Qui Custodiet CAI?

The CAI (@the_cai on twitter), not to be confused with that famous venture capital firm based in Langley Virginia, the CIA, has today announced that it wants people who have been affected by the Ulster Bank IT outage in recent weeks to provide personal data to them for the purposes of starting a Class Action suit (http://thecai.ie/media-news/the-consumers-association-of-ireland-cai-ub-%E2%80%98class-action%E2%80%99-initiative/). Or Initiative. It’s not entirely clear which, for reasons to follow.

Jebus.. where do I start on this one?

  1. I have the legal standing of a Matlock script (4 yrs UCD Law as a BBLSer but never qualified professionally) and even I know that there is NO SUCH THING AS A CLASS ACTION SUIT IN IRISH LAW. So to claim that you are going to initiate such a thing is false and misleading advertising. So the CAI has stated it is a process to gather information to provide to the Dept of Finance and the Central Bank for the purposes of calculating the losses and impacts suffered.
  2. Should this campaign ever appear in print or media adverts as a “class action” I will be lodging a complaint with the Advertising Standards Authority on the basis that any such advert would be misleading as to a significant matter of fact
  3. Journalists covering the story should pay attention to the Press Council code of practice on accuracy in reporting – do not report as being something that is about to happen something that CANNOT EVER HAPPEN. Talk to a lawyer about this and get a quote from one. Simon over in McGarr Solicitors is a good one, and Fergal Crehan BL is a frequent media commentator on legal issues whose surname is not McDermott.
  4. I think the use of the phrase “Class Action” in this context is just dumb as the average consumer doesn’t know that there is no such thing as a Class Action in Irish law, given that their legal training and skills are derived from reruns of LA Law and Boston Legal, and perhaps a few episodes of the Good Wife. Therefore I would suggest that the CAI needs to be very careful how they set and manage expectations here.

Right, now that that bit is out of the way, it is worth considering the implications of what the CAI is proposing to do here.

  • Obtain Personal Data and potentially Personal Financial Data from individuals
  • For the stated purpose of doing
  • A thing that can not be done without a legislative change that has been long fingered… well, since I was a doe-eyed undergrad in UCD Law to be honest, unless the thing that is being done is just to forward the information on to the Central Bank and Dept of Finance.

But the DPC is very clear that the expectation of the customer is important here – they should not be ‘surprised’ by the processing of their data. And what exactly will be presented to Government? Raw data or aggregated data? The former creates risk of ‘scope creep’ if data is left with Government and finds its way into other processes.

I’ve put the words “Personal Data” and “Personal Financial Data” in Capitals because they are important Words of Power (to steal a term from Frank Herbert’s Dune saga, a story that has more chance of happening than the ‘Class Action’ the CAI is discussing).

Personal Data is protected under the Data Protection Acts. It must be obtained for a specified and lawful purpose, be adequate and not excessive for the stated purpose, and it needs to be disposed of once that purpose has expired. And while you have it you have to keep it safe and secure.

Personal Financial Data is a term that entered Irish Data Protection practice in July 2010 with the introduction of the Data Security Breach Code of Practice (which I was involved in consultation submissions on). Basically it is a surname and an account number, or an account number or data from which a surname could reasonably be inferred.

Personal Financial Data needs to be kept safe and secure as well. And if there is even the suspicion that it has been lost, stolen, misplaced, accessed without authority, or otherwise tampered with, the Data Controller (in this case the CAI) has a very clear duty to notify the Data Protection Commissioner and the affected Data Subjects. It too must be obtained lawfully and fairly by the Data Controller.

So, let’s run the rule over this shall we:

  • There is a specified purpose.
  • It is not one that can be achieved in law… (Oh… there’s a problem, if people think they’re entering a process to have their day in Court).
  • The purpose for which it is being obtained cannot come into being (if it is a “Class Action” as described), therefore the data should not be retained. (OK.. fill out a form, press send, clear form, don’t send any data).
  • Given that the stated purpose cannot actually be achieved (see my earlier point about Class Actions in Irish Law) then, by definition, any data obtained for that purpose is excessive and should not be captured or retained.

So, in short…

IN OPERATING A PROCESS TO OBTAIN AND RETAIN PERSONAL DATA AND PERSONAL FINANCIAL DATA FOR THE PURPOSES OF A CLASS ACTION WHICH CAN NEVER TAKE PLACE UNDER THE CURRENT LEGAL SYSTEM IN IRELAND CAI ARE ALMOST CERTAINLY ACTING IN BREACH OF THE DATA PROTECTION ACTS.

Of course, we are in the wonderful world of branding and sound-bites and the phrase “Class Action” will doubtless wind its way into UB Headquarters where it will be bounced around meeting rooms like a tribble at a Star Trek convention (I used to freak out when people mis-used the term “Duty of Care” and talked about “Precedence” when they meant “Precedents”, all without a fricking clue what the terms ACTUALLY meant in a Legal & Regulatory context – but a man on Matlock kept saying them so they must be WORDS OF POWER they told me).

This may spark some more serious introspection about the issues involved in the Bank but won’t actually get inside a Court, which could be a problem for CAI if people submitting information to them believe that a mass litigation is the end game with money at the end of the rainbow.

So, CAI need to be a little more up-front and explicit about the SPECIFIC PURPOSE for the data they are processing. The branding isn’t helping that and could trigger problems under the Data Protection Acts. Also, they need to be clear about WHAT data is being presented to the Government and the Central Bank. And they need to be clear about what will happen to it once the Government and Central Bank have been briefed. And then they need to be clear about when it will be deleted. Also they need to be darned sure that the channel people use to submit that data is secure (hint: email is not PCI-DSS compliant).

Yes.. lobby and campaign and organise on behalf of consumers. But in doing so don’t get so caught up in the branding, image, and soundbites of what you are doing that you forget about the rights of the, well… ummmm…, CONSUMER.

(There is a way they can go about this without any of the problems outlined above but it will mean

  • Changing their branding and eating humble pie about the whole thing
  • Hiring me to be VERY VERY CLEVER on their behalf with some Smart Monkey Consulting™

Heck, if they want to have an independent Data Quality review of the end to end processes and impacts I am a qualified Information Quality practitioner with years of experience and two books under my belt. (Hint… the key to it all is process and information flows).