
Subject:

Re: Use of Live (personal) data used within training database

From:

Peter Dinsdale <[log in to unmask]>

Reply-To:

Peter Dinsdale <[log in to unmask]>

Date:

Thu, 28 Jun 2012 13:50:40 +0000


Not exactly the same point, but another demonstration of the dangers of using live data in training environments: http://www.ico.gov.uk/what_we_cover/taking_action/~/media/documents/library/Data_Protection/Notices/durham_university_undertaking.ashx


Peter Dinsdale
Information Security Officer (Compliance)
Tel: 0191 222 6950



-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Simon Howarth
Sent: Thursday 28 June 2012 14:39
To: [log in to unmask]
Subject: Re: [data-protection] Use of Live (personal) data used within training database

Just don't do it.

Whilst there are cases when the use of a copy of live data is a requirement in order to test a system - rare, but they do exist, I can see no justification for using live personal information for training. In my opinion that's a folly.

In testing there are things you can put in place. A big system that I had some IG involvement in contained in excess of 60 million individuals' records. In order to ensure that no cross fertilisation of data could occur and that the data could not get "out", it was put in a secure server dedicated to the test with no external access to the outside world. Further, the testers and developers were put in a room that was secure and the printer they had access to was loaded with pink paper, so that any output could be easily identified. It sounds overkill, but the nature of the system demanded it. I spoke at length with the ICO about this and submitted a plan to use the data and justifying its use.

Training. NO. Never. Ever. 15,000 is not a large database in the big scheme of things so I suggest that data be generated for testing.  You may think that all is well for a while, but it only needs one person to make another copy of the database and use it externally for it all to go wrong.

I remember a company several years ago where this happened. A sales guy copied a database and used the information in a presentation to potential customers. Sod's law came into play and the information that sprang up was that of a person in the audience. Can't remember the finer details....


Simon.

Simon Howarth MBCS CITP
www.informationedge.co.uk




-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Mike Gater
Sent: 28 June 2012 14:22
To: [log in to unmask]
Subject: [data-protection] Use of Live (personal) data used within training database

Dear all,

Our organisation is about to migrate multiple HR systems (Payroll, People data, leave / sickness absence and security screening data) into one "single" system. ~15,000 employee details.

A copy database has been created for future tech support (testing environment) and it has been proposed that a further copy is created and subsequently used for system administrator training. The issue I have is that both of these instances will have "Live" data (at the time of migration) but will not be maintained. As you can imagine some of this data will be rather sensitive, but I take comfort that the trainee would only have access to see the same data that they would see within the Production system. That said, if an individual was to move around within the organisation, it is possible the administrator will still be able to see data about that individual (albeit old data), when in production they would no longer have the access/privilege to do so.

As you can see, for every comfort or justification, I find a worry or issue..... Am I over cooking this, or are there more serious implications than I have thought of (I have not listed all my concerns above)? Has anyone had any experience of this scenario?

Any advice / comments would be greatly received.

Kind Regards
Mike
Records & Information Management


"The information contained in this email may be commercially sensitive and/or legally privileged. It is intended solely for the person(s) to whom it is addressed. If you are not a named recipient, you are on notice of its status. Please notify the sender immediately by reply e-mail and then delete this message from your system. You must not disclose it to any other person, copy or distribute it or use it for any purpose.  

Views expressed in this email are not necessarily those of Sellafield Ltd.

Sellafield Ltd, a company owned by Nuclear Management Partners Ltd, is registered in England and Wales, Company number 1002607. The registered office is situated at Booths Park, Chelford Road, Knutsford, Cheshire WA16 8QZ."

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


Buckinghamshire County Council
Visit our Web Site : http://www.buckscc.gov.uk
Buckinghamshire County Council Email Disclaimer

This Email, and any attachments, may contain Protected or Restricted information and is intended solely for the individual to whom it is addressed.  It may contain sensitive or protectively marked material and should be handled accordingly.  If this Email has been misdirected, please notify the author or [log in to unmask] immediately.  If you are not the intended recipient you must not disclose, distribute, copy, print or rely on any of the information contained in it or attached, and all copies must be deleted immediately.  Whilst we take reasonable steps to try to identify any software viruses, any attachments to this Email may nevertheless contain viruses which our anti-virus software has failed to identify.  You should therefore carry out your own anti-virus checks before opening any documents.  

Buckinghamshire County Council will not accept any liability for damage caused by computer viruses emanating from any attachment or other document supplied with this email. 

All GCSx traffic may be subject to recording and / or monitoring in accordance with relevant legislation.

The views expressed in this email are not necessarily those of Buckinghamshire County Council unless explicitly stated.

This footnote also confirms that this email has been swept for content and for the presence of computer viruses.

