Internet Security - Wick Hill
Telephone Monitoring Legality in the UK - Dechert
Firewall or UTM - Wick Hill
UK Information Commissioner demands mobile device encryption - Eversheds e80
Data loss - liability, reputation and mitigation of risk - Eversheds e80
Phorm, Webwise and OIX - BCS Security Forum
The challenges of PCI DSS compliance - Thales, Russell Fewing
"Quality" Data Vendor Spams us! Editor astounded!
National Gateway Security Survey 2008 - Wick Hill
Unified Threat Management - Watchguard Technologies

news archives:
0 | 1 | 2 | 3 | 4 | 5 |
6 | 7 | 8 | 9 | 10 | 11 |
12 | 13
[What is this?]

Industry Blogs
• Tim Berners Lee's Blog
• Tim Callan's SSL Blog
• Davis Wright Tremaine's Privacy & Security Law Blog
• Emergent Chaos Blog
• Michael Farnum's Blog
• Phillip Hallam-Baker's Blog - The dotFuture Manifesto: Internet Crime, Web Services, Philosophy
• Stuart King's Security and Risk Management Blog
• David Lacey's IT Security Blog
• Metasploit Official Blog
• Jeff Pettorino's Security Convergence Blog
• Jeff Richards's Demand Insights Blog
• David Rowe's Risk ManagementBlog
• Bruce Schneier's Security Blog
• Larry Seltzer's Security Weblog
• Mike Spinney's Private Communications Blog
• Richard Steinnon's Threat Chaos Blog
• The TechWeb Blog
• Tim Trent's Marketing by Permission Blog
• Rebecca Wong 's DP Thinker Blog

Newsletters
23 February Newsletter
Newsletter Archives are located in "News"

Industry Update
Internet Security Intelligence Briefing - November 2005
Find out the latest trends in e-commerce, web usage & the latest threats from adware/Spyware

Reports
Phorm, Webwise and OIX - BCS Security Forum
'The Any Era has Arrived, and Everyione has Noticed' - Stratton Sclavos - VeriSign
Identity Security - Time to Share
Malicious code threats - iDefense
Public Alerts - updated as they happen from Stopbadware.org
Public Alerts - updated as they happen from Websense
Public Advisories - updated as they happen, from iDefense
Phoraging - Privacy invasion through the Semantic web: a special report by Mike Davies of VeriSign

Legislation
Privacy Laws & Business International E-news, Issue 57
Privacy Laws & Business UNited Kingdom E-news, Issue 60

Security Reviews
February 2007 - VeriSign Security Review
The security review archive is here

Case Studies
Finance Industry
Case Study Example
A case study on a Finance industry company.

White Papers
VeriSign® Intelligent Infrastructure for Security
VeriSign® Intelligent Infrastructure: An Overview
Identity Protection Fraud Detection Service - description of the service
Life of a Threat - Video on Threat Management Lifecycle
Optimizing Enterprise Information Security Compliance - Dealing with all the audits
For a full list of all whitepapers, visit our Whitepaper library

Legal Notices
Privacy Policy
Terms of use

Backups, Archives and Subject Access Requests

We were prompted to look at this by the UBS/Perot/Michael Johnson case. The circumstances of that case mean that one party is calling for Data Backups to be retrieved, originally as part of a Statutory Access Request [SAR], and later by use of a Witness Summons. The other party is resisting. We're not going to comment on the Witness Summons, except to note the huge cost, stated to be £4.27m, of complying. Instead we're confining ourselves to the Data Protection Act 1998 [DPA].

Assuming that the data were to fall under an SAR, UBS argued successfully that it was “disproportionate effort” to restore the data. The “Man on the London Underground” (how we love the legal cliché update to the well known and much loved “Man on the Clapham Omnibus”) would agree. So, according to Silicon.com did the UK Information Commissioner. [Silicon's article states: "In 2002 Johnson made a request for the emails through the UK's data protection watchdog, the Information Commissioner's Office. At the time UBS argued the cost of retrieving the emails was 'disproportionate' without specific evidence to help locate the appropriate messages, and so the ICO took no further action."]

Our issue is with backups at all.

The DPA is designed to cover (we paraphrase) “Data capable of identifying a living individual, held in a mechanism capable of systematic retrieval”. The Man on the London Underground interprets that as “something that stores data about me by my name (for example) and that can be retrieved by my name”.

A backup is almost always a serial device: a tape or a tape-like device. It is capable only of sequential retrieval of data file by file. And the data is not, of itself, stored in a systematic retrieval mechanism that can retrieve data about individuals. Files are not records. Though a file labelled “Peter Andrews-Compliance-and-Privacy-.doc” would be an exception!

So data I store in a backup that is a serial device with serial media, like a tape, is just so many magnetic zeros and ones. To even identify that living individuals are within the data I must present the restored data set to software capable of reading and interpreting the data before even considering the systematic retrieval mechanism.

Extend this to Archives

A recent article on Backups versus Archives seems to reinforce the view. It says at the start "When it comes to compliance, IT managers can ill afford to confuse data backup and archiving. Conceptually related, but practically distinct, each has unique requirements and advantages in terms of retention and accessibility."

We agree. But we diverge from the theme of the article to look again at what a backup is and is not. An Archive is a clearly defined thing. It is a tranche of data, stored in an archival system, that is freely accessible, is stored within a proper policy for data retention and destroyed with a proper policy for data destruction. It is likely to be, but is not necessarily, separate from and removed from the main data set.

So, What is a Backup?

A backup is a copy of data held in the main system, almost always in a format not intended for "regular" data retrieval. it is not a disk image on cd or DVD that is capable of being presented to (eg) the original email software to be read, nor is it a disk to disk mirror image. That those are a form of backup is not in dispute. Those forms are, we submit, subject to Data Protection law.

A backup is, as we have said earlier, is a serial backup onto a serial device with serial media, like a tape. It is not intended to be presented to anything other than backup software. It is not of itself an archive, and is not capable of systematic search for a particular piece of data which, by itself, or with other data known to the searcher, is capable of identifying a living individual

Equally the purpose for which the backup is held is not to allow retrieval at record level. It is to allow the business to function after some catastrophic failure.

Conclusion

We argue strongly that serial style backups were never intended to be covered under the Data Protection Act, and that there is an overwhelming case against any requirement under a SAR to retrieve any, let alone all backups. We think the Man on the London Underground would agree. The only problem is explaining it to him!