Skip to content
Sep 30 14

For Feck’s Sake Irish Water, I’ve got a day job…

by Daragh

Stopped to take a breather for lunch. Saw this from TJ McIntyre (a man who knows his onions when it comes to Data Protection and Privacy).

I’ve covered off the issues with the marketing consents for Irish Water on my company site.  The total confusion here effectively makes any implied or explicit consent for marketing open to challenge on the grounds that it was not unambiguous. Irish Water need to step up, stop faffing around, and fix this. It is a total disaster and it is getting in the way of me doing my real job. Also, the consent Irish Water are relying on isn’t Opt-In, its Opt-out.

I’m not against Water Charges, I’m against what I see as an inevitable waste of 10%-35% of turnover in Irish Water due to poor data quality management, leading to manual work arounds and scrap and rework, and I’m against approaches to obtaining and processing personal data that frankly seem to be oblivious to the national and EU legislation that should be governing that processing.

I’m against €82.4 million being spent on consultants who don’t seem to know how to approach this kind of project correctly given the gaping issues that exist in a data management context. And I’m against me having to be the paramilitary wing of the Data Protection Commissioner’s office asking key questions in public the day before it all kicks off that should have been addressed in private months ago during the design phase. And I’m against any absence of accountability or stewardship over critical data. That just irks me.

I’ve got a day job and clients to serve. conferences to prepare keynote presentations and tutorials for, and a conference of my own to run. The mental exercise of analysing Irish Water was fun, but frankly it’s like shooting fish in an over-engineered under-designed barrel at this point.

So, for all the Irish Water people reading this:

  1. Please come to IGQIE2014 in November. You will learn something you really need to know
  2. Ask you boss if you can hire my company to help you figure this stuff out. We’re pretty good at it. And we’ve got friends who are good at the bits we’re not good on. We will be a rounding error on €82.4 million.
  3. Please try to stop screwing up on your data management and data protection issues quite so publicly because when people ask me about a think I’m wired to look at it and figure it out. They find me on twitter and look to me for answers, and I feel obliged to try to help explain because you are doing such a crappy job of it. This stuff made me trend for Ireland. I hate trending for Ireland.
Sep 30 14

A blatant advert for IGQIE2014

by Daragh

Flyer for IGQIE2014I normally try to keep business and personal blogging separate for a variety of reasons *koff* domestic exemption to DPA *koff* but as this site is getting a lot of hits recently about Irish Water stuff, and as the conference my company is running is DIRECTLY RELEVANT to the subject, I thought I’d post a little snippet about it.

IGQIE2014 – (Information Governance and Quality Ireland to give it its full title) is an event Castlebridge Associates is running on the 7th of November in the Marker Hotel in Dublin. The day is aimed at connecting the dots between the legal principles of Data Protection and Privacy in the EU and the coal-face challenges of data modelling, information quality, and data governance necessary to achieve compliance and deliver happy customer outcomes.

In the morning session we have three presentations from:

  • Fergal Crehan – Barrister at Law and expert on EU Data Protection and Privacy law. Fergal has been directly involved in a number of key cases in Ireland and at the CJEU on Data Protection issues.
  • Michael G Morrow: Michael is an expert in Data Modelling. He’s going to be talking about  the need for business engagement in the Data Model design and engineering process.
  • Me – I’m talking Data Governance, Data Protection, Privacy by Design, Privacy Engineering, and Data Engineering. Aim is to link Fergal and Michael’s themes together in something educational.

In the afternoon we have three of the world’s leading experts on Data Governance, Information Quality, and Information Architecture coming to deliver parallel tutorials.

Full details can be found on http://igq.ie 

Early bird ticket deals expire TODAY

Student tickets are available for the Morning only.

A flyer is attached to this post for you to download and share.

igqie2014-flyer

Sep 30 14

Reposted: Irish Water, the letter from the DPC, and what it all means

by Daragh

[On the 24th September I posted this. I've updated it to insert relevant updates in other posts in context]

This evening the Data Protection Commissioner has contacted Irish Water in relation to their processing of personal data. Deputy Roisin Shorthall TD has published a response from the Commissioner’s office on her website to questions she has raised. The response reads as outlined below. I’ve annotated it with an explanation of the key issues raised. Key sentences are highlighted:

Dear Deputy Shortall,

I have been asked by the Commissioner Helen Dixon to respond to you on her behalf.

Thank you for your query in relation to concerns you are hearing about Irish Water’s proposed collection and use of personal data. This Office is concerned to ensure there is clarity on these matters for the 2.2 million prospective customers of Irish Water. Clearly, the obligations under the Data Protection Acts in this regard fall directly on Irish Water as the Data Controller in terms of ensuring they are collecting data in a lawful way and using it for a legitimate stated purpose which they make clear to users of their service. Notwithstanding the obligation on Irish Water, this Office is in on-going contact with them in an effort to ensure they take on board our best-practice advice in this regard.

[This paragraph confirms that Irish Water is the Data Controller and is subject to the Data Protection Acts.

One of the fundamental principles of Data Protection under the Acts and the EU Directive is that data should be processed for a specified and lawful purpose. There is a requirement on Data Controllers to be clear with people about what uses their data will be put to. It is Irish Water's job to make sure that that clarity is there.

"The DPC is in on-going contact in an effort to ensure they take on board our best-practice advice" basically means that Irish Water has not done things the DPC might have expected and they are engaging with them to try and fix the situation. Under the Data Protection Acts the DPC must always seek an amicable resolution in the first instance. That usually involves a lot of "on-going contact" with organisations that have not quite got what is required of them.

If the DPC is in "on-going contact" with you to give "best practice advice" you are NOT compliant, you are engaged in an amicable resolution process with the DPC. The only distinction is that the DPC has not yet made a decision that you are not compliant. If an Enforcement Notice issues at all in this instance it will be interesting to see what happens.

Update: Today I posted this which looked at the apparent lack of a "signed off" movers/leavers process for when people change address and the data protection and operational implications. That is basic utility billing stuff, and is also a basic requirement under the Data Protection Acts - at least to have the mechanism by which changes to data can be made in the course of a customer life cycle.]

The collection of the PPSN for use by Irish Water in verifying occupants of a household is provided for in legislation. We are satisfied from this Office’s interactions with Irish Water that it is intended to use the PPSN for the sole purpose of confirming the qualification for a free water allowance of occupants of the household (including children) and in line with conditions set down for its use by the Department of Social Protection. However, we are in agreement that the Data Protection Notice published does not currently give sufficient clarity and detail in this regard and we are corresponding with Irish Water and providing our views on this.

[This paragraph confirms that there is a statutory basis for Irish Water to ask for PPSNs. It sets out that Irish Water has told the DPC that the SOLE purpose for processing PPSN is to confirm the qualification for free water allowances.

The bit in bold is interesting. The DPC are "giving their views" on the clarity of the Data Protection notice (which is also referred to as a "fair processing notice" in Data Protection-speak) because they are of the view that the notice as published doesn't give sufficient clarity. Not having sufficient clarity means that the Data Protection notice fails a basic test: that of being specific as to the purpose or purposes of processing. That is a breach of the Data Protection Acts, but is not, in and of itself an offence under the Acts for a host of technical reasons that hurt my head to explain.

