System tests routinely break privacy law, says report

Out-Law News | 05 Jul 2006 | 8:30 am | 1 min. read

IT staff conducting database tests are putting their firms at risk of prosecution under the Data Protection Act, an IT systems company has warned. Compuware claims that 44% of the companies it surveyed were at risk.

The breaches of the Act happen when IT staff use actual customer data in database testing. That practice puts the data at risk of disclosure, particularly when some of the work is outsourced abroad, said the company's report.

The Act forbids the use of data for any purpose other than that for which it was collected, which makes the act of using it for testing systems illegal. IT staff often use real data because it gives a better indication of how a system will perform in the live environment.

"Testing environments are inherently insecure places in which to process live customer data, with printouts and test sheets being left next to PCs during trials," said Ian Clarke, enterprise solutions director at Compuware. "Although businesses can afford to pay the fines placed on them if customer data is leaked, the cost to company reputation is not as easily recovered."

"Companies have had plenty of time to understand and implement robust data privacy measures since the Act was introduced eight years ago," said Clarke. "Unless they have rigorous procedures in place, they run the risk of live data being leaked to third parties. This can have severe repercussions on customer confidence and company reputation, and ultimately affect the bottom line."

The problem is made worse when companies outsource work, said the report. The survey found that 83% of those who outsourced sent live data and protected it only with a non-disclosure agreement (NDA). This is not adequate protection, said Compuware.

"Many organisations have taken what they think is the simplest way to comply with the Act and put in place NDAs," said Clarke. "The truth is that most customers would not consider this adequate protection, therefore companies must reconsider the actions they are taking to protect customer data from being leaked in the application testing environment."

Compuware advises that companies disguise the data when used in testing by altering some of the values so that it is unrecognisable from the original. "This process can be done automatically, removing the human risk element entirely," said a company statement.
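Compuware's advice, to alter values automatically so that the test copy is unrecognisable from the original, as an added example that is not the report's or Compuware's own code: a keyed masking pass (HMAC-derived pseudonyms, format-preserving phone digits, a reserved mail domain) over constructed customer rows. The masking key, the record layout and the sample data are assumptions of this example.

```python
import hashlib
import hmac

# Constructed sample rows standing in for live customer records (not real people).
SAMPLE_CUSTOMERS = [
    {"id": 1001, "name": "Alice Example", "email": "alice@mail.example",
     "phone": "+44 20 7946 0123", "balance": 2450.10},
    {"id": 1002, "name": "Bob Sample", "email": "bob.sample@mail.example",
     "phone": "+44 161 496 0987", "balance": -120.00},
]

def pseudonym(value: str, key: bytes, field: str) -> str:
    """Keyed one-way token: same input -> same token, so joins between masked
    tables still line up; irreversible without the key, which (by assumption
    here) stays in production and never enters the test environment."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:12]

def mask_phone(phone: str, key: bytes) -> str:
    """Keep layout (+, spaces, digit count) but replace every digit with a keyed
    pseudorandom one: format validation still passes, the real number is gone."""
    stream = hmac.new(key, f"phone:{phone}".encode(), hashlib.sha256).digest()
    out, i = [], 0
    for ch in phone:
        if ch.isdigit():
            out.append(str(stream[i % len(stream)] % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def mask_record(rec: dict, key: bytes) -> dict:
    """Mask direct identifiers; keep the internal key and the non-identifying
    balance so the test data still behaves like production data."""
    return {
        "id": rec["id"],
        "name": "Customer " + pseudonym(rec["name"], key, "name"),
        # example.com is reserved, so a test mailer can never reach a real person
        "email": "user-" + pseudonym(rec["email"], key, "email") + "@example.com",
        "phone": mask_phone(rec["phone"], key),
        "balance": rec["balance"],
    }

def mask_dataset(records: list, key: bytes) -> list:
    return [mask_record(r, key) for r in records]

if __name__ == "__main__":
    for row in mask_dataset(SAMPLE_CUSTOMERS, b"constructed-demo-key"):
        print(row)
```

Because the tokens are keyed and deterministic, the same customer masks to the same pseudonym in every table and every run, which is what keeps foreign keys and test fixtures usable without the key ever leaving production.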