In the rush to adopt new technologies and new ways of working, particularly When an organisation embarks on a change to systems and processes it is often very easy to get caught up in the whirlwind of enthusiasm for the new technology and the promised benefits of new ways of working.
Nearly 2 years ago I wrote a post on this blog about the adoption of US style internet campaigning and the use of Web2.0 in Irish politics from an information quality perspective. The scorecard wasn’t good from a data quality perspective. The strategy seemed to be “If Obama can get elected using this Internet thingy, then we need to copy what he did”. No attention seemed to have been paid to the simple fact that a “cut and paste” adoption of a pre-canned solution from elsewhere would not necessarily work.
2 years on I would have thought that some lessons might have been learned. So when Fine Gael announced they’d “stood down” their finegael.ie website in favour of a more interactive presence in the run up to the election I thought I’d take a quick look. While the Information Quality issues with the form were not too bad, the structure and operation of the site raise a number of concerns from a Data Protection perspective.
Bluntly â€“ when a US election solution provider rolls up in Europe they will find that they literally ain’t in Kansas anymore, particularly with regards to what you must and must not do with regards to the capture and processing of personal data. Political parties buying these services need to be aware that they are Data Controllers and that the solution providers are Data Processors in the context of the Data Protection Acts 1988 and 2003.
Failure to set the “tone at the top” and cascade it through the organisation means that often the important questions are not asked (or the answers are ignored).
Ultimately, in a Data Protection context, you are dealing with issues that can impact on your brand. If you are positioning yourself as being a political party that will “get tough” with vested interests through more effective regulation and enforcement you can’t really start the ball rolling by flouting basic principles of Data Protection law.
Indeed, back as far as 2004 the Data Protection Commissioner wrote:
It is important that public representatives and candidates for elective office realise the importance of their obligations under the Acts and that, in so far as responding to legitimate investigations from statutory office holders is concerned, in no sense should they consider themselves above the Law
In 2009’s annual report the Commissioner also wrote that:
Rapidly changing technology can be both a threat to this right and the means of protecting it. Building data protection safeguards into new technologies and applications of these technologies remains the best approach. This is as much true of data processing in the “cloud” as it is of a routine development of an IT application in an organisation.
Soâ€¦ the issues?
Obscured by Clouds (Personal Data and Cross Border Transfer)
This site appears to be a reskinning of a solution provided by Electionmall.com, a US-based provider of “on demand” web-based campaign tools. So, FG have embraced the Cloud. However, as I’ve repeatedly said through 2010, and as the Irish Data Protection Commissioner also clarified at a number of events in 2010, there are certain due diligence steps that Data Controllers (and FG is a Data Controller) need to perform before embracing cloud.
- Is there a contract? The Data Protection Acts require any processing being undertaken by a Data Processor to be done so on foot of a written contract. Given that Enda Kenny famously took out a contract for Ireland in the 2007 General Election, one must assume that there is a clear contract that gives FG assurances re: technical and organisational measures re: security and Data Protection compliance in EMT. This is an issue for any organisation that is outsourcing the processing of personal data to a “Cloud” provider. Where the Data Processor in turn has hosting services provided by another 3rd party, that “chain of contracts” can become important if there is a loss of personal data or an unauthorised disclosure.
Over on my company site I have a tutorial on Data Protection in Cloud Computing.
Fair Use/Fair Obtaining
S2 of the Data Protection Acts deals with the whole area of fair obtaining and fair use of personal data, including Sensitive Personal Data. There is a requirement for websites which are capturing personal data (and which fall within the remit of the Acts) to have a Privacy Statement. The Commissioner is quite clear about this. If data has not been obtained fairly it cannot be processed. I’ve looked all over finegael2011.com and cannot find a link to any Privacy Statement. (Unfortunately this is all too true for a number of other commercial and political websites from Ireland that I’ve looked at recently). The Commissioner provides some basic guidelines as to what should be in a Privacy Statement, including the need to take cross border data transfers into account when including information in the Privacy Statement and the importance of having contracts with Data Processors.
Ultimately, the test of a Privacy Statement is whether something happens with personal data provided which a reasonable person reading the statement wouldn’t have expected to happen. For example, if you have to provide an email address to make a comment on a site but you find you’ve been added to a mailing list as a result then that would need to have been made clear in the Privacy Statement.
Likewise, if your personal data is being transferred outside of the EU to a Data Processor then that too would have to be made clear in the Privacy Statement, along with the grounds on which that transfer was legitimate (e.g. the Data Processor is Safe Harbor registered).
While political parties, politicians, and candidates for elected office enjoy certain exemptions under the Data Protection Acts they do not have immunity from the Acts. This case study from the Data Protection Commissioner’s website outlines the nature of those exemptions quite well. The exemptions extend to the processing of and disclosure of data, in particular Sensitive personal data (which includes statements of political opinion or belief). A key element of these exemptions in the context of an Election campaign would be S2B(1)(ix) which allows sensitive personal data to be processed by political parties without consent “in the course of electoral activities for the purpose of compiling data on people’s political opinions”.
They do not absolve politicians and political parties from the need to comply with the rest of their duties as Data Controllers under the Acts.
“Privacy by Design” is becoming the mantra of Data Protection enforcement world wide. Simply cutting and pasting a solution from another jurisdiction into an Irish or EU context invites breaches of legislation and failures of the required governance and controls. This is not just a technology issue.
Given that politicians are asking us to trust them, they should ensure that they take the necessary steps to earn that trust. Just like any other organisation embracing new technologies, they must ensure that the necessary due diligence and governance structures are in place to ensure that they are acting in compliance with long established legislation. If they are promoting a “tough on regulation” policy platform, then they must lead with a clear “tone from the top” of Compliance and good Governance.
In short they must Lead.