I have some experience of what you describe. However, it's not about negating audit trails, as these will be on a test system and so not live. It's, at least in part, about how the data can be transferred and used and the risk mitigation for doing this. This ranges from different server locations through to developers being in a separate locked room with one printer only fed with pink paper so that output can be identified and destroyed after use. It can get complex, and is not a recommended practice, but in the real world...
One other thing: I have stumbled upon "Data Protection: Guidelines for the use of personal data in system testing" by Louise Wiseman and Jenny Gordon, pub. 1 July 2009. I have not read it, and probably won't given that it is yet another overpriced tome, but some people may be prepared to pay the exorbitant price... £48.95 (Amazon). Normal price £75!!!!
Simon Howarth.
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of [log in to unmask]
Sent: 13 October 2009 16:19
To: [log in to unmask]
Subject: Re: [data-protection] sharing data with system developers
Is anybody able to provide an example of method(s) which successfully
manage the data security issues created by using live data for test
purposes?
I am thinking here of the complete negation of any existing audit
trails for the data, and hence an inability by those particular means
to factually identify for legal purposes when and if particular data
were viewed.
If risk management is used, the arguments presented would be
interesting.
Ian W
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Tim Trent
Sent: 12 October 2009 18:26
To: [log in to unmask]
Subject: Re: [data-protection] sharing data with system developers
The fact that people have proved that consent is not a legal
requirement is fine. But the issue is by no means only the law, but the
perception of the people whose data is, they will say, being misused by
being deployed for testing purposes.
One can not hide behind legal niceties where exposure of members of
the public's personal data is concerned. Instead one has to deal with
the reality created by perception. And, lawfulness notwithstanding, if
the perception is that the data has been used unlawfully, then nothing
will convince the public otherwise. You might compare that with MPs and
their use of money on expenses. The public has disembowelled them
despite their claims in many cases being lawful.
Perception will always win the day.
So the discussion is about whether one wishes to risk public opinion
being against one's organisation, with all the trauma to careers that
will cause. The ways a silly poem:
"Here lies the body of Billy Wray
Who died defending his right of way"
Of course his name may not have been Billy, nor Wray, and he probably
failed to die, but discretion would have served him better.
I'll stick to advising my clients not to consider testing with live
data, I think. I don't fancy the lawsuit if I don't give that advice.
Lee Gardiner wrote:
I don't think the other Tim is disputing that, merely that consent is
not the only means an organisation can use to justify a particular type
of processing, whatever that processing is.
Whether you, me or anyone else likes it or not you do not need
consent providing you can satisfy a different condition for
processing, end of story.
Lee Gardiner
--
--------------------------------------------------------------------------------
Tim Trent - Consultant
Tel: +44 (0)7710 126618
web: ComplianceAndPrivacy.com - where busy executives go to find the
news first
personal blog: timtrent.blogspot.com/ - news, views, and opinions
personal website: Tim's Personal Website - more than anyone needs to
know
Important: This message is private and confidential. If you have
received this message in error, please notify us and remove it from
your system. This email and any attachment(s) are believed to be virus-
free, but it is the responsibility of the recipient to make all the
necessary virus checks. This email and any attachments to it are
copyright of Meadowood Associates, owners of Compliance And Privacy,
unless otherwise stated. Their copying, transmission, reproduction in
whole or in part may only be undertaken with the express permission, in
writing, of Meadowood Associates, at Meadowood House, 30 Redditch,
Bracknell, Berkshire, RG12 0TT.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^