What constitutes lost, destroyed or damaged data?


Data that are either accidentally, or deliberately, deleted can be considered to be destroyed. Data that can no longer be found may be considered to be lost. Damaged data may result from files being corrupted.


However, a draft of a work in progress which is later overwritten is not considered to have been damaged or destroyed unless there is a clear policy of retaining drafts, in which case the draft should not have been overwritten.


What is the purpose of backing-up data?


There is a requirement in the Data Protection Act that adequate measures be taken to prevent the unauthorised destruction or alteration of data.


2(1)(d) "appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data.."


By backing up data, a data controller/processor is taking steps to recover from such actions. In general, back-ups are most useful in a disaster recovery situation, where there has been a catastrophic system failure resulting in a large-scale, if not total, loss or corruption of data.


For how long should back-up data be held?


This depends on how long after an event it is likely to be discovered that data have been lost, destroyed or damaged. This time period will depend both on the nature of the data and the nature of the organisation processing the data. For most situations, it would not be reasonable to keep more than a small number (ten or fewer) of back-up tapes. On a daily back-up regime, this would allow for two working weeks in which to discover that data were lost, destroyed or deleted.


Security Guidelines


The Data Protection Acts, 1988 and 2003, do not detail specific security measures that a Data Controller or Data Processor must have in place. Rather, section 2(1)(d) of the 1988 Act places an obligation on persons to have appropriate measures in place to prevent "unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction."


SI 626 of 2001, and later the Data Protection (Amendment) Act, 2003, introduced a new section 2C into the 1988 Act. This section helps interpret the nature of security measures required to demonstrate compliance with 2(1)(d). When determining measures, a number of factors need to be taken into account:


  • The state of technological development;
  • The cost of implementing measures;
  • The harm that might result from unauthorised or unlawful processing;
  • The nature of the data concerned.


A further development introduced by the 2003 Act is the obligation on data controllers and data processors to ensure that their staff are aware of security measures and comply with them. This guidance is purely intended as an indication of issues which data controllers and data processors may wish to consider when developing security policies.


Access Control


The obligation to prevent unauthorised access to data can, at the simplest level, be met by placing a password onto a computer. This would certainly be the minimum measure acceptable. However, it is only effective if staff keep the password secure, and if it is reviewed and changed if necessary. A password is one simple form of authentication. A more advanced form is the use of a token (such as a smart card), or the use of biometrics (such as an iris scan or a fingerprint scan). Where all three are used in combination, this would offer a high level of authentication.


Network administrators can add a level of security beyond mere authentication. Users tend to develop unique profiles, depending on what they normally do on their computers. This can be a combination of the time and frequency of access; location; nature of data accessed. Where a user seeks to access data in an unusual manner, which conflicts with an established profile, a challenge response question can be asked by the system. This type of authentication prevents a person who has found a password from accessing the system.


In conjunction with authentication, the nature of access allowed to an individual user should be set and reviewed on a regular basis. Ideally, users should only have access to data which they require in order to perform their duties. Regular reviews are necessary in order to increase access if necessary, as well as to restrict previous access, where a user's role changes.


A logging and reporting system can be a valuable tool in assisting the network administrator in identifying abuses and developing appropriate responses.
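An added example (not part of the original guidance) of the profile check described above: it builds a per-user profile from past access records and asks for a challenge when a new access falls outside that profile, logging each decision for the administrator. The records, field names and the one-hour tolerance are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed history: (timestamp, user, location, data category)
HISTORY = [
    ("2024-03-04T09:12", "mary", "office", "sales"),
    ("2024-03-05T10:40", "mary", "office", "sales"),
    ("2024-03-06T14:05", "mary", "office", "customers"),
    ("2024-03-04T08:30", "tom", "office", "payroll"),
    ("2024-03-05T17:15", "tom", "home", "payroll"),
]

def build_profiles(history):
    """Collect the hours, locations and data categories each user normally uses."""
    profiles = defaultdict(lambda: {"hours": set(), "locations": set(),
                                    "categories": set()})
    for ts, user, location, category in history:
        profile = profiles[user]
        profile["hours"].add(datetime.fromisoformat(ts).hour)
        profile["locations"].add(location)
        profile["categories"].add(category)
    return dict(profiles)

def deviations(profiles, event, hour_slack=1):
    """Return the ways an access event conflicts with the user's profile."""
    ts, user, location, category = event
    profile = profiles.get(user)
    if profile is None:
        return ["unknown user"]
    hour = datetime.fromisoformat(ts).hour
    # Distance on a 24-hour clock, so 23:00 and 00:00 count as one hour apart.
    near = any(min(abs(hour - h), 24 - abs(hour - h)) <= hour_slack
               for h in profile["hours"])
    reasons = [] if near else ["unusual time"]
    if location not in profile["locations"]:
        reasons.append("unusual location")
    if category not in profile["categories"]:
        reasons.append("unusual data")
    return reasons

def decide(profiles, event, audit_log):
    """Allow a normal access, challenge an unusual one, and log the decision."""
    reasons = deviations(profiles, event)
    action = "challenge" if reasons else "allow"
    audit_log.append({"time": event[0], "user": event[1],
                      "action": action, "reasons": reasons})
    return action
```

A real deployment would rebuild profiles periodically so that a legitimate change in a user's role or working pattern stops raising challenges.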




There are a variety of tools available with which to encrypt data. These can be useful in closed systems, where all users can have access to the key with which to decrypt data. Provided such a key is held securely, encryption offers a high degree of protection against external attack.


Where encryption currently does not work satisfactorily is in sending data to the outside world. Use of a Public Key Infrastructure (PKI) requires that both sender and recipient use the same encryption system. Until such time as a market leader or industry standard exists, such PKIs will be slow to develop.


