BSI Helps Secure Customer Rights

PRESS RELEASE

26 September 2003

BSI publishes new guidelines document

The new guidelines, for the use of personal data in system testing, will be an essential and practical tool to help organisations avoid potentially embarrassing and costly security breaches when processing computer-based customer data. The publication explains how to test IT systems within the guidelines of the Data Protection Act 1998.

The Financial Services Authority (FSA) has endorsed the project. Mike Frost, the FSA's manager for the information and archive management unit, says:

"This is a practical and very useful work of reference for the cost-conscious manager, who understands the benefits both of legal compliance and systems proven to be efficient by valid and credible system testing. At worst, it removes any excuse not to give full consideration to data protection in system testing procedures. It provides a practical methodology that can save considerable time and effort."

Most companies, regardless of their size or turnover, now process personal data via computers. The development of such systems gives rise to many issues around security and data protection. Even in the more traditional business environment, it is increasingly hard to avoid the use of automated processing, and simple, small-scale computer systems must operate in line with the Data Protection Act 1998 in just the same way as the larger, more sophisticated operations.

Jenny Gordon, the data protection manager for Egg Plc and the co-author of the guidelines, warns:

"Some believe that system testing poses no real data protection problem, as it takes place all the time with little apparent detriment to individuals. However, the following, based on a true complaint received by the Information Commissioner's Office, shows that the use of 'live' data can cause very real problems. 'A pupil was away from home at boarding school. The pupil's parents received a letter from the local hospital informing them that their daughter had been involved in a road accident. In fact, there had been no accident, but the hospital had been using live patient data to test a system for sending out letters to patients.'

"There is a real risk that the malfunctioning of a system that holds records without individuals' permission will lead to a breach of data protection law."

Louise Wiseman, who has worked in the banking sector for ten years, and has specialised in data protection since 1999, adds:

"The rapid growth of e-commerce has seen a rise in the use of personal data across an increasingly aggressive and geographically expanding marketplace. Personal data is easier to obtain than ever before and rapid developments in business technology constantly open up new, exciting and complex possibilities for the gathering and processing of that data.

"Perhaps the main 'risk' that many organisations run is that of paying too little regard to the data protection issues, including system testing. With the onset of Freedom of Information legislation the risk management equation may change. Nevertheless, the cost of compliance will, for most, need to be apparently recoverable one way or another."

Ian Brewer, of BSI Business Information, says:

"BSI welcomes the support of both the Financial Services Authority and the Information Commissioner's Office in the production of this guide.

"I am confident that this publication will help those responsible for designing and implementing systems to find alternatives to using 'live' personal information for systems testing. It will also help to ensure that testing takes place with the rigour necessary to guarantee that once a system does go live, information about individuals held on it will be properly protected."

For further information about the guidelines or to buy a copy please contact Customer Service on 020 8996 9001 or go to www.bsi-global.com/dataprotection

-ENDS-

For more information please contact:

Wilma Tulloch on +44 (0)20 8996 6330 OR
Marc Edney on +44 (0)20 8996 6330

About BSI

  • The guide has been endorsed by the Information Commissioner, Mr Richard Thomas.
  • Where a system requires testing there must be a risk that it will not work properly.
  • This could result in the loss or corruption of personal information.
  • The careless use of information about people for system testing can lead to very real distress for the individual. This is why technicians must avoid using information about real individuals for system testing.
  • This guide provides an easy reference to the eight principles of the Data Protection Act 1998, set in the context of the use of personal data in system testing.
  • It also gives a useful 'refresher' on the meaning of such terminology as 'personal data', 'data controllers', 'data subject' and 'data processors'. There is also a pragmatic and informative view from the Information Commissioner's Office.
