Household Charge–A Data Protection kerfuffle in the making?

It’s time for my annual “roll a data protection hand grenade under something” blog post. Every year I try to be topical. And I try to apply a similar approach to spotting risks and getting them on the table for discussion as I do when conducting Privacy Impact Assessments or Compliance reviews. Only I’m less formal here.

This year my interest has been piqued by the new Household Charge which the government has introduced. Citizens are required to register for this tax at a specific website which is ostensibly (from the logo header) under the control of the Department of Environment Community and Local Government.

But a number of things about this whole process rankle with me from a Data Protection point of view. Let me be clear – I am not opposed per se to a property tax. I think however it should be fair and should reflect not just the value of property but the ability of the individual to pay. After all, in Ireland we have a generation of people living in properties that are worth a lot less than they were when purchased, with people struggling to pay mortgages – increased charges are yet another burden that should be levied carefully.

The website

Cookies

Looking at the website the first step is to check for compliance with SI336 (ePrivacy Directive) which requires that cookies can only be used with consent unless the cookies are necessary for the delivery of the information age service that the individual is seeking to avail of. Using the “View Cookies” add on in Firefox it is possible to see a listing of the cookies that a website is writing to your device.

On the home page a set of cookies starting with “_utm” are being written. These are tracking cookies written by Google Analytics, the popular analytics tool used by millions of websites the world over.

No mention is made in the Privacy Statement that accompanies the website about their use of Google Analytics [Update: The privacy statement was updated this afternoon to include the text referenced below… well done to whoever acted on that to fix it]. This is a breach of the Terms of Use of Google Analytics, which clearly state:

8. PRIVACY

8.1 You will not associate (or permit any third party to associate) any data gathered from Your Website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will comply with all applicable data protection and privacy laws relating to Your use of the Service and the collection of information from visitors to Your websites. You will have in place in a prominent position on your Website (and will comply with) an appropriate privacy policy. You will also use reasonable endeavours to bring to the attention of website users a statement which in all material respects is as follows:

“This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.”

The emphasis in bold is mine. What Google requires is not just that people using GA put a Privacy Statement in place, but that the Privacy Statement clearly details the use of Google Analytics, the fact of data transfer to the US, the purposes for which the data will be used, etc.

The Privacy Statement on HouseholdCharges.ie does not do this.

Because the Privacy Statement on HouseholdCharges.ie doesn’t do this I would argue that, even on the first visit to the site, before you type anything, the site is operating in breach of SI336 as there is no means by which a user would be able to find information about the cookies that are being written and provide consent other than by blocking cookies entirely using their browser.

This is despite the admittedly very clever use of URL redirection as an alternative path for people to navigate the site if they have turned cookies off in their browsers. But the wording around this in the Privacy statement ignores that the site actually writes third party persistent cookies from Google, and both Google and SI336 require them to tell you that.
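
As an added illustration (not code from the original post or from the site), the check described in this section can be scripted: given the cookies a page wrote and the text of its privacy statement, list the Google Analytics cookies the statement does not disclose. The cookie list, dates, statement text and function names are constructed for the example, and treating every `_utm`/`__utm` cookie as non-essential analytics is an assumption.

```javascript
// Added example: cookie names, dates and statement text are constructed sample data.
// Assumption: any cookie named "_utm*" or "__utm*" is a Google Analytics cookie
// and is not strictly necessary for the service the visitor asked for.
const GA_NAME = /^__?utm/;
const DAY_MS = 24 * 60 * 60 * 1000;

// cookies: [{ name, expires }], expires = ISO date string, or null for a session cookie.
function auditCookies(cookies, statementText, now) {
  const mentionsGA = /google\s+analytics/i.test(statementText);
  return cookies.map((c) => {
    const persistent = c.expires !== null;
    const analytics = GA_NAME.test(c.name);
    return {
      name: c.name,
      persistent,
      lifetimeDays: persistent ? Math.round((Date.parse(c.expires) - now) / DAY_MS) : 0,
      analytics,
      // A text match only shows the statement names the tool; it does not prove consent.
      // null marks a non-analytics cookie that still needs a manual necessity review.
      disclosed: analytics ? mentionsGA : null,
    };
  });
}

// Names of analytics cookies written without any disclosure in the statement.
function undisclosedAnalytics(findings) {
  return findings.filter((f) => f.analytics && !f.disclosed).map((f) => f.name);
}

// Constructed sample: what a cookie viewer might list after loading a home page.
const NOW = Date.parse("2012-01-01T00:00:00Z");
const SAMPLE_COOKIES = [
  { name: "__utma", expires: "2014-01-01T00:00:00Z" },
  { name: "__utmz", expires: "2012-07-01T00:00:00Z" },
  { name: "__utmc", expires: null },
  { name: "JSESSIONID", expires: null },
];
const STATEMENT_BEFORE = "Session cookies are used to process your payment.";
const STATEMENT_AFTER = STATEMENT_BEFORE +
  " This website uses Google Analytics, a web analytics service provided by Google, Inc.";

for (const [label, text] of [["before", STATEMENT_BEFORE], ["after", STATEMENT_AFTER]]) {
  const findings = auditCookies(SAMPLE_COOKIES, text, NOW);
  console.log(label, "undisclosed analytics cookies:", undisclosedAnalytics(findings));
}
```

The session cookie in the sample comes back with `disclosed: null`, because whether it is necessary for the service is a judgement the script cannot make.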

Privacy Statement – Fit for Use?

Another concern I would have is with the loose wording and phrasing in the Privacy statement. The Data Protection Commissioner’s Audit report on Facebook cautioned strongly against the use of open-ended consents and non-specific purposes. Yet here we see clear examples of this within this Privacy Statement.

Well, actually we don’t. There is no statement about the purposes for which the data is actually being processed. And that’s just the beginning of it.

IP or Not to IP, that is the question.

The Privacy statement proclaims that for “general web browsing” they may capture the “logical address” of the server you connect to the site from. Unless I am horridly mistaken that is the IP address. And that would be the IP address assigned to your broadband connection. Which is Personal Data, as eircom have recently found out. And there is no ‘may’ about it. The data is captured by Google Analytics (see above) and any other stats tools the Department might have.

So. Personal data is being processed even if you are just browsing. The Privacy statement is misleading in this regard and should be clarified.

Who’s the Daddy.. I mean Data Controller?

Frankly this thing is a mess. There is a horrendous lack of clarity about who is actually governing the processing of the data. Is it the Department (as it appears from the top right hand corner of the website)? Is it the LGMA (the collective IT department for most Local Authorities)? Is it the Local Authorities (as was set out in the legislation)?

Or to put it another way… who would the Data Protection Commissioner expect to get a call from if there was a security breach relating to this data?

If the Department is defining the format and structure and purpose of the data, they are the Data Controller as per the Article 29 Working Group Opinion 1/2010 (http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdf).

Local Authorities collecting revenues on behalf of the Department would be Data Processors. The LGMA, as an entity acting to provide support services to Local Authorities would be a Data Processor (albeit further down the chain of processors).

What contractual or similar arrangements are in place governing this processing? Is there a clear governance structure established to ensure that breaches or problems are identified and dealt with in a timely manner?

What I’d have expected to see would be something along these lines:

This Household Charge is being administered by the Department of the Environment (the Data Controller). It is being collected on behalf of the Department by Local Authorities (Data Processors). As part of the support functions they provide to Local Authorities the Local Government Management Agency is providing hosting and technical support services for this collection facility, also as a Data Processor. REALEX payments are providing a secure payment processing facility that is certified to ISO27001 and meets the PCI-DSS security standards for credit card security.

Funds will be disbursed from the Department to each Local Authority as part of their budgetary allocations during the year.

It’s a bit clearer who is doing what. But the question is whether that actually matches what the enabling legislation for this charge actually said.

Don’t tell me the what, show me the why?

The Privacy Statement tells me that:

Data collected on this site is gathered for the purpose of processing household charge payment transactions. This data may be reused in future years for notifications regarding liability for household charge properties.

So the purposes for which the data is being processed are:

  1. Processing a payment for the charge this year.
  2. Sending a bill to me for the charge next year.

No other purpose (statistical, strategic, or operational) is put forward for the processing of the information which is requested by the site.

What information is required to send me a bill?

  • My name
  • My postal address
  • My email address (should be optional if I don’t want to rely on electronic billing)

Which begs the question: why is my PPSN number being requested, given the particularly protected status of the PPSN in Irish law? I know from a client engagement last year that the DPC takes that status VERY seriously indeed.

Quite apart from the limited scope that exists under Irish law to actually ask for and process a PPSN (which affects the “lawful purpose” of processing), the simple question under the Data Protection rules is this: given that it is not necessary to have my PPSN to process a payment and send me a bill next year, why is this information being asked for?

If there is a secondary purpose (such as the development of a Property register which can be used as the basis of a valuation system in subsequent years) this should be stated as a specific secondary purpose in the Privacy statement.

If Facebook is not permitted to be sneaky with Scope Creep in their Privacy Statements, the Government should not be either.

I’ll post more on this as I get time to poke around a bit more.

Comments

19 responses to “Household Charge–A Data Protection kerfuffle in the making?”

  2. Brian

    I hope you don't mind. I circulated this post to broadsheet.ie and journal.ie to inform people.

    They may decide to choose alternative methods when intending to pay the charge.

    From speaking to online contacts, I believe the data commissioner is already in receipt of complaints of the household charge site surrounding the data protection issues.

    1. Daragh

      Brian
      Thanks for circulating the post, which I must stress is made on a personal blog in a personal capacity.
      People are more than entitled to choose different ways to pay. I know I will. Once the question about why they require my PPS Number is resolved.
      Interesting to hear that there are already complaints to the DPC.

  4. Rory

    Brilliant article.

    One thing however, anyone running a website with any sensitive information would be mental NOT to maintain a log of IP addresses. (The CAO found out why a few years back.)

    An IP log is useless unless an idiot discovers SQL injection. 😛

    1. Daragh

      I agree – logs containing IP addresses have a valuable role to play in computer forensics etc. But uses like that can be flagged in a Privacy Statement with text like
      “We keep logs of activity on this site for a [insert period here] to assist in root cause analysis of problems with the site, tracking malicious activity on the site, and assisting authorities with investigation of illegal activities affecting or relating to our hosting or our website”.

      Purpose stated, period stated, no problem logging the data.

  5. John P

    Thanks, Daragh, for that useful analysis.

    From my experience, the DP defects are probably due to ignorance of the legal requirements and to arrogance (“it doesn’t apply to us”). Cock-up rather than conspiracy — but it doesn’t mean the information will not be used for future nefarious purposes. “Just because you’re paranoid doesn’t mean they’re not out to get you!”

    1. Daragh

      John

      I agree with you. It smacks of a race to obtain data without first stopping and thinking the process and associated Privacy risks through and ensuring that adequate controls and communication were put in place.
      “Just because you can, doesn’t mean you should” is another mantra that would apply here.
      Also I think it is potentially a problem of underresourced/overstretched staff who have Data Protection as a line item responsibility in their brief but have not received any appropriate training or supports to enable them to do that job properly (it is difficult to run it as a ‘part-time’ job and to do it effectively requires a broader skillset than just a familiarity with the 8 Principles).

  6. John

    Excellent work, this is a very informative article and it does beg the question as to why the site is collecting so much information which is not protected?

  7. ciaro

    I sent this to my local TDs this morning. You should do the same.

    Why did this tax require yet another quango established to collect it? Unbelievable!
    Household Charge Project Board, who are the members, how much does it cost to run?
    Please address these questions to your local TD:
    1. Who are the members of the Household Charge Project Board and what is their remuneration?
    2. What is their Annual Budget?
    3. How were these people appointed? Was it by open competition as promised by the Government?
    4. Does Ms Jackie Maguire remain on the board of the Housing Finance Agency?
    6. What is her remuneration for this position?
    7. Does Ms Jackie Maguire remain on the board of The Western Development Commission?
    8. What is her remuneration for this position?
    9. Does Ms Jackie Maguire remain as designated manager of the Border Regional Authority?
    10. What is her remuneration for this position?
    11. Does Ms Jackie Maguire remain as council member of Comhar?
    12. What is her remuneration for this position?

  8. Mark

    Superb article, very informative. Quick question…

    Can the government prosecute “out of state” property owners for not paying??
    So in essence, are they exempt…?

  9. Tom Doyle

    Excellent article Daragh!

    The whole approach to the household charge is terrible in my opinion. I don’t know how they expect people to automatically know that they can actually pay it online.

    I suspect there will be a lot of non-payers, simply down to lack of education.

    I too would like an alternative way of paying – but is there one?

  10. Fiskar

    If it is okay with you, I have hyperlinked this webpage to a discussion on Ask about money .com where it seems people are running away with themselves to pay this online as quick as possible without waiting for the proper controls to be checked and put in place.
    Totally agree with you about the amount of information, cookies being requested. Why on earth is a PPS number required?

  11. peter murray

    Many thanks for your wonderfully written and researched article.

    The legislation authorizes the Revenue Commissioners to require the provision of PPSNs – but only where it is reasonably required to discharge their functions under the legislation. There is no discernable reason that I can think of why the provision of my PPSN could be required for the purposes of collecting a property tax whose liability attached to the property and not the person of its owner or occupier.

    In the meantime, I will be paying my €100 by cheque to Household Charge, P.O. Box 12168, Dublin 1. I will not be enclosing my PPSN or telephone number. I will be providing the address of my residence and a demand for a receipt for my payment.

    I will let you know how I got on.

    Perhaps I will have a rendezvous with the Revenue Commissioners in the High Court. Should be fun.

    Peter

    1. Daragh

      Peter

      Thanks for the comment. Keep me posted on how you get on.

      Daragh

  12. Eoin C. Bairéad

    To be utterly pedantic, all that’s required is the address & the dosh – even a name is superfluous. The receipt can be sent to “The Owner” who is, after all, the one responsible for the payment. The PPSN requirement seems either silly or ominous, especially when the house may be in joint ownership, or where the owner has no Irish PPSN.

    The bottom line appears to be that the entire project, like selling Dublin bin collection to Greyhound, was appallingly badly planned, executed & managed. And on that latter topic, what personal information was given by Dublin City Council to a non-Irish firm (Greyhound) whose HQ is in the Isle of Man, and who may not be subject to Irish data protection legislation?

  13. Eoin C. Bairéad

    Hi

    I did two things. I sent a cheque with a covering letter to the PO Box – we’ll see what happens.

    And I asked the Household Charge people why they needed the PPSN. Here are 3 lines from the answer:

    We need a PPSN so we can identify you on our system as there are many properties in Ireland with the same address so we need to be able to individualise each property that is being paid.

    It does not matter which PPSN you put down if there are multiple owners of the property.

    A PPSN is mandatory except for foreign nationals who own an Irish property.

    I’ve passed the comments on to the Data Protection Commissioner – it’s clearly a rather non-standard use of the PPSN. We’ll see what he says.

    Eoin

  14. iamreddave

    The security questions on the household charge website are woefully poor.

    The questions they ask are easily guessable, could be looked up and are used so often they could be phished using a fake website. Because of this gaining access to large numbers of people's accounts could be trivial. I wrote about the issue here:
    http://liveatthewitchtrials.blogspot.com/2012/03/household-tax-security-question.html