Data protection: Guidelines for the use of personal data in system testing
Second edition
Louise Wiseman
Jenny Gordon

First published in the UK in 2009 by BSI, 389 Chiswick High Road, London W4 4AL

© British Standards Institution 2009

All rights reserved. Except as permitted under the Copyright, Designs and Patents Act 1988, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior permission in writing from the publisher.

Whilst every care has been taken in developing and compiling this publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.

The right of Louise Wiseman and Jenny Gordon to be identified as the authors of this Work has been asserted by them in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

Typeset in Frutiger by Monolith – http://www.monolith.uk.com
Printed in Great Britain by Berforts Group, www.berforts.com

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library.

ISBN 978 580 66437

Contents

Foreword v
Introduction
  Personal data in the e-commerce environment
  The Data Protection Act 1998
  Processing under the DPA
  The Principles: Key obligations
  Personal data and sensitive personal data
  Conditions for processing (Schedule 2 and Schedule 3)
  The Information Commissioner
  Notification
  Fair collection of data: The privacy notice
  Rights of individuals
The importance of system testing
  Types of system testing
  Reasons for undertaking live testing
  The Information Commissioner's view
  Key risks in system testing
  A cautionary tale
System testing and data protection compliance
  Principle 1 – Fair and lawful processing 11
    System testing – Purpose or subsidiary function? 11
    Interpreting fairness 11
    Non-obvious purposes 12
    Non-obvious purposes: Data from the Electoral Register 12
    Alternative test groups 13
    Other privacy-related obligations 13
  Principle 2 – Processing for specified purposes 15
    Notification 15
    Lawfulness 15
    Data sharing 15
  Principle 3 – Adequate, relevant and not excessive 17
    Matching and cleansing data 17
    National identifiers 18
  Principle 4 – Accuracy 19
  Principle 5 – Retention and disposal 21
  Principle 6 – Rights of individuals 23
  Principle 7 – Security 25
    Organizational measures 25
    Governance 25
    Accountability and ownership 26
    Policy 26
    Embedding data protection within the IT structure 27
    User Developed Applications (UDAs) 27
    Adequacy and audit 27
    Privacy Impact Assessments (PIAs) 28
    Physical protection of the system 28
    Segregation 28
    Technical measures: Test environments 29
    Choosing a test environment 29
    Testing by data processors 30
    BS 27001 31
    Remote working 31
    The use of dummy or test accounts 31
    Limiting the data 32
    Business continuity 32
  Principle 8 – International transfer 33
    Outsourcing: Maintaining control 33
    Offshoring: Ensuring compliance 34
  Breaches of the DPA: What to do if things go wrong 34
    Breach notification 35
    What to report 36
    Sanctions 36
Conclusion 37
Appendix 1 – Factors to consider in approaching a testing strategy 39
Appendix 2 – Risk analysis 40
Appendix 3 – Net and gross risk 42
Appendix 4 – Data classification table 43
Appendix 5 – Data justification table 44
Appendix 6 – Example system testing policy 45
Appendix 7 – Blank form templates 47

Foreword

Since the publication of the first edition of these guidelines, business practice and technology have continued on a path of rapid change and expansion. Developments in IT have made complex types of data processing possible in response to changing business need. More personal data than ever is being captured and used on a daily basis across a wide range of industries, for a variety of purposes, and in geographical locations all over the world.

Increased use of data has increased the risk of that data being lost, damaged, destroyed or corrupted, and the reality of this has been clearly seen in recent years. The UK alone has seen a number of very serious, large-scale and high-profile breaches of data security that have affected large numbers of individuals, as well as the reputations of the organizations responsible. Although these data security breaches may not have directly resulted from data being used in system testing, they have helped to bring data security and data protection issues to the forefront of the public agenda. Heightened public awareness coupled with increased vigilance on the part of regulators now mean that organizations should take data protection seriously if they want to maintain customer confidence and competitive advantage.

Systems that process personal data must be secure. Most organizations put a lot of resources into buying and developing their systems and databases, yet give substantially less attention to vital system testing. These guidelines aim to show the importance of planning and devoting time and resources to any testing regime to ensure it is carried out in a safe, data protection-compliant way. By showing how to integrate testing into an organization's governance structure, these guidelines will help ensure that data protection in system testing becomes second nature and is regarded as an essential part of an organization's activities rather than an afterthought that requires special effort. In so doing, these guidelines may help data controllers turn the need for greater control over personal data into an opportunity to drive improvements in the quality of testing and the strength of governance within their organization.

