Itâ€™s time for my annual â€œroll a data protection hand grenade under somethingâ€ blog post. Every year I try to be topical. And I try to apply a similar approach to spotting risks and getting them on the table for discussion as I do when conducting Privacy Impact Assessments or Compliance reviews. Only Iâ€™m less formal here.
This year my interest has been piqued by the new Household Charge which the government has introduced. Citizens are required to register for this tax at a specific website which is ostensibly (from the logo header) under the control of the Department of Environment Community and Local Government.
But a number of things about this whole process wrankle with me from a Data Protection point of view. Let me be clear â€“ I am not opposed per se to a property tax. I think however it should be fair and should reflect not just the value of property but the ability of the individual to pay. After all, in Ireland we have a generation of people living in properties that are worth a lot less than they were when purchased with people struggling to pay mortgages â€“ increased charges are yet another burden that should be levied carefully.
Looking at the website the first step is to check for compliance with SI336 (ePrivacy Directive) which requires that cookies can only be used with consent unless the cookies are necessary for the delivery of the information age service that the individual is seeking to avail of. Using the â€œView Cookiesâ€ add on in Firefox it is possible to see a listing of the cookies that a website is writing to your device.
On the home page a set of cookies starting with â€œ_utmâ€ are being written. These are tracking cookies written by Google Analytics, the popular analytics tool used by millions of websites the world over.
The emphasis in bold is mine. What Google requires is for people using GA to put in place a Privacy Statement but that that Privacy statement needs to clearly detail the use of Google Analytics, the fact of data transfer to the US, the purposes to which the data will be used etc.
The Privacy Statement on HouseholdCharges.ie does not do this.
Because the Privacy Statement on HouseholdCharges.ie doesnâ€™t do this I would argue that, even on the first visit to the site, before you type anything, the site is operating in breach of SI336 as there is no means by which a user would be able to find information about the cookies that are being written and provide consent other than by blocking cookies entirely using their browser.
This is despite the admittedly very clever use of URL redirection as an alternative path for people to navigate the site if they have turned cookies off in their browsers. But the wording around this in the Privacy statement ignores that the site actually writes third party persistent cookies from Google, and Google requires them to tell you that (as well as SI336).
Privacy Statement â€“ Fit for Use?
Another concern I would have is with the loose wording and phrasing in the Privacy statement. The Data Protection Commissionerâ€™s Audit report on Facebook cautioned strongly against the use of open-ended consents and non-specific specific purposes. Yet here we see clear examples of this within this Privacy Statement.
Well, actually we donâ€™t. There is no statement about the purposes for which the data is actually being processed. And thatâ€™s just the beginning of it.
IP or Not to IP, that is the question.
The Privacy statement proclaims that for â€œgeneral web browsingâ€ they may capture the â€œlogical addressâ€ of the server you connect to the site from. Unless I am horridly mistaken that is the IP address. And that would be the IP address assigned to your broadband connection. Which is Personal Data, as eircom have recently found out. And there is no â€˜mayâ€™ about it. The data is captured by Google Analytics (see above) and any other stats tools the Department might have.
So. Personal data is being processed even if you are just browsing. Privacy statement is misleading in this regard and should be clarified.
Whoâ€™s the Daddy.. I mean Data Controller?
Frankly this thing is a mess. There is a horrendous lack of clarity about who is http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdfactually governing the processing of the data. Is it the Department (as it appears from the top right hand corner of the website)? Is it the LGMA (the collective IT department for most Local Authorities)? Is it the Local Authorities (as was set out in the legislation)?
Or to put it another wayâ€¦ who would the Data Protection Commissioner expect to get a call from if there was a security breach relating to this data?
If the Department is defining the format and structure and purpose of the data, they are the Data Controller as per the Article 29 Working Group Opinion1/2010.
Local Authorities collecting revenues on behalf of the Department would be Data Processors. The LGMA, as an entity acting to provide support services to Local Authorities would be a Data Processor (albeit further down the chain of processors).
What contractual or similar arrangements are in place governing this processing? Is there a clear governance structure established to ensure that breaches or problems are identified and dealt with in a timely manner?