Again, if the DPC is contacting you to "provide views" on something, you are not compliant. The DPC does not tend to write letters telling you you're brilliant and should have a gold star. Correspondence providing views is part of the investigation/amicable resolution process that the DPC is required under the Acts to follow. If an organisation is compliant the DPC wastes neither stamp, nor electron, nor oxygen molecule engaging in "correspondence" - the exception being where an organisation is audited or investigated and good practices are found to be in place. In that case you might get a mention in the Annual Report.

I suspect Irish Water may get a mention but not for the right reasons.

Also, the DPC does not specifically mention the question of the retention period or purposes for retention of PPSNs. I would assume that that topic would form part of the discussion as, if there is no purpose beyond the initial validation of allowances there is no lawful purpose for Irish Water to retain PPSNs.

Again, the issue of clarity was the very topic I picked up on when I wrote my first blog post about the Data Protection Notice 18 days ago. It's reassuring to see that the Data Protection Commissioner shares the concerns I raised.

Update: I wrote this this morning following an Irish Times report that Irish Water would use PPSN as part of debt collection. This is not a stated purpose, and is not the "sole purpose" that the DPC had recognised and approved of.  It appears Irish Water are unclear internally about things that the Regulator believes they are clear about]

The issue of disclosure of personal data to third parties inevitably arises in the case of Irish Water where they are already using contractors to fit water metres and for other outsourced functions. This Office has asked Irish Water to be transparent in terms of making clear the categories of the data processors to whom they are providing the data and for what purpose and to provide contact details in the event that a customer wishes to raise a data protection concern. We are currently following up with Irish Water on this matter.

[Again, the question of clarity and transparency raises its head here. The Office of the Data Protection Commissioner correctly recognises that there are times when the use of third parties to do things for a company. Contractors are the third party in question. Third parties, doing work for Irish Water, under contract. These are known as Data Processors.

The DPC here is requiring Irish Water to be transparent about the CATEGORIES of data processor they will disclose data to, for what purpose, and to give contact details if there is a Data Protection concern. Normally, the Data Controller is the entity concerns are raised to and they use their contract (for the love of spuds let Irish Water have proper data processor agreements in place) to address the issue with the Data Processor via a right of audit or inspection (as is actually required under the Data Protection Acts). If the DPC is now requiring contact details to be provided for Data Processors as well, I can't see how that fits with only identifying categories, but would be happy to help figure it out. 

Interestingly, the DPC seems to be going beyond what I'd included in my mockup "alternative universe" version of the Data Protection Notice. I'll be taking note of that and advising clients accordingly.

Also, the requirement to specify "categories" of recipients of data differs slightly but significantly from their Direct Marketing guidance in relation to providing marketing lists to or conducting marketing on behalf of third parties, which currently requires the SPECIFIC organisations data will be shared with to be disclosed at the time of data capture. If that requirement was intended to be specific categories as well, it makes a lot more sense and the current wording needs to be revisited to correct what appears might be a transcription error.

Again, the DPC is "following up with Irish Water on this matter". An organisation that is compliant with the requirements of the Acts does not require the DPC to "follow up", and yet again the DPC is following up on issues of transparency, clarity, communication, and (in essence) customer focus.All of which were issues that I raised nearly 3 weeks ago.]

Equally, Irish Water as part of their business model may use outsourced service providers outside of the EEA. We are not aware that this is currently part of their actual business plan but it would appear to be the case that they wish to ensure this eventuality is covered in their Data Protection Notice. Again, we have asked them to be more explicitly clear in the notice in relation to how they would protect the data and to identifywhere possible what type of data and for what purpose a transfer would occur.

[This paragraph means that the DPC agrees that the use of outsourced data processors outside the EEA is something Irish Water MAY do in the future. This is very common. High street supermarkets use software development teams in India, telephone companies use database administrators in other countries, many SMEs use tools and technologies that have their data sitting outside the EEA. It's a common thing. Irish Water include it in their Data Protection notice as a future proofing element.

I note with interest that the DPC is asking for Irish Water to more explicitly state what type of data and for what purpose the data would be transferred outside the EEA. This is essentially the same question I asked in my original blog post when I wrote;

"Question: Is Irish Water planning to outsource call centre operations to India? Also: What countries are they intending to transfer data to, and under what controls?"

The DPC's request for Irish Water to provide more information about how they would protect the data is essentially the same as my query about "under what controls".

Again, if the DPC is asking you to be more explicit in how you are communicating things, then that means you are not compliant and are in the "amicable resolution zone" where the DPC talks gently to you to encourage more compliant behaviours. That's a good thing if it is happening during planning and design of a system or process, but is a horrendously bad thing to have happen when you are up and running with your processing. At any point the gentle communication could develop teeth and you might be instructed to do something by way of an enforcement notice. The DPC is empowered to block any data transfer outside the EEA using a Prohibition Order under Section 11 of the Data Protection Acts.]

I hope this information is of use to you. We do understand the urgency of the matter in light of the obligation on customers to return application forms to Irish Water and we are communicating our views in relation to this urgency to Irish Water.

Yours sincerely, John O’Dwyer Deputy Data Protection Commissioner

The DPC does not address in this communication the question of whether Irish Water’s approach to marketing consents is valid (I believe it is not). I’d expect that correspondence is on-going in relation to that aspect at the moment as well. And while Irish Water may wish to insist they are compliant in that regard, I beg to differ.

I suspect this particular well has not yet run dry.

Sep 30 14

Accurate and Up-to-date – Irish Water and changing data

by Daragh

So, via Twitter I’ve learned that Irish Water don’t have a process defined yet for people moving house. Well, they have one defined but its “not signed off on yet”. This is a pretty basic process that exists in all utilities, satellite TV companies, and fixed line phone companies. Its the one you rely on to ensure that the bills are correct at the point of hand over.

Given that Irish Water are billing quarterly, that means that people are inevitably moving in or out of a property during a billing period. This will lead to what is known as “broken period billing” in utilities. When I worked in telco, it was the handling of these scenarios that gave rise most often to billing errors, particularly where the broken period for billing crossed a VAT period or where the preparation of a final bill involved the calculation of and application of credits on final bills etc.

This is tricky stuff, which is why it is good they are taking their time about it. However, if true, the absence of such a process or procedure NOW means that:

  1. Irish Water is in breach of the Data Protection Acts which requires Data Controllers to keep data “accurate and up to date” , at least accurate enough and up to date enough for their purposes. Having the wrong name associated as bill payer on a property is inaccurate for their purposes. They don’t need to ensure accuracy per se, but they need to have a defined process where by changes to data can be made. That’s the kernel of the obligation in the DPA and, let’s not forget it, a fundamental right under EU law under Article 8 of the Charter on Fundamental Rights.
  2. Bills will inevitably be sent to the wrong people, potentially in the the wrong amounts, which will potentially affect collections processes.

It looks more and more like the data design here and attention to data changes in customer life cycle is appallingly bad. I do hope that the tweeter got the wrong end of the stick when they were talking to Irish Water, but my optimism is rapidly going down the outflow pipe.

This stuff is really, really basic. However it means having to think about your data as more than just “stuff that lives in the database” and treat it as an asset that is subject to certain fundamental governance requirements.

We’ll be touching on a lot of these topics at IGQIE2014 on the 7th of November, and I’m teaching about it at conferences in Belgium and the UK in the mean time. I was struggling for examples….

