Live Data Testing is Illegal
“But it can't be. And anyway, we have rigorous security in place”. Regrettably that is the attitude of many hard-pressed CIOs today. The business pressures for speedy delivery of tested software, and live data tends to be the data with the “best” hidden gotchas, or so CIOs have always believed. But that doesn't make it lawful.
Starting with the stringent Data Protection regulations in the European Community, and spreading worldwide, the law says, very simply, that the individual whose data record is processed must know the purpose of the processing. And it goes on to say that you may not process that data for any additional purpose without the individual's consent.
- As a CIO, does your registration with your data protection authority cover testing with live data?
- As a CMO, when you collect data for marketing purposes, do you also ask if the CIO may use it for testing purposes?
- Do your staff give permission for their HR records to be used by the CIO for testing purposes?
We suggest a resounding “NO!” to all of these. And so does Compuware's survey of 100 senior IT decision makers. It says that 44% were guilty of testing with live data, and 48% were only “vaguely familiar with the law”. 83% of those who send data offshore for testing purposes only set up non-disclosure agreements, not even Data Processor contracts – the minimum contract required when outsourcing offshore.
But we have to use live data
This is unlikely. In general this is an excuse to avoid developing randomised test data – a task that is not hard to do, because the live data can be rendered wholly anonymous with very simple database techniques and retain its “liveness”.
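As an added illustration of the point above (this is not code from the article or from Compuware), the following copies a small constructed “live” customer table into a test database with the identifying fields replaced. Names and e-mail addresses become keyed pseudonyms, so rows still join consistently and keep a realistic shape, while dates of birth and postcodes are coarsened to the year and outward code; the salt, table layout and sample rows are assumptions for the example.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample of a "live" customer table (fictional people).
LIVE_ROWS = [
    (1, "Alice Example", "alice@example.org", "1980-03-14", "NW1 4AB"),
    (2, "Bob Sample", "bob@example.net", "1975-11-02", "M1 2CD"),
    (3, "Carol Test", "carol@example.com", "1992-07-30", "EH1 5EF"),
]

# Assumed: a secret held only by the test environment, never a production
# key, so nobody without it can reverse or re-link the pseudonyms.
TEST_SALT = b"constructed-test-environment-secret"

def pseudonym(value, width=8):
    """Keyed, deterministic pseudonym: same input gives the same output, so
    joins and referential integrity survive, but the original is not recoverable."""
    return hmac.new(TEST_SALT, value.encode(), hashlib.sha256).hexdigest()[:width]

def anonymise_row(row):
    cust_id, name, email, dob, postcode = row
    token = pseudonym(f"{cust_id}:{email}")
    return (
        cust_id,                       # surrogate key kept so foreign keys still join
        f"Customer {token}",           # realistic-looking name field, no real name
        f"user-{token}@test.invalid",  # keeps e-mail format, undeliverable domain
        dob[:4] + "-01-01",            # birth year only: age bands survive
        postcode.split()[0] + " 0XX",  # outward code only: region survives
    )

def build_test_db(live_rows):
    """Copy a live table into an in-memory test database with PII removed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer(id INTEGER PRIMARY KEY, name, email, dob, postcode)")
    db.executemany("INSERT INTO customer VALUES (?,?,?,?,?)",
                   [anonymise_row(r) for r in live_rows])
    return db

def leaked_pii(db, live_rows):
    """Check: no original name or e-mail address survives in the test copy."""
    dump = " ".join(str(r) for r in db.execute("SELECT * FROM customer"))
    return [v for r in live_rows for v in (r[1], r[2]) if v in dump]

if __name__ == "__main__":
    test_db = build_test_db(LIVE_ROWS)
    for row in test_db.execute("SELECT * FROM customer"):
        print(row)
    print("leaked:", leaked_pii(test_db, LIVE_ROWS))
```

The coarsening step matters because of the footnote's definition: a full date of birth and postcode can identify a person when combined with other data, so a test copy that merely renames people is not yet anonymous.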
Footnote: By ‘data’ we mean ‘data that can of itself, or with other data in the possession of or likely to come into the possession of the Data Controller, identify a living person’.
Download the report courtesy of Compuware