DHerrmann
Contributor II

Backups and "The Right to be Forgotten"?

One of the more curious things I've wondered about is how the Right to be Forgotten impacts backups.

 

Obviously, you can't go to a backup (tape) and erase a particular record - at least easily.

 

How are people addressing this right with backups?

8 Replies
emb021
Advocate I

The only thing that would work would be some kind of "register" of those forgotten to ensure you're not pulling out their data when you do a restore or the like.

 

 

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
rslade
Influencer II

> DHerrmann (Newcomer III) posted a new topic in GDPR on 02-14-2019 04:18 PM

 

> One of the more curious things I've wondered about is how the Right to be
> Forgotten impacts backups.

 

Great question, really.

 

First off, the "Right to Be Forgotten" (aka RTBF) is hardly a recognized human right. It's a modern construct of the EU legal system (if, indeed, they actually have one) and, therefore, still a work in progress. (Or regress.)

 

Most of what has been written, argued, and opined about RTBF has to do with search engines. Most of the decisions are slaps and fines against Google for allowing decisions and events to be searchable. (As such, there is a strong case for those who say that RTBF is not actually a right, but a cash cow.) Actual stories don't have to be taken down, just the Google links to them.

 

If RTBF was actually useful, it would require chasing down, for example, cyberbullying via posting of naked selfies as revenge pr0n. So far I've never seen a case that involves such a thing, so RTBF is still a cash cow for the EU and not a useful tool or concept.

 

By extension, therefore, backups are not subject to RTBF. As soon as someone or some corporation finds a way to make huge amounts of money charging people for cloud backups, then the EU will extend RTBF to ensure that they can fine the heck out of that corporation for keeping backups.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
DHerrmann
Contributor II

My DPO told me he reads the GDPR regs to require erasing a subject's data from backup media.    He's a privacy attorney, and a very good DPO.

 

Let's assume that his interpretation is correct.   How exactly are companies supposed to do this?

ed_williams
Newcomer II

A good question. I can't speak for all backup platforms but in Tivoli Storage Manager (IBM TSM) a database tracks each file and file version held (including archives). Using SQL it is possible to identify individual file-sets, for example those associated with a particular user or some other unique identifier (take some of this with a pinch of salt), and specifically drop that data from existing backups and archives. In disk-based retention media these files can be purged. In tape volumes reclamation processes will effectively see files deleted, and for off-site volumes the recovery of these dropped files becomes impossible (impractical) because you don't know where to look on the tape volumes (assuming you can even identify the individual tape). Did I mention the tapes are also encrypted? Practically this means data can be selectively "deleted" across the backup sets. Now, that's not the whole story and it is theoretically possible to get those files back assuming no reclamation processes have been run on the tape volumes ... but that task would certainly not be trivial. Apologies if I've got any of the tech details wrong, it's been a while since I was a TSM Admin, but I think this is generally correct. I think NetBackup has something similar. Note: I once took part in an exercise for an ISP to drop all historic DHCP data backups because law enforcement could request that data for various purposes, if it was held. This represented a very significant possible cost and it was circumvented by dropping those file-sets so they could not be recovered. Morality notwithstanding, it's a nifty capability to have.
DHerrmann
Contributor II

Thanks for the replies. For what it's worth, this sure seems like a very challenging activity, especially if we have to recall an (encrypted, of course) tape from Iron Mountain. Decrypt it, process it, re-encrypt, write to tape, and ship back.

Granted, I'm hyping the effects, but in no way is this going to be easily done across the industry.
AlecTrevelyan
Community Champion

Here's some useful guidance on this from the Information Commissioner's Office, the public body responsible for upholding information rights in the UK:

 

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-r...

 

"Do we have to erase personal data from backup systems?


If a valid erasure request is received and no exemption applies then you will have to take steps to ensure erasure from backup systems as well as live systems. Those steps will depend on your particular circumstances, your retention schedule (particularly in the context of its backups), and the technical mechanisms that are available to you.

 

You must be absolutely clear with individuals as to what will happen to their data when their erasure request is fulfilled, including in respect of backup systems.

 

It may be that the erasure request can be instantly fulfilled in respect of live systems, but that the data will remain within the backup environment for a certain period of time until it is overwritten.

 

The key issue is to put the backup data ‘beyond use’, even if it cannot be immediately overwritten. You must ensure that you do not use the data within the backup for any other purpose, ie that the backup is simply held on your systems until it is replaced in line with an established schedule. Provided this is the case it may be unlikely that the retention of personal data within the backup would pose a significant risk, although this will be context specific. For more information on what we mean by ‘putting data beyond use’ see our old guidance under the 1998 Act on deleting personal data (this will be updated in due course)."

 

RRehm
Newcomer II

Well, as far as I am concerned, when I applied the right to deletion of PII, I created and maintain a DB that holds all requests for deletion, and in case I run a restore of my backups, all deletion requests will be re-run against the restored data, so that from the beginning of use of the "restored DB" none of the users who requested the deletion of their data are in the DB.

This is in line with the ICO's interpretation of "prevent possible use of data to be deleted".
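The "register of the forgotten" that emb021 and RRehm describe can be implemented as a suppression list that is replayed against a restored dataset before it is put back into service. The following is an added example written for this thread, not code from any poster or backup product. It assumes a constructed register and a constructed set of restored customer records; the identifier field (`email`), the ticket numbers and the key are all invented for illustration. One design point worth noting: the register itself holds identifiers of people who asked to be forgotten, so here it stores a keyed hash (HMAC) of the normalised identifier rather than the plaintext, and matching is done by hashing the restored record's identifier the same way.

```python
import hmac
import hashlib

# Hypothetical register key; in practice this lives in a secrets store, not in code.
REGISTER_KEY = b"example-register-key-not-for-production"


def subject_token(identifier: str) -> str:
    """Keyed hash of a normalised identifier, so the register holds no plaintext PII.

    Normalisation (trim + lowercase) makes 'Bob@Example.com' and 'bob@example.com'
    produce the same token.
    """
    norm = identifier.strip().lower()
    return hmac.new(REGISTER_KEY, norm.encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed erasure register: one entry per fulfilled erasure request.
ERASURE_REGISTER = [
    {"token": subject_token("alice@example.com"),
     "requested": "2019-01-20T10:00:00+00:00", "ticket": "DSR-0001"},
    {"token": subject_token("Bob@Example.com"),
     "requested": "2019-02-01T09:30:00+00:00", "ticket": "DSR-0002"},
]

# Constructed records, as they might come out of a restored customer table.
RESTORED_RECORDS = [
    {"id": 1, "email": "alice@example.com", "name": "Alice"},
    {"id": 2, "email": "bob@example.com", "name": "Bob"},
    {"id": 3, "email": "carol@example.com", "name": "Carol"},
]


def replay_erasures(records, register):
    """Drop every restored record whose subject appears in the register.

    Returns (kept_records, audit_log). The audit log references the record id and
    the erasure ticket only, so it can be retained without re-creating the PII.
    """
    tokens = {entry["token"]: entry["ticket"] for entry in register}
    kept, audit_log = [], []
    for rec in records:
        token = subject_token(rec["email"])
        if token in tokens:
            audit_log.append({"record_id": rec["id"], "ticket": tokens[token]})
        else:
            kept.append(rec)
    return kept, audit_log


def verify_clean(records, register) -> bool:
    """Gate check before the restored data goes live: no registered subject remains."""
    tokens = {entry["token"] for entry in register}
    return all(subject_token(rec["email"]) not in tokens for rec in records)


if __name__ == "__main__":
    kept, log = replay_erasures(RESTORED_RECORDS, ERASURE_REGISTER)
    print(f"kept {len(kept)} record(s), purged {len(log)} under tickets "
          f"{[entry['ticket'] for entry in log]}")
    print("restore is clean:", verify_clean(kept, ERASURE_REGISTER))
```

Run as a post-restore step, `replay_erasures` re-applies every fulfilled request and `verify_clean` refuses to sign the restore off until the register matches nothing in the data. That is the 2 a.m. cost DHerrmann raises below: the replay is automatic, but it has to finish before the restored system is declared back in service.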
DHerrmann
Contributor II

@RRehm  - that's probably exactly what will be required.   But can you imagine running such a process at 2am after a disaster requires backup from tape?   You're rushing to get your system back up and running, but you need to wait to discover "forgotten people" and remove them all.

 

It's definitely a new paradigm, isn't it!