Data Protection Act & Data Recovery – Is your data being exported abroad?
Data Protection & Data Recovery in Ireland – It has come to our attention from new customers that some IT service providers offering Data Recovery services proposed sending drives outside of Ireland for recovery. Although we believe in healthy competition and routinely benchmark our pricing and technical expertise against the professional service providers abroad, we believe you – the customer – should be aware of the possibility of your drive being exported for recovery.
Data Protection legislation within Ireland allows transfer of data to countries within the EEA but requires consent for other countries – known as third countries.
Section 11 of the Data Protection Acts 1988 & 2003 state:
Organisations that transfer personal data from Ireland to third countries – i.e. places outside of the European Economic Area (EEA) – will need to ensure that the country in question provides an adequate level of data protection. Some third countries have been approved for this purpose by the EU Commission.
Aside from the legislative provisions, the real question is….are you happy for your data to leave the jurisdiction?
If you are a business or corporate user, then your IT security policy may prohibit such action. If you are, will the data be encrypted? What happens if it goes missing in transit? Do you hold customer data on the drive that should not be exported? Have you considered that you must disclose such a breach to the Data Protection Commissioner?
We advise that you check to see if your service provider is registered with the Office of the Data Protection Commissioner – You can check the register at http://dataprotection.ie/ViewDoc.asp?fn=/documents/register/default.asp