Irish Water and the DPC’s letter and what it means

[This is a repost of a post I wrote on the 24th of September. Some people said they had difficulty accessing it so I am reposting it. I’ve updated it with links to other relevant posts that I’ve made since then. They are included in-line]

This evening [24th Sept] the Data Protection Commissioner has contacted Irish Water in relation to their processing of personal data. Deputy Roisin Shortall TD has published a response from the Commissioner’s office on her website to questions she has raised. The response reads as outlined below. I’ve annotated it with an explanation of the key issues raised. Key sentences are highlighted:

Dear Deputy Shortall,

I have been asked by the Commissioner Helen Dixon to respond to you on her behalf.

Thank you for your query in relation to concerns you are hearing about Irish Water’s proposed collection and use of personal data. This Office is concerned to ensure there is clarity on these matters for the 2.2 million prospective customers of Irish Water. Clearly, the obligations under the Data Protection Acts in this regard fall directly on Irish Water as the Data Controller in terms of ensuring they are collecting data in a lawful way and using it for a legitimate stated purpose which they make clear to users of their service. Notwithstanding the obligation on Irish Water, this Office is in on-going contact with them in an effort to ensure they take on board our best-practice advice in this regard.

[This paragraph confirms that Irish Water is the Data Controller and is subject to the Data Protection Acts.

One of the fundamental principles of Data Protection under the Acts and the EU Directive is that data should be processed for a specified and lawful purpose. There is a requirement on Data Controllers to be clear with people about what uses their data will be put to. It is Irish Water’s job to make sure that that clarity is there.

“This Office is in on-going contact with them in an effort to ensure they take on board our best-practice advice” basically means that Irish Water has not done things the DPC might have expected and they are engaging with them to try and fix the situation. Under the Data Protection Acts the DPC must always seek an amicable resolution in the first instance. That usually involves a lot of “on-going contact” with organisations that have not quite got what is required of them.

If the DPC is in “on-going contact” with you to give “best practice advice” you are NOT compliant, you are engaged in an amicable resolution process with the DPC. The only distinction is that the DPC has not yet made a decision that you are not compliant. If an Enforcement Notice issues at all in this instance it will be interesting to see what happens.

Update: As Irish Water is subject to the Data Protection Acts, the apparent absence of an operational “movers/leavers” policy for people changing address is a problem. I explain why here. The summary being that one of the obligations under the DPA is to keep data accurate and up-to-date, in the context of the purposes for which it is being processed.]

The collection of the PPSN for use by Irish Water in verifying occupants of a household is provided for in legislation. We are satisfied from this Office’s interactions with Irish Water that it is intended to use the PPSN for the sole purpose of confirming the qualification for a free water allowance of occupants of the household (including children) and in line with conditions set down for its use by the Department of Social Protection. However, we are in agreement that the Data Protection Notice published does not currently give sufficient clarity and detail in this regard and we are corresponding with Irish Water and providing our views on this.

[This paragraph confirms that there is a statutory basis for Irish Water to ask for PPSNs. It sets out that Irish Water has told the DPC that the SOLE purpose for processing PPSN is to confirm the qualification for free water allowances.

The bit in bold is interesting. The DPC are “giving their views” on the clarity of the Data Protection notice (which is also referred to as a “fair processing notice” in Data Protection-speak) because they are of the view that the notice as published doesn’t give sufficient clarity. Not having sufficient clarity means that the Data Protection notice fails a basic test: that of being specific as to the purpose or purposes of processing. That is a breach of the Data Protection Acts, but is not, in and of itself, an offence under the Acts for a host of technical reasons that hurt my head to explain.

Again, if the DPC is contacting you to “provide views” on something, you are not compliant. The DPC does not tend to write letters telling you you’re brilliant and should have a gold star. Correspondence providing views is part of the investigation/amicable resolution process that the DPC is required under the Acts to follow. If an organisation is compliant the DPC wastes neither stamp, nor electron, nor oxygen molecule engaging in “correspondence” – the exception being where an organisation is audited or investigated and good practices are found to be in place. In that case you might get a mention in the Annual Report.

I suspect Irish Water may get a mention but not for the right reasons.

Also, the DPC does not specifically mention the question of the retention period or purposes for retention of PPSNs. I would assume that that topic would form part of the discussion as, if there is no purpose beyond the initial validation of allowances, there is no lawful purpose for Irish Water to retain PPSNs.

Again, the issue of clarity was the very topic I picked up on when I wrote my first blog post about the Data Protection Notice 18 days ago. It’s reassuring to see that the Data Protection Commissioner shares the concerns I raised.

Update: Today, on foot of an Irish Times article, I wrote this post which points out that Irish Water are citing a purpose for retaining PPSNs that gives a retention period of at least 6 years. And it is not a purpose that is related to the validation of entitlements to allowances.]

The issue of disclosure of personal data to third parties inevitably arises in the case of Irish Water where they are already using contractors to fit water meters and for other outsourced functions. This Office has asked Irish Water to be transparent in terms of making clear the categories of the data processors to whom they are providing the data and for what purpose and to provide contact details in the event that a customer wishes to raise a data protection concern. We are currently following up with Irish Water on this matter.