What Iâ€™d have expected to see would be something along these lines:
This Household Charge is being administered by the Department of the Environment (the Data Controller). It is being collected on behalf of the Department by Local Authorities (Data Processors). As part of the support functions they provide to Local Authorities the Local Government Management Agency is providing hosting and technical support services for this collection facility, also as a Data Processor. REALEX payments are providing a secure payment processing facility that is certified to ISO27001 and meets the PCI-DSS security standards for credit card security.
Funds will be dispersed from the Department to each Local Authority as part of their budgetary allocations during the year.
Itâ€™s a bit clearer who is doing what. But the question is whether that actually matches what the enabling legislation for this charge actually said.
Donâ€™t tell me the what, show me the why?
The Privacy Statement tells me that
Data collected on this site is gathered for the purpose of processing household charge payment transactions. This data may be reused in future years for notifications regarding liability for household charge properties.
So the purposes for which the data is being processed are:
- Processing a payment for the charge this year.
- Sending a bill to me for the charge next year.
No other purpose (statistical, strategic, or operational) is put forward for the processing of the information which is requested by the site.
What information is required to send me a bill?
- My name
- My postal address
- My email address (should be optional if I donâ€™t want to rely on electronic billing)
Which begs the question: Why is my PPSN number being requested given the particularly protected status of the PPSN in Irish law, a position I know from aÂ client engagement last year that the DPC takes VERY seriously indeed.
Quite apart from the limited scope that exists under Irish law to actually ask for and process a PPSN (which affects the â€œlawful purposeâ€ of processing, the simple question under the Data Protection rules is whether, given that it is not necessary to have my PPSN to process a payment and send me a bill next year, why is this information being asked for.
If there is a secondary purpose (such as the development of a Property register which can be used as the basis of a valuation system in subsequent years) this should be stated as a specific secondary purpose in the Privacy statement.
If Facebook is not permitted to be sneaky with Scope Creep in their Privacy Statements, the Government should be be either.
Iâ€™ll post more on this as I get time to poke around a bit more.
19 thoughts on “Household Charge–A Data Protection kerfuffle in the making?”
Pingback: The Household Charge Website And Data Protection | Broadsheet.ie
I hope you dont mind. I circulated this post to broadsheet.ie and journal.ie to inform people.
They may decide to choose alternative methods when intending to pay the charge.
From speaking to online contacts , I believe the data commissioner is already in receipt of complaints of the household charge site surrounding the data protection issues.
Thanks for circulating the post, which I must stress is made on a personal blog in a personal capacity.
People are more than entitled to choose different ways to pay. I know I will. Once the question about why they require my PPS Number is resolved.
Interesting to hear that there are already complaints to the DPC.
Pingback: The household charge website in breach of data protection laws
One thing however, anyone running a website with any sensitive information would be mental NOT to maintain a log of IP addresses. (The CAO found out why a few years back.)
An IP log is useless unless an idiot discovers SQL injection. 😛
I agree – logs containing IP addresses have a valuable role to play in computer forensics etc. But uses like that can be flagged in a Privacy Statement with text like
“We keep logs of activity on this site for a [insert period here] to assist in root cause analysis of problems with the site, tracking malicious activity on the site, and assisting authorities with investigation of illegal activities affecting or relating to our hosting or our website”.
Purpose stated, period stated, no problem logging the data.
Missing /body found. Mediocrity suspected. http://validator.w3.org/check?uri=http%3A%2F%2Fwww.householdcharge.ie%2FDefault.aspx&charset=%28detect+automatically%29&doctype=Inline&group=0&verbose=1&user-agent=W3C_Validator%2F1.2
Thanks, Daragh, for that useful analusis.
From my experience, the DP defects are probably due to ignorance of the legal requirements and to arrogance (“it doesn’t apply to us”). Cock-up rather than conspiracy — but it doesn’t mean the information will not be used for future nefarious purposes. “Just because you’re paranoid doesn’t mean they’re not out to get you!”
I agree with you. It smacks of a race to obtain data without first stopping and thinking the process and associated Privacy risks through and ensuring that adequate controls and communication were put in place.
