
BSI BIP 0002:2009


DOCUMENT INFORMATION

Basic information

Title: Data Protection: Guidelines For The Use Of Personal Data In System Testing
Authors: Louise Wiseman, Jenny Gordon
Institution: British Standards Institution
Subject: Data Protection
Type: Guidelines
Year of publication: 2009
City: London
Format:
Pages: 64
Size: 1.14 MB


Contents


Data Protection: Guidelines for the use of personal data in system testing

Louise Wiseman

Jenny Gordon

Published by

BSI

389 Chiswick High Road

London W4 4AL

© British Standards Institution 2009

All rights reserved. Except as permitted under the Copyright, Designs and Patents Act 1988, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior permission in writing from the publisher.

Whilst every care has been taken in developing and compiling this publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.

The right of Louise Wiseman and Jenny Gordon to be identified as the authors of this Work has been asserted by them in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

Typeset in Frutiger by Monolith – http://www.monolith.uk.com

Printed in Great Britain by Berforts Group www.berforts.com

British Library Cataloguing in Publication Data

A catalogue record for this book is available from the British Library

ISBN 9 8 0 5 0 6 437 3

Foreword v

National identifiers 18

Principle 5 – Retention and disposal 21

Principle 6 – Rights of individuals

Appendix 1 – Factors to consider in approaching a testing strategy 39

Since the publication of the first edition of these guidelines, business practice and technology have continued on a path of rapid change and expansion. Developments in IT have made complex types of data processing possible in response to changing business need. More personal data than ever is being captured and used on a daily basis across a wide range of industries, for a variety of purposes, and in geographical locations all over the world.

Increased use of data has increased the risk of that data being lost, damaged, destroyed or corrupted and the reality of this has been clearly seen in recent years. The UK alone has seen a number of very serious, large-scale and high-profile breaches of data security that have affected large numbers of individuals, as well as the reputations of the organizations responsible. Although these data security breaches may not have directly resulted from data being used in system testing, they have helped to bring data security and data protection issues to the forefront of the public agenda. Heightened public awareness coupled with increased vigilance on the part of regulators now means that organizations should take data protection seriously if they want to maintain customer confidence and competitive advantage.

Systems that process personal data must be secure. Most organizations put a lot of resources into buying and developing their systems and databases, yet give substantially less attention to vital system testing. These guidelines aim to show the importance of planning and devoting time and resources to any testing regime to ensure it is carried out in a safe, data protection-compliant way. By showing how to integrate testing into an organization's governance structure, these guidelines will help ensure data protection in system testing becomes second nature and is regarded as an essential part of an organization's activities rather than an afterthought that requires special effort. In so doing, these guidelines may help data controllers turn the need for greater control over personal data into an opportunity to drive improvements in the quality of testing and the strength of governance within their organization.

Personal data in the e-commerce environment

The growth of e-commerce has seen a rise in the use of personal data across an increasingly aggressive and geographically expanding marketplace. Personal data is easier to obtain than ever before and rapid developments in business technology constantly open up new, exciting and complex possibilities for the gathering and processing of that data.

With increased use, comes increased potential for misuse and thus the need for stronger controls and greater responsibility on the part of the data controller. Legislation and regulation have developed in tandem with e-commerce to increase the safeguards afforded to the privacy and freedoms of the individual and to control the use of personal data. The attendant increase in public awareness of data protection, in particular the rights it affords to the individual, means that data protection compliance is ever more vital to the continued success of business today.

Most companies across all business sectors, regardless of their size or turnover, have systems that process some personal data; this raises many issues around security and data protection. Even in the more traditional business environment it is increasingly hard to avoid the use of automated processing, and the simplest of small-scale computer systems must operate in line with the DPA in just the same way as larger, more sophisticated operations.

The Data Protection Act 1998 [1]

The Data Protection Act 1998 (DPA) gives effect in the UK to EC Directive 95/46/EC which came into being with the aim of harmonizing data protection legislation throughout the European Community. The DPA applies to 'personal data' which is data [2] about identified or identifiable living individuals. A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is, or is to be, processed is known as a 'data controller'. [3] The identified or identifiable individual who is the subject of the personal data is the 'data subject'. They need not be a UK resident or a UK citizen. They could be anyone who is anywhere in the world. Any person other than an employee of the data controller who processes data on behalf of the data controller is a 'data processor'.

The strength of the DPA lies in placing contractual obligations on data controllers, giving rights to data subjects and empowering an independent commissioner, the Information Commissioner, to oversee compliance with the law.

[1] The full text is available online at http://www.legislation.hmso.gov.uk/acts/acts1998/19980029.htm

[2] For a full definition of 'data' and guidance as to whether any particular item falls within that category, refer to BS 10012:2009, Data protection: Specification for a personal information management system.

[3] Definitions taken from BS 10012:2009, Data protection: Specification for a personal information management system.

Processing under the DPA

The DPA refers to the 'processing' of personal data. 'Processing' includes almost anything that can be done with data, from obtaining it through to destroying it and includes everything that comes in between. This includes activities such as recording, storing, retrieving, consulting or using, disclosing, sharing, blocking, erasing and transporting the data as well as altering it in any way.

The Principles: Key obligations

Under the DPA, data controllers must:

• abide by the eight data protection principles; and

• unless exempt, notify the Information Commissioner of their data processing.

The eight data protection principles that lie at the heart of the DPA say that data must be:

• fairly and lawfully processed;

• processed for limited purposes;

• adequate, relevant and not excessive;

• accurate;

• not kept longer than necessary;

• processed in accordance with the individual's rights;

• secure;

• not transferred to countries without adequate protection.

Personal data and sensitive personal data [4]

Personal data is defined by the DPA as data that relates to a living individual who is identified or identifiable from that data or from that data and other information that is in the possession of, or likely to come into the possession of, the data controller. In addition to personal data, the DPA creates a category of 'sensitive personal data' which requires additional protection and may only be processed in very limited circumstances. Sensitive personal data is defined in section 2 of the DPA as:

• the racial or ethnic origin of the data subject;

• their political opinions;

• their religious beliefs or other beliefs of a similar nature;

• whether they are a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);

• their physical or mental health or condition;

• their sexual life;

• the commission or alleged commission by them of any offence; or

• any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings and the sentence of the court in such proceedings.

[4] Definitions taken from BS 10012:2009, Data protection: Specification for a personal information management system.

Schedule 2 of the DPA sets out six conditions for processing personal data, and all processing must satisfy at least one of these criteria. In addition to one of the conditions in Schedule 2, any processing of sensitive personal data must meet one of several specific conditions set out in Schedule 3 of the DPA.

Conditions for processing (Schedule 2 and Schedule 3)

As well as being fair and lawful, when processing any personal data the data controller must be able to satisfy at least one of the following six conditions as set out in Schedule 2 of the DPA:

• The processing takes place with the consent of the data subject.

• The processing is in the context of a contract or pre-contractual negotiations with the data subject.

• The processing is necessary for the data controller to comply with a legal obligation.

• The processing is necessary to protect the vital interests of the data subject.

• The processing is necessary for the administration of justice, the exercise of a function under an enactment, the exercise of a function of the Crown, a minister of the Crown or a government department or the exercise of a public function in the public interest.

• The processing is necessary for the purpose of legitimate interests pursued by the data controller or a third party to whom the data is disclosed, except where the processing is unwarranted because it would prejudice the rights and freedoms of the data subject.

Where the data to be processed falls into the category of 'sensitive personal data' the data controller must also fulfil one of the following criteria as laid out in Schedule 3:

• The processing takes place with the explicit consent of the data subject.

• The processing is necessary for performing any right or obligation imposed by employment law.

• The processing is necessary to protect the vital interests of the data subject or another person and consent cannot be given or cannot reasonably be sought.

• The processing is carried out in the course of the legitimate activities of a non-profit making organization which:

– exists for political, philosophical, religious or trade union purposes;

– processes personal data in a way that safeguards the rights and freedoms of data subjects;

– does not disclose personal data to third parties without the data subject's consent.

• The information has deliberately been made public by the data subject.

• Subject to any additional conditions set by the Secretary of State (none at the present), the processing is necessary:

– for the purpose of, or in connection with, legal proceedings;

– for the purpose of obtaining legal advice; or

– for the purposes of establishing, exercising or defending legal rights.

• The processing is necessary for:

– the administration of justice;

– the exercise of a function under enactment;

– the exercise of a function of the Crown, a minister of the Crown or a government department.

• The processing is necessary for medical purposes, processed by a health professional or someone who, in the circumstances, owes a duty of confidence equivalent to that which would be owed if they were a health professional.

• Subject to any additional conditions set by the Secretary of State, the processing relates to racial or ethnic origin and is to identify or review equal opportunities policies in order to promote or maintain such opportunities and the processing is carried out with appropriate safeguards for the rights and freedoms of data subjects.

The Information Commissioner [5]

The DPA created a public official known as the Information Commissioner. The Information Commissioner's duties are to:

• interpret and enforce the data protection principles;

• maintain a register of data controllers;

• prosecute offenders;

• promote good practice on matters of data protection.

The Information Commissioner's Office (ICO) offers a telephone helpline for queries from data controllers and the public. The UK Information Commissioner also enforces the Freedom of Information Act although there is a separate Information Commissioner for Scotland who is responsible for the Freedom of Information Act (Scotland) but not for data protection legislation.

Notification

In order to process personal data, all data controllers must be properly registered with the Information Commissioner, except where they are able to claim a valid exemption. The process of registering with the Information Commissioner is known as 'notification' and requires the data controller to provide certain details about the processing they intend to undertake. The Information Commissioner maintains a public register of these details.

Notification must be renewed each year and updated with any change in processing. The DPA introduces a number of specific criminal offences related to notification including failure to notify, failure to keep a notification up to date and processing contrary to notification.

Fair collection of data: The privacy notice

Fairness to data subjects lies at the heart of the DPA. In order for processing to be fair, the data controller must, subject to limited exemptions, provide the individual with certain information when collecting personal data. This should be provided by means of a privacy notice (commonly known as a 'fair processing notice' or 'fair collection notice') detailing the intended uses of the data. This notice must be very carefully drafted as future processing will be limited by its content.

[5] See the Information Commissioner's website, http://www.ico.gov.uk, for guidance on implementation of the DPA.

As a minimum, the privacy notice must state the identity of the data controller, the purposes for which the data controller will process data and any other information necessary in the circumstances to make the processing fair. This means any unexpected or unusual uses of the data must be clearly stated. In deciding what to include in the notice, the data controller should consider the possible consequences of the processing for the data subject. The notice should be expressed in terms that data subjects are likely to understand and it should be displayed with sufficient prominence: it must not be hidden away in 'the small print'.

The ICO's Privacy Notices Code of Practice [6] emphasizes the importance of clarity and simplicity in the drafting of privacy notices and stresses that they should be used to inform individuals and not simply as a means of protecting the organization from liability. Technical jargon should be avoided and the notice should be worded in clear, simple language that people can easily understand.

The Privacy Notices Code of Practice stresses that organizations must not mislead the public or offer choices they cannot understand or that will not be honoured, and that any unusual or unexpected uses of data should be clearly explained. On the other hand, it states that there is no need for an organization to go to great lengths to explain a purpose that is obvious to everyone.

The Privacy Notices Code of Practice recommends a 'layered' approach to the drafting of privacy notices, whereby the vital 'headlines' are positioned up front where they are obvious to the data subject, while other less important detail is placed elsewhere. Data subjects can then easily pick out the information they need to understand how their personal data is to be used, without being distracted by excessive detail.

Although it does not mandate any particular wording, the guidance in the Privacy Notices Code of Practice is clear and easy to apply. The ICO will use it to inform their approach to enforcement where they receive a complaint that personal information has been collected unfairly.

Rights of individuals

Just as the data controller has responsibilities under the DPA, so the data subject has rights. These are summarized below:

• Subject access: the right to have a copy of any data being processed that relates to the data subject.

• The right to prevent processing of the data subject's personal data in circumstances where it is likely to cause unwarranted substantial damage or distress.

• The right to prevent processing of the data subject's personal data for the purpose of direct marketing.

• The right, in certain circumstances, to require that no decision that significantly affects the data subject is solely based on automated processing.

• The right to compensation: in some circumstances the data subject may be entitled to redress from the data controller for damage or distress caused by a contravention of the DPA.

• Rights to rectification, blocking, erasure or destruction of personal data under certain circumstances.

[6] Available from the ICO website: www.ico.gov.uk

The importance of system testing

All automated systems and processes require thorough testing to maximize their benefits while minimizing the potential for damage to, or loss or destruction of, personal data. It is vital to ensure that all systems are robust and secure. From the point of view of the data subject, security of personal data is paramount and many would expect, and indeed assume, that every possible means of protection for that data is employed – including full system testing. From the organization's point of view, any failure to protect personal data carries a potential financial cost by way of compensation and fines and a less tangible but often more serious cost in terms of lost consumer confidence and bad press.

System testing is the most reliable way of assessing the true security and robustness of a system and the data it processes, and it should therefore be a matter that affects any organization that processes personal data electronically. It is a key factor in achieving compliance with Principle 7 of the DPA as well as supporting compliance with the other seven principles of the DPA by helping to identify any areas of concern at an early stage in development.

This presents organizations with a dilemma. On the one hand, the quality of test data used will directly affect the reliability of the system testing carried out and therefore the effectiveness of the system or process being tested. On the other hand, the use of live personal data raises issues of security and data protection compliance. Squaring these two seemingly opposed issues can often seem an insurmountable problem.

Types of system testing

System testing may take one of the following forms:

• 'Dummy' data in a test environment;

• 'Dummy' data in a live environment;

• Scrambled or anonymized data in a test environment;

• Scrambled or anonymized data in a live environment;

• Live data in a test environment;

• Live data in a live environment.

The type of system testing that is performed will depend on the function of the system or process being tested. Where it is possible to carry out system testing using fictitious information or real data that has been scrambled or anonymized, this will always be the safest course of action. Either of these options poses little threat to the integrity of live personal data provided precautions are taken to ensure the test data remains separate from any live data so the two cannot accidentally become merged. Wherever possible, then, the use of fictitious, scrambled or anonymized information should be the first preference in any system testing regime.

This type of testing, however, is not always sufficient for effective and thorough system testing. There will be situations in which it is essential to use live personal data either in a test environment or a live environment (both situations are covered by the term 'live testing' throughout this document). These guidelines seek to examine the issues around live testing, rather than testing which uses fictitious, scrambled or anonymized data.
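The guidelines put scrambled or anonymized data ahead of live data and ask that test data be kept apart from live data so the two cannot be merged. The following Python is an added example, not code from the BSI guide, showing one way to derive a test dataset from live-shaped records: identifiers become keyed pseudonyms (so joins between tables still work, but the token cannot be reversed without the key), contact details are replaced with non-deliverable values, the postcode keeps its shape so format validation is still exercised, and every row carries an explicit test marker that a loader can check before anything reaches a live table. The record layout, the field names, the `PSEUDONYM_KEY` value and the sample records are all constructed for the example.

```python
import hashlib
import hmac
import random

# Constructed sample of live-shaped records (fictitious people, not real data).
LIVE_RECORDS = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@realmail.test",
     "postcode": "SW1A 1AA", "phone": "+44 20 7946 0011", "balance": 125.50},
    {"customer_id": "C-1002", "name": "Bob Sample", "email": "bob@realmail.test",
     "postcode": "M1 1AE", "phone": "+44 161 496 0022", "balance": -40.00},
]

# Hypothetical per-run secret; in practice held by the test tooling, not in source.
PSEUDONYM_KEY = b"rotate-me-per-test-run"


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY, length: int = 10) -> str:
    """Keyed, deterministic pseudonym: the same input maps to the same token
    under one key, so relationships survive, but it cannot be reversed."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length].upper()


def scramble_postcode(postcode: str, rng: random.Random) -> str:
    """Replace every character but keep letters as letters, digits as digits
    and spaces in place, so the value still looks like a UK postcode."""
    out = []
    for ch in postcode:
        if ch.isdigit():
            out.append(str(rng.randrange(10)))
        elif ch.isalpha():
            out.append(rng.choice("ABCDEFGHJKLMNPRSTUWYZ"))
        else:
            out.append(ch)
    return "".join(out)


def anonymize_record(rec: dict, rng: random.Random) -> dict:
    token = pseudonym(rec["customer_id"])
    return {
        "customer_id": f"T-{token}",
        "name": f"Test Customer {token[:4]}",
        # example.com is reserved (RFC 2606): nothing sent there can reach a person.
        "email": f"{token.lower()}@example.com",
        "postcode": scramble_postcode(rec["postcode"], rng),
        # Dropped outright: a letter-generation test has no need for it.
        "phone": None,
        # Non-identifying business values are kept so behaviour stays realistic.
        "balance": rec["balance"],
        # Explicit marker so a test row can be recognised and rejected if it
        # ever strays into a live table (hypothetical field name).
        "is_test_data": True,
    }


def check_safe_for_test(rec: dict, live_ids: set) -> list:
    """Reasons a record is NOT safe to load into a test environment;
    an empty list means it passed every check."""
    problems = []
    if not rec.get("is_test_data"):
        problems.append("missing is_test_data marker")
    if rec["customer_id"] in live_ids:
        problems.append("live customer_id survived")
    if not rec["email"].endswith("@example.com"):
        problems.append("deliverable e-mail address")
    if rec.get("phone"):
        problems.append("phone number present")
    return problems


def build_test_dataset(live: list, seed: int = 0) -> list:
    """Anonymize every live record and refuse to emit any row that fails the
    safety check, so a broken transformation stops the load rather than
    silently leaking live identifiers into the test environment."""
    rng = random.Random(seed)
    live_ids = {r["customer_id"] for r in live}
    live_emails = {r["email"] for r in live}
    out = []
    for rec in live:
        anon = anonymize_record(rec, rng)
        if anon["email"] in live_emails:
            raise ValueError("anonymized e-mail collides with a live address")
        problems = check_safe_for_test(anon, live_ids)
        if problems:
            raise ValueError(f"{rec['customer_id']}: {', '.join(problems)}")
        out.append(anon)
    return out


if __name__ == "__main__":
    for row in build_test_dataset(LIVE_RECORDS):
        print(row)
```

The key point for the separation requirement is the marker plus the check: the same `check_safe_for_test` function can be run by the loader of the test environment and, inverted, by the loader of the live environment (reject anything with `is_test_data` set or a `T-` identifier), which is what stops the two datasets from being merged by accident.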

The flowchart in Appendix 1 gives a very high-level view of the process of determining which testing strategy is applicable in a particular situation, and the key factors to consider.

Reasons for undertaking live testing

These include the reasons given below:

• The particular type of data to be processed or the function of the system may require the use of live data in order to adequately test out its capabilities.

• Test environments may not be as fully built as live environments so certain components of a system may only be adequately tested in a live environment.

• It may not be possible to replicate a particularly specialized process within the test environment due to limitations on the process itself or the data it requires.

• Test environments may not be sized in proportion to the size of live databases, therefore live testing may be necessary to assess the scalability of a system.

• There may be configuration changes to the live environment that cannot be tested in any other way due to the limitations of the test environment.

• Project conflicts may mean that a test environment is only able to support accurate load testing for one project at a time, thus it may become essential to use a live environment. Planning a testing schedule well ahead and ensuring it is part of the organization's software development life cycle or project life cycle will avoid such conflicts and help to make live testing less of a necessity.

• Practical reasons: time, tester resource and cost.

The Information Commissioner's view

The ICO advises that the use of personal data for system testing should be avoided. Where there is no practical alternative to using live data for this purpose, systems administrators should develop alternative methods of system testing. Should the Information Commissioner receive a complaint about the use of personal data for system testing, their first question to the data controller would be to ask why no alternative to the use of live data had been found.

Key risks in system testing

There are a number of general risks that exist whenever system testing is undertaken using live data and/or a live environment. These are:

• unauthorized access to data;

• unauthorized disclosure of data;

• intentional corruption of data;

• unintentional corruption of data;

• compromise of source system data;

• loss of data;

• inadequacy of data;

• objections from customers.

Any of the above risks can also lead to financial loss to the data controller and/or the data subject, and to reputational damage to the organization concerned. There will of course also be sector-specific risks faced by each individual business, each type of business and each system.

Before commencing any system testing, it is advisable for the data controller to undertake a Privacy Impact Assessment (PIA). This process, which is strongly endorsed by the ICO, [7] helps an organization assess privacy risks in order to bring about potential solutions. It can be a very useful management tool if carried out at an early stage in a project. Although designed to aid compliance with the whole range of privacy legislation, including the DPA, the PIA is not specifically focused on the DPA itself. Depending on the scale of the testing, or of the overall project (where the testing is undertaken as part of a wider project), an organization may find it useful to supplement its PIA with a risk assessment specific to data protection risk and limited to the data that is to be used in testing. Examples of how this might be done in a way that enables identification of data protection risks, their possible impact and planned handling strategies, are given in Appendix 2 (Risk Analysis Table) and Appendix 3 (Net and Gross Risk). Blank versions of both forms are given in Appendix 7.

There is no statutory requirement to undertake a PIA, but central government departments are now required by the Cabinet Office to do so.

A cautionary tale

The view is sometimes expressed that system testing poses no real data protection problem as it takes place all the time with little apparent detriment to individuals. The following case study, which is based on a true complaint received by the ICO, shows that the use of live data to test systems can indeed cause very real problems for individuals.

A pupil was away from home at boarding school. The pupil's parents received a letter from the local hospital informing them that their daughter had been involved in a road accident. In fact, there had been no accident, but the hospital had been using live patient data to test a system for sending out letters to patients.

It is sometimes hard to see in practical terms that system testing can have effects that are detrimental to an organization. A further example, again based on a true situation, illustrates the potential for real financial damage to an organization.

A credit card provider carried out testing of a new process within its customer application procedure using a small amount of live customer data. Several days later, a customer notified the organization that they had received 17 credit cards in their name, each with a substantial credit limit, even though they had not applied for a card.

[7] Refer to the ICO website, www.ico.gov.uk, for further guidance and the PIA handbook.
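Both cautionary tales share one failure: a test run reached the real-world output of the system (letters posted, cards issued) for people whose records were live. The following Python is an added example, not code from the BSI guide, of an outbound gateway that sits between business logic and such side effects. Outside the live environment it refuses any action whose target is not a marked test record, and in every environment it refuses to repeat an identical action, which is the pattern that would have turned 17 issued cards into one. The `Action` shape, the `T-` prefix convention for test identifiers, the environment names and the sample batch are all constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical convention: identifiers of anonymized or synthetic test records
# carry this prefix; live identifiers never do.
TEST_ID_PREFIX = "T-"


class SideEffectBlocked(Exception):
    """Raised when an action would reach a real person from a non-live run,
    or would repeat an action that has already been performed."""


@dataclass(frozen=True)
class Action:
    kind: str          # e.g. "post_letter", "issue_card"
    recipient_id: str  # the customer or patient the action targets
    detail: str        # what would be sent or issued


@dataclass
class OutboundGateway:
    environment: str   # "live" or "test"
    delivered: list = field(default_factory=list)
    blocked: list = field(default_factory=list)
    seen: set = field(default_factory=set)

    def perform(self, action: Action) -> bool:
        # Guard 1: a non-live run may only act on records marked as test data.
        if self.environment != "live" and not action.recipient_id.startswith(TEST_ID_PREFIX):
            self.blocked.append(action)
            raise SideEffectBlocked(
                f"{action.kind} to {action.recipient_id} blocked in {self.environment} environment")
        # Guard 2: an identical action is never performed twice, in any environment.
        key = (action.kind, action.recipient_id, action.detail)
        if key in self.seen:
            self.blocked.append(action)
            raise SideEffectBlocked(f"duplicate {action.kind} for {action.recipient_id}")
        self.seen.add(key)
        # In live this is where the letter would go to print or the card be issued.
        self.delivered.append(action)
        return True


def run_batch(gateway: OutboundGateway, actions: list) -> dict:
    """Process a batch through the gateway and report what was delivered
    and what was stopped; blocked actions stay inspectable in gateway.blocked."""
    counts = {"delivered": 0, "blocked": 0}
    for action in actions:
        try:
            gateway.perform(action)
            counts["delivered"] += 1
        except SideEffectBlocked:
            counts["blocked"] += 1
    return counts


# Constructed batch: a live-looking patient record (as in the hospital case),
# a record from an anonymized test set, and a live-looking card application.
SAMPLE_ACTIONS = [
    Action("post_letter", "P-20441", "Appointment following road traffic accident"),
    Action("post_letter", "T-3F9A2C", "Appointment following road traffic accident"),
    Action("issue_card", "C-1002", "Credit limit 5000"),
]


if __name__ == "__main__":
    gw = OutboundGateway(environment="test")
    print(run_batch(gw, SAMPLE_ACTIONS))
    for a in gw.blocked:
        print("blocked:", a)
```

Because blocked actions are retained rather than discarded, a test can still assert on what the system tried to do (the letter text, the credit limit) without anything leaving the building; the duplicate guard is deliberately independent of the environment so that a re-run of a live batch cannot issue the same card again.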

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –

a) at least one of the conditions in Schedule 2 is met, and

b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. [8]

System testing – Purpose or subsidiary function?

System testing clearly falls within the DPA definition of 'processing'. In order to assess compliance with the requirements of the DPA, the data controller must first decide whether system testing is the actual objective of the processing or simply one function of a wider objective. On the whole, system testing will not itself be a 'specified purpose' in terms of the DPA but will rather support the purposes of processing. For example, where the specified purpose is administration of customer accounts, it will be supported by a number of subsidiary functions, one of which will be system testing.

Where this is the case, it is the larger, overall purpose itself that must satisfy the fairness and lawfulness criteria demanded by Principle 1. It is not necessary to justify individually each subsidiary element of that purpose by reference to those criteria or to Schedule 2 and Schedule 3. If the necessary Schedule 2 and/or Schedule 3 conditions are met for the larger purpose, they will usually cover all the constituent elements of that purpose.

There will be situations where system testing is the purpose of processing. For example an organization that designs and develops IT systems is likely to undertake a significant amount of system testing on a sufficiently regular basis to render system testing one of its primary purposes. Assuming personal data is used for the testing, the organization's notification to the ICO would need to state system testing as one of its purposes. That system testing would then need to meet the criteria for processing laid down in Principle 1.

Data controllers should bear in mind that the totality of their processing must satisfy Principle 1. Any unfair element in the system testing process, or indeed in any other process, will mean that Principle 1 is breached regardless of whether the overall purpose is essentially fair.

Interpreting fairness

Schedule 1, Part 2 of the DPA provides guidance on interpreting Principle 1 and states the need to consider the way in which personal data is obtained. In particular there is a need to consider whether the person from whom it is obtained has been deceived or misled about the reasons for processing the data.

[8] Data Protection Act 1998, Schedule 1, Part 1.

Trang 20

T he data controler must consid r w heth r suffcie tly d tai e information about those reasons

has b e pr ov id d to the data su ject If sy stem testin constitutes a major use of th data su ject’s

data an th y hav e be n told lt le or nothin of this, th proces in c nnot b consid red to b

fair W here th data subject has giv en conse t to pr oces in , it is u lk ly that th ir conse t is ful y

informe (and freely giv en) u les sy stem testin has b e specif d as a purpose an ex plain d to

th m or u les th data su ject c n b reasonably ex pecte to anticipate that sy stem testin w il b

c r ie out In makin this as es me t of fairn s , th data controler n e s to consider th lk ly

perception of the data subject, particularly where processing is legitimized by consent. This may depend on the cross-section of data subjects whose data is being used. A customer base made up of IT professionals is likely to be more aware of the routine nature of system testing than an average cross-section of the general public. Society is changing, however. Children grow up using IT in the classroom and at home and the majority of people are accustomed to using computers at work, at home and even on the move. Arguably, then, the average adult today is reasonably aware of computer technology and the ways in which it is used.

Where data subjects are unlikely to anticipate that their data may be used in system testing, it may be necessary – or at least prudent – to inform them. Although data subjects do not need to be notified of each and every element of the processing performed on their personal data, they must be notified of any unusual purposes. The ICO's guidance is that in assessing fairness the paramount consideration must be the consequences of the processing to the interests of the data subject.

It is certainly in the interests of data subjects that their data should be processed on systems that are robust and secure. Since system testing is an inevitable prerequisite for this, it is unlikely to be contrary to the interests of the data subject.

Earlier guidance provided under the previous Data Protection Act of 1984, as applied in the Innovations Mail Order case of September 1993, also states that 'personal information will not be fairly obtained unless the individual has been informed of the non-obvious purpose or purposes of the processing'.

In deciding whether system testing is a 'non-obvious' use of data, it is important to look at the context in which it takes place and the purposes which have been notified by the organization. Again, it may also depend on the likely perception of the data subject. There is nothing to be gained by informing the data subject of a purpose that should be obvious to him in the context in which he provides his personal data. For example, an online retailer need not inform customers that their name and address will be used for the purpose of processing and despatching their order, since that is clearly an obvious purpose.

Non-obvious purposes: Data from the Electoral Register

In certain sectors, companies may draw data from the electoral register for use in testing. Although the data contained in the electoral register is published information in the public domain, this may count as a non-obvious use of data if the data subject would not be likely to expect it.


Since the introduction of the Representation of the People (Amendment) Regulations 2002, there have been two versions of the electoral register, a full version and an edited version. Everyone who provides their details in the electoral canvass is included in the full register, which is available only for certain statutory purposes and to credit reference agencies. The electoral canvass offers individuals the choice of opting out of appearing on the edited register, which is available for general sale and is often supplied to marketing organizations. System testing using data from the full electoral register will be acceptable only in extreme and very limited circumstances and when it occurs it must be in support of a purpose that is 'legitimate' under the Representation of the People (Amendment) Regulations 2002, such as credit referencing or the prevention of money laundering. If testing is in support of a marketing-related purpose, it must use only data obtained from the 'edited' register list. Even then, the data controller must give careful consideration to whether that testing is likely to be 'obvious' or 'non-obvious' to the data subject.

Alternative test groups

One possible way around the issues of awareness, consent and fairness in testing is to consider using the data of a finite group of customers, with their consent. While this may be practical where testing is occasional or for a special one-off set of tests, it may not be a suitable approach for ongoing, regular testing. Note that if these individuals are to be asked to consent they must still be provided with sufficient information to enable their consent to be fully informed and freely given. They must also be able to withdraw their consent at any time.

Another alternative is to use data relating to members of the organization's own staff, with their fully informed consent. Staff must not be pressurized, either explicitly or implicitly, into giving consent. The idea of consent in the employer–worker relationship is a difficult one, with duress considered by many to be unavoidable. Any organization planning to use data relating to its workers should therefore take extra care to ensure fairness at every step in the process.

Workers, and carefully selected groups of consenting customers, are data subjects like any other and retain the same rights and protections under the DPA. Any processing using their data must still adhere to all the principles and provisions of the DPA.

Other privacy-related obligations

In addition to the DPA, there may be other guidelines or codes of practice specific to particular sectors or industries, such as the NHS Code of Practice on Confidentiality. It is important that any use of personal data in system testing takes account of all appropriate rules and guidance to ensure fairness and lawfulness in the context in which it takes place.


Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. [9]

Where system testing is deemed a purpose in itself, it must be included in the organization's notification to the ICO, but in the more usual situation where it is just one aspect of an organization's processing, the ICO generally takes the view that it is a subsidiary purpose and therefore need not be included in the notification or brought to the attention of the data subject. Indeed, to include one sub-function of processing in a notification may raise the question of why all other sub-functions have been omitted.

Even where system testing is not an organization's main purpose for processing personal data, if it is carried out regularly or on a large scale, the organization may choose to include it in notification as a matter of good practice. If it is notified to the ICO, consistency and fairness require that it must also be notified to customers, which means it should then be included in the organization's privacy notice.

The notification process requires the data controller to make a brief security statement, indicating whether suitable measures have been taken to ensure the security of personal data. Compliance with Principle 7 in system testing, and the ability to provide evidence of that compliance, becomes ever more important where the testing has been included in the ICO notification. The company may be asked to produce documented evidence of compliance with its stated security measures. Any organization unable to do so instantly appears, whether correctly or incorrectly, to be in breach of Principle 7 and is also processing data contrary to its notification.

Lawfulness

Regard must also be had to the lawfulness of processing, not only of the specified purposes of processing but of the methods employed in sub-functions such as testing. In general, as long as the overall purpose is lawful so will be the subsidiary elements; however, the testing itself must still comply with all applicable legislation, regulation and codes of practice.

Data controllers must remember that their obligations in respect of fairness and purposes do not necessarily end when data is passed to an external body. The data controller remains responsible for any processing carried out on its behalf by a data processor and must therefore ensure that the data will only be processed in ways compatible with its own stated purposes. This should be stipulated in the contractual agreements governing the relationship between the data controller and data processor, and reinforced by appropriate auditing or checking throughout the business relationship.

[9] Data Protection Act 1998, Schedule 1, Part 1

Where the data is passed to a third party that will act as a data controller, it is still important to ensure that the first data controller's stated purposes allow it to pass data across to that party for the purposes it will undertake. If the data is to be passed over to an organization that will use it for system testing, the original data controller must notify the ICO and its customers accordingly, as this will not normally have been obvious to them when initially giving their personal data.


Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. [10]

As well as supporting compliance with Principle 3 by helping to ensure that the data processed in systems is adequate, relevant and not excessive, testing must in itself abide by Principle 3. This means that the data used in testing must itself be adequate, relevant and not excessive. Even where it is not a specified purpose of the processing, it is useful to treat testing in progress as a purpose in itself, against which the Principle 3 criteria can then be assessed.

All data used in testing must be strictly relevant to the purpose of testing. In deciding relevance in any context it is a good discipline to encourage the identification and justification of every individual data item to be held or used in a system; this is especially useful when carried out with test data. Although data classification can be a lengthy exercise, it yields interesting and useful results. Individual data items should be listed and identified as non-personal, personal or sensitive personal. Once the data has been classified, reasons for inclusion in the testing should be provided. Where a reason for inclusion cannot be found, the data must not be used for that function. Example classification and justification tables are included in Appendix 4 and Appendix 5 respectively and blank copies are provided in Appendix 7.

This is a measure stipulated in BS 10012, which requires an organization, as part of its overall Personal Information Management System (PIMS), to maintain an inventory of the categories of personal information it processes and the purposes for which it uses them, as well as documenting where that personal information flows through its processes.

Where sensitive personal data is used in system testing, even greater care than usual must be taken to ensure its security and consideration given to the possible need for legitimization under Schedule 3 of the DPA. The same may be true of any data classified as confidential, where a duty or expectation of confidence operates, although Schedule 3 criteria will not be relevant.

Matching and cleansing data

Principle 3 criteria are particularly important where the testing is of a system or process that performs matching or cleansing of data. Adequacy of data is important, that is, it must be sufficient to avoid the risk of incorrect matching or cleansing, particularly where there is any likelihood at all that the test data may become combined with live data or where the testing is carried out in a live environment. No additional data should be used in testing apart from that which is strictly relevant. Where extra data is needed to replicate the volumes of a live environment, dummy data should be used and should be clearly identified as such, with steps taken to ensure it cannot become merged with live data.

[10] Data Protection Act 1998, Schedule 1, Part 1
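As an added illustration (not part of BIP 0002 and not the Appendix 4, 5 or 7 tables), the following Python checker applies the classification and justification exercise above to a test record and implements the marking of dummy data described under matching and cleansing, so that a leak of dummy records into a live extract can be detected. The inventory, field names, marker value and sample row are all constructed.

```python
# Added example, not from BIP 0002: a checker for the Principle 3
# classification/justification exercise and for keeping marked dummy
# records out of live data. Inventory, fields and rows are constructed.
from dataclasses import dataclass
from enum import Enum


class Classification(Enum):
    NON_PERSONAL = "non-personal"
    PERSONAL = "personal"
    SENSITIVE_PERSONAL = "sensitive personal"  # DPA Schedule 3 categories


@dataclass(frozen=True)
class DataItem:
    name: str
    classification: Classification
    justification: str = ""    # reason for inclusion in the test
    schedule3_basis: str = ""  # legitimization, sensitive personal data only


DUMMY_MARKER = "TEST-DUMMY"  # constructed sentinel stamped on every dummy record


def unjustified_items(inventory):
    """Items that must not be used in testing: no reason for inclusion, or
    sensitive personal data with no Schedule 3 basis recorded."""
    problems = {}
    for item in inventory:
        if not item.justification.strip():
            problems[item.name] = "no justification for inclusion"
        elif (item.classification is Classification.SENSITIVE_PERSONAL
              and not item.schedule3_basis.strip()):
            problems[item.name] = "sensitive personal data without Schedule 3 basis"
    return problems


def restrict_to_justified(record, inventory):
    """Keep only fields that are listed in the inventory and passed
    justification; anything undocumented is treated as excessive."""
    listed = {item.name for item in inventory}
    rejected = set(unjustified_items(inventory))
    return {k: v for k, v in record.items() if k in listed and k not in rejected}


def mark_dummy(record):
    """Stamp a fabricated volume-padding record so it is identifiable as dummy."""
    return {**record, "_origin": DUMMY_MARKER}


def dummy_leakage(live_records):
    """Positions of records in a live extract carrying the dummy marker;
    a non-empty result means test data has merged into live data."""
    return [i for i, r in enumerate(live_records) if r.get("_origin") == DUMMY_MARKER]


INVENTORY = [  # constructed: what a filled-in justification table might hold
    DataItem("customer_id", Classification.PERSONAL, "matching orders to customers"),
    DataItem("postcode", Classification.PERSONAL, "exercises despatch-area lookup"),
    DataItem("ni_number", Classification.PERSONAL),  # no reason for inclusion
    DataItem("health_note", Classification.SENSITIVE_PERSONAL, "exercises free-text field"),
]
```

Running `unjustified_items(INVENTORY)` reports the unjustified NI number and the sensitive item lacking a Schedule 3 basis, and `restrict_to_justified` strips both from a test row before it is loaded.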


National identifiers

Care must be exercised in the use of general identifiers, such as National Insurance or Pupil Identification numbers. The DPA allows the Secretary of State to place restrictions on processing by means of such identifiers. Their processing is prohibited except where it is permitted by order of the Secretary of State. For example, only the Inland Revenue and the Benefits Agency are permitted to use National Insurance numbers. Permitted bodies may clearly need to include identifiers in testing, but this should occur only where it is absolutely essential, is in support of a lawful and specified purpose and is secured by all possible safeguards.


Personal data shall be accurate and, where necessary, kept up to date. [11]

As with Principle 3, testing can be seen as supporting overall compliance with Principle 4 by helping to ensure systems process data that are accurate and up to date. This is particularly important in testing any system that matches, cleanses or in any way changes data.

On the other hand, it is essential that any system testing regime maintains an audit trail which highlights errors that occur during the testing process and allows them to be corrected promptly and fully. Checks should be carried out on the accuracy of the data being fed into a test system; and this is particularly important where there is any possibility of that data being merged with other data or fed back into source systems.

[11] Data Protection Act 1998, Schedule 1, Part 1


Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. [12]

The key to this principle is whether testing is deemed to be a specified purpose or simply a supporting function of a specified purpose of processing. Where it is a specified purpose, it will be essential to have mechanisms in place to ensure that test data is retained for no longer than is necessary for that purpose and to fulfil any legal, regulatory or business requirements. Test data must be included in data retention policies, with clear guidance on timescales, classification, storage and retrieval methods and secure destruction. Personal data which has been scrambled or anonymized and is no longer personally identifiable may, of course, be deleted immediately after testing because it is no longer 'personal data'. Personal data that is encrypted is still personal data and must continue to be handled in accordance with the DPA.

Where test data is retained after testing is complete and still constitutes personal data, it may need to be provided as part of the response to a subject access request and this needs to be considered when drawing up retention plans.

The following factors should also be considered when deciding suitable retention periods for test data:

• Method of storage, in terms of security, audit trail and accessibility

• Archiving capabilities and facilities

• Method and ease of retrieval

• Deletion criteria and method

• If it is possible that the data will need to be provided in response to a subject access request, it must be possible to do so in an intelligible format. This means it must be possible to reproduce it on paper, change code into language, explain terms and perhaps provide some form of data dictionary to aid interpretation.

• There may be circumstances where there is a legal or regulatory obligation to provide data to a third party, for example in response to a court order or police warrant, and specific requirements as to medium and timescale.

Retention arrangements may differ for various kinds of personal data depending on the way in which they have been classified: personal, sensitive personal, confidential, etc. and the level of security and access to be applied to each. The issue of retention can therefore usefully be addressed during the data justification exercise described earlier and carried out before the system testing takes place.

[12] Data Protection Act 1998, Schedule 1, Part 1


Personal data shall be processed in accordance with the rights of data subjects under this Act. [13]

The DPA gives data subjects a number of rights, including those listed below:

• To have access to a copy of the data

• To request that their data is blocked from certain kinds of processing

• To seek compensation where processing has caused or is likely to cause damage or distress

• To receive an explanation, and a manual review, of any fully automated processing

A request for subject access may require the organization to provide test data if it has been retained in the format of personal data and, where this is the case, it must be possible to provide it in intelligible format within 40 calendar days of receipt of the request.

In some circumstances an individual may be able to exercise the right to stop personal data being used for testing purposes. The DPA's section 14 provisions can be invoked where there is inaccuracy and/or actual or likely substantial damage and distress. Although both damage and distress are usually interpreted in a very narrow sense by the courts, it is conceivable that an error in system testing could lead to both. Prevention is, of course, better than cure, and any test system or testing regime must have the facility to correct errors promptly. Although not a legal requirement under the DPA, good practice requires that data controllers respect the wishes of any individual who objects to the use of their data in systems testing. It is, of course, unlikely that any objections will be received unless the data subject has been made aware of the testing, and this is unlikely where it is not a specified purpose.

Similarly, the data subject's rights in relation to automated decision taking should not apply in a secure system testing regime. These rights apply only where a decision significantly affects the data subject: careful, secure and correct testing should have no direct effect on the individual whose data is being used.

Where there is any likelihood of test data entering live systems, there is the possibility of loss, damage or corruption which may lead to claims of substantial damage and distress under section 10 of the DPA. This section allows the individual to require the data controller to cease processing personal data where that processing is causing, or is likely to cause, substantial damage or distress. If there is any likelihood of this or any other aspect of testing giving rise to section 10 claims, this should be identified before testing commences and an alternative method of testing found which does not involve using live data. Potential issues of this kind will be highlighted in a thorough risk assessment of the kind illustrated at Appendix 2.

[13] Data Protection Act 1998, Schedule 1, Part 1
