UK firms falling into data protection pitfalls

IT directors risk breaching the UK's data protection legislation if they use live customer data in application testing, with offshoring bringing extra challenges

Nearly half of UK companies could be breaching the Data Protection Act (DPA) through the misuse of customer data, according to research published on Monday.

The study involved 100 UK IT directors, and found that 44 percent were using genuine customer data when developing and testing applications. This is a breach of the second principle of the DPA, which states data should not be used for purposes other than that for which it was collected.

"It’s amazing so many UK companies are still using live customer data in test environments where the risk of its malicious use is so much greater," said Ian Clarke, global sales director for Compuware Enterprise Solutions, which commissioned the report.

The research, conducted by Vanson Bourne, also found 48 percent were only "vaguely familiar" with the detail of the Act itself.

"Lots of companies have taken stringent measures around the protection of customer data in the live production environment," Clarke told ZDNet UK. "But the numbers of people with no security clearance who can be exposed to that data can quadruple in the test environment."

Compuware said it was also concerned that 86 percent of those surveyed admitted sending live customer data offshore, often for development and test purposes, with nothing more than a non-disclosure agreement (NDA).

The DPA is enforced by the Information Commissioner, which warned that organisations need to take effective security precautions at all times, including when testing new systems.

"The use of live customer data for test purposes runs the real risk that personal details can be corrupted or fall into the wrong hands. Organisations are well advised to avoid using live customer details for test purposes to help ensure that they treat people's personal details properly and in compliance with the DPA," said a spokeswoman for the Office of the Information Commissioner.

Clarke said that problems often arise with artificial data because "masking out parts of the data means you can’t test some fields". This means many companies have resorted to using live data samples to make sure the test environment will mirror the processes that will inevitably link the live environment with other mission-critical applications.

Mike Thompson, principal research analyst for Butler Group, said that Compuware's findings weren’t unreasonable, but said he doubted that companies would have to make major investments to address the issue.

"Purely using data to test throughput is alright. It’s the ability to identify the customer from the data used for testing that’s the problem," Thompson said.

"There are tools out there that are valid for randomising the data so it doesn’t refer back to customers’ details, but using a simple SQL statement to achieve this should equally solve any issue."

Thompson added that: "There is greater risk from offshoring, simply because you lose any internal controls you may have in place. There was a case only recently in the US where credit card details were stolen from a live environment."

Both Clarke and Thompson advised companies who send data offshore to ensure that both they and their partners enforce strict controls.