Sep 30 14

Irish Water and PPSN data

by Daragh

This morning the Irish Times has a story about Irish Water, landlords, tenants, and PPSNs

The article tells us that:

Bills are to be issued quarterly, but as Irish Water will have the tenant’s PPS number, the utility firm will be able to pursue the tenant for any arrears and even apply any arrears to new accounts, when the tenant moves to a new address.

What this tells me as a data geek is:

  1. Irish Water has a purpose for PPSN data that goes beyond the purpose agreed with the DPC (the validation of allowances)
  2. They are using PPSN as a primary key to identify people linked to properties (which goes beyond the “validation of allowances” purpose agreed with the DPC)
  3. Irish Water have some mechanism to identify tenants versus landlords, otherwise they are retaining ALL PPSN details for a period of at least six years. (It may be the PRTB data they have access to under S26 of the Water Services Act 2013).
  4. The retention period for PPSN is likely to be 6 years from the date of the final bill issued, but only where there are arrears on the account. Therefore, retention will be a rolling period for PPSN as bills are issued. It will only crystallise at 6 years once a final bill issues.
  5. The tenant who fills out the Irish Water application will be responsible for any arrears, even if they only wash every second week while their flatmates operate a water park in the kitchen.
  6. Irish Water haven’t modeled scenarios correctly as not every tenant in a rented property will be registered on the Application form… only one. I refer back to point number 5.

Let’s just remind ourselves of what Irish Water told the Data Protection Commissioner they were going to use PPSN data for. The quote below is from a letter sent by the Acting Data Protection Commissioner to Roisin Shorthall TD that I blogged about last week.

The collection of the PPSN for use by Irish Water in verifying occupants of a household is provided for in legislation. We are satisfied from this Office’s interactions with Irish Water that it is intended to use the PPSN for the sole purpose of confirming the qualification for a free water allowance of occupants of the household (including children) and in line with conditions set down for its use by the Department of Social Protection. However, we are in agreement that the Data Protection Notice published does not currently give sufficient clarity and detail in this regard and we are corresponding with Irish Water and providing our views on this.

I’ve highlighted the relevant sentence. And the crucial word. So any use of or retention of PPSN for purposes other than validating allowances is potentially a breach of the Data Protection Acts. Full Stop. End of story. Move along.

[It also means that they can't validate the rest of the data - only the entitlement. So they can verify that the PPSN of Joe Blow is valid, and that the PPSN data provided for Joe's 623 children is valid and that those 623 children exist and are resident in the jurisdiction. No more. So they cannot legally "enrich" their data from the DSP's data sets (despite what some people are stating might be the case). Of course, this is a perfect reason why the Water Allowance for Children, which is payable only to children in receipt of Child Benefit, would have been better paid as an allowance from the DSP, as I've blogged about already.]

Are Irish Water making this up as they go along ?  If so, this crisis of communication around a critical issue of Regulatory compliance could be a lot worse under the surface. For example, has Irish Water modeled their data and processes to allow for customer life events (births, deaths, marriages, divorces, people moving in, people moving out)? Not doing that will lead to data quality and data protection headaches down the line. If those scenarios are not catered for in their processes, bills will be wrong. Designing for Privacy means considering data and its processing, which means you being to look at how the organisation knows or can know important facts about things it needs to know. Lurching around like a drunken uncle at a country wedding does not suggest good design for processes, data, or privacy.

At an upcoming conference on the 7th of November I’ll be talking about Data Protection, Data Governance, and Privacy by Design. The other delegates include some of the world’s leading experts on Data Governance, Information Strategy, and Data Quality. It’s a pretty darn good conference.

Irish Water might want to send some people so they can learn from the other delegates and I about Data Protection, Data Modelling, and Data Governance.

[Update: This status update has appeared via the @IrishWater twitter account which seems to suggest the Irish Times had it wrong:

Because Irish Water can't be wrong can they? Left hand needs to communicate with right hand and then talk to their customers!]

Sep 25 14

Irish Water – A Data Architecture thought noodle [Updated]

by Daragh

[preamble: This is a thought noodle. It's not a solution. It just sets out possible options for an alternative approach. I fully expect issues and wrinkles to be pointed out. ]

There has been a lot of discussion about the legality of Irish Water’s use of PPS Numbers. It is correct to say that Irish Water has a legal basis f or requesting PPS Numbers under the Social Welfare & Pensions Act 2014. The Water Services Act 2013 also gives them the power to request data from the Revenue Commissioners and the Department of Social Protection (amongst others).

So, there is a legal basis for obtaining data. However, the Data Protection Acts require that the data being processed by a Data Controller be adequate, relevant and not excessive to the purpose for which it is being obtained.  Article 8 of the EU Charter of Human Rights also requires that processing be proportionate, a point that was stressed by the CJEU in the Digital Rights Ireland Data Retention case.

<update>Also, as Fred Logue points out:

</update>

So… is it proportionate for Irish Water to be processing PPSNs, notwithstanding the legal basis that might exist permitting it? When working with clients designing data processes, I try to encourage avoidance of excessive processing of data by looking at whether existing functions can be repurposed to minimise the number of hands data must flow through. Thinking “lean” is important. Looking at this from a Data Architecture perspective, we must first look at the purposes. There are two.

  1.  To verify entitlement to a household water credit
  2. To verify and validate child water allowances.

Next, we need to see if there are any similar functions currently operating in the State that might provide either a model to replicate or a function that can be extended to deliver these objectives. 

Household Water Credit

Prior to 2012, households were entitled to claim a tax credit for domestic waste services from Revenue. Each household applied and the credit was applied as an income tax benefit. PPSN information was not shared with local authorities or private bin collectors to implement the tax credit. Policing the credit was simply a matter of using existing Revenue powers to seek information into Revenue for audit purposes. While the system was retired in 2012, old code doesn’t die, it just gets commented out. Reintroducing this mechanism for the Household Water Credit likely have been simple and cost effective as the basic structures for implementing it had already been developed and worked. They were just mothballed. Therefore: in determining the proportionality of allowing a private company access to 4 million PPS numbers, did anyone examine the feasibility of reusing an existing system that would not require data to be shared outside of an organisation that already processes PPSNs? Did anyone consider reusing/recycling this processing?

The Children’s Water Allowance

Irish Water tell us that they need to have PPS numbers of children to confirm their eligibility for a water allowance.  There is an allowance. For children. A children’s allowance if you will. A benefit for children. That must only be given to children who are in receipt of Child Benefit…. So why not just either add the allowance for water to the existing Child Benefit payment, or clone the Child Benefit processing in the DSP to deliver the Child Water Allowance? This would have avoided the need to request PPS numbers of children, a sensitive matter for many. No data would be processed outside the existing state agency that deals with Child Benefit and the PPSN data of children. <update>Another tweeter raised the question of non-resident recipients of Child Benefit.

This does not invalidate the approach outlined above. It simply adds a business rule to the data queries necessary to run the process. When working with clients on projects this kind of thing crops up a lot.  It’s one of the many reasons why, after half a life time doing this ‘data thing’ I advocate organisations invest in PLANNING and design for data before jumping into building databases.

Dermot Casey nailed the necessary business rule in “code speak”

Translating that for humans: “IF a child has a PPSN AND is resident in Ireland THEN assign credit ELSE don’t assign credit”.

