IT and the Data Protection Act How does the Data Protection Act affect your business?

The Problem for Developers

The Data Protection Act covers all data held by companies by which individuals may be identified. This includes simple data types such as names, addresses, telephone numbers - as well as more sensitive types such as personal, health or financial information.

A recent report indicated that over 40% of IT departments in UK companies are using live customer data as their test data. Under the Data Protection Act, a company ‘can only use data for the purpose for which it was collected’. This does not include testing.

More especially, if there is even the slightest risk of the data held by a company getting out into the public domain, the company is greatly exposed. For example, there may be many instances where test data is taken off site, or printed out (e.g. onto invoices) as part of the test process. If this happens, even with a high level of corporate security, there remains a risk of accidental – but prosecutable - leakage.

Your Options

However, you can cover your organization against this type of exposure by de-identifying any data that is used for testing. In order to do this, you must either scramble live data in a way that cannot be deciphered, or create fictitious data.

Fictitious or manually-scrambled data will take many hours to create, and it must be relevant to the application under test, to ensure that the tests will be valid. Furthermore, once the data has been created, it has to be maintained and occasionally refreshed. This is time-consuming, tedious – and hardly a guarantee of security.

The Solution

Fortunately, for iSeries users, there is a simple alternative. Extractor Compliance Edition, Original Software’s market-leading test data creation solution, contains automated data extraction and data scrambling technology that enables fresh, relevant data to be taken from your live database – complete with referential integrity – and then scrambled unidentifiably. That way, you end up with data that remains true to the application, but consists of entirely disjointed and unrecognizable name, address and other personal details. It may not appear as real data any more, but it behaves in exactly the same way, and satisfies the requirements of the Data Protection Act.