Fine Gael’s website: some thoughts
It looks like there’s been some rework done on the FG website to address Data Protection concerns.
This good and is to be commended. It is also in line with how the Data Protection Commissioner works with organisations who have compliance issues. However, issues did exist prior to yesterday which will continue to present challenges to FG regarding their compliance with the Data Protection Acts.
Here’s a screen shot I took yesterday
It is a bit small to read in the image, but the tick boxes on the site (after you submit your personal data) have the following text beside them:
- I agree to receive campaign messages on my mobile telephone
- I agree to share my comments on the website.
So, if you posted a comment prior to yesterday, the only communication you could provide any consent to was an SMS. If you found you had been added to a mailing list the data had not been fairly obtained (you didn’t know you were going to be getting emails) and any processing of your personal data to send you an email is technically a breach of S.2 of the Data Protection Acts.
Given that a number of people apparently complained to the Data Protection Commissioner about getting unsolicited emails when they had posted comments the website is changed as of this morning with a very subtle edit to the wording of the text next to the first tick box…
I agree to receive campaign messages from Fine Gael.
… is what your choice is now when you post your comment. That is a broader statement that does now permit FG to email you (and potentially SMS you as well) with their campaign messages if you don’t ensure that you uncheck the box. Please note that this is an OPT OUT of their mailing list, not an OPT IN.
So, one compliance issue addressed. Of course, that leaves the question as to what they will do with the emails they captured prior to yesterday which cannot be used as it is unclear if the person has opted in or out of the use of their email address for campaign mailings. This is one of those areas where Data Protection and Information Quality overlap – where the meaning of a flag in the database changes at a point in time and the interpretation of that flag can have significant regulatory and compliance impacts.
I encountered this when running data migrations in a telco many years ago. The billing system had a flag “Junk Mail”, which allowed a “Yes” or a “No”. The problem was that there was no agreement on whether “Junk Mail =Y” meant people wanted junk mail or “Junk Mail = N” meant people wanted junk mail – the meaning of the value had been lost in the mist of time and the absence of formal documentation about the processes.
Suggestion: FG should use the date stamp (that they hopefully have) in their database to exclude any email address created on their database prior to January 8th from any email messages… just to be on the safe side. And as they don’t have a use for that data (they can’t email people) they would be required under the Data Protection Acts to get rid of it they can’t hold data for longer than they have a legitimate purpose for it.
The Privacy Statement
I’ve written a few times over on the company site about the need for Privacy Statements to actually reflect the reality of what is happening with personal data that you are obtaining and the balance that needs to be struck by Data Controllers.
FG finally got around to putting up a Privacy Statement on their website late in the day yesterday (check the image above… its’ not there in the morning when I took the screen grab). They copied the privacy statement from their old website, which was accessible yesterday (along with all their policies etc.) at http://finegael.org but appears to have gone away as the screenshot from today below shows. Perhaps their web sites have moved (for security reasons, as FG say in today’s Irish Times).
While they have a link and can tick the box about having a Privacy Statement, in my personal view they get 10 out 10 for effort, but fail the test of whether that Privacy Statement actually reflects what they are doing in reality.
The first test is failed in the very first paragraph which says that
Visitors can use most of the site without being personally identified by Fine Gael.
OK. If by “Use” you mean “Sit and Read” then that is a correct statement. But if you want to engage with any of the primary functions of the site (like having your voice heard, telling them your opinions and complaints, all the good and wholesome stuff that Enda is inviting us to do) then you HAVE to provide them with personally identifying information. And in some cases that information can end up being quite granular. For example, if I was to put in my name and village I live in I would be uniquely identifiable as I’m the only person of that name in that village.
The fact that the Privacy Statement doesn’t address many of the specific points that the Data Protection Commissioner and the legislation actually require to be addressed in a Privacy Statement is another key issue.
Given that FG have moved to new servers, with a website with new functionality and new purposes for personal data at the very least they should have reviewed their Privacy Statement to make sure it is still valid.
Indeed, that type of regular review is a recommendation of the Data Protection Commissioner and is a requirement of the BS10012:2009 standard for Personal Information Management Systems.
Suggestion: FG should review their Privacy Statement to make sure it actually matches what is actually going on. This should form part of their regular and on-going governance of data to ensure compliance.
Fine Gael seem to have made significant efforts in the past day or so to address a problem that earlier in the week they didn’t want to engage with. Indeed, up to yesterday morning they were telling TheJournal.ie that they “weren’t interested“. In that context, the steps that they have taken are a laudable effort.
But if they had actually taken the time to plan and build their Data Protection obligations into their new processes and website and ensure that they were demonstrably in compliance with the legislation before launching their site then this story would never have existed for anyone to be interested in at all!
The lesson that needs to be learned from the Fine Gael experience is that it is always far better to design privacy and data protection concerns into systems and processes rather than having to inspect out defects and errors. Just like with any quality process, if you don’t design quality in you will inevitably find yourself having to fire-fight issues in crisis mode, which means that you will almost always miss something else.
Privacy by Design is a key concept in Data Protection circles. The fact that the Data Protection Acts create a Duty of Care, then care should be taken when embarking on the processing of personal data to ensure that you understand that Duty of Care and how to meet the associated Standard of Care.
Not do so means you risk regulatory penalties, litigation (where there is damage suffered as a result of the breach of the Data Protection rules), and damage to your brand and commercial reputation. Regulatory penalties can be paid, court cases can be settled, but the media coverage and comment on your brand, particularly in the age of Twitter, blogging and Google will have a half-life all of its own.
A lawyer friend of mine often tells people:
There’s only one thing worse than being sued and losing, and that’s being sued and winning. Because no one will remember that you won! It’s always better to avoid being sued in the first place.