Of course, this assumes that the DSP has a data field that identifies if the country of residence is Ireland or not (and if they don’t then I would have to ask how any statistics about how many non-resident children are in receipt of Child Benefit are calculated).

</update>

Value For Money?

Given the set up costs of Irish Water, one must ask as well whether reusing/recycling or repurposing existing systems and processes to the objective of having credits and allowances might have resulted in a net saving to the exchequer, particularly in difficult economic conditions.

I cannot answer that and would suggest that is a question the C&AG should consider asking. However, from a Data Protection perspective, it would have resulted in a zero fuss outcome – “State Agencies process data the way they always have to ensure credits and benefits are applied appropriately – SHOCK!!” is not an attention grabbing headline. A private company that is processing PPSN and other personal data but is unable to give clear answers about the nature and scope of that processing IS a headline or dozen.

The Importance of the Information Asset Life Cycle

When I teach Data Governance or Information Quality or when I engage on consulting projects, I always introduce the POSMAD lifecycle of information. POSMAD is a standard model for any asset management consisting of six steps.

  • Plan
  • Obtain
  • Store and Share
  • Maintain
  • Apply
  • Dispose

Part of “Plan” from a Data Protection perspective is asking “Is there a less invasive/less privacy risky way of doing this?”, and from a ‘return on investment’ perspective it requires us to assess if the way we are proposing to do something is the best. Working through this life cycle allows organisations to apply “Privacy by Design” thinking earlier in the lifecycle of the data.

It appears Irish Water jumped straight to the “Obtain” phase because they had legislation that allowed them to do it, but nobody gave consideration to the PLAN stage. This is a function of effective Data Governance in an organisation and I would hope that the Government learns a valuable lesson from this as they formulate their Data Sharing and Governance Bill over the coming months.

Sep 24 14

Irish Water and the DPC’s letter and what it means

by Daragh

[This is a repost of a post I wrote o the 24th of September. Some people said they had difficulty accessing it so I am reposting it. I've updated it with links to other relevant posts that I've made since then. They are included in-line]

This evening [24th Sept] the Data Protection Commissioner has contacted Irish Water in relation to their processing of personal data. Deputy Roisin Shorthall TD has published a response from the Commissioner’s office on her website to questions she has raised. The response reads as outlined below. I’ve annotated it with an explanation of the key issues raised. Key sentences are highlighted:

Dear Deputy Shortall,

I have been asked by the Commissioner Helen Dixon to respond to you on her behalf.

Thank you for your query in relation to concerns you are hearing about Irish Water’s proposed collection and use of personal data. This Office is concerned to ensure there is clarity on these matters for the 2.2 million prospective customers of Irish Water. Clearly, the obligations under the Data Protection Acts in this regard fall directly on Irish Water as the Data Controller in terms of ensuring they are collecting data in a lawful way and using it for a legitimate stated purpose which they make clear to users of their service. Notwithstanding the obligation on Irish Water, this Office is in on-going contact with them in an effort to ensure they take on board our best-practice advice in this regard.

[This paragraph confirms that Irish Water is the Data Controller and is subject to the Data Protection Acts.

One of the fundamental principles of Data Protection under the Acts and the EU Directive is that data should be processed for a specified and lawful purpose. There is a requirement on Data Controllers to be clear with people about what uses their data will be put to. It is Irish Water's job to make sure that that clarity is there. "

The DPC is in on-going contact in an effort to ensure they take on board our best-practice advice" basically means that Irish Water has not done things the DPC might have expected and they are engaging with them to try and fix the situation. Under the Data Protection Acts the DPC must always seek an amicable resolution in the first instance. That usually involves a lot of "on-going contact" with organisations that have not quite got what is required of them.

If the DPC is in "on-going contact" with you to give "best practice advice" you are NOT compliant, you are engaged in an amicable resolution process with the DPC. The only distinction is that the DPC has not yet made a decision that you are not compliant. If an Enforcement Notice issues at all in this instance it will be interesting to see what happens.

Update: As Irish Water is subject to the Data Protection Acts, the apparent absence of an operational "movers/leavers" policy for people changing address is a problem. I explain why here. The summary being that one of the obligations under the DPA is to keep data accurate and up-to-date, in the context of the purposes for which it is being processed.]

The collection of the PPSN for use by Irish Water in verifying occupants of a household is provided for in legislation. We are satisfied from this Office’s interactions with Irish Water that it is intended to use the PPSN for the sole purpose of confirming the qualification for a free water allowance of occupants of the household (including children) and in line with conditions set down for its use by the Department of Social Protection. However, we are in agreement that the Data Protection Notice published does not currently give sufficient clarity and detail in this regard and we are corresponding with Irish Water and providing our views on this.

[This paragraph confirms that there is a statutory basis for Irish Water to ask for PPSNs. It sets out that Irish Water has told the DPC that the SOLE purpose for processing PPSN is to confirm the qualification for free water allowances.

The bit in bold is interesting. The DPC are "giving their views" on the clarity of the Data Protection notice (which is also referred to as a "fair processing notice" in Data Protection-speak) because they are of the view that the notice as published doesn't give sufficient clarity. Not having sufficient clarity means that the Data Protection notice fails a basic test: that of being specific as to the purpose or purposes of processing. That is a breach of the Data Protection Acts, but is not, in and of itself an offence under the Acts for a host of technical reasons that hurt my head to explain.

Again, if the DPC is contacting you to "provide views" on something, you are not compliant. The DPC does not tend to write letters telling you you're brilliant and should have a gold star. Correspondence providing views is part of the investigation/amicable resolution process that the DPC is required under the Acts to follow. If an organisation is compliant the DPC wastes neither stamp, nor electron, nor oxygen molecule engaging in "correspondence" - the exception being where an organisation is audited or investigated and good practices are found to be in place. In that case you might get a mention in the Annual Report.

I suspect Irish Water may get a mention but not for the right reasons.

Also, the DPC does not specifically mention the question of the retention period or purposes for retention of PPSNs. I would assume that that topic would form part of the discussion as, if there is no purpose beyond the initial validation of allowances there is no lawful purpose for Irish Water to retain PPSNs.

Again, the issue of clarity was the very topic I picked up on when I wrote my first blog post about the Data Protection Notice 18 days ago. It's reassuring to see that the Data Protection Commissioner shares the concerns I raised.

update: Today, on foot of an Irish Times article, I wrote this post which points out that Irish Water are citing a purpose for retaining PPSNs that give a retention period of at least 6 years. And it is not a purpose that is related to the validation of entitlements to allowances.]

The issue of disclosure of personal data to third parties inevitably arises in the case of Irish Water where they are already using contractors to fit water metres and for other outsourced functions. This Office has asked Irish Water to be transparent in terms of making clear the categories of the data processors to whom they are providing the data and for what purpose and to provide contact details in the event that a customer wishes to raise a data protection concern. We are currently following up with Irish Water on this matter.

[Again, the question of clarity and transparency raises its head here. The Office of the Data Protection Commissioner correctly recognises that there are times when the use of third parties to do things for a company. Contractors are the third party in question. Third parties, doing work for Irish Water, under contract. These are known as Data Processors.