“Just because you can, doesn’t mean you should” is another mantra that would apply here.
Also I think it is potentially a problem of underresourced/overstretched staff who have Data Protection as a line item responsibility in their brief but have not received any appropriate training or supports to enable them to do that job properly (it is difficult to run it as a ‘part-time’ job and to do it effectively requires a broader skillset than just a familiarity with the 8 Principles).
Excellent work, this is a very informative article and it does beg the question as to why the site is collecting so much information which is not protected?
I sent this to my local TDs this morning,. you should do the same.
Why did this tax require yet another quango established to collect it? unbelieveable!
Household Charge Project Board, who are the members, how much does it cost to run?
Please address these questions to your local TD:
1. Who are the members of the Household Charge Project Board and what is their renumeration?
2. What is their Annual Budget
3. How were these people appointed? Was it by open competition as promised by the Government?
4. Does Ms Jackie Maguire remain on the board of the Housing Finance Agency?
6. What is her renumeration for this position?
7. Does Ms Jackie Maguire remain on the board of The Western Development Commission ?
8. What is her renumeration for this position?
9. Does Ms Jackie Maguire remain as designated manager of the Border Regional Authority?
10. What is her renumeration for this position?
11. Does Ms Jackie Maguire remain as council member of Comhar?
12. What is her renumeration for this position?
Superb article , very informative. Quick question…
Can the government prosecute “out of state” property owners for not paying??
So in essence, are they exempt…?
Excellent article Daragh!
The whole approach to the household charge is terrible in my opinion. I don’t know how they expect people to automatically know that they can actually pay it online.
I suspect there being a lot of none payers simply down to lack of education.
I too would like an alternative way of paying – but is there one?
If it is okay with you, I have hyperlinked this webpage to a discussion on Ask about money .com where it seems people are running away with them selves to pay this online as quick as possible without waiting for the proper controls to be checked and put in place.
Totally agree with you about the amount of information, cookies being requested. Why on earth is a PPS number is required..
Many thanks for your wonderfully written and researched article.
The legislation authorizes the Revenue Commissioners to require the provision of PPSNs – but only where it is reasonably required to discharge their functions under the legislation. There is no discernable reason that I can think of why the provision of my PPSN could be required for the purposes of collecting a property tax whose liability attached to the property and not the person of its owner or occupier.
In the meantime, I will be paying my â‚¬100 by cheque to Household Charge, P.O. Box 12168, Dublin 1. I will not be enclosing my PPSN or telephone number. I will be providing the address of my residence and a demand for a receipt for my payment.
I will let you know how I got on.
Perhaps I will have a rendevous with the Revenue Commissioners in the High Court. Should be fun.
Thanks for the comment. Keep me posted on how you get on.
To be utterly pedantic, all that’s required is the address & the dosh – even a name is superfluous. The receipt can be sent to “The Owner” who is, after all, the one responsible for the payment. The PPSN requirement seems either silly or ominous, especially when the house may be in joint ownership,or where the owner has no Irish PPSN.
The bottom line appears to be that the entire project, like selling Dublin bin collection to Greyhound, was appallingly badly planned, executed & managed. And on that latter topic, what personal information was given by Dublin City Council to a non-Irish firm (Greyhound) whose HQ is in the Isle of Man, and who may not be subject to Irish data protection legislation.
I did two things. I sent a cheque with a covering letter to the PO Box – we’ll see what happens.
And I asked the Household Charge people why they needed the PPSN. Here are 3 lines from the answer:
We need a PPSN so we can identify you on our system as there are many properties in Ireland with the same address so we need to be able to individualise each property that is being paid.
It does not matter which PPSN you put down if there are multiple owners of the property.
A PPSN is mandatory except for foreign nationals who own an Irish property.
I’ve passed the comments on to the Data Protection Commissioner – it’s clearly a rather non-standard use of the PPSN. We’ll see what he says.
The security questions on the household charge website are woefully poor.
They questions they ask are easily guessable, could be looked up and are used so often they could be phished using a fake website. Because of this gaining access to large numbers of peoples accounts could be trivial. I wrote about the issue here
Comments are closed.