[Dataloss] Firms play Data Protection roulette

Saundra Kae Rubel privacylaws at sbcglobal.net
Sat Jul 8 23:10:08 EDT 2006


The UK Data Protection Law is just one of many different data protection
laws.  The UK was required to locally implement the EU Data Protection
Directive and did so with their passage of the UK Data Protection Act.

Saundra Kae Rubel, CIPP

From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org]
On Behalf Of Al Mac
Sent: Saturday, July 08, 2006 4:48 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] Firms play Data Protection roulette


Until this link, I had never heard of the Data Protection Act.

I have been employed as a computer professional for over 40 years.

Since I am a software developer for a privately owned manufacturer (not yet
subject to SOX and many well known other regulations, but we are under UL
ISO ROHS and some others), in which I vigorously test all my work using
subsets of the live data, where I had always thought the security issues
were who can access what data for what purposes, not whether it is in a live
or test condition, I went looking for the particulars of this law.

It is a British law, perhaps European.
http://en.wikipedia.org/wiki/Data_Protection_Act_1998

The Wikipedia article is a small beginning.
It does not communicate what constitutes private data under this law.
For example, some US law says e-mail addresses are included as private data.
There's a lot in US laws about parts of social security #s and bank account
numbers.
The Wikipedia article does not say anything about restricting testing of
software development.

Here is another explanation
I carefully read through this and saw nothing about any rules saying that we
cannot use live data when doing testing.
Of course this link might not be as official as the NetworkWorld article.
http://www.dataprotectionact.org/

I am in general agreement with the 8 principles, except there can be great
ambiguity about how long certain types of data ought to be kept.  If we get
audited by the taxing authorities, we had better have all the payroll data
on our people from several years ago, available for their access.  If a
question comes up about the safety of any product we have manufactured, we
had better have full records on where all the components came from and other
details, such as identities of people who inspected and certified product
perfection.  There is no statute of limitations on product safety in the
USA.  We have to store that kind of data to infinity.

Since some data must be stored for a long long time, there is an issue not
just of security to block inappropriate access, but also what kind of media
it should be stored on.  Today CDs or DVDs make sense, but some data was on
various shapes of diskettes when we first got that data, and magnetic media
is known to only hold the data reliably for like 10 years in climate
controlled conditions.  This varies with quality of diskette or tape
manufacturer, and some media is particularly prone to getting messed up so
we can't read it, like a tangled tape, or diskette out of registration with
the device that reads it.  Even then, I like to have more than one set of
backups.

There is a link in turn to
www.dca.gov.uk/foi/datprot.htm  and http://www.dca.gov.uk/ccpd/about.htm#4

My interpretation of this is that the act does not ban core business
activities, I consider the testing of software changes to be a core business
activity, and I see no place here where the act disagrees with me, although
I have not read all of the content here.

http://www.networkworld.com/news/2006/070506-firms-play-data-protection.html?nlhtsec=070306securityalert3

By Radhika Praveen, TechWorld, 07/05/06

Large numbers of companies are taking risks with data protection, because 
they are not aware of the requirements of the law.

Nearly half (44%) of companies use live data in test environments -- 
something the 1998 Data Protection Act warns against explicitly, according 
to a recent survey of IT directors by Compuware.

Half the directors (48%) were only 'vaguely familiar' with the Act itself, 
according to the research, which highlights the importance of 
understanding the demands and keeping track of how customer data is 
treated.

A further "83% used only minimal measures such as using non disclosure 
agreements (NDA) to control data when outsourcing," said Ian Clarke, world 
wide enterprise solutions director at Compuware.

NDAs are all very well, but companies find it difficult to communicate the 
complex legal terms to their employees or to outsourcing partners, said 
the survey report. "Unless they have rigorous procedures in place, they 
run the risk of live data being leaked to third parties. This can have 
severe repercussions on customer confidence and company reputation, and 
ultimately affect the bottom line," Clarke added.

An NDA doesn't mean a lot when an employee in an outsourcing company in 
India for example who earns $100-a-day can earn much more by selling 
confidential data, he said.

[...]

-
Al Macintyre
http://en.wikipedia.org/wiki/User:AlMac
http://www.ryze.com/go/Al9Mac
BPCS/400 Computer Janitor ... see
http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html
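As an added illustration, not part of this thread and not from any of its authors, the following Python sketch shows what the article's "live data in test environments" problem looks like in practice and how a test subset can be cut from live records without carrying the live identifiers along: constructed sample records, a keyed pseudonymization that keeps the customer/transaction link intact, and a check that none of the original identifiers survive. The record layout, the secret key and the reserved test domain are assumptions.

```python
import hashlib
import hmac

# Constructed sample "live" records (fictional people, not real data).
# Transactions reference customers by id, so masking must keep that link.
LIVE_CUSTOMERS = [
    {"id": 1001, "name": "Alice Example", "email": "alice@example.co.uk",
     "bank_account": "12345678", "ni_number": "QQ123456C"},
    {"id": 1002, "name": "Bob Sample", "email": "bob.sample@example.org",
     "bank_account": "87654321", "ni_number": "QQ654321A"},
]
LIVE_TRANSACTIONS = [
    {"txn": 1, "customer_id": 1001, "amount": 42.50},
    {"txn": 2, "customer_id": 1002, "amount": 9.99},
    {"txn": 3, "customer_id": 1001, "amount": 100.00},
]

def pseudonym(secret: bytes, value, length: int = 12) -> str:
    """Keyed, deterministic token: the same live value always maps to the same
    token (foreign keys still line up), but the live value cannot be recovered
    without the secret, which stays out of the test environment (assumption)."""
    return hmac.new(secret, str(value).encode(), hashlib.sha256).hexdigest()[:length]

def mask_customer(rec: dict, secret: bytes) -> dict:
    tok = pseudonym(secret, rec["id"])
    return {
        "id": tok,
        "name": f"Customer {tok[:6]}",
        "email": f"{tok}@test.invalid",  # reserved domain: never deliverable
        "bank_account": "****" + rec["bank_account"][-2:],  # last 2 digits only
        "ni_number": "QQ000000X",  # fixed, format-preserving placeholder
    }

def mask_transaction(rec: dict, secret: bytes) -> dict:
    return {**rec, "customer_id": pseudonym(secret, rec["customer_id"])}

def build_test_dataset(customers, transactions, secret: bytes):
    return ([mask_customer(c, secret) for c in customers],
            [mask_transaction(t, secret) for t in transactions])

def leaked_identifiers(test_customers, test_transactions, live_customers):
    """Return every live id, email, bank account or NI number that still appears
    anywhere in the masked set; an empty list means the subset is clean."""
    live = set()
    for c in live_customers:
        live.update({str(c["id"]), c["email"], c["bank_account"], c["ni_number"]})
    return [str(v) for rec in test_customers + test_transactions
            for v in rec.values() if str(v) in live]
```

The leak check is the part worth keeping in a build pipeline: run it on every refreshed test copy so a masking rule that is later skipped or misapplied fails loudly instead of quietly shipping live identifiers to a test or outsourcing environment.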
