<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="country-region"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="place"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;}
p
{mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=blue>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>The UK Data Protection Law is just one of
many different data protection laws. The <st1:place w:st="on"><st1:country-region
w:st="on">UK</st1:country-region></st1:place> was required to locally
implement the EU Data Protection Directive and did so with their passage of the
UK Data Protection Act.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>To see which countries have laws
regulating the use and protection of data, visit <a
href="http://www.privacyknowledgebase.com/document.jsp?docid=REFDP000">http://www.privacyknowledgebase.com/document.jsp?docid=REFDP000</a><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Saundra Kae Rubel, CIPP<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
dataloss-bounces@attrition.org [mailto:dataloss-bounces@attrition.org] <b><span
style='font-weight:bold'>On Behalf Of </span></b>Al Mac<br>
<b><span style='font-weight:bold'>Sent:</span></b> Saturday, July 08, 2006 4:48
PM<br>
<b><span style='font-weight:bold'>To:</span></b> dataloss@attrition.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [Dataloss] Firms play
Data Protection roulette</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Until this link, I had never heard of the Data Protection Act.<br>
<br>
I have been employed as a computer professional for over 40 years.<br>
<br>
Since I am a software developer for a privately owned manufacturer (not yet
subject to SOX and many well known other regulations, but we are under UL ISO
ROHS and some others), in which I vigorously test all my work using subsets of
the live data, where I had always thought the security issues were who can
access what data for what purposes, not whether it is in a live or test
condition, I went looking for the particulars of this law.<br>
<br>
It is a British law, perhaps European.<br>
<a href="http://en.wikipedia.org/wiki/Data_Protection_Act_1998" eudora=autourl>http://en.wikipedia.org/wiki/Data_Protection_Act_1998</a><br>
<br>
The Wikipedia article is a small beginning.<br>
It does not communicate what constitutes private data under this law.<br>
For example, some <st1:country-region w:st="on"><st1:place w:st="on">US</st1:place></st1:country-region>
law says e-mail addresses are included as private data. There's a lot in
US laws about parts of social security #s and bank account numbers.<br>
The Wikipedia article does not say anything about restricting testing of
software development.<br>
<br>
Here is another explanation<br>
I carefully read through this and saw nothing about any rules saying that we
cannot use live data when doing testing.<br>
Of course this link might not be as official as the NetworkWorld article.<br>
<a href="http://www.dataprotectionact.org/" eudora=autourl>http://www.dataprotectionact.org/</a><br>
<br>
I am in general agreement with the 8 principles, except there can be great
ambiguity about how long certain types of data ought to be kept. If we get
audited by the taxing authorities, we had better have all the payroll data on
our people from several years ago, available for their access. If a
question comes up about the safety of any product we have manufactured, we had
better have full records on where all the components came from and other
details, such as identities of people who inspected and certified product
perfection. There is no statute of limitations on product safety in the <st1:country-region
w:st="on"><st1:place w:st="on">USA</st1:place></st1:country-region>. We
have to store that kind of data to infinity.<br>
<br>
Since some data must be stored for a long long time, there is an issue not just
of security to block inappropriate access, but also what kind of media it
should be stored on. Today CDs or DVDs make sense, but some data was on
various shapes of diskettes when we first got that data, and magnetic media is
known to only hold the data reliably for like 10 years in climate controlled
conditions,. This varies with quality of diskette or tape manufacturer,
and some media is particularly prone to getting messed up so we can't read it,
like a tangled tape, or diskette out of registration with the device that reads
it Even then, I like to have more than one set of backups.<br>
<br>
There is a link in turn to<br>
<a href="http://www.dca.gov.uk/foi/datprot.htm" eudora=autourl>www.dca.gov.uk/foi/datprot.htm</a>
and <a href="http://www.dca.gov.uk/ccpd/about.htm#4" eudora=autourl>http://www.dca.gov.uk/ccpd/about.htm#4</a><br>
<br>
My interpretation of this is that the act does not ban core business
activities, I consider the testing of software changes to be a core business
activity, and I see no place here where the act disagrees with me, although I
have not read all of the content here.<br>
<br>
<br>
<br>
<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><a
href="http://www.networkworld.com/news/2006/070506-firms-play-data-protection.html?nlhtsec=070306securityalert3"
eudora=autourl>http://www.networkworld.com/news/2006/070506-firms-play-data-protection.html?nlhtsec=070306securityalert3</a>
<br>
<br>
By Radhika Praveen, TechWorld, 07/05/06<br>
<br>
Large numbers of companies are taking risks with data protection, because <br>
they are not aware of the requirements of the law.<br>
<br>
Nearly half (44%) of companies use live data in test environments -- <br>
something the 1998 Data Protection Act warns against explicitly, according <br>
to a recent survey of IT directors by Compuware.<br>
<br>
Half the directors (48%) were only 'vaguely familiar' with the Act itself, <br>
according to the research, which highlights the importance of <br>
understanding the demands and keeping track of how customer data is <br>
treated.<br>
<br>
A further "83% used only minimal measures such as using non disclosure <br>
agreements (NDA) to control data when outsourcing," said Ian Clarke, world
<br>
wide enterprise solutions director at Compuware.<br>
<br>
NDAs are all very well, but companies find it difficult to communicate the <br>
complex legal terms to their employees or to outsourcing partners, said <br>
the survey report. "Unless they have rigorous procedures in place, they <br>
run the risk of live data being leaked to third parties. This can have <br>
severe repercussions on customer confidence and company reputation, and <br>
ultimately affect the bottom line," Clarke added.<br>
<br>
An NDA doesn't mean a lot when an employee in an outsourcing company in <br>
<st1:country-region w:st="on"><st1:place w:st="on">India</st1:place></st1:country-region>
for example who earns $100-a-day can earn much more by selling <br>
confidential data, he said.<br>
<br>
[...]<br>
<br>
_______________________________________________<br>
Dataloss Mailing List (dataloss@attrition.org)<br>
<a href="http://attrition.org/errata/dataloss/" eudora=autourl>http://attrition.org/errata/dataloss/</a><o:p></o:p></span></font></p>
<p></x-sigsep><font size=3 face="Times New Roman"><span style='font-size:12.0pt'><x-sigsep>-<br>
Al Macintyre<br>
<a href="http://en.wikipedia.org/wiki/User:AlMac" eudora=autourl>http://en.wikipedia.org/wiki/User:AlMac<br>
</a><u><font color=blue><span style='color:blue'><a
href="http://www.ryze.com/go/Al9Mac" eudora=autourl>http://www.ryze.com/go/Al9Mac<br>
</a></span></font></u>BPCS/400 Computer Janitor ... see<br>
<a
href="http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html"
eudora=autourl>http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html<br>
</a><o:p></o:p></span></font></p>
</div>
</body>
</html>