The DPC here is requiring Irish Water to be transparent about the CATEGORIES of data processor they will disclose data to, for what purpose, and to give contact details if there is a Data Protection concern. Normally, the Data Controller is the entity concerns are raised to and they use their contract (for the love of spuds let Irish Water have proper data processor agreements in place) to address the issue with the Data Processor via a right of audit or inspection (as is actually required under the Data Protection Acts). If the DPC is now requiring contact details to be provided for Data Processors as well, I can't see how that fits with only identifying categories, but would be happy to help figure it out. 

Interestingly, the DPC seems to be going beyond what I'd included in my mockup "alternative universe" version of the Data Protection Notice. I'll be taking note of that and advising clients accordingly.

Also, the requirement to specify "categories" of recipients of data differs slightly but significantly from their Direct Marketing guidance in relation to providing marketing lists to or conducting marketing on behalf of third parties, which currently requires the SPECIFIC organisations data will be shared with to be disclosed at the time of data capture. If that requirement was intended to be specific categories as well, it makes a lot more sense and the current wording needs to be revisited to correct what appears might be a transcription error.

Again, the DPC is "following up with Irish Water on this matter". An organisation that is compliant with the requirements of the Acts does not require the DPC to "follow up", and yet again the DPC is following up on issues of transparency, clarity, communication, and (in essence) customer focus.All of which were issues that I raised nearly 3 weeks ago.]

Equally, Irish Water as part of their business model may use outsourced service providers outside of the EEA. We are not aware that this is currently part of their actual business plan but it would appear to be the case that they wish to ensure this eventuality is covered in their Data Protection Notice. Again, we have asked them to be more explicitly clear in the notice in relation to how they would protect the data and to identify where possible what type of data and for what purpose a transfer would occur.

[This paragraph means that the DPC agrees that the use of outsourced data processors outside the EEA is something Irish Water MAY do in the future. This is very common. High street supermarkets use software development teams in India, telephone companies use database administrators in other countries, many SMEs use tools and technologies that have their data sitting outside the EEA. It's a common thing. Irish Water include it in their Data Protection notice as a future proofing element.

I note with interest that the DPC is asking for Irish Water to more explicitly state what type of data and for what purpose the data would be transferred outside the EEA. This is essentially the same question I asked in my original blog post when I wrote;

"Question: Is Irish Water planning to outsource call centre operations to India? Also: What countries are they intending to transfer data to, and under what controls?"

The DPC's request for Irish Water to provide more information about how they would protect the data is essentially the same as my query about "under what controls".

Again, if the DPC is asking you to be more explicit in how you are communicating things, then that means you are not compliant and are in the "amicable resolution zone" where the DPC talks gently to you to encourage more compliant behaviours. That's a good thing if it is happening during planning and design of a system or process, but is a horrendously bad thing to have happen when you are up and running with your processing. At any point the gentle communication could develop teeth and you might be instructed to do something by way of an enforcement notice. The DPC is empowered to block any data transfer outside the EEA using a Prohibition Order under Section 11 of the Data Protection Acts.]

I hope this information is of use to you. We do understand the urgency of the matter in light of the obligation on customers to return application forms to Irish Water and we are communicating our views in relation to this urgency to Irish Water.

Yours sincerely, John O’Dwyer Deputy Data Protection Commissioner

The DPC does not address in this communication the question of whether Irish Water’s approach to marketing consents is valid (I believe it is not). I’d expect that correspondence is on-going in relation to that aspect at the moment as well. And while Irish Water may wish to insist they are compliant in that regard, I beg to differ.

I suspect this particular well has not yet run dry.

Sep 18 14

Irish Water, transfer of data, and WTF

by Daragh

TJ McIntyre was on Morning Ireland this morning talking about Irish Water and their use of PPSN. The Irish Water representative, Elizabeth Arnett was on a few minutes later.

In the course of the Irish Water commentary on their use of data, the question was asked about what would happen to PPSN data if Irish Water was ever sold. The assurance was given that Irish Water cannot be sold under legislation and that the reference to any such sale or transfer in the data protection notice was just the use of “standard clauses”.

And therein lies the nub of (part) of the problem – a Data Protection Notice is supposed to inform people about what YOUR organisation is going to do with the data provided to YOU. Cutting and pasting might give you a template, but you need to invest a little time and effort working through the Information Asset Life Cycle (Plan, Obtain, Store/Share, Maintain, Apply, Dispose) to ask some key questions so you can build a truly accurate and reflective Data Protection statement that is, for want of a better term, TRUE. Plagiarizing some other organisation’s policies is not a recommended practice.

(As an aside, in the day job at Castlebridge Associates I’m fortunate to have hired someone whose previous career involved them checking for academic plagarism, so when we audit data protection policies we can pretty quickly find out where the cut and paste bits were sourced from).

So, today we learned that Irish Water can’t be sold. Which means that all the guff in the Data Protection notice about the transfer of data on the sale of the business or the purchase of another business is utter claptrap.

Unless of course the situation is that Irish Water can’t be sold NOW. I started my career in Data Governance in a semi-state company that we were assured couldn’t be sold and wouldn’t be sold. That company is now heading to its second IPO, having been flipped more times than a pancake on Shrove Tuesday. So perhaps I’m a little cynical about the management of State utility companies.

If Irish Water can’t be sold, that’s great. The Government and Irish Water need to make that explicitly clear and the Data Protection notice should be amended to have a positive declaration that Irish Water will not be sold. However, if there is a possibility that it might be sold then that should be clarified (even if a legislative change would be required for it to be sold) and the Data Protection notice should clarify what data would be transferred (for example, would PPS numbers be transferred, and if so why).

As I said on WLRFM earlier in the week – if a glass of water was put in front of me that was as murky and opaque as the current Data Protection notice from Irish Water I would refuse to drink it.

Sep 10 14

Irish Water Data Protection Notice – An Alternative Version

by Daragh

So, I appear to have caused some consternation with my post over the weekend. To help clarify things, I’ve put together an alternative reality version of the Irish Water Data Protection Notice based on information that has been included in recent media coverage and which is fragmented across a number of documents produced by Irish Water. This is effectively free consultancy for Irish Water and is an incomplete first pass that is intended to illustrate the benefits of layout and structure of Data Protection Notices to improve clarity and communication of purposes for processing of data.

However, the content of this post is (c) 2014 Daragh O Brien and cannot be reused for commercial purposes other than news reporting without prior written permission.

+++++++

Who we are

Irish Water is the new national water utility, which is responsible for providing and managing public water services throughout Ireland. Irish Water is a State-owned company, established under the Water Services Acts 2007–2013.

Irish Water replaces the previous system of 31 Local Authority Water Services departments.

Registered Office

Our registered office is:

 Colvill House,
24-26 Talbot Street,
Dublin 1.

Address for Data Protection Queries

Data Protection queries, such as Subject Access requests or requests for data correction, should be sent to:

Data Protection Officer
P.O. Box 860,
South City Delivery Office,
Cork City,
Cork.

You can email queries to us care of dataprotection[AT]water[dot]ie  ==>(This email address doesn’t currently exist)

What Data are we processing?

We process a range of data about customers of public water services (Customers) and other users of private water services (Non-Customers).

Data about your property and water services

If your property is connected either a Public water main supply or Public Sewer you are a customer of Irish Water. We will ask you to confirm what kind of water or sewage system you are connected to in order to identify if you are a customer of Irish Water or not.

