Under the Data Protection Acts 1988 and 2003, a data controller must take appropriate security measures against unauthorised access to, or unauthorised alteration, disclosure or destruction of personal data kept by him or her. Moreover, such data may not be retained for longer than is necessary for any specific and legitimate purpose for which they were collected or processed. The Office of the Data Protection Commissioner has, therefore, advised that where computer equipment containing personal data has been seized by the Revenue Sheriff, such personal data should be returned under secure conditions to the person from whom the equipment was seized unless there is a legitimate reason for non-return of the data.