[log in to unmask] on Friday, February 20, 2004 at 9:13 AM said:-
> Try P1 - unfair to the data subject, P2 - incompatible with
> the original purpose, P7 - disclosed to individuals who may
> not normally have access to it for their duties.
As well as the dangers mentioned by Ian B, should a copy of the database be
replicated without being depersonalised for use in training, then all of any
existing security mechanisms for the data can be overturned and lost. Do
people check the audit trails of training databases if complaints are
received? Are training databases searched against subject access? Is the
same level of security applied to the training database?
I recall being given a demonstration of an application by a software house,
and they were using the 'live data training database' from another
organisation. An interesting situation!
I also recall an in-house developer, demonstrating an in-house development
at an open public forum, displaying how the system worked by proudly
projecting the display onto a large interior wall and conducting complex
enquiries, whilst using a live sensitive database; and a senior member of
the then ODPR's staff was there. {:-( These things happen too easily where
live databases get used as test data.
Ian W
> -----Original Message-----
> From: This list is for those interested in Data Protection
> issues [mailto:[log in to unmask]] On Behalf Of
> [log in to unmask]
> Sent: Friday, February 20, 2004 9:13 AM
> To: [log in to unmask]
> Subject: Re: Using Live Data in Testing Environment
>
>
> In a message dated 19/02/04 10:57:27 GMT Standard Time,
> [log in to unmask] writes:
>
>
> > Help....I believe we should not be using live data in a test
> > system...........can anyone point me to the relevant piece of DP
> > legislation and why?
>
> ----------
> Try P1 - unfair to the data subject, P2 - incompatible with
> the original purpose, P7 - disclosed to individuals who may
> not normally have access to it for their duties.
>
> Extract from an IC Annual report:
>
> "Unfair Processing & Using Live Data for Demonstration
> Purpose (P1, P2) A data controller was setting up procedures
> for in-house training of its customer-facing staff and needed
> to find an example upon which to base their new procedures.
> The example used was of an existing member of staff who had
> occasion to use the company's facilities as a customer. The
> staff member was unaware that this had taken place, and only
> realised what had happened when other employees began
> referring to his experience. The data subject requested an
> assessment. The ICO assessed that the data controller was
> unlikely to have complied with the Act and recommended
> appropriate changes to the procedures involved. The data
> controller removed the individual's data and replaced it with
> a theoretical example not linked to any actual person. They
> also put in place procedures to safeguard future use of
> real-world data in their training."
>
> I also remember a case involving the AA (presumably
> Automobile Association) who required potential recruits to
> use the live system to test their inputting skills. One
> person amended the record of a certain Mr Blair (not Lionel,
> the other one) and put an "aka" after the surname. It was
> spotted just as correspondence was being sent out.
>
> Ian B
>
>
> Ian Buckland
> Managing Director
> Keep IT Legal Ltd
>
> Please Note: The information given above does not replace or
> negate the need for proper legal advice and/or
> representation. It is essential that you do not rely upon any
> advice given without contacting your solicitor. If you need
> further explanation of any points raised please contact Keep
> I.T. Legal Ltd at the address below:
>
> 55 Curbar Curve
> Inkersall, Chesterfield
> Derbyshire S43 3HP
> (Reg 3822335)
> Tel: 01246 473999
> Fax: 01246 470742
> E-mail: [log in to unmask]
> Website: www.keepitlegal.co.uk
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> (all commands go to [log in to unmask] not the list
> please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>