Irish Water have published their Data Protection notice on their website. This document is a key element in any organisation’s data protection compliance. It is the way in which the organisation demonstrates “fair obtaining” of personal data and sets out the specific lawful purposes for which they are processing data. It is essential that these documents are as clear as possible, particularly for audiences who may have literacy difficulties. This is why I strongly recommend to clients that they do not let their legal team write these. Ultimately, data protection compliance is about ensuring you don’t have a surprised customer. It’s also about ensuring you establish and maintain a “Circle of Trust” about why you are asking for data and how you will process it.
In this post I’ll go through the Irish Water Data Protection notice and parse each paragraph and explain what it means and, where necessary, point you to the relevant legal justification for the processing that is taking place.
Irish Water Data Protection Notice
(sourced from https://www.water.ie/data-protection-notice/ 05/09/2014)
In order for Irish Water to provide the Customer with Water Services, it is necessary for Irish Water to collect and use data, including personal public service numbers, relating to the Customer. This data is used mainly to manage and administer the Customer account and for operational reasons, including for example, visits to the Premises, works required at the Premises and construction and maintenance activities. In addition, data relating to the Customer may be used for health and safety, administration, risk assessment, marketing and credit checking purposes. Irish Water may use the data relating to the Customer to carry out credit checks and for fraud prevention with licensed agencies including the Department of Social Protection and fraud prevention agencies. This data may be recorded by these organisations to prevent fraud, help make credit decisions about the Customer and for debt collection purposes. Irish Water may keep the Customer’s data for a reasonable period after the Customer ceases to be supplied with Water Services but will not keep it for any longer than is necessary and/or as required by law.
[comment: This paragraph basically says they are going to process data about you, including your PPSN. The problem arises here with their description of the purposes for which data is to be processed. It appears that they will be using your PPS number for things such as site visits and construction and maintenance activities. That strikes me as being irrelevant data and excessive for the purpose for which it is being put to use.
Data relating to “health and safety issues” might relate to a record of illnesses or medical conditions which might affect your need for uninterrupted water supply – the ESB has similar data processing for elderly customers or customers with medical equipment in the premises so they don’t cut people off from life as a consequence of cutting them off from the ‘leccy. This would probably be covered under the provision in the Data Protection Acts that allows processing where it is necessary to prevent injury or damage to the health of the data subject. A key word there is “necessary”.
Administration, risk assessment, marketing, and credit checking would be covered under the heading of processing that is in the legitimate interests of the Data Controller. Nothing too bad there. We need organisations to be able to move paper about people to run the show.
The credit checking purpose raises its head again later in this paragraph. Credit checking and fraud prevention are legitimate purposes; checking with the DSP is likely to be related to validation and verification of PPSNs and validation of any claim of receipt of a relevant Social Welfare payment. But this is unclear. The question of sharing with “fraud prevention agencies” is one that I would watch closely to be honest: does this mean sharing data with private investigators/tracing agents? If so, what controls will be applied to this? I would hope that Irish Water have learned the lessons of various Credit Unions regarding the oversight and control of such agencies?
“This data may be recorded by these agencies” is a worrying sequence of words. This suggests a transfer of data that will be retained by these agencies. There is nothing stated here regarding the retention period that will apply to this data. One possible interpretation is that all data of all customers will be handed to unknown tracing agents to hold on to for a vague “fraud prevention” objective that may not be related to Irish Water itself but may be utilized by other entities. I hope that is not the case. Also, why would these agencies need to retain data for “debt collection purposes” if they had been given it for fraud and credit checking purposes at customer sign up? That smells decidedly disproportionate and, frankly, non-compliant. Unless a person has failed to pay their bill there is no reason for their data to be retained by anyone for “debt collection” purposes. If you’ve passed the credit check and your account is in good order, there is zero lawful purpose for any 3rd party to have access to data about you and your family. I’m hoping against hope that I’m misreading this, but I doubt it (I do this for a living).
