In the rush to adopt new technologies and new ways of working, particularly When an organisation embarks on a change to systems and processes it is often very easy to get caught up in the whirlwind of enthusiasm for the new technology and the promised benefits of new ways of working.
Nearly 2 years ago I wrote a post on this blog about the adoption of US style internet campaigning and the use of Web2.0 in Irish politics from an information quality perspective. The scorecard wasn’t good from a data quality perspective. The strategy seemed to be “If Obama can get elected using this Internet thingy, then we need to copy what he did”. No attention seemed to have been paid to the simple fact that a “cut and paste” adoption of a pre-canned solution from elsewhere would not necessarily work.
2 years on I would have thought that some lessons might have been learned. So when Fine Gael announced they’d “stood down” their finegael.ie website in favour of a more interactive presence in the run up to the election I thought I’d take a quick look. While the Information Quality issues with the form were not too bad, the structure and operation of the site raise a number of concerns from a Data Protection perspective.
Bluntly – when a US election solution provider rolls up in Europe they will find that they literally ain’t in Kansas anymore, particularly with regards to what you must and must not do with regards to the capture and processing of personal data. Political parties buying these services need to be aware that they are Data Controllers and that the solution providers are Data Processors in the context of the Data Protection Acts 1988 and 2003.
Failure to set the “tone at the top” and cascade it through the organisation means that often the important questions are not asked (or the answers are ignored).
Ultimately, in a Data Protection context, you are dealing with issues that can impact on your brand. If you are positioning yourself as being a political party that will “get tough” with vested interests through more effective regulation and enforcement you can’t really start the ball rolling by flouting basic principles of Data Protection law.
Indeed, back as far as 2004 the Data Protection Commissioner wrote:
It is important that public representatives and candidates for elective office realise the importance of their obligations under the Acts and that, in so far as responding to legitimate investigations from statutory office holders is concerned, in no sense should they consider themselves above the Law
In 2009’s annual report the Commissioner also wrote that:
Rapidly changing technology can be both a threat to this right and the means of protecting it. Building data protection safeguards into new technologies and applications of these technologies remains the best approach. This is as much true of data processing in the “cloud” as it is of a routine development of an IT application in an organisation.
So… the issues?
Obscured by Clouds (Personal Data and Cross Border Transfer)
This site appears to be a reskinning of a solution provided by Electionmall.com, a US-based provider of “on demand” web-based campaign tools. So, FG have embraced the Cloud. However, as I’ve repeatedly said through 2010, and as the Irish Data Protection Commissioner also clarified at a number of events in 2010, there are certain due diligence steps that Data Controllers (and FG is a Data Controller) need to perform before embracing cloud.
- Where is the data going? It would seem that the Data Processor in this case (ElectionMall Technologies) is a US based company. Transfer of Personal Data to the US from the EU is permitted where the Data Processor is registered with the Safe Harbor scheme. EMT does not appear to be listed on the Safe Harbor list (feel free to search for yourself – I couldn’t find them). EMT state (in their privacy policy) that the data is processed on their servers in the US, but the way this privacy statement is drafted it seems to be directed at the processing of personal data of their customers (who are the politicians) not necessarily the actual individuals who may submit data. The Data Protection Commissioner has some good advice for organisations considering transferring personal data abroad.
- Is there a contract? The Data Protection Acts require any processing being undertaken by a Data Processor to be done so on foot of a written contract. Given that Enda Kenny famously took out a contract for Ireland in the 2007 General Election, one must assume that there is a clear contract that gives FG assurances re: technical and organisational measures re: security and Data Protection compliance in EMT. This is an issue for any organisation that is outsourcing the processing of personal data to a “Cloud” provider. Where the Data Processor in turn has hosting services provided by another 3rd party, that “chain of contracts” can become important if there is a loss of personal data or an unauthorised disclosure.
Over on my company site I have a tutorial on Data Protection in Cloud Computing.