Introduction

Personal data in the e-commerce environment

The growth of e-commerce has seen a rise in the use of personal data across an increasingly aggressive and geographically expanding marketplace. Personal data is easier to obtain than ever before, and rapid developments in business technology constantly open up new, exciting and complex possibilities for the gathering and processing of that data. With increased use comes increased potential for misuse, and thus the need for stronger controls and greater responsibility on the part of the data controller.

Legislation and regulation have developed in tandem with e-commerce to increase the safeguards afforded to the privacy and freedoms of the individual and to control the use of personal data. The attendant increase in public awareness of data protection, in particular the rights it affords to the individual, means that data protection compliance is ever more vital to the continued success of business today.

Most companies across all business sectors, regardless of their size or turnover, have systems that process some personal data; this raises many issues around security and data protection. Even in the more traditional business environment it is increasingly hard to avoid the use of automated processing, and the simplest of small-scale computer systems must operate in line with the DPA in just the same way as larger, more sophisticated operations.

The Data Protection Act 1998

The Data Protection Act 1998 (DPA) gives effect in the UK to EC Directive 95/46/EC, which came into being with the aim of harmonizing data protection legislation throughout the European Community.

The DPA applies to 'personal data', which is data about identified or identifiable living individuals. A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is, or is to be, processed is known as a 'data controller'. The identified or identifiable individual who is the subject of the personal data is the 'data subject'. They need not be a UK resident or a UK citizen; they could be anyone who is anywhere in the world. Any person other than an employee of the data controller who processes data on behalf of the data controller is a 'data processor'.

The strength of the DPA lies in placing contractual obligations on data controllers, giving rights to data subjects and empowering an independent commissioner, the Information Commissioner, to oversee compliance with the law. The full text is available online at http://www.legislation.hmso.gov.uk/acts/acts1998/19980029.htm

For a full definition of 'data' and guidance as to whether any particular item falls within that category, refer to BS 10012:2009, Data protection: Specification for a personal information management system.

(Definitions in this Introduction are taken from BS 10012:2009, Data protection: Specification for a personal information management system.)

Processing under the DPA

The DPA refers to the 'processing' of personal data. 'Processing' includes almost anything that can be done with data, from obtaining it through to destroying it, and includes everything that comes in between. This covers activities such as recording, storing, retrieving, consulting or using, disclosing, sharing, blocking, erasing and transporting the data, as well as altering it in any way.

The Principles: Key obligations

Under the DPA, data controllers must:
• abide by the eight data protection principles; and
• unless exempt, notify the Information Commissioner of their data processing.

The eight data protection principles that lie at the heart of the DPA say that data must be:
• fairly and lawfully processed;
• processed for limited purposes;
• adequate, relevant and not excessive;
• accurate;
• not kept longer than necessary;
• processed in accordance with the individual's rights;
• secure;
• not transferred to countries without adequate protection.

Personal data and sensitive personal data

Personal data is defined by the DPA as data that relates to a living individual who is identified or identifiable from that data, or from that data and other information that is in the possession of, or likely to come into the possession of, the data controller.

In addition to personal data, the DPA creates a category of 'sensitive personal data', which requires additional protection and may only be processed in very limited circumstances. Sensitive personal data is defined in section 2 of the DPA as:
• the racial or ethnic origin of the data subject;
• their political opinions;
• their religious beliefs or other beliefs of a similar nature;
• whether they are a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);
• their physical or mental health or condition;
• their sexual life;
• the commission or alleged commission by them of any offence; or
• any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings and the sentence of the court in such proceedings.

Appendix 3 – Net and gross risk

The figure below shows an alternative way of representing the key risks involved in a testing strategy, using the same sample information as in Appendix 2. The position of items shown in bold type and in boxes with solid lines shows gross risk (risk before any mitigating strategies are put in place), and the position of items in standard type and in boxes with dashed lines shows net risk (risk once mitigating strategies are in place).

[Figure – Net and gross risk. A grid of Impact (Low, Medium, High on the vertical axis) against Likelihood (Low, Medium, High on the horizontal axis), on which the following risks are plotted at their gross and net positions: substantial damage and distress claims; compromise of source system data; hacking; intentional corruption of data; reputational damage to organization; unauthorized disclosure of data; unauthorized access to data; unintentional corruption of data; use of inadequate data; objections from customers.]

