<html>
<body>
Until this link, I had never heard of the Data Protection Act.<br><br>
I have been employed as a computer professional for over 40
years.<br><br>
Since I am a software developer for a privately owned manufacturer (not
yet subject to SOX and many well known other regulations, but we are
under UL ISO ROHS and some others), in which I vigorously test all my
work using subsets of the live data, where I had always thought the
security issues were who can access what data for what purposes, not
whether it is in a live or test condition, I went looking for the
particulars of this law.<br><br>
It is a British law, perhaps European.<br>
<a href="http://en.wikipedia.org/wiki/Data_Protection_Act_1998" eudora="autourl">
http://en.wikipedia.org/wiki/Data_Protection_Act_1998</a><br><br>
The Wikipedia article is a small beginning.<br>
It does not communicate what constitutes private data under this
law.<br>
For example, some US law says e-mail addresses are included as private
data. There's a lot in US laws about parts of social security #s
and bank account numbers.<br>
The Wikipedia article does not say anything about restricting testing of
software development.<br><br>
Here is another explanation<br>
I carefully read through this and saw nothing about any rules saying that
we cannot use live data when doing testing.<br>
Of course this link might not be as official as the NetworkWorld
article.<br>
<a href="http://www.dataprotectionact.org/" eudora="autourl">
http://www.dataprotectionact.org/</a><br><br>
I am in general agreement with the 8 principles, except there can be
great ambiguity about how long certain types of data ought to be
kept. If we get audited by the taxing authorities, we had better
have all the payroll data on our people from several years ago, available
for their access. If a question comes up about the safety of any
product we have manufactured, we had better have full records on where
all the components came from and other details, such as identities of
people who inspected and certified product perfection. There is no
statute of limitations on product safety in the USA. We have to
store that kind of data to infinity.<br><br>
Since some data must be stored for a long long time, there is an issue
not just of security to block inappropriate access, but also what kind of
media it should be stored on. Today CDs or DVDs make sense, but
some data was on various shapes of diskettes when we first got that data,
and magnetic media is known to only hold the data reliably for like 10
years in climate controlled conditions,. This varies with quality
of diskette or tape manufacturer, and some media is particularly prone to
getting messed up so we can't read it, like a tangled tape, or diskette
out of registration with the device that reads it Even then, I like
to have more than one set of backups.<br><br>
There is a link in turn to<br>
<a href="http://www.dca.gov.uk/foi/datprot.htm" eudora="autourl">
www.dca.gov.uk/foi/datprot.htm</a> and
<a href="http://www.dca.gov.uk/ccpd/about.htm#4" eudora="autourl">
http://www.dca.gov.uk/ccpd/about.htm#4</a><br><br>
My interpretation of this is that the act does not ban core business
activities, I consider the testing of software changes to be a core
business activity, and I see no place here where the act disagrees with
me, although I have not read all of the content here.<br><br>
<br>
<blockquote type=cite class=cite cite="">
<a href="http://www.networkworld.com/news/2006/070506-firms-play-data-protection.html?nlhtsec=070306securityalert3" eudora="autourl">
http://www.networkworld.com/news/2006/070506-firms-play-data-protection.html?nlhtsec=070306securityalert3</a>
<br><br>
By Radhika Praveen, TechWorld, 07/05/06<br><br>
Large numbers of companies are taking risks with data protection, because
<br>
they are not aware of the requirements of the law.<br><br>
Nearly half (44%) of companies use live data in test environments --
<br>
something the 1998 Data Protection Act warns against explicitly,
according <br>
to a recent survey of IT directors by Compuware.<br><br>
Half the directors (48%) were only 'vaguely familiar' with the Act
itself, <br>
according to the research, which highlights the importance of <br>
understanding the demands and keeping track of how customer data is <br>
treated.<br><br>
A further "83% used only minimal measures such as using non
disclosure <br>
agreements (NDA) to control data when outsourcing," said Ian Clarke,
world <br>
wide enterprise solutions director at Compuware.<br><br>
NDAs are all very well, but companies find it difficult to communicate
the <br>
complex legal terms to their employees or to outsourcing partners, said
<br>
the survey report. "Unless they have rigorous procedures in place,
they <br>
run the risk of live data being leaked to third parties. This can have
<br>
severe repercussions on customer confidence and company reputation, and
<br>
ultimately affect the bottom line," Clarke added.<br><br>
An NDA doesn't mean a lot when an employee in an outsourcing company in
<br>
India for example who earns $100-a-day can earn much more by selling
<br>
confidential data, he said.<br><br>
[...]<br><br>
_______________________________________________<br>
Dataloss Mailing List (dataloss@attrition.org)<br>
<a href="http://attrition.org/errata/dataloss/" eudora="autourl">
http://attrition.org/errata/dataloss/</a></blockquote>
<x-sigsep><p></x-sigsep>
-<br>
Al Macintyre<br>
<a href="http://en.wikipedia.org/wiki/User:AlMac" eudora="autourl">
http://en.wikipedia.org/wiki/User:AlMac<br>
</a><font color="#0000FF"><u>
<a href="http://www.ryze.com/go/Al9Mac" eudora="autourl">
http://www.ryze.com/go/Al9Mac<br>
</a></u></font>BPCS/400 Computer Janitor ... see<br>
<a href="http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html" eudora="autourl">
http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html<br>
</a></body>
</html>