Fair Use/Fair Obtaining
S2 of the Data Protection Acts deals with the whole area of fair obtaining and fair use of personal data, including Sensitive Personal Data. There is a requirement for websites which are capturing personal data (and which fall within the remit of the Acts) to have a Privacy Statement. The Commissioner is quite clear about this. If data has not been obtained fairly it cannot be processed. I’ve looked all over finegael2011.com and cannot find a link to any Privacy Statement. (Unfortunately this is all too true for a number of other commercial and political websites from Ireland that I’ve looked at recently). The Commissioner provides some basic guidelines as to what should be in a Privacy Statement, including the need to take cross border data transfers into account when including information in the Privacy Statement and the importance of having contracts with Data Processors.
Examples of Political Party privacy statements include: Fianna Fail, the UK Labour Party , UK Conservatives.
Ultimately, the test of a Privacy Statement is whether something happens with personal data provided which a reasonable person reading the statement wouldn’t have expected to happen. For example, if you have to provide an email address to make a comment on a site but you find you’ve been added to a mailing list as a result then that would need to have been made clear in the Privacy Statement.
Likewise, if your personal data is being transferred outside of the EU to a Data Processor then that too would have to be made clear in the Privacy Statement, along with the grounds on which that transfer was legitimate (e.g. the Data Processor is Safe Harbor registered).
While political parties, politicians, and candidates for elected office enjoy certain exemptions under the Data Protection Acts they do not have immunity from the Acts. This case study from the Data Protection Commissioner’s website outlines the nature of those exemptions quite well. The exemptions extend to the processing of and disclosure of data, in particular Sensitive personal data (which includes statements of political opinion or belief). A key element of these exemptions in the context of an Election campaign would be S2B(1)(ix) which allows sensitive personal data to be processed by political parties without consent “in the course of electoral activities for the purpose of compiling data on people’s political opinions”.
They do not absolve politicians and political parties from the need to comply with the rest of their duties as Data Controllers under the Acts.
Wrap up
“Privacy by Design” is becoming the mantra of Data Protection enforcement world wide. Simply cutting and pasting a solution from another jurisdiction into an Irish or EU context invites breaches of legislation and failures of the required governance and controls. This is not just a technology issue.
Given that politicians are asking us to trust them, they should ensure that they take the necessary steps to earn that trust. Just like any other organisation embracing new technologies, they must ensure that the necessary due diligence and governance structures are in place to ensure that they are acting in compliance with long established legislation. If they are promoting a “tough on regulation” policy platform, then they must lead with a clear “tone from the top” of Compliance and good Governance.
In short they must Lead.
Excellent post and a lot of the points you raise are very valid and unfortunately all too common a problem on many sites that I have examined for clients. Hopefully, organisations will begin to realise that they have certain responsibilities for the data entrusted to them by individuals.
Daragh,
Thanks for doing all this hard work.
This is likely to become one of those case studies in ‘what goes wrong when you don’t do what’s right’.
Also, why does it feel like there something uniquely FG about buying a two used websites in a row? Didn’t the last one have bits of source code from the BBC still hanging around?
That’s a great post Daragh.
I actually wrote about this myself following receiving unsolicited email from Fine Gaelf
after I ‘joined the conversation’. I was not at all impressed to get an email the following day starting ‘Dear Member’. How very dare they! Like you I looked all over for a privacy policy and sadly lacking. Not surprising as so often lacking on Websites. However, not good enough.
There’s a discussion going on about this on the Irish Internet Associations group on LinkedIn.
I too received an unsolicited email and also wrote to the
Data Protection Commissioner along the same lines. I see they have
added an opt-out now as well as the privacy statement. Live and
learn eh!
Pingback: Fine Gael's new website appears to have been hacked - Page 4
Pingback: A very bad week for Fine Gael
Pingback: Fine Gael website defaced by Anonymous ‘hacktivists’ | Race to the Dail
Pingback: Security Watch » Blog Archive » Lessons Learnt From Fine Gael Website Security Issues
Pingback: 2,000 users’ details taken in Fine Gael website breach | Race to the Dail
Pingback: The curious case of Enda and the Technology | The DOBlog
Pingback: Household Charge–A Data Protection kerfuffle in the making? | The DOBlog
Pingback: It was 12 months ago today… | The DOBlog