IT directors could be in breach of the Data Protection
Act (DPA) because they are using live customer data to test their
applications.
In a study of IT directors, 44% said they are still using live
customer data to test applications. The DPA forbids the use of data
for purposes other than those for which it was collected.
Richard Hodkinson, IT and operations director at solicitors Irwin
Mitchell, said, “It is ill advised to use live data [for application
testing], and a subset of data should be taken. I feel that to err
on the side of caution and generate a fictitious set of data for
testing would be route one.”
Dharmish Mistry, chief operating and technology officer at IT
services firm Edge IPK, made three recommendations. First,
organisations should depersonalise their data by changing
characters in a name or address, while ensuring that the resulting
information cannot be used to decipher the customer’s identity.
Automated tools exist to do this.
Second, end-users should be involved in the application tests
where possible, because they are authorised to use the live
customer data.
Third, audit and access trails are essential, said Mistry, to
track the individuals involved with the live data. This is
particularly useful with outsourced tests.
The survey of 100 senior IT professionals was carried out by
Vanson Bourne for IT services firm Compuware.
Ian Clarke, worldwide enterprise solutions director at
Compuware, said, “Testing environments are inherently insecure
places in which to process live customer data, with printouts and
test sheets being left next to PCs during trials.”
He added, “Although businesses can afford to pay the fines
placed on them if customer data is leaked, the cost to company
reputation is not as easily recovered.”
The Information Commissioner, who enforces the DPA, said that
organisations need to take effective security precautions at all
times, including when testing new systems.