The retention period that is referenced in the last sentence is “a reasonable period”. That’s a similar duration as the length of string I have in my pocket. Curtailing it with reference to “as necessary and/or as required by law” is lawyer weasel words. This sentence is largely meaningless. If you are a ceased customer who has no outstanding debt with the company then there is no legal time period applicable and Irish Water would need to set a policy – many of my clients have similar issues and we get them to PICK A NUMBER and JUSTIFY IT WITH A REASON. Regarding ceased customers, the relevant period is the statute of limitations on a debt. “What about if people sue us or we are suing people?” organisations ask me: Have a ‘legal hold’ provision I reply. “Data may be retained on a case by case basis where necessary to seek legal advice or exercise or defend legal rights” is one useful form of words.]
Irish Water may share the Customer’s data with agents or third parties who act on behalf of Irish Water in connection with the activities referred to above. Such agents or third parties are only permitted to use the Customer’s data as instructed by Irish Water. They are also required to keep the Customer’s data safe and secure. The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). In the event that the data is stored outside of the EEA, Irish Water shall procure that all relevant laws are complied with to secure the data. It may also be processed by staff operating outside the EEA who works for us or for one of our suppliers. Such staff maybe engaged in, among other things, the processing of your request for information and the provision of support services. By submitting data to Irish Water, the Customer agrees to this transfer, storing or processing. Irish Water will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Clause 19.
[comment: This clause should have a “data sharing” heading. It repeats a bit of what was in the previous section. “Such agents or third parties are only permitted to use the Customer’s data as instructed by Irish Water” is a reasonable sentence. Of course, it must be assumed that those agents and third parties have contracts with Irish Water that specify the purposes and controls for processing.
This section also tells us that data “may be transferred to, and stored at, a destination outside the European Economic Area”. This suggests use of outsourced data centres or data processors that are outside the EEA. There is nothing wrong with this in and of itself, but the problem comes with the next statement: “Irish Water shall procure that all relevant laws are complied with to secure the data”. This is problematic, apart from the awkward use of the word “procure”. Cross border data transfer outside the EEA requires that the destination country either is a Safe Country or is covered by Safe Harbor (i.e. the US), or that the transfer is undertaken using model contracts.
Why is our data being transferred? Staff outside the EEA working for Irish Water or a supplier will be processing data if we request information or to provide support services. This sounds like either IT support services being provided outside of the EEA or direct customer support call-centre type services being provided outside of the EEA. Question: Is Irish Water planning to outsource call centre operations to India? Also: What countries are they intending to transfer data to, and under what controls?
Apparently, by submitting data to Irish Water we will have agreed to the transfer. This is probably not valid consent under EU Data Protection law. While it is specific and informed, it is not freely given. Individuals have to provide data to Irish Water. While I am heartened to see that Irish Water will take all steps reasonably necessary to ensure data is treated securely, I’m bloody confused where “Clause 19” comes from (I suspect this Data Protection notice is an extract from a longer T&Cs document). Unfortunately, Irish Water are not required to take all “reasonably necessary steps”. They are required to ensure appropriate organisational and technical controls.
And as for processing “in accordance with this Clause 19”? Well, without knowing what that Clause 19 actually is (it might be this paragraph *shudder* or it could be something else) I can’t add anything about the impact or meaning of that sentence.]
Irish Water may disclose the Customer’s data to third parties in the event that it sells or buys any business or assets, in which case it may disclose Customer data to the prospective seller or buyer or such business or assets; if Irish Water or substantially all of its assets are acquired by a third party, in which case Customer data held by it about its Customer will be one of the transferred assets. Irish Water may also disclose Customer data if it is under a duty to disclose or share Customer data in order to comply with any legal obligation, or in order to protect the rights, property, or safety of Irish Water, its customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. Irish Water will also disclose Customer data if it believes in good faith that it is required to disclose it in order to comply with any applicable law, a summons, a search warrant, a court or regulatory order, or other valid legal process.
[comment: The inclusion of a disclosure purpose covering sale or transfer of assets is normal and common sense for any business. The biggest asset in most businesses now is its customer data. Disclosure of data when buying an asset is a question mark purpose, but one scenario might be due diligence when buying another water services business serving the Irish market to validate the size of the additional customer base being acquired. I’d question the legitimacy of disclosing data when buying a non-water sector business however.
