PONT Data&Privacy
Personal data under the radar: backups

When retention periods are set for data in applications and databases, the focus is on the data in current use. When data is lost in a disruption, it can often be restored from a backup copy, better known simply as a backup. That backup then also contains personal data, and the established retention periods apply to it just as much. In this article, I highlight points of interest around backups from a privacy perspective.

December 11, 2020

Why make backups?

Backups, or backup copies, are made to restore data after a disruption. In the past, the disruption was usually equipment failure, such as a crashed hard drive. Today the risk from hackers and ransomware is more prominent. Attackers use ransomware to make data unreadable by encrypting it, and then demand a ransom to make it readable again. In the Netherlands this became widely known through the incident at Maastricht University in late 2019, where teaching and research data became available again only after a ransom was paid. After other hacking and ransomware attacks, backups also help to rebuild a clean, secure system.

How is a backup done?

For a long time, backups were made at night and at weekends, because the systems could not be used while a backup was running. Backups could also take hours, because magnetic tape was still in use. For this reason a full copy was often made at the weekend and only a copy of the changed data on weekdays. One advantage of backups on tape was that the tapes sat in a cabinet ("offline") and were out of reach of hackers.

An advantage of today's backup technology is that backups can be made frequently and while a system is in operation, sometimes several times a day or even several times an hour, depending on the requirements of the business process. Increasingly, backups are written to hard disks that are reachable over the network ("online"). This creates the risk that hackers or ransomware not only damage or encrypt the production data, but the backups as well. Keeping backups available offline, or otherwise out of reach of the production environment, therefore remains important.

Backups are important for ensuring privacy

With privacy in mind, it is important that data are and remain available, even after a disruption. In its provisions on the security of processing, the General Data Protection Regulation (AVG, the Dutch abbreviation for the GDPR) explicitly mentions the risk of destruction, loss or alteration of data. This makes making backups an obligation under the AVG, which at the same time provides a legal basis for making and keeping them.

The loss of data is also considered a data breach. After all, the unavailability of data can have major consequences for data subjects. Think of exculpatory evidence in a criminal investigation, proof of repayment of a debt, or the filing of an objection or appeal against a government decision.

Backups also pose privacy risks

The existence of backup copies can itself be a privacy risk. Where are the backups kept, and who has access to them? But also: how are the backups erased? In the days of tape backups, the relatively expensive tapes were reused and overwritten, so an old backup was erased automatically. Nowadays storage capacity is much cheaper and backups are stored as files in cloud storage. It happens that backups are then kept (too) long, "just to be sure."

How long may a backup be kept?

In principle, it makes no difference whether personal data sit in the database used by employees or in a backup. Once the established and/or legal retention period has expired, they must be deleted from the backup as well. This applies in particular to data deleted at the request of a data subject, for example under the AVG, the Medical Treatment Agreement Act (WGBO) or the Youth Act.

By the letter of the law, individual personal data or records must be removable from a backup. Current backup technology usually does not provide for this. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) recognises this too, and therefore states that such data or files must be deleted again if a backup has been used to restore the system.
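The requirement that deleted data must be deleted again after a restore is easiest to meet when the deletions are recorded in a register that lives outside the backed-up database, so that the register itself is not rolled back by the restore. The following example, added here and not code from the article, shows that replay: every deletion dated after the moment the snapshot was taken is re-applied to the restored records, while deletions dated before the snapshot are skipped because the backup already reflects them. The record identifiers, timestamps and reasons are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Deletion:
    """One entry of the deletion register. The register is kept outside the
    backed-up database, so a restore cannot wipe the register itself."""
    record_id: str
    deleted_at: datetime
    reason: str          # e.g. "retention expired" or "erasure request"


@dataclass
class Backup:
    taken_at: datetime                              # moment the snapshot was taken
    records: dict = field(default_factory=dict)     # record_id -> record data


def restore_with_replay(backup: Backup, register: list[Deletion]):
    """Restore the records from `backup`, then re-apply every deletion in the
    register that happened after the snapshot. Deletions dated before the
    snapshot are already reflected in the backup and are skipped.
    Returns (restored_records, reapplied_deletions)."""
    restored = dict(backup.records)
    reapplied = []
    for d in sorted(register, key=lambda d: d.deleted_at):
        if d.deleted_at <= backup.taken_at:
            continue                        # already absent from the snapshot
        if d.record_id in restored:         # record was resurrected by the restore
            del restored[d.record_id]
            reapplied.append(d)
    return restored, reapplied


# Constructed sample (hypothetical record ids, not data from the article):
# a nightly backup of 1 December that is restored on 11 December.
SAMPLE_BACKUP = Backup(
    taken_at=datetime(2020, 12, 1, 2, 0, tzinfo=UTC),
    records={
        "p-001": {"name": "A"},
        "p-003": {"name": "C"},
        "p-004": {"name": "D"},
    },
)
SAMPLE_REGISTER = [
    # deleted before the snapshot: not in the backup, nothing to replay
    Deletion("p-002", datetime(2020, 11, 20, 9, 0, tzinfo=UTC), "erasure request"),
    # deleted after the snapshot: the restore brings these back, so replay
    Deletion("p-003", datetime(2020, 12, 5, 14, 30, tzinfo=UTC), "erasure request"),
    Deletion("p-004", datetime(2020, 12, 9, 3, 0, tzinfo=UTC), "retention expired"),
]

if __name__ == "__main__":
    records, redone = restore_with_replay(SAMPLE_BACKUP, SAMPLE_REGISTER)
    print("records after restore:", sorted(records))
    for d in redone:
        print(f"re-deleted {d.record_id} ({d.reason}, originally {d.deleted_at:%Y-%m-%d})")
```

The comparison against `taken_at` is the essential check: a register entry is only worth replaying if the restore could have undone it. Backup timestamps and register timestamps must therefore come from the same clock (here UTC), otherwise deletions made shortly before or after the snapshot land on the wrong side of the boundary.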

The AP also states that careful thought should be given to how long backups are useful.

And in practice?

The starting point here too should be to keep a backup no longer than necessary for the purpose of information security. After all, that purpose can be regarded as a legal obligation and therefore as a legal basis. Does it still make sense to restore a backup from a year ago when a backup that is a day or a week old is also available? Probably not. As an example, the AP mentions a retention period of three months for backups. Often that will suffice. Some backup strategies keep daily backups for a week, weekly backups for a month and monthly backups for a year. Keeping backups for longer than a year requires sound justification. Look, for instance, at the relationship between the retention period of the data and that of the backup: a one-year retention period for a backup of a healthcare record that must be kept for 20 years is easier to justify than the same period for a personnel file that must be deleted after two years.

Archiving vs. backup

It is important to distinguish between backups and archiving. Archiving keeps data available outside the regular system for consultation, audits, archiving in the public interest (especially in government), and so on. Archived data must therefore be retained for as long as consultation is required, but only within the applicable retention periods. Backups, by contrast, should be kept only as long as they are needed to restore data after a disruption.

(Cloud) providers also make backups

Your organization may also use cloud applications or vendors that back up your data. Your organization remains responsible for those backups, as the suppliers usually act as processors. Have you agreed with them how long backups may be kept? Suppliers are often not asked this. When asked, one supplier turned out to keep backups for seven years, "just to be on the safe side." This put the supplier's customers in violation of the AVG.

Protect and manage backups properly

In summary, backups and their retention deserve attention. To protect backups properly and prevent improper use, the following is important:

  • Create an inventory of all backups.

  • Determine with ICT and the privacy officer how long they should be kept.

  • Verify that each backup was made successfully.

  • Periodically test restoring from backups.

  • Delete old backups after the specified retention period, preferably automatically.

  • Limit access to backups to a small number of named employees.

  • Make sure that data deleted since the backup is deleted again after a system is restored from it.

  • Also agree with vendors on the maximum period for keeping backups.
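The retention schedule described earlier (daily backups for a week, weekly backups for a month, monthly backups for a year) and the advice to delete old backups automatically both come down to one rule that decides, for every backup in the inventory, whether it stays or goes. The example below is added here and is not code from the article; it implements that grandfather-father-son rule over a constructed inventory of one nightly backup per day and additionally enforces a hard maximum age (assumed here to be one year, matching the article's upper bound) so that nothing survives on schedule alone. Running it as a dry run and reviewing the delete list before wiring it to real storage is the intended use.

```python
from datetime import date, timedelta


def nightly_backups(last_day: date, days: int) -> list[date]:
    """Constructed sample inventory: one backup per day for `days` days,
    ending on `last_day`. Illustrative data, not an inventory from the article."""
    return [last_day - timedelta(days=i) for i in range(days)]


def plan_retention(backups, today, keep_daily=7, keep_weekly=4,
                   keep_monthly=12, max_age_days=365):
    """Grandfather-father-son schedule: keep the newest backup of each of the
    last `keep_daily` days, of each of the last `keep_weekly` ISO weeks and of
    each of the last `keep_monthly` calendar months. Everything else, and
    anything older than `max_age_days` regardless of schedule, is scheduled
    for deletion. Returns (keep, delete) as sorted lists of dates."""
    keep = set()
    seen_days, seen_weeks, seen_months = set(), set(), set()
    # Iterate newest first, so the first backup met in a bucket is its newest.
    for b in sorted(backups, reverse=True):
        if (today - b).days > max_age_days:
            break                           # all remaining backups are older still
        week_key = b.isocalendar()[:2]      # (ISO year, ISO week)
        month_key = (b.year, b.month)
        if b not in seen_days and len(seen_days) < keep_daily:
            seen_days.add(b)
            keep.add(b)
        if week_key not in seen_weeks and len(seen_weeks) < keep_weekly:
            seen_weeks.add(week_key)
            keep.add(b)
        if month_key not in seen_months and len(seen_months) < keep_monthly:
            seen_months.add(month_key)
            keep.add(b)
    delete = sorted(set(backups) - keep)
    return sorted(keep), delete


if __name__ == "__main__":
    # Dry run over 400 nightly backups ending on the article's publication date.
    today = date(2020, 12, 11)
    keep, delete = plan_retention(nightly_backups(today, 400), today)
    print(f"keep {len(keep)} backups, delete {len(delete)}")
    for b in keep:
        print("  keep  ", b)
    print("  oldest to delete:", delete[0], " newest to delete:", delete[-1])
```

Two properties are worth checking in the dry run: the newest backup is always kept, and nothing in the keep list is older than the hard maximum age, even if the monthly bucket would otherwise reach back further. For the sample inventory the schedule retains 20 backups out of 400; backups from December 2019 fall inside the one-year window but outside the twelve monthly slots, and are deleted.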


Knowledge partner

Robert van Vianen