If you are a customer, we will confirm if you are receiving a bill for a water service from your Local Authority and if the property is used as a private residence or not, and if you are a property owner or a tenant.

We will also seek information about the number of people residing in your property.

Personal Data

The personal data we process about you includes:

  • Names of account holders,
  • PPSN numbers for account holders and any resident children (17 years or under)
  • Customer property address
  • Customer preferred billing address (if different from property address)
  • Home land line telephone number
  • Mobile telephone number
  • email address
  • Billing language preference

We will also record calls between Irish Water customer service staff and customers for purposes including quality assurance and training.

Sensitive Personal Data

Irish Water processes sensitive personal data about customers who indicate they wish to avail of special and/or priority services.

This information may include data relating to physical or mental health. In these circumstances we may also process personal data relating to a nominated carer or other person who will deal with correspondence on your behalf.

Personal Financial Data

We will process bank account details for the purposes of establishing recurring direct debits for the payment of Water Services bills.

Other than data you provide to us, what other data do we process about you?

Under Section 26 of the Water Services Act 2013, Irish Water is empowered to seek data from a number of different bodies. As of September 2014, these bodies include:

  • The Revenue Commissioners
  • The Residential Property Tenancies Board
  • The Property Services Regulatory Authority
  • Local Authorities
  • The Local Government Management Agency
  • Electricity Service providers
  • The Department of Social Protection
  • Gas service providers

Other bodies or data providers may be specified by the Minister after consultation with the Data Protection Commissioner.

Irish Water may make use of data from 3rd party data service providers for some of the purposes set out below.

Why are we processing it?

Irish Water has a number of specific purposes for processing your personal and sensitive personal data, and for seeking data about you from other sources.

Confirming if you are a Customer of Irish Water

We will process information about your household, its water supply and sewage services, and other related household data to confirm if you are a customer of Irish Water.

Confirming eligibility for allowances

  • To apply for the Household Water Services Allowance we process your PPS Number to verify your identity and your entitlement.
  • To apply for the Children’s Water Services Allowance, we process the PPS Numbers of resident children (under the age of 17) to verify the age and identity of the children.

This is a control check process that ensures correct and appropriate allowances are claimed to help ensure accurate application of credits to customer water service bills. For more information on our processing of PPSN please see the relevant section below.

[note: This is the purpose for which PPS Numbers is being obtained. It is good to note that Irish Water are not asking for PPSN for non customers, however that assumes that people won't fill it in in error. I assume Irish Water have a process to purge PPSN details they don't require?]

To generate and distribute customer water service bills and collect monies owed

We will use the name of the registered account holder and the property address, or the alternative billing address, for the purposes of sending Water Service bills to customers.

This data will also be used to support our credit control processes. In the event of non-payment of bills, your data may be passed to debt collection agencies for the purposes of debt recovery, up to and including legal proceedings for non-payment.

Data about language preferences will be used to ensure you receive a bill in the language you select. Sensitive personal data will be processed to allow us to issue braille bills or to arrange for “talking bill” services to be provided to visually impaired customers.

Where a customer availing of special services or priority services has indicated that a carer or other person should receive correspondence on their behalf we will process that person’s data as required.

For Fraud Detection and Prevention and Credit Scoring

Irish Water will use data obtained from various bodies as outlined above to allow us to operate prudent fraud detection and prevention  controls.

We may also use data from data services providers for the purposes of customer credit scoring as part of our prudent management of risk.

Marketing

Subject to specific consents, Irish Water may use contact data provided by customers for the purposes of marketing products and services to customers related to their Water Service. This will be subject to specific consents which will be obtained.

For non-customers, Irish Water may use contact data provided to send information about water service availability and to market relevant products and services. Again, this will be subject to specific consents.

Call Recordings

Calls between Irish Water Customer Service staff and customers will be recorded for quality assurance and training purposes, and to confirm details of the conversation if required.

Maintenance and Construction Activity

Irish Water may process your personal data for the purposes of conducting visits to premises, arranging for required works to be carried out at premises, and other construction and maintenance activities necessary to ensure the delivery of a public water service.

Health and Safety and Risk Assessment

Irish Water may process your personal and sensitive personal data for the purposes of ensuring compliance with Health and Safety obligations, ensuring appropriate water supplies for people with certain medical conditions, and the conducting of risk assessments associated with the management of the public water supply.

Your PPSN – what we will do with it

Irish Water is entitled to request your PPS Number and the PPS Numbers of  under Schedule 5 of the Social Welfare Consolidation Act 2005. PPS Numbers provided will be stored securely by Irish Water.

Your PPS Number will only be used to determine if you are entitled to water services allowances. PPS Numbers will be verified with the Department of Social Protection and a simple confirmation of entitlements will be received from them. No other data will be exchanged or processed for this purpose.

PPS Numbers will be retained by Irish Water for [NEEDS A RETENTION PERIOD AND PURPOSE POST VALIDATION OF DATA AT APPLICATION]

Only customers of Irish Water are required to provide us with their PPSN. Users of private water services should not submit this data to us as we do not have a purpose for processing it.

[note: I've flagged this already, but an exception handling process to ensure ppsn is not processed for non-customers by mistake would be a good control here.]

Sharing Data/Disclosure of Data

Irish Water may share data with companies who provide services to Irish Water for the purpose of carrying out our business functions as outlined above. Companies providing data processing services to Irish Water do so under a formal contract and are required to process data only for the purposes specified by Irish Water and must ensure they have appropriate organisational and technical measures to prevent unauthorised access to, alteration of, or disclosure of your data.

Irish Water may disclose or transfer data to a third party in the event of the business being purchased in part or entirely by that third party.

Irish Water may also disclose data if required to do so  in order to comply with a legal obligation, or to protect the rights, property, or safety of Irish Water, its customers, or other relevant third parties, or if required to do so on foot of a search warrant, court order, or where required under a Statutory duty.

Irish Water may share data with third parties for the purposes of fraud detection and prevention and as part of credit risk reduction.

Transfer of Data Outside the European Economic Area

Personal Data held by Irish Water may be transferred to or accessed from countries outside the European Economic Area. The reasons for data to be transferred may include, but are not limited to:

  • Outsource Customer Support services
  • IT Technical support services
  • Software development and support
  • Data hosting and back up services
  • Fraud Detection, Prevention, and Credit risk management

Transfers to countries outside the European Economic Area will be carried out subject to specific contract terms and other relevant controls, such as transfer to appropriate countries on the European Commission Safe Countries List or alternative  appropriate mechanism under the Data Protection Acts.

[note: The original Irish Water Data Protection notice forces consent to this EEA transfer provision. The Data Protection Commissioner is clear that relying on consent in this case requires the consent to be unambiguous and freely given. In the original form, the consent was not unambiguous as it didn't specify any purpose or what data. Also, given that Irish Water is a monopoly and we have no option but to fill out the registration form, the consent being sought was not freely given].

Data Retention

Irish Water has a defined Data Retention Policy.