This clause also says that Irish Water will disclose data if required to do so under any legal obligation or to protect rights, property, or safety of Irish Water, its customers, or others. This is allowable under the Data Protection Acts, but should not be read as a blanket provision allowing any kind of disclosure. Appropriate governance controls would need to be in place to ensure that the “legal obligation” is valid and to ensure that the decision about protecting rights, property, and safety is taken under appropriate guidelines and controls. Of course, we can’t ignore the last sentence here which basically restates in a different way the kinds of legal obligation under which data might be disclosed. The “believes in good faith” clause suggests to me that IW will not contest any order requiring disclosure of data. My reading: If you are drinking tea while engaged in illegal downloading, IW will tell IRMO if asked.
This paragraph reiterates the exchange of and disclosure of data to third parties for fraud prevention and credit control. I’ve already raised an eyebrow about that earlier.]
From time to time the Customer may speak to employees of Irish Water (or agents acting on its behalf) by telephone. To ensure that Irish Water provides a quality service, the telephone conversations may be recorded. Irish Water will treat the recorded information as confidential and will only use it for staff training/quality control purposes, confirming details of the conversations with Irish Water or any other purposes mentioned in this Clause 19.
[comment: This is actually a reasonably good provision, at least in part. It provides for the recording of calls with their employees or sub-contractors (i.e. customer service staff in call centres – see my question re: where those call centres might be in the future earlier).
The problems with this clause are that it starts with specific statements of purpose (“staff training/quality control”) and then degenerates quickly into catch-all vagueness (“or any other purposes mentioned in this Clause 19”). Firstly: Clause 19 is not numbered or identified in this document. Secondly, I’m a Data Protection professional and I can’t say that, even after a number of readings, I could list what specific purposes are mentioned in this document. There are a lot of “reasonable”, “as necessary”, and “because we’re worth it” type phrases. I can’t scan quickly and directly to a single section that says: “These are the purposes for which we are processing information”.]
The Customer has a right to ask for a copy of the Customer’s data (Irish Water is entitled to charge a nominal administration fee for this) which is held by Irish Water about the Customer. If the Customer wishes to avail of this right, a request must be submitted in writing to: Irish Water, Data Protection Officer, PO Box 860, South City Delivery Office, Cork City. In order to protect the Customer’s privacy, the Customer may also be asked to provide suitable proof of identification. If any of the Customer’s details are incorrect the Customer is entitled to notify Irish Water to amend such details. Where the Customer has any queries in respect of Customer data it should contact Irish Water using the details provided in Clause 20.2.
[comment: This paragraph tells us we have a right to ask for a copy of our data and we have to submit the request in writing. Correct thus far (this is as required under Section 4 DPA). They say they are entitled to charge an administration fee. This is correct. It’s €6.35 maximum. They don’t tell us how to pay that (postal orders, 10 €0.65 stamps, 635 1-cent coins…). They provide a postal address to send our requests to. It’s worth bearing in mind that the Data Protection Acts only require that the request is in writing and organisations are not actually allowed to prescribe a standard form or mechanism for sending in Subject Access Requests. Personally, I’d have used an email address for this in addition to the postal address to ensure capture of SARs early in the process. I also hope their processes for handling requests that come in are better defined and resourced than this classic example.
That Irish Water are telling us they may ask for proof of identification for a Section 4 request is not a bad thing. It is good practice to verify the identity of a requester and is a basic organisational control practice to prevent unauthorised disclosure. Of course, once identification information is provided (e.g. passport copy) and the identification process has been met, the data should not be retained. The DPC looked at this in Case Study 16 of this year’s Annual Report.
This paragraph also requires us to address any queries in respect of data to a different address. We’re told the contact details are in Clause 20.2. Out of context, that is utterly meaningless – they might as well have asked us to send our requests attached to an Owl care of Hogwarts. It is important to note that queries in respect of customer data are most likely Section 3 requests – requests to confirm if data is being processed, and why, or requests to have data rectified or erased under Section 6 of the DPA. The use of two different addresses for Data Protection related processes strikes me as potentially inefficient and an inevitable cause for confusion. I always recommend to clients that they have a single “Data Protection request” funnel and have well defined back-office processes to sort the requests and process them effectively and efficiently.]
