26 September 2003
BSI publishes new guidelines document
The new guidelines, for the use of personal data in system testing, will be an essential and practical tool to help organisations avoid potentially embarrassing and costly security breaches when processing computer-based customer data. The publication explains how to test IT systems within the guidelines of the Data Protection Act 1998.
The Financial Services Authority (FSA) has endorsed the project. Mike Frost, the FSA's manager for the information and archive management unit, says:
"This is a practical and very useful work of reference for the cost-conscious manager, who understands the benefits both of legal compliance and systems proven to be efficient by valid and credible system testing. At worst, it removes any excuse not to give full consideration to data protection in system testing procedures. It provides a practical methodology that can save considerable time and effort."
Most companies, regardless of their size or turnover, now process personal data via computers. The development of such systems gives rise to many issues around security and data protection. Even in the more traditional business environment, it is increasingly hard to avoid the use of automated processing, and simple, small-scale computer systems must operate in line with the Data Protection Act 1998 in just the same way as the larger, more sophisticated operations.
Jenny Gordon, the data protection manager for Egg Plc and the co-author of the guidelines, warns:
"Some believe that system testing poses no real data protection problem, as it takes place all the time with little apparent detriment to individuals. However, the following, based on a true complaint received by the Information Commissioner's Office, shows that the use of 'live' data can cause very real problems. 'A pupil was away from home at boarding school. The pupil's parents received a letter from the local hospital informing them that their daughter had been involved in a road accident. In fact, there had been no accident, but the hospital had been using live patient data to test a system for sending out letters to patients.'
"There is a real risk that the malfunctioning of a system that holds records without individuals' permission will lead to a breach of data protection law."
Louise Wiseman, who has worked in the banking sector for ten years, and has specialised in data protection since 1999, adds:
"The rapid growth of e-commerce has seen a rise in the use of personal data across an increasingly aggressive and geographically expanding marketplace. Personal data is easier to obtain than ever before and rapid developments in business technology constantly open up new, exciting and complex possibilities for the gathering and processing of that data.
"Perhaps the main 'risk' that many organisations run is that of paying too little regard to the data protection issues, including system testing. With the onset of Freedom of Information legislation the risk management equation may change. Nevertheless, the cost of compliance will, for most, need to be apparently recoverable one way or another."
Ian Brewer, of BSI Business Information, says:
"BSI welcomes the support of both the Financial Services Authority and the Information Commissioner's Office in the production of this guide.
"I am confident that this publication will help those responsible for designing and implementing systems to find alternatives to using 'live' personal information for systems testing. It will also help to ensure that testing takes place with the rigour necessary to guarantee that once a system does go live, information about individuals held on it will be properly protected."