[note: I assume they have a defined retention policy. What I would suggest here is that for each key purpose a time period be established]

 

Exercising your Data Protection Rights

Under the Data Protection Acts you have the right to:

  1. Request a copy of personal data held about you by Irish Water (Subject Access Request)
  2. Request Irish Water correct or delete incorrect or inaccurate data about you
  3. Request Irish Water cease processing your data for specific purposes, such as Direct Marketing

Subject Access Requests

To request a copy of your data you should send a request in writing to:

Data Protection Officer
PO Box 860
South Delivery Office
Cork City
Cork

Irish Water may request additional proof of identity from applicants for the purposes of verification to ensure data is disclosed only to the relevant individual.

Irish Water may charge a fee of up to €6.35 for Subject Access requests.

Change Direct Marketing Preferences

To change your Direct Marketing preferences you should send your request to:

FREEPOST,
Irish Water,
Data Protection Opt-out,
PO Box 860,
South City Delivery Office,
Cork City

Alternatively you can phone Irish Water on 1890 278 278 to update your marketing communications preferences.

Other Requests

Other requests should be sent to:

Data Protection Officer
PO Box 860
South Delivery Office
Cork City
Cork

Marketing Consents & Permissions

  • email:             I would like to receive marketing communications by email (YES/NO) [this is an opt-in consent]
  • SMS:               I would like to receive marketing communications by Text message (YES/NO) [this is an opt-in consent]
  • Mobile Call: I would like to receive marketing calls on my mobile phone (YES/NO) [needs to default to NO as this is an opt-in consent]
  • Landline:      I would like to receive marketing calls on my land line phone (YES/NO) [this can be an opt-opt consent]
  • Postal Mail: I would like to receive marketing material by post (YES/NO) [this can be an opt-out consent]

[note: The Article 29 Working group and the DPC have indicated that preticked boxes on web forms are not valid consent as the consent is not freely given. Including them here is possibly not ideal given that the form isn't online. 

The application form contains only one single Opt-out tick box for both electronic and postal marketing. This does not meet the requirements of SI336. As I haven't received my pack yet I can't comment on the on-line application process and whether it has better compliance with the ePrivacy regulations requirements (SI336)

Also it is important to note that the application form for Irish Water does not capture any electronic contact data for non-customers, therefore non-customers will be marketable to only via postal mail at this point on an opt-out basis]

Sep 6 14

Irish Water Data Protection Notice: A review…

by Daragh

circle of trustIrish Water have published their Data Protection notice on their website. This document is a key element in any organisation’s data protection compliance. It is the way in which the organisation demonstrates “fair obtaining” of personal data and sets out the specific lawful purposes for which they are processing data.  It is essential that these documents are as clear as possible, particularly for audiences who may have literacy difficulties. This is why I strongly recommend to clients that they do not let their legal team write these. Ultimately, data protection compliance is about ensuring you don’t have a surprised customer. It’s also about ensuring you establish and maintain a “Circle of Trust” about why you are asking for data and how you will process it.
In this post I’ll go through the Irish Water Data Protection notice and parse each paragraph and explain what it means and, where necessary, point you to the relevant legal justification for the processing that is taking place.

Irish Water Data Protection Notice

(sourced from https://www.water.ie/data-protection-notice/ 05/09/2014)

Irish Water may share the Customer’s data with agents or third parties who act on behalf of Irish Water in connection with the activities referred to above. Such agents or third parties are only permitted to use the Customer’s data as instructed by Irish Water. They are also required to keep the Customer’s data safe and secure. The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). In the event that the data is stored outside of the EEA, Irish Water shall procure that all relevant laws are complied with to secure the data. It may also be processed by staff operating outside the EEA who works for us or for one of our suppliers. Such staff maybe engaged in, among other things, the processing of your request for information and the provision of support services. By submitting data to Irish Water, the Customer agrees to this transfer, storing or processing. Irish Water will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Clause 19.

[comment:

This clause should have a "data sharing" heading. It repeats a bit of what was in the previous section. "Such agents or third parties are only permitted to use the Customer's data as instructed by Irish Water" is a reasonable sentence. Of course, it must be assumed that those agents and third parties have contracts with Irish Water that specify the purposes and controls for processing. 

This section also tells us that data "may be transferred to, and stored at, a destination outside the European Economic Area". This suggests use of outsourced data centres or data processors that are outside the EEA. There is nothing wrong with this in and of itself, but the problem comes with the next statement: "Irish Water shall procure that all relevant laws are complied with to secure the data". This is problematic, apart from the awkward use of the word "procure". Cross border data transfer outside the EEA requires either that the destination country is either a Safe Country , be covered by Safe Harbor (i.e. the US), or be undertaken using model contracts.

Why is our data being transferred? Staff outside the EEA working for Irish Water or a supplier will be processing data if we request information or to provide support services. This sounds like either IT support services being provided outside of the EEA or direct customer support call-centre type services being provided outside of the EEA. Question: Is Irish Water planning to outsource call centre operations to India? Also: What countries are they intending to transfer data to, and under what controls?

Apparently, by submitting data to Irish Water we will have agreed to the transfer. This is probably not valid consent under EU Data Protection law. While it is specific and informed, it is not freely given. Individuals have to provide data to Irish Water. While I am heartened to see that Irish Water will take all steps reasonably necessary to ensure data is treated securely, I'm bloody confused where "Clause 19" comes from (I suspect this Data Protection notice is an extract from a longer T&Cs document). Unfortunately, Irish Water are not required to take all "reasonably necessary steps". They  are required to ensure appropriate organisational and technical controls.

And as for processing "in accordance with this Clause 19"? Well, without knowing what that Clause 19 actually is (it might be this paragraph *shudder* or it could be something else) I can't add anything about the impact or meaning of that sentence.]

Irish Water may disclose the Customer’s data to third parties in the event that it sells or buys any business or assets, in which case it may disclose Customer data to the prospective seller or buyer or such business or assets; if Irish Water or substantially all of its assets are acquired by a third party, in which case Customer data held by it about its Customer will be one of the transferred assets. Irish Water may also disclose Customer data if it is under a duty to disclose or share Customer data in order to comply with any legal obligation, or in order to protect the rights, property, or safety of Irish Water, its customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. Irish Water will also disclose Customer data if it believes in good faith that it is required to disclose it in order to comply with any applicable law, a summons, a search warrant, a court or regulatory order, or other valid legal process.

[comment: 

The inclusion of a disclosure purpose covering sale or transfer of assets is normal and common sense for any business. The biggest asset in most businesses now is its customer data. Disclosure of data when buying an asset is a question mark purpose, but one scenario might be due diligence when buying another water services business serving the Irish market to validate the size of the additional customer base being acquired. I'd question the legitimacy of disclosing data when buying a non-water sector business however. 

This clause also says that Irish Water will disclose data if required to do so under any legal obligation or to protect rights, property, or safety of Irish Water, its customers, or others. This is allowable under the Data Protection Acts, but should not be read as a blanket provision allowing any kind of disclosure. Appropriate governance controls would need to be in place to ensure that the "legal obligation" is valid and to ensure that the decision about protecting rights, property, and safety is taken under appropriate guidelines and controls.  Of course, we can't ignore the last sentence here which basically restates in a different way the kinds of legal obligation under which data might be disclosed. The "believes in good faith" clause suggests to me that IW will not contest any order requiring disclosure of data. My reading: If you are drinking tea while engaged in illegal downloading, IW will tell IRMO if asked.

This paragraph reiterates the exchange of and disclosure of data to third parties for fraud prevention and credit control. I've already raised an eyebrow about that earlier.]