If the Customer signs up for any of the Irish Water online services and Irish Water communicate with the Customer by email, the Customer is solely responsible for the security and integrity of the Customer’s own email account. The Customer accepts that electronic mail passing over the Internet may not be free from interference by third parties. Consequently, while Irish Water will take all reasonable security measures, Irish Water cannot guarantee the privacy or confidentiality of information relating to the Customer when passing over the Internet. Unfortunately, the transmission of information via the internet is not completely secure. Although Irish Water will do its best to protect Customer data, it cannot guarantee the security of Customer data transmitted via the internet; any transmission is entirely at the Customer’s own risk.
[comment: Summary of this is that Irish Water accept no responsibility for the security of email communications. This is true. They can’t be responsible for external malicious attacks on your email account. This is a limitation of liability clause. It is not unreasonable. Of course, IW could give the option of using encrypted email communication…]
Marketing [note: this is where some fun starts]
Irish Water and/or authorised agents acting on behalf of Irish Water, may wish to contact the Customer by text message, email, post, landline or in person about water related with products or services which may be of interest to the Customer (“Marketing Purpose”).
This paragraph does not meet the requirements of SI336.
- Marketing by SMS requires opt-in consent under Section 13(1) of SI336. Given there is no alternative water service provider, any implied consent that might be argued would likely be invalid on grounds of it not being freely given. This basically amounts to a pre-ticked box on a web-form, which the Article 29 Working Party has already said doesn’t meet the requirement for informed opt-in consent.
- The same goes for marketing by email (SI336 lumps email and SMS messages in under the same term – electronic message).
- Post is OK for an opt-out mechanism under SI336
- Landline calls are also OK for an opt-out mechanism under SI336 (Section 13(5))
The “in person” provision is door to door selling.
The catch all “related with products or services which may be of interest to the Customer” clause here is very wide. The service being offered does not have to be related to your water service – This is sufficiently broad that Irish Water could call you to sell Andalusian Time Share units if they so desired.
I note that their consent landgrab does not extend to mobile phones. If I was mischievous, I’d suggest that people enter their mobile phone number as a contact number as SI336 requires prior, explicit, opt-in consent for calls to mobile numbers (SI336, Section 6).
If the Customer does not wish to be contacted for Marketing Purposes as set out above, the Customer may exercise a right of opt-out by either writing to Irish Water at FREEPOST, Irish Water, Data Protection Opt-out, PO Box 860, South City Delivery Office, Cork City or by calling Irish Water on 1890 278 278.
[comment: You can send your opt-out requests by a freepost letter or by ringing their call centre. Another address, another set of processes. It is clear that there is a strong presumption that opt-out is a sufficient mechanism for their marketing. This is incorrect.]
There are some good things about this Data Protection notice. However, they are outweighed by:
- Poor structure and layout that makes it very difficult to find relevant information and understand what is being done with data
- Some extremely vague and non-specific provisions, as well as some “kitchen sink” “just-in-casery” in terms of what is being addressed
- Some simply unsupportable approaches to obtaining consent
- An appearance of a fragmented and not properly thought through approach to governance of Data and management of Data Protection obligations.
- Tinfoil hat brigade will have wriggle room to misunderstand potentially valid and allowable processing purposes, which will lead to more nonsense and noise.
- The rest of us will find our data being processed in a range of vague and unspecified ways to which we will be told “you consented”, which we actually didn’t as consent needs to be freely given and meaningful and it is difficult to see how one can consent to take-it-or-leave-it provisions in the terms and conditions of a monopoly organisation.
- Irish Water will wind up dealing with Data Protection complaints, some groundless but many with a strong basis.
- Irish Water will engage in activities that will actually breach Data Protection rules when they engage in marketing, and will attempt to argue that customers consented. This will result in investigations by the DPC, and avoidable legal costs in defending prosecutions.
My rating: 5/10 – close, but no cigar.