In a message dated 01/10/2002 16:21:33 GMT Daylight Time,
[log in to unmask] writes:
<< If you look at the compliance audit checklists on the OIC's website, you
will find the question, "Do you permit live data to be used for testing
purposes?" Then, "If so, what procedures are used to protect the personal
data during and after testing?" This implies that it *is* permissible. There
obviously have to be appropriate controls in place, just as with any other
variety of processing. >>
---------------------
The safeguards are imperative and in some cases this means you would not do
it. It depends on the circumstances. Remember the AA case (presumably the
motoring organisation, not the alcoholics one) where potential recruits were
given access to live data to test their inputting skills? One young man
added aliases to the record of a Mr Blair, suggesting he was a dictator and a
despot. Fortunately they spotted the words "aka Saddam Hussein" before any
correspondence went out - but as systems are fairly automatic these days it
was more by luck than design that it was seen.
If you are going to use live data the following would need to be taken into
account:
Have you established that live data is strictly necessary and dummy data will
not suffice?
Are the people seeing it likely to have access to it anyway?
Are the people seeing it covered by contract in relation to their use of it?
Is it actually live data or a copy of real data that will be deleted after the
test?
Are you using real data to demonstrate a system rather than test it? In this
case I think you'd have problems with the law.
Ian B
Ian Buckland
Managing Director
Keep IT Legal Ltd
Please Note: The information contained in this document does not replace or
negate the need for proper legal advice and/or representation. It is
essential that you do not rely upon any advice given without contacting your
solicitor. If you need further explanation of any points raised please
contact Keep I.T. Legal Ltd at the address below:
55 Curbar Curve
Inkersall, Chesterfield
Derbyshire S43 3HP
(Reg 3822335)
Tel: 01246 473999
Fax: 01246 470742
E-mail: [log in to unmask]
Website: www.keepitlegal.co.uk
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html