Elizabeth Arnett of Irish Water was on Morning Ireland this morning. Some good and important clarifications given.
- She confirmed PPSN would only be used for the purposes of validating allowance entitlements. That differs from the commentary in yesterday’s Irish Times in the context of landlords and tenants, but clears up the confusion. Irish Water will not be using the PPSN for a purpose not covered in their Data Protection Notice. Therefore, a lot of the concerns I raised yesterday hereÂ should prove unfounded as that use is not going to happen and I can only hope and assume that Irish Water have implemented appropriate internal governance to ensure that the temptation to stretch the scope of use of PPSN is resisted. My experience in organisations is that temptation to process data “because we can” is often very difficult to overcome and needs a strong governance culture to push back on rash impulses
Given that the DPC has expressed concern that there is a lack of clarity in the Data Protection Notice regarding the use of PPSN, it would be worth Irish WaterÂ investing time to ensure that the permitted use of PPSN is clearly communicated in the Data Protection notice and clearly reflected in internal policies and governance.
- The only 3rd parties that data will be shared with will be contractors delivering services on behalf of Irish Water, or Data Processors in Data Protection terms. There will be no sharing of data for marketing purposes. Again, this is a welcome clarification that should be reflected by appropriate wording in their Data Protection Notice. The wording that is there is reasonably good, but an example of the kind of person or kinds of purpose would help people understand better the processing involved. For example: “Examples of these kinds of 3rd parties would include maintenance engineers who would be provided with customer address and contact information for the purpose of carrying out maintenance on meters or doing ‘first fix free’ repairs for customers, contractors providing IT development or support services or related activities, or contractors providing bill processing or similar services.”)
- Ms Arnett clarified that Irish Water would only be engaging in postal marketing by way of bill insert and that this was something that people could opt out of. That is compatible with SI336 and the DPA, but needs to be clarified further in their Data Protection Notice which, as of this morning, still says
Irish Water and/or authorised agents acting on behalf of Irish Water may wish to contact the customer by text message, email, post, landline or in person about water related products