Appendix 4 – Data classification table

The table below shows sample data items that could be held on a banking system and the way they could be classified. Note that in deciding whether data are personal, much depends on context. Data that is on its own non-personal, such as application date, will be personal where it indicates an identifiable customer's application, while data such as name will be non-personal if it does not indicate a particular individual with that name. Some items are given both classifications in the table to illustrate this point, but these should be classified as appropriate in the context in which they occur.

Table – Data classification

Columns (classification of data item*):
• Non-personal: Non-personal
• Personal: Directly identifies the individual; Identifies the individual only when taken with other data; Personal factual, not identifying data subject; Opinion; Intent
• Sensitive personal: Racial or ethnic origin; Political affiliation or beliefs; Religious beliefs; Trade union membership; Physical or mental condition; Sexual life; Offences; Offence proceedings

Rows (sample data items): Surname; Date of birth; National Insurance number; Preferred salutation; Income; Final lending decision; Number of driving convictions; Loan application date.

* Data could also usefully be categorized as 'non-personal and confidential' and/or 'personal and confidential'.

Appendix 5 – Data justification table

Where data items are required for use in system testing, they should first be classified as shown in Appendix 4. Their use in testing should then be justified. The table below is an example of how this could be approached, using the data classified as personal and sensitive personal in Appendix 4. As in Appendix 4, note that in deciding whether data are personal or non-personal, much depends on context. Data that would alone be considered non-personal, such as loan application date, may be personal if they identify a customer. Data normally considered personal, such as name, will be non-personal if they do not indicate a particular individual with that name. The classification given in a particular context will therefore affect the justification and approval of that data.

Table – Data justification

Data item | Classification* | Justification for use in testing | Approved for use in testing?** | Notes
Surname | Non-personal | To identify correct customer record | Yes | Aids compliance with Principle 3 of the DPA by ensuring adequate data is used to identify the correct customer record
Date of birth | Personal | To identify correct customer record | Yes | As above
Number of driving convictions | Sensitive personal | To test the ability of the system to sort records by selected criteria | No | This functionality can be adequately tested using items of data that are not sensitive personal data
Final lending decision | Personal | To provide sufficient data to be matched with customer record | No | This functionality can be adequately tested using other data. Principle 3 of the DPA states that data must not be excessive
Loan application date | Non-personal | To test whether data in field maps over from one system to another | Yes | Required to enable functionality to be adequately tested

* As per the data classification table in Appendix 4.
** Please note that this table relates to a fictitious, generic testing regime; therefore the justifications, approval and notes are intended to be general. These factors will vary depending on the testing being carried out, the data used and the type of business.

Appendix 6 – Example system testing policy (23)

In order to comply with the DPA and with internal policy, live personal data must not normally be used in system testing. In exceptional cases where there is no alternative, it may become necessary to use live personal data in this way. Live data may be used for system testing only in the following circumstances:
• Where all alternatives have been explored and there is a solid justification for using live data;
• Where a full risk assessment and data classification/justification have been completed and documented;
• Where there are adequate controls in place to mitigate any risks identified;
• Where an approval form has been completed in full and signed by [the relevant data owner, the Information Security Officer and the Data Protection Officer].

This policy and procedure apply in all instances where live data is to be used in system testing, including where the data is to be scrambled or anonymized. It is the responsibility of [the Project Manager] to ensure adherence to this policy and the process detailed below. Failure to follow the approval process may constitute misconduct and could result in disciplinary action.

Approval process (24)

The process for requesting approval for the use of live data in system testing is as follows:

[The Project Manager] must ensure that a full risk assessment and data classification/justification exercise are carried out and documented. An approval form must be completed in full and supporting documentation attached. The completed approval form must be submitted for approval by [the Data Owner, the Data Protection Officer and the Information Security Officer]. It is not valid until such approvals have been provided. Approval via e-mail is acceptable, subject to evidence being retained. The form must be submitted for approval not less than [five working days] before any scheduled testing date. Once approval is obtained, [the Information Security Officer] will complete the system testing log and allocate a unique reference number.

If any security issues or data protection breaches occur during testing, [the Project Manager] must complete an issue tracker giving full details and stating the remedial actions being taken. The issue tracker must be circulated to [the data owner, the Data Protection Officer and the Information Security Officer]. The issue must be recorded in the system testing log, which must be updated once the issue is closed. Approval forms and issue trackers must be retained by [the Information Security Officer] for [2 years from the end of the testing or resolution of any issues]. The system testing log and supporting evidence will be regularly reviewed by [the Compliance team] to ensure adherence to this policy.

