PHS Recordsmanagement News



Employers risk breaching Data Protection Act

05 July 2006

Nearly half of IT directors are in breach of the 1998 Data Protection Act (DPA) because they are using live customer data to test their company's IT systems, according to a report by IT services firm Compuware.

In the survey of over 100 senior IT professionals, 44% said they use actual customer data to test applications. More worrying still, 48% of the IT directors polled said they were only "vaguely familiar" with the Act.

The DPA forbids processing personal data for purposes incompatible with those for which it was collected. Customers' details are collected to provide them with a service, not to exercise new software, which makes using live customer data for system testing unlawful.

The report found that 83% of companies used only "minimal measures", such as non-disclosure agreements (NDAs), to control and secure data during system checks. Although an NDA is a legally binding document, companies find it difficult to communicate the legal obligations to the people actually handling the data, especially when application testing is outsourced to firms abroad.

Ian Clarke, the Worldwide Enterprise Solutions Director at Compuware, said of the report's findings:

"Testing environments are inherently insecure places in which to process live customer data, with printouts and test sheets being left next to PCs during trials.

"Although businesses can afford to pay the fines placed on them if customer data is leaked, the cost to company reputation is not as easily recovered."

He added:

"Companies have had plenty of time to understand and implement robust data privacy measures since the Act was introduced eight years ago.

"Unless they have rigorous procedures in place, they run the risk of live data being leaked to third parties. This can have severe repercussions on customer confidence and company reputation."

The report recommends that customer data be disguised (masked) before it is used in a test environment. Sensitive fields, such as credit card numbers and addresses, can be blanked out or altered so that they can no longer be traced back to the original customer, while still having the right format and length to be processed by the company's systems under test.
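The following Python script is an added illustration of that recommendation; it is not code from the Compuware report, PHS, or the ICO. It masks a customer record so that the card number becomes a different, same-length number that still passes the Luhn check (so payment code paths run normally), and the address is replaced by a synthetic one that keeps only the postcode district. The masking is keyed with HMAC so the same customer always maps to the same pseudonym (joins between tables keep working) but the original cannot be recovered without the key. The key, the street list, and the sample record are all constructed for the example.

```python
import hashlib
import hmac
import re

# Secret held only by the team that runs the masking job, ideally in a key
# store on the production side. It must never be copied into the test
# environment, or testers could re-identify records. Constructed value.
MASKING_KEY = b"example-only-masking-key"

# Constructed pool of street names used to build synthetic addresses.
STREETS = ["Station Road", "Mill Lane", "Church Street", "High Street"]


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes `partial` + digit pass the Luhn check."""
    total = 0
    # The check digit will sit to the right of `partial`, so the rightmost
    # digit of `partial` is the first one to be doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if `pan` is all digits and its last digit is the correct Luhn digit."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def _keyed_digits(value: str, count: int) -> str:
    """Deterministic, one-way digit stream: HMAC-SHA256(key, counter:value).

    byte % 10 is slightly biased, which is acceptable for test data but not
    for anything that needs uniform randomness.
    """
    digits = ""
    counter = 0
    while len(digits) < count:
        mac = hmac.new(MASKING_KEY, f"{counter}:{value}".encode(), hashlib.sha256).digest()
        digits += "".join(str(b % 10) for b in mac)
        counter += 1
    return digits[:count]


def mask_pan(pan: str) -> str:
    """Replace a card number with a same-length pseudonym that still passes Luhn."""
    clean = re.sub(r"[ -]", "", pan)
    if not 12 <= len(clean) <= 19 or not luhn_valid(clean):
        raise ValueError("input is not a well-formed card number")
    body = _keyed_digits(clean, len(clean) - 1)
    return body + luhn_check_digit(body)


def mask_address(line1: str, postcode: str) -> tuple[str, str]:
    """Keep the postcode's outward code (district level, useful for delivery
    and tax-zone tests) and replace everything that identifies a household."""
    outward, _, _inward = postcode.strip().upper().partition(" ")
    d = _keyed_digits(line1 + "|" + postcode, 8)
    house = int(d[:3]) % 200 + 1
    street = STREETS[int(d[3:5]) % len(STREETS)]
    inward = d[5] + "AB"[int(d[6]) % 2] + "CD"[int(d[7]) % 2]
    return f"{house} {street}", f"{outward} {inward}"


def mask_record(rec: dict) -> dict:
    """Return a copy of `rec` with the sensitive fields masked."""
    masked = dict(rec)
    masked["card_number"] = mask_pan(rec["card_number"])
    masked["address_line1"], masked["postcode"] = mask_address(
        rec["address_line1"], rec["postcode"]
    )
    return masked


def leaks(original: dict, masked: dict) -> list[str]:
    """Names of sensitive fields whose masked value is identical to the live one."""
    return [k for k in ("card_number", "address_line1", "postcode") if original[k] == masked[k]]


# Constructed sample record; 4111 1111 1111 1111 is a Luhn-valid number.
SAMPLE = {
    "customer_id": 1042,
    "card_number": "4111 1111 1111 1111",
    "address_line1": "Block B, Western Industrial Estate",
    "postcode": "CF83 1XH",
}

if __name__ == "__main__":
    out = mask_record(SAMPLE)
    print(out)
    print("leaked fields:", leaks(SAMPLE, out))
```

Two caveats a practitioner should keep in mind. First, a pseudonymous card number generated this way could in principle coincide with a real, issued number; a production masking tool constrains its output to a range known not to be live. Second, masking only helps if it happens before the data leaves the production zone, and the HMAC key stays there: a keyed pseudonym is reversible-by-lookup to anyone who holds the key and the original table.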

The Information Commissioner's Office (ICO), which enforces the DPA, said that organisations need to take effective security precautions at all times, including when testing new systems.

In April this year, the ICO published good practice notes for employers on how to comply with the DPA when outsourcing the processing of personal data. The notes cover:

  • Selecting a reputable organisation offering suitable guarantees about their ability to ensure the security of personal data
  • Making sure the contract with the organisation is enforceable
  • Making sure the organisation has appropriate security measures in place
  • Making sure that the organisation takes steps to ensure the reliability of its staff
  • Auditing the other organisation regularly to make sure they are 'up to scratch'
  • Requiring the organisation to report any security breaches or other problems
  • Having procedures in place that allow appropriate action to be taken when such a report is received.

The PHS.co.uk site is owned and operated by PHS Group, a company registered in England and Wales whose registered office is at PHS Group plc, Block B, Western Industrial Estate, Caerphilly CF83 1XH. Company Registration No. 05384799.