Thank you for asking this question in the support community. Based on the configuration you submitted, it appears you will need a route-map to force data traffic over the backup connection. In the current configuration, traffic is following the default route, and since the policy-class "Private-Data" has a egress policy assigned to the NAT statement of "Public2" it means it will only route this traffic out an interface with "Public2" assigned to it. In your case, the default-route is not going out the interface with "Public2" assigned to it, and therefore this traffic is discarded.
You will need to create an access-list that matches the data subnet, and then reference that in a route-map. Here is an example configuration:
ip access-list standard PRIVATE-DATA
permit 192.168.2.0 0.0.0.255
route-map PBR-DATA permit 10
match ip address PRIVATE-DATA
set ip next-hop <gateway IP address>
interface vlan 1
ip address 192.168.2.1 255.255.255.0
ip policy route-map PBR-DATA
ip access-policy Private-Data
no ip route-cache express
I hope that makes sense. Here is the Configuring Policy Based Routing in AOS guide. Please, let me know if you have additional questions. I'll be happy to help in any way I can.