Afternoon all - hopefully an easy Friday afternoon question.
I am new to practicing Data Protection, whilst I am comfortable with current DP legislation I would be interested in hearing the views of experienced DPO's.
As a Local Authority we have a legal obligation to carry out a Boundary Review and we have an issue. We 'want/have to' to use live data in the test system. I have been told that there it can't be anonymised nor can we obtain dummy data. The system is over 20 years and we do have a project underway to replace it. They system is Acolaid in case you've heard of it and is used by Planning, Building Control, Environmental Health and Land Charges.
I am aware of a recent discussion regarding the use of 'live' data in a training situation and someone mentioned a BSI document dating back to 2009, it was on the use of live data in a test environment which I found very useful, particularly when my opposers are saying this is new under GDPR and I have been saying this was the case under DPA98. However I have been asked to reach out to DPO colleagues for their input and experience as we have 2 schools of thought:-
To cover off this particular request we are carrying out a DPIA which will detail why it really has to be live data, why dummy or anonymised data cannot be used. So we will be doing it by exception. However as I said above I have been asked to get feedback from experienced DPO's on what has been the norm to date.
Thank you everyone
Have a lovely weekend...