S 2.509 Data protection approval
Initiation responsibility: Data Protection Officer, Top Management
Implementation responsibility: Top Management
Software and IT procedures must be tested using systematically developed test case constellations (test data, no real personal data) according to a test plan that states the expected result (see also S 2.83 Testing standard software). Mass tests may, if required, be performed with anonymised original data, with the consent of and according to the specifications of the technically responsible office. The consent of the technically responsible office to the anonymisation of original data, as well as all test results, must be documented in an audit-proof manner.
Tests using a copy of the required, non-anonymised original data (real personal data) are only admissible if
- this is expressly permitted by another statutory regulation, or
- in exceptional cases, an error from production operations cannot be determined despite reproduction in the test area but only by using original data, or procedural security cannot be guaranteed otherwise,
- this is not explicitly prohibited by an area-specific statutory regulation,
- the original data could only be anonymised for the designed test constellation with an unreasonably high expenditure of time and effort,
- the technically responsible office has approved the approach in writing,
- the interests of the data subjects worthy of protection, as well as information security, have been appropriately taken into consideration during test implementation and analysis,
- it is ensured that the data can only be used by the persons required for troubleshooting and test implementation, and
- access to this data is only granted to persons who are bound by the applicable confidentiality rules and, in particular, by the data protection provisions.
The Data Protection Officer of the government agency and/or company, or another responsible office, must be informed in good time before planned tests using original data are performed.
Access to the copy of the original data must be logged. Upon completion of the tests, the copy of the original data that was used must immediately be deleted from the test area or anonymised there. The use of copies of original data must be documented in an audit-proof manner, including the occasion, the reason, the extent, the duration, the security safeguards taken, and the tests previously performed with test data.
It must be defined how IT procedures may be accepted, approved, installed, and used. See also safeguard S 2.62 Software acceptance and approval procedure and module S 1.10 Standard software.
The approval of IT procedures for processing personal data also requires an inspection from a data protection point of view. Under some state data protection laws, the prior involvement of the State Commissioner for Data Protection is mandatory.
Review questions:
- Is the Data Protection Officer informed prior to software tests that use data which may refer to identifiable persons?
- Is a data protection-related inspection performed before approving IT procedures which process personal data?