Out-Law News
07 Oct 2003, 12:00 am
Most companies, regardless of size or turnover, now process personal data via computers. Even in the more traditional business environment, it is hard to avoid the use of automated processing, and simple, small-scale computer systems must operate in line with the Data Protection Act 1998 in just the same way as the larger, more sophisticated operations do.
But many companies do not realise that using customer data while simply testing company processes requires the same degree of compliance as at any other time. As Jenny Gordon, the data protection manager for Egg Plc and co-author of the guidelines, said:
"Some believe that system testing poses no real data protection problem, as it takes place all the time with little apparent detriment to individuals."
But, she warned, "the use of 'live' data can cause very real problems."
She gave the example of a case dealt with by the Information Commissioner in which a pupil was away from home at boarding school. Her parents received a letter from the local hospital informing them that their daughter had been involved in a road accident. In fact, there had been no accident, but the hospital had been using live patient data to test a system for sending out letters to patients.
According to Gordon:
"There is a real risk that the malfunctioning of a system that holds records without individuals' permission will lead to a breach of data protection law."
The guidelines have been endorsed by the Information Commissioner and the Financial Services Authority.
The publication, "BIP0002: 2003 - Guidelines for the use of personal data in system testing", is available for purchase from the BSI for £75.