Almost half of IT departments are failing to comply with the Data Protection Act (DPA) because they use live customer data to test applications without customers’ permission, according to research published today.

A survey of 100 senior IT decision makers by IT management software vendor Compuware found 44 percent were guilty of this practice, putting them at risk of prosecution under the DPA. Forty-eight percent said they were only “vaguely familiar” with this law.

Ian Clarke, global sales director for enterprise solutions at Compuware, said that using live customer data for testing in this way is not only illegal but also increases the risk of security breaches. “Testing environments tend to be insecure, with data often printed out and moved around,” he said. “The fines for breaching the DPA may be relatively small but the real risk is the damage to reputation following data breaches.”

The survey also indicates that firms that send application testing offshore are not doing enough to protect customer data. Eighty-three percent said the only step they took to secure data when outsourcing it to third parties was to set up non-disclosure agreements.

Clarke said companies should employ software testing tools that automatically replace live customer data with dummy data to reduce the risk of security breaches and ensure compliance with the DPA.

Anne Crofts, a partner at law firm Beachcroft, said it is rare for customers to complain about their data being used for testing, but added that companies risk legal problems and bad publicity if they continue the habit. “I’m not surprised many firms are still doing this, but it is a thoughtless practice,” she said. “It can’t be that difficult to use dummy data.”

The findings will increase pressure on European regulators to introduce US-style legislation to force firms to inform customers when their personal data has been compromised, according to Clarke. “I absolutely think Europe will move towards this model,” he said.

In related news, last week the US Federal Trade Commission, the body responsible for tackling data theft and fraud, reportedly informed 110 people that two of its laptops containing their personal details had been stolen.