Data protection in IT testing. Datatilsynet DK weighs in:
- Sometimes it is necessary to use personal information when developing and testing IT systems. For example: (1) in connection with final tests of integrations with other (external) IT systems; (2) in cases where there is significant difficulty in creating accurate (anonymised) test data, in particular because it can be difficult to reflect all the errors and irregularities that may occur in a production environment; or (3) using a limited amount of personal information in connection with troubleshooting and error correction.
- The closer you (as a company or as an authority) get to the production phase, the more well-founded it may be that you use (more) production data - including personal information.
- You must, as a starting point, have established the same security measures in the test environment as have been assessed as appropriate in the production environment.
- Even though personal data from the production environment is used for testing purposes - and therefore in practice becomes test data - it is still processing of personal data. This means that the processing must take place in accordance with data protection law.
- If testing and development of the IT system is necessary for the processing of personal data for the original purpose to take place (e.g. so that you can process orders in a customer / order system or a citizen's case in a case processing system), the basis for processing will typically be the same when you use the personal data for testing and development of the IT system (e.g. for the fulfillment of a contract or in connection with the exercise of authority).
- If testing and development of the IT systems is not necessary for the processing of personal data for the original purpose, the processing of the data for testing and development will most often be incompatible with the original purpose.
- Even where it is well-founded and necessary to use personal data in connection with testing IT systems, you must not use more personal data for testing purposes than is necessary to achieve the test purpose.
- It is also important that you do not use personal information to perform tests if the same tests could be performed without the use of (real) personal information.
- It is important that you have decided when and how the personal data should be deleted or anonymised after you have tested in the IT system. In addition, make sure that the deletion actually takes place.
- If you use personal data for testing purposes, you must also establish appropriate security measures based on a specific, documented, risk-based weighing of the risks in the processing.
- As a starting point, the same security measures must be established in the test environment as are appropriate in the later production environment. This will especially apply to access control, logging, secure transfer of data between IT environments as well as security updates of software, servers, etc. (patching).
- Which network the test environment can be accessed from, and whether or not it can be accessed from the Internet, makes a difference to which security measures are appropriate.
- Pseudonymisation of personal data is also particularly relevant in development and test environments.
- In cases where the test environment (the pre-production test environment) later becomes the production environment, you must also pay special attention to ensuring that - before the test environment becomes the production environment - you have deleted all personal information that has only been used for the test purpose.
Working in Denmark, I have seen how Datatilsynet communicates, and they do a great job, I think. I have seen how the GDPR is interpreted very restrictively by legal experts, and with great variance from one expert to another, but your article describes very well how Datatilsynet actually has a good understanding of the real-world domains of IT, research etc.