23 Wording in italics should be customized to suit each individual organization.
24 The approval process should reflect the roles and structure of an individual organization. In small firms, the specific roles mentioned in this example may not exist, or may be carried out by the same person.

Appendix 7 – Blank form templates

Risk analysis table
Columns: Risk | Level of impact (High, medium, low) | Likelihood (High, medium, low) | Potential impact/consequences | Accept/Mitigate | Handling strategy

Net and gross risk
[Gross = risk before any mitigating strategies are put in place. Net = risk once mitigating strategies are in place.]
A blank grid of Impact (Low, Medium, High on the vertical axis) against Likelihood (Low, Medium, High on the horizontal axis).

Data classification table
Columns: Data item | Classification of data item:
• Non-personal: Non-personal
• Personal: Directly identifies the individual; Identifies the individual only when taken with other data; Personal factual, not identifying data subject; Opinion; Intent
• Sensitive personal: Racial or ethnic origin; Political affiliation or beliefs; Religious beliefs; Trade union membership; Physical or mental condition; Sexual life; Offences; Offence proceedings

Data justification table
Columns: Data item | Classification | Justification for use in testing | Approved for use in testing? | Notes

System testing log
Fields: Project | Approved date | Unique reference number | Date testing completed | Breaches or issues identified during testing? | Data owner signature | Issue tracker number | Date resolved

System testing approval form
Testing requirements: Requestor's name; Role; Project name; Project Manager name; Date of request; Date of planned testing; Have you read and understood the testing policy?; Why is this testing required?; Justification for using live data.
Source data: Highest level of classification of source data; Describe in detail the data items that will be used (attach documentation if appropriate); Volume of data to be used; Data owner.
Systems: Source system name; Source system location; System owner; Test system name; Test system location; System owner; Is target a production system or a test system?; Describe risk mitigation measures in target system; How will data be transferred to the target system?
Risk mitigation: Has a PIA and/or full risk assessment been carried out? (attach report/sheet if applicable); Has a data classification and justification been carried out? (attach sheet if applicable); Describe controls in place to prevent contamination of live data; Is data being scrambled? If yes, describe the approach and tools used. If no, provide a justification; If not scrambled, how will the data be destroyed when testing is completed?
Risk acceptance: Approvals: System Owner (date of approval, contact details); Data Owner (date of approval, contact details); Information Security Officer (date of approval, contact details); Data Protection Officer (date of approval, contact details); Unique reference number.

Issue tracker form
The testing: Name; Role; Project; Project Manager name; Date of testing; Unique reference number.
Issue identified: Details of the issue that has occurred; Date issue occurred; Data affected; Number of individuals affected; Cause; Potential risks.
Corrective action: Details of corrective actions being taken; Action owner; Measures to be taken to prevent recurrence; Action owner; Data owner notified?; Data Protection Officer notified?; Security Officer notified?; Senior management notified?
Issue tracker number; Date closed; Closed by.

Data protection: Guidelines for the use of personal data in system testing
Second edition
Louise Wiseman
Jenny Gordon

This second edition is timely – there have been a number of high-profile data security breaches over the last few years which, although they did not relate to testing, have shown how vital it is to keep data protection at the top of the business agenda. It shows the importance of integrating testing guidelines into an organization's overall 'governance' structure, so it is embedded in day-to-day business practice rather than something that takes special effort when testing needs to be carried out. This makes data protection compliance easier to achieve and monitor, and it ties in with the new standard, BS 10012, Data protection: Specification for a personal information management system, which has sections such as governance and audit. Guidance issued by the Information Commissioner's Office (ICO) is referenced on a number of issues (including the reporting/handling of data protection breaches), as well as helping companies to see how testing might fit with the Personal Information Management System (PIMS) as it is proposed in the new BS. The authors have included templates that can be used straight off the page, making it easy to apply the guidance in practice. Additionally, there are more template-style examples, such as an example of a testing policy and of a testing approval form. It is also timeless – the basic guidance will remain solid and relevant even as technology and business practice move on.

BSI order ref: BIP 0002
BSI Group Headquarters, 389 Chiswick High Road, London W4 4AL
www.bsigroup.com