What does ‘beyond use’ imply?
To further help businesses understand what it means by “beyond use”, the UK ICO directs audiences to its guidance under the old UK Data Protection Act (1998), which the GDPR has now superseded. At the time of writing, the ICO acknowledges that these guidelines have not been updated to specifically acknowledge the GDPR.
“The following information has not been updated since the Data Protection Act 2018 became law. Although there may be some subtle differences between the guidance in this document and guidance reflecting the new law – we still consider the information useful to those in the media. This guidance will be updated soon to reflect the changes.”
Although one might think that in directing audiences to its earlier advice, the ICO is signalling it would exercise similar judgement today, I think this is something worth checking with your legal team as there is currently no guarantee that this would be true in every present circumstance - e.g. “this will be context specific”.
But in its guidance for the 1998 Act, the ICO said:
“will be satisfied that information has been ‘put beyond use’, if not actually deleted, provided that the data controller holding it: is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way; does not give any other organisation access to the personal data; surrounds the personal data with appropriate technical and organisational security; and commits to permanent deletion of the information if, or when, this becomes possible.”
Provided that these four safeguards are in place, the ICO was previously satisfied data would be ‘beyond use’. An encrypted LTO Ultrium tape, held securely in a backup vault with limited and strict access controls, does appear to fit the criteria of not needing to be immediately overwritten following a right to be forgotten request under Article 17.
But as I quoted earlier, the ICO still assumes erasure will occur at some point because this ‘beyond use’ exemption requires:
“that the backup is simply held on your systems until it is replaced in line with an established schedule.”
This seems to imply that the data would need to be erased eventually, even if this wasn’t to occur in the first 30 days. Whether or not the status of ‘beyond use’ has an expiry date or can be regarded more as ‘for as long as may be necessary’ is not clear.
And in my opinion, the ICO has not yet fully addressed the question of archives because the purpose of an archive, as opposed to a backup, is to retain a primary copy of data for compliance or other commercial requirements. An archive is a collection of records that are kept for long-term retention and used for future reference. Tape is an ideal storage medium for this purpose because magnetic tape is very durable and doesn’t need additional power and cooling to be maintained in an offline state. Typically, information in an archive will be the only copy of that data. So with an archive, you typically would not have an established schedule for overwriting data as the records are intended to be preserved without frequent access or modification.