Earlier this week the Data Protection Commissioner bemoaned the lack of attention to detail and the poor culture of Data Protection compliance practices in the Irish Public Service.
He was right to do so. My experience as both a service user and as a consultant has been that there are excellent people making excellent efforts to swim against a tide of indifference and short-cutting that results in breaches of legislation and puts personal data of citizens at risk.
In a “brain fart” moment yesterday I googled the words “Election”, “Training” and “Ireland” by accident. It brought back a website called ElectionTrainingIreland.ie. This website announces itself to be the “Official Presiding Officer Online Training “. Apparently Presiding Officers in this year’s Local and European Elections are required to complete this training, which I understand consists of a series of videos. It’s actually a rather good idea.
However it has been badly implemented from a Data Protection perspective.
- It requires a PPS Number to login. This is not a permitted use of the PPS Number. For a start, ElectionTrainingIreland is not registered as a Registered User of the PPSN under the 2005 Social Welfare Consolidation Act.
- Using PPS Numbers as a login is not good information security practice.
- As I understand it, Presiding Officers receive a letter that contains their PPS Number and a password for this site – which suggests that passwords are stored somewhere in an unencrypted freetext format (again BAD Information Security practice)
- There is no information about who Election Training Ireland are. They are NOT an official state body or division of the Department of the Environment. There is no privacy statement on the website that explains the purposes of processing of data, the retention of data, or (for that matter) where Election Training Ireland got the PPSN that they are using in the background to verify your identity.
- The website, which asks you to key in your PPS Number, does not have a valid SSL certificate. There is no encrypted transfer of information. Given the value of the PPS Number, that’s simply not good enough from a Data Protection point of view.
Looking at the process from the outside, armed only with nearly two decades of experience in designing and reviewing information management processes for regulatory compliance, I suspect that this might be the underlying process:
- A list of all people who registered to be Presiding officers was provided to Election Training Ireland. This list included PPS Numbers, names, and home addresses. [Issue #1 below]
- This list was used to create a database of Presiding Officers which in turn was used to create a list of user logins for the website. These user logins used PPSN as the user id [issue #2 below]
- This list was used to generate a mailmerge to each Presiding Officer at the address provided by them for contact (which is almost inevitably a home address) which contained their password [Issue #3 below]
- The website is not encrypted. [Issue #4 below]
- This list was provided to and processed by Election Training Ireland, who are an external contractor working (one assumes) for the Department of the Environment [See: “Who are ETI?” below]
Issue #1: Transfer of data about candidate Presiding Officers
Data constituting a significant portion of what is defined in the 2005 Social Welfare Consolidation Act as the “Public Service Identity” has been transferred to a 3rd party by local authorities and/or the Dept of Environment. What was the lawful basis for this transfer? Was there a statutory basis (which is the DPC’s favoured basis for data transfers in the Public Sector)? What was the protocols regarding security of transfer, retention, security of storage, restrictions on use etc? Is there a Data Processor contract in place (if there is it will be a doozy IMHO because of questions under “Who is ETI” below)?
As ETI is not registered as a User of the PPSN with the Department of Social Protection, issues potentially arise with the legality of transfer here. And even assuming that ETI has a valid contract etc. with either EVERY local authority or the Dept of Environment, the PPS numbers would have been obtained originally from Presiding Officers for the purposes of processing their payments and making appropriate deductions for taxation and PRSI etc. Not for using them as a unique identifier in a system hosted by a 3rd party.
Issue #2: Creation of lists and user logins
As mentioned above, the creation of a central database of presiding officers and the use of their PPS Number as an identifier in that database constitutes a new purpose within the context of the Data Protection Acts. Using PPS Number as a login is just dumb (a proxy could easily have been created). This database has PPS Numbers, names, and addresses of Presiding Officers. Where is it being stored? Under what security protocols? Who has access to it? How long will it be retained for? (Please don’t let them have saved it to Google Docs, otherwise I’ll have to get cross).
Issue #3 Mail merge and posting out passwords
Passwords are stored in plaintext if they could be mailed out in a mail merge. Being able to do a mail merge means that who ever sent the letters to Presiding Officers has their PPS Number, name, and addresss. That’s a heck of a lot of personal data. And if they are not thinking of the implications of storing passwords in an encrypted for and not sending them out in unsecured plain text, what’s the level of confidence in back-end security and security of related data transfers?
Issue #4 No SSL on the site
Using PPSN as a login is not great. Doing it in a way that could result in the data being intercepted by anyone minded to do so compounds the issue. Some might say it’s overkill for “just a login”, but the PPS Number is a significant identifier for people using public services in Ireland.
Who are ETI?
The site is not owned or operated by any Local Authority or Government Department. It is owned and operated by a partnership of three people based in Co. Meath. It took me 90 seconds to find that information on the CRO website, a basic due diligence test. If they are a partnership, each individual member of that partnership is a Data Processor acting on behalf of the Data Controller that engaged them (which might wind up being EVERY local authority or the Dept of the Environment – that is still unclear to me). There is nothing on the website identifying that the holder of the data doing this processing is not a government body.
So a private sector organization has been given a chunk of the Public Service identifier for a defined population of people, has implemented a solution that is arguably illegal in its design and is certainly not good information security practice. There is a questionable lawful basis for the transfer of data to this 3rd party. (I haven’t looked for the tender for this training solution, I’m assuming it went to tender and there was some specification of information security and data protection standards in that document. But I’ve got a day job to do).
What could be done better/differently?
Lots of stuff.
- Use a proxy identifier. If the data controller holding the PPSN had created a proxy identifier (an alphanumeric string that was NOT the PPSN) and provided that to ETI to use as a login the PPSN issue would not arise.
- Ensure proper contracts in place with the data processor
- Use SSL by default.
- Use an encrypted (salted and hashed) password that could be generated from a link that a user could follow that would bring them to a page where they set their own password, rather than having a plaintext password sent in the post.
- Improve transparency and communication about who the actors are in the process and their role.
That’ just my first four. Depending on the detail of the processes etc. there could be a LOT more. But none of them would cost a heck of lot of money and would result in a more compliant and less insecure processing of personal data.