The UK Data Protection Act permits businesses to collect and use customer data only for its intended purpose. If an organisation uses that data to test new applications it is breaking the law, according to Ian Clarke, European sales director at software tools company Compuware.
Clarke said that in his experience "businesses take a full copy of customer data and push it into the software testing environment". The result, he said, is that "developers have access to customers' sensitive data".
A survey of 100 IT departments in the UK's top 2,000 companies commissioned by Compuware found the use of live customer data in a test environment was commonplace, with 42% of IT departments questioned owning up to the practice.
Software developers often load development work on to their laptops and take work home. James Mullock, a partner at law firm Osborne Clarke, said: "Being able to take data offsite poses a major risk."
Users should assess whether they need to impose tighter levels of data security within their software development operations, Mullock said.