[Again, the question of clarity and transparency raises its head here. The Office of the Data Protection Commissioner correctly recognises that there are times when a company uses third parties to do things on its behalf. Contractors are the third party in question: third parties doing work for Irish Water, under contract. These are known as Data Processors.

The DPC here is requiring Irish Water to be transparent about the CATEGORIES of data processor they will disclose data to, for what purpose, and to give contact details if there is a Data Protection concern. Normally, the Data Controller is the entity concerns are raised to and they use their contract (for the love of spuds let Irish Water have proper data processor agreements in place) to address the issue with the Data Processor via a right of audit or inspection (as is actually required under the Data Protection Acts). If the DPC is now requiring contact details to be provided for Data Processors as well, I can’t see how that fits with only identifying categories, but would be happy to help figure it out.

Interestingly, the DPC seems to be going beyond what I’d included in my mockup “alternative universe” version of the Data Protection Notice. I’ll be taking note of that and advising clients accordingly.

Also, the requirement to specify “categories” of recipients of data differs slightly but significantly from their Direct Marketing guidance in relation to providing marketing lists to or conducting marketing on behalf of third parties, which currently requires the SPECIFIC organisations data will be shared with to be disclosed at the time of data capture. If that requirement was intended to be specific categories as well, it makes a lot more sense and the current wording needs to be revisited to correct what may be a transcription error.

Again, the DPC is “following up with Irish Water on this matter”. An organisation that is compliant with the requirements of the Acts does not require the DPC to “follow up”, and yet again the DPC is following up on issues of transparency, clarity, communication, and (in essence) customer focus. All of these were issues that I raised nearly 3 weeks ago.]

Equally, Irish Water as part of their business model may use outsourced service providers outside of the EEA. We are not aware that this is currently part of their actual business plan but it would appear to be the case that they wish to ensure this eventuality is covered in their Data Protection Notice. Again, we have asked them to be more explicitly clear in the notice in relation to how they would protect the data and to identify where possible what type of data and for what purpose a transfer would occur.

[This paragraph means that the DPC agrees that the use of outsourced data processors outside the EEA is something Irish Water MAY do in the future. This is very common. High street supermarkets use software development teams in India, telephone companies use database administrators in other countries, many SMEs use tools and technologies that have their data sitting outside the EEA. It’s a common thing. Irish Water include it in their Data Protection notice as a future proofing element.

I note with interest that the DPC is asking for Irish Water to more explicitly state what type of data and for what purpose the data would be transferred outside the EEA. This is essentially the same question I asked in my original blog post when I wrote:

“Question: Is Irish Water planning to outsource call centre operations to India? Also: What countries are they intending to transfer data to, and under what controls?”

The DPC’s request for Irish Water to provide more information about how they would protect the data is essentially the same as my query about “under what controls”.

Again, if the DPC is asking you to be more explicit in how you are communicating things, then that means you are not compliant and are in the “amicable resolution zone” where the DPC talks gently to you to encourage more compliant behaviours. That’s a good thing if it is happening during planning and design of a system or process, but is a horrendously bad thing to have happen when you are up and running with your processing. At any point the gentle communication could develop teeth and you might be instructed to do something by way of an enforcement notice. The DPC is empowered to block any data transfer outside the EEA using a Prohibition Order under Section 11 of the Data Protection Acts.]

I hope this information is of use to you. We do understand the urgency of the matter in light of the obligation on customers to return application forms to Irish Water and we are communicating our views in relation to this urgency to Irish Water.

Yours sincerely,
John O’Dwyer
Deputy Data Protection Commissioner

The DPC does not address in this communication the question of whether Irish Water’s approach to marketing consents is valid (I believe it is not). I’d expect that correspondence is on-going in relation to that aspect at the moment as well. And while Irish Water may wish to insist they are compliant in that regard, I beg to differ.

I suspect this particular well has not yet run dry.

Comments

5 responses to “Irish Water and the DPC’s letter and what it means”

  1. Colm Donoghue

    Saw a simpler solution on a thread on boards

    Customer A declares X adults, Y children receiving child benefit live at address Z

    IW verify that dept SP are paying child benefit for Y children at address Z
    Dept confirm or refute to IW.

    No PPS numbers go to IW.

    Just because IW are legally allowed to get PPSNs surely doesn’t mean it’s the only way to verify.

    1. Daragh

      I agree. The question of proportionality of the method for validation is key.
      As I said on The Last Word the other day, DSP pay children’s allowance and the water allowance for children is just another variant. No reason why
      A) household allowance could not be added as a tax credit (like bin charge tax credit) and
      B) child allowance could not be added on to children’s allowance.

      Existing systems could be reused and zero ppsn data needs to move outside of existing structures.

  2. […] Let’s just remind ourselves of what Irish Water told the Data Protection Commissioner they were going to use PPSN data for. The quote below is from a letter sent by the Acting Data Protection Commissioner to Roisin Shortall TD that I blogged about last week. […]

  3. […] But they do not control water.ie – it’s not registered to them and never has been. Irish Water is a subsidiary of Bord Gais but it’s a separate legal entity, so it would make more sense if the domain name was registered to them and not the “parent”. After the amount of public criticism levelled at the entity I’m sort of surprised that Bord Gais haven’t wanted to distance themselves even further. See here for example. […]