The key elements from my perspective:
Treat the test system with the same formal change control and protections as the Live system. This may have implications with regard to technical staff having access to highly sensitive data. Where this may occur, we generally have departmental specific systems teams to manage this, and full auditing functions etc are in place for the duration of the testing.
Undertake testing (where necessary with Live data) initially using a small number of records ) to prove the process.
Document these controls and have them agreed with the Information Asset Owner.
Undertake further testing using a copy of the larger Live data set.
Securely remove the copy of the Live data at the end of the process.
Finally the test system containing live data, must not be considered as a hot standby for the Live system.
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Owen Thomas
Sent: 10 October 2018 17:39
To: [log in to unmask]
Subject: Re: [data-protection] Live Data / Test System
I think the issue here is probably one of terminology - we're referring to 'live' data without pinning down what we mean by the term.
A database comprising current, up to date customer data is just a load of data until you feed it into a service delivery system. If that system delivers an actual service / outcome to (or directly involving / affecting) the customer, it's a Live (capital L) system and - by extension, the data in it is also Live.
However, if you take an exact duplicate of the original database and feed it into a service delivery system that delivers a modelled / notional service / outcome that's just to see what happens, and doesn't come close to involving / affecting the original database subjects - then it can't really be said to be 'live' in any real-world affecting way.
It's still using personal data, so we still need to ensure it's not misused, abused and cast aside unsafely, but I don't see an automatic block on using in it in a decidedly non-Live simulation / system solely for research purposes.
Owen Thomas
Deputy Data Protection Officer
Data Protection Office
Strategy, Performance and Transformation Directorate
Sunderland City Council
0191 5611263
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.jiscmail.ac.uk_lists_data-2Dprotection.html&d=DwIFaQ&c=1vnCWTgU_iH2bgveKnHUZ8hJXVq2EkkiN8FwZDwwznM&r=m1xinYypeext7y2YWPTc0yCdm-v32r0yUk183r3RK2c&m=sQZ13QXrn6NFkNq5br_THxgXbOuTPIkjYN5K533Vn8w&s=BFoN9k_gH_BmcsWQU325cPx1xQ0sn0nIhWMYIG-8yl8&e=
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at https://urldefense.proofpoint.com/v2/url?u=https-3A__www.jiscmail.ac.uk_help_subscribers_subscribercommands.html&d=DwIFaQ&c=1vnCWTgU_iH2bgveKnHUZ8hJXVq2EkkiN8FwZDwwznM&r=m1xinYypeext7y2YWPTc0yCdm-v32r0yUk183r3RK2c&m=sQZ13QXrn6NFkNq5br_THxgXbOuTPIkjYN5K533Vn8w&s=B3WuFtsoi7z75T88Xn0GPBCUEB5Z0BZWzXu6XgITPic&e=
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
______________________________________________________________________
Council services: http://www.bristol.gov.uk/service
Latest council news: http://www.bristol.gov.uk/ournews
Consultations: http://www.bristol.gov.uk/consult
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|