From time to time the Customer may speak to employees of Irish Water (or agents acting on its behalf) by telephone. To ensure that Irish Water provides a quality service, the telephone conversations may be recorded. Irish Water will treat the recorded information as confidential and will only use it for staff training/quality control purposes, confirming details of the conversations with Irish Water or any other purposes mentioned in this Clause 19.

[comment: 

This actually a reasonably good provision, at least in part. It provides for the recording of calls with their employees or sub-contractors (i.e. customer service staff in call centres - see my question re: where those call centres might be in the future earlier).

The problems with this clause are that it starts with specific statements of purpose ("staff training/quality control") and then degenerates quickly into catch-all vagueness ("or any other purposes mentioned in this Clause 19"). Firstly: Clause 19 is not numbered or identified in this document. Secondly, I'm a Data Protection professional and I can't say that, even after a number of readings, I could list what specific purposes are mentioned in this document. There are a lot of "reasonable", "as necessary", and "because we're worth it" type phrases. I can't scan quickly and directly to a single section that says: "These are the purposes for which we are processing information".]

The Customer has a right to ask for a copy of the Customer’s data (Irish Water is entitled to charge a nominal administration fee for this) which is held by Irish Water about the Customer. If the Customer wishes to avail of this right, a request must be submitted in writing to: Irish Water, Data Protection Officer, PO Box 860, South City Delivery Office, Cork City. In order to protect the Customer’s privacy, the Customer may also be asked to provide suitable proof of identification. If any of the Customer’s details are incorrect the Customer is entitled to notify Irish Water to amend such details. Where the Customer has any queries in respect of Customer data it should contact Irish Water using the details provided in Clause 20.2.

[comment:

This paragraph tells us we have a right to ask for a copy of our data and we have to submit the request in writing. Correct thus far, this is as required under Section 4 DPA). They say they are entitle to charge an administration fee. This is correct. It’s €6.35 maximum. They don’t tell us how to pay that (postal orders, 10 €0.65 stamps, 635 1-cent coins…). They provide a postal address to send our requests to. It’s worth bearing  in mind that the Data Protection Acts only require that the request is in writing and organisations are not actually allowed to prescribe a standard form or mechanism for sending in Subject Access Requests. Personally, I’d have used an email address for this in addition to the postal address to ensure capture of SARs early in the process. I also hope their processes for handling requests that come in are better defined and resourced than this classic example.

That Irish Water are telling us they may ask for proof of identification for a Section 4 request is not a bad thing. It is good practice to verify the identity of a requester and is a basic organisational control practice to prevent unauthorised disclosure. Of course, once identification information is provided (e.g. passport copy) and the identification process has been met, the data should not be retained. The DPC looked at this in Case Study 16 of this year’s Annual Report.

This paragraph also requires us to address any queries in respect of data to a different address. We’re told the contact details are in Clause 20.2. Out of context, that is utterly meaningless – they might as well have asked us to send our requests attached to an Owl care of Hogwarts. It is important to note that queries in respect of customer data are most likely Section 3 requests – requests to confirm if data is being processed, and why, or requests to have data rectified or erased under Section 6 of the DPA. The use of two different addresses for Data Protection related processes strikes me as potentially inefficient and an inevitable cause for confusion. I always recommend to clients that they have a single “Data Protection request” funnel and have well defined back-office processes to sort the requests and process them effectively and efficiently.

If the Customer signs up for any of the Irish Water online services and Irish Water communicate with the Customer by email, the Customer is solely responsible for the security and integrity of the Customer’s own email account. The Customer accepts that electronic mail passing over the Internet may not be free from interference by third parties. Consequently, while Irish Water will take all reasonable security measures, Irish Water cannot guarantee the privacy or confidentiality of information relating to the Customer when passing over the Internet. Unfortunately, the transmission of information via the internet is not completely secure. Although Irish Water will do its best to protect Customer data, it cannot guarantee the security of Customer data transmitted via the internet; any transmission is entirely at the Customer’s own risk.

[comment: Summary of this is that Irish Water accept no responsiblity for the security of email communications. This is true. They can’t be responsible for external malicious attacks on your email account. This is a limitation of liability clause. It is not unreasonable. Of course, IW could give the option of using encrypted email communication…

Marketing [note: this is where some fun starts]

Irish Water and/or authorised agents acting on behalf of Irish Water, may wish to contact the Customer by text message, email, post, landline or in person about water related with products or services which may be of interest to the Customer (“Marketing Purpose”).

[Comment: 

This paragraph does not meet the requirements of SI336.

  1. Marketing by SMS requires opt-in consent under Section 13(1) of SI336. Given there is no alternative water service provider, any implied consent that might be argued would likely be invalid on grounds of it not being freely given. This basically amounts to a pre-ticked box on a web-form, which the Article 29 Working Party has already said doesn’t meet the requirement for informed opt-in consent.
  2. The same goes for marketing by email.. (SI336 lumps email and SMS messages in under the same term – electronic message).
  3. Post is OK for an opt-out mechanism under SI336
  4. Landline calls are also OK for an opt-out mechanism under SI336 (Section 13(5))

The “in person” provision is door to door selling. 

The catch all “related with products or services which may be of interest to the Customer” clause here is very wide. The service being offered does not have to be related to your water service – This is sufficiently broad that Irish Water could call you to sell Andalusian Time Share units if they so desired.

I note that their consent landgrab does not extend to mobile phones. If I was mischievious, I’d suggest that people enter their mobile phone number as a contact number as SI336 requires prior, explicit, opt-in consent for calls to mobile numbers (SI336, Section 6). 

If the Customer does not wish to be contacted for Marketing Purposes as set out above, the Customer may exercise a right of opt-out by either writing to Irish Water at FREEPOST, Irish Water, Data Protection Opt-out, PO Box 860, South City Delivery Office, Cork City or by calling Irish Water on 1890 278 278.

[comment: You can send your opt-out requests by a freepost letter or by ringing their call centre. Another address, another set of processes. It is clear that there is a strong presumption that opt-out is a sufficient mechanism for their marketing. This is incorrect.]

Conclusion

There are some good things about this Data Protection notice. However, they are outweighed by:

  1. Poor structure and layout that makes it very difficult to find relevant information and understand what is being done with data
  2. Some extremely vague and non-specific provisions, as well as some “kitchen sink” “just-in-casery” in terms of what is being addressed
  3. Some simply unsupportable approaches to obtaining consent
  4. An appearance of a fragmented and not properly thought through approach to governance of Data and management of Data Protection obligations.

The upshot:

  • Tinfoil hat brigade will have wriggle room to misunderstand potentially valid and allowable processing purposes, which will lead to more nonsense and noise.
  • The rest of us will find our data being processed in a range of vague and unspecified ways to which we will be told “you consented”, which we actually didn’t as consent needs to be freely given and meaningful and it is difficult to see how one can consent to take -it-or -leave-it provisions in the terms and conditions of a monopoly organisation.
  • Irish Water will wind up dealing with Data Protection complaints, some groundless but many with a strong basis.
  • Irish Water will engage in activities that will actually breach Data Protection rules when they engage in marketing, and will attempt to argue that customers consented. This will result in investigations by the DPC, and avoidable legal costs in defending prosecutions.

My rating: 5/10 – close, but no cigar.

%d bloggers like this: