Skip to main content
Data Privacy

Quickly learn about Data Privacy and potential threats

Nikola Jonic avatar
Written by Nikola Jonic
Updated over 4 months ago

🔒🛡️ The Importance of Data Security

Throughout your daily internet routine, you can face different kinds of cybersecurity risks—threats that can compromise the integrity, confidentiality, and availability of the data and systems within an organization. Everyone at Test IO must learn to recognize these threats to protect themselves and the organization from possible attacks.

🌐⚠️External Threats

External threats generally relate to potential risks and vulnerabilities that originate outside the organization. When connected to the internet, all computers and networks—including Test IO's network—are susceptible to external attacks and unauthorized use or access by intruders (hackers). They aim to steal, corrupt, or disrupt our resources, often using techniques like phishing, malware, ransomware, SQL injection and distributed denial of service (DDoS) attacks.

One compromised computer can affect every other computer on the network.

👤⚠️Insider Threats

Insider threats typically refer to potential risks and vulnerabilities that originate within the organization:

  • Inadvertent mistakes by personnel

  • Intentional misuse (e.g., access by a malicious employee outside the scope of their duties)

  • Bugs in automated test scripts where the test data is a copy of production data
    These can come from employees, contractors, or anyone with internal access to the system or data. These threats, whether made intentionally or unintentionally, can lead to unauthorized access, data leakage, misuse of data, alteration, or even deletion of data.

📂🗂️Data categories and classes

Data categories by origin:

  • Personal data—Data relating to living individuals who can be identified from that data, or from that data and other information, that is in possession of or is likely to come into the possession of the data controller

  • Customer data—Data belonging to the customer

  • Project/program/account data—Information created during the project/program/account lifecycle

  • Company data—Information owned by Test IO

Using and sharing the mentioned data is strictly forbidden.

Confidentiality classes:

  • Public—Freely shared information

  • Confidential—Any nonpublic and non-strictly confidential data that, if leaked, lost, or damaged, can cause harm to the data originator, owner, company, or customer. This class includes most of the information at Test IO.

  • Strictly confidential—Any data that, if leaked, lost, or damaged, can cause significant harm to the data originator, owner, company, or customer. This class of information must be protected and accessed with utmost care.

📁🔒Personal Data

The fundamental principle of data privacy is safeguarding personal information from unauthorized or unlawful access and misuse.
So, understanding what constitutes personal information helps you better recognize it and apply appropriate safeguards when handling such data, ensuring it is stored, used, and shared securely and in compliance with relevant privacy laws and company policies.

At Test IO, personal data, also called personally identifiable information (PII), is any data that could potentially identify a specific individual. It is any information that can be used to distinguish one person from another and can be used to de-anonymize anonymous data.

At Test IO, PII is divided into two different levels, with different internal processes and controls regarding their usage.

Confidential personal data

Is any personal data not covered by strictly confidential personal data.

Confidential personal data includes:

  • Name

  • Email address

  • Personal address

  • Location information

  • Performance appraisal

  • Date of birth

  • Marital status

  • Photograph

  • Any other type of personal data that is not strictly confidential

Strictly confidential personal data

Under any data privacy law, strictly confidential personal data (strictly confidential PII, sensitive PII) requires even higher security standards; if such data is lost, compromised, or disclosed without authorization, it could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.

Strictly confidential personal data includes:

  • Race or ethnic origin

  • Political opinions

  • Religious or philosophical beliefs

  • Trade union membership

  • Biometric data

  • Genetic data

  • Sexual activity or sexual orientation

  • Health (medical information)

  • Administrative or criminal proceedings and sanctions

  • Financial data

  • Payment/financial instrument details

  • Credentials

  • Personality profiles

  • Government ID

  • Social Security measures

🔒🚫 Strictly Confidential Information

Special categories of data, such as personal health information (PHI), payment card information (PCI), and customer intellectual property, involve highly sensitive information that, if lost, compromised, or disclosed without authorization, could cause significant harm.


Due to the sensitive nature of this data, it is subject to specific legal and regulatory protections. Improper handling can lead to significant penalties and reputational damage for the company. Therefore, these categories of data are usually classified as strictly confidential and require high levels of protection from all parties involved.

Personal health information (PHI)

Includes any information that was created and used in connection with:

  • The past, present, or future physical or mental health or condition of an individual

  • Provision and payment information for the provision of health care to the individual regarding diagnosis, treatment, or service, including personal information that identifies the individual or can be a reasonable basis to believe the information can be used to identify the individual

Information about an individual's health status and related healthcare payments is sensitive data that can be linked to a specific person and can cause them harm if misused. This is why it is so important to safeguard PHI. Furthermore, non-compliance with regulations governing the proper handling of PHI may have financial consequences.

Personal Card Information (PCI)

While providing software development and support services to customers, Test IO's developers connect to customer systems that may contain and handle cardholder data (CHD).

Customers require Test IO to perform development and remote support activities in a PCI DSS–compliant manner.

Developers can access customers' cardholder data environment remotely via a VPN connection based on the rights granted by the customer. In such cases, rigorous controls are specified in the contract.

Test IO does not store, process, or transmit cardholder data and does not intend to move data from customers' systems to Test IO's systems.

Customer Intellectual Property

Refers to the following:

  • Financial information (e.g., business plans, accounting, debt settlement, investors, assets, pricing, tender offers)

  • Legal information (e.g., contracts, litigations, negotiations, intellectual property, internal organization)

  • Industrial information (e.g., technological processes, technical solutions, manufacturing processes, logistical methods)

  • Software technologies and methodologies (including but not limited to third-party software object code, whether in the scope of the project or not; source code; configuration files and technical and user manuals; alpha and beta versions of the customer's or third parties' software products; programming methodology; design techniques; software optimization methodologies)

  • Patented and patent-pending inventions, copyrights, and written materials

  • Marketing information (e.g., clients' information, strategies, advertising plans)

  • Other types of information that are considered the client's intellectual property

  • Photographs may contain strictly confidential (sensitive) information, particularly by revealing a person's medical state/condition or racial/ethnic origin, while certain situations merely increase the likelihood of such associations.

    • For example, a picture showing someone sitting in a wheelchair could be treated as strictly confidential since it might reveal the individual's health status. The sensitivity of such information is obvious if the photo is accompanied by other personal data such as their name, etc.

To prevent misinterpretation or security breaches, Test IO treat photographs as strictly confidential personal information.

📊🔍 How Personal Data Can Be Collected

The interaction below is an example of how personal data can be collected. If you are not sure how to handle a particular type of data, seek advice from those responsible for security and privacy at the project level (Community Manager, Community Project Coordinator and CSM) for clarification.

Did this answer your question?