Wednesday, November 08, 2006
Executive Jailtime: Using Production Data for Test Purposes
According to Techworld (a UK publication) nearly half (44 percent) of companies use live data in test environments, something that the 1998 Data Protection Act warns against explicitly. I wonder why industry analysts aren't doing research to protect consumers against leakage of personally identifiable information?
Test and development teams need to work with databases that are structurally correct functional copies of the live environments. However, they often do not necessarily need to be able to view real confidential personal information. For test and development purposes, as long as the data looks real, the actual record content is usually irrelevant.
De-identifying data is considered a leading practice, and is also legislated in regulations such as HIPAA. Basically, when data is de-identified it covers, removes or alters real or production data so that the data elements cannot be linked to a specific individual. Data that has been de-identified is generally considered acceptable to use in the test environment.
You would think that analysts who are usually all over compliance would not just focus on Sarbanes Oxley and Identity Management and would cover something more practical. I wonder if I could get James Governor of Redmonk to start blogging on this problem space. I will recommend some vendors with solutions in this space contact him...
| | View blog reactionsTest and development teams need to work with databases that are structurally correct functional copies of the live environments. However, they often do not necessarily need to be able to view real confidential personal information. For test and development purposes, as long as the data looks real, the actual record content is usually irrelevant.
De-identifying data is considered a leading practice, and is also legislated in regulations such as HIPAA. Basically, when data is de-identified it covers, removes or alters real or production data so that the data elements cannot be linked to a specific individual. Data that has been de-identified is generally considered acceptable to use in the test environment.
You would think that analysts who are usually all over compliance would not just focus on Sarbanes Oxley and Identity Management and would cover something more practical. I wonder if I could get James Governor of Redmonk to start blogging on this problem space. I will recommend some vendors with solutions in this space contact him...
