By Andy McCue, 3 October 2003 15:16
NEWS New guidelines aimed at preventing embarrassing security breaches have been issued to help firms comply with the Data Protection Act if they use 'live' personal data to test their IT systems. The British Standards Institute (BSI) has drawn up the code with the backing of data protection watchdog the Information Commission to because of the high risk of security breaches when real data is processed in system tests. Jenny Gordon, data protection manager for Egg and co-author of the guidelines, said most firms are unaware of the implications of breaches when 'live data' is used and cited an example reported to the Information Commission. "A pupil was away from home at boarding school. The pupil's parents received a letter from the local hospital informing them that their daughter had been involved in a road accident. In fact, there had been no accident, but the hospital had been using live patient data to test a system for sending out letters to patients," she said in a statement. Gordon said that if an IT system needs testing then there must be a very real risk that it will not work properly, which could result in the corruption or loss of any live personal data used in the tests. "There is a real risk that the malfunctioning of a system that holds records without individuals' permission will lead to a breach of data protection law," she added. Mike Frost, head of the information and archive management unit at City watchdog the Financial Services Authority has also backed the guidelines. "This is a practical and very useful work of reference for the cost conscious manager, who understands the benefits both of legal compliance and systems proven to be efficient by valid and credible system testing. At worst, it removes any excuse not to give full consideration to data protection in system testing procedures. It provides a practical methodology that can save considerable time and effort," he said in a statement. The guide advises IT technicians to avoid using information about real individuals for system testing. Ian Brewer at BSI Business Information said in a statement: "I am confident that this publication will help those responsible for designing and implementing systems to find alternatives to using 'live' personal information for systems testing. It will also help to ensure that testing takes place with the rigour necessary to guarantee that once a system does go live, information about individuals held on it will be properly protected."
Comments
There are 2 comments. Join the discussion
1. David Metcalfe
I think there is a clear distinction between testing on 'live' data as oppose to using a copy of the 'live' data, restored into a carefully controlled and secure test environment, for testing purposes.
I believe the distinction is sometimes misunderstood and somewhat muddied.
2. William E. Rushman
One option I've used is to "greek" the live data to prevent exactly this kind of occurence. A randomization of the various fields can result in data that is from the live system, but utterly unrecognizable. A backup check, of course, is to see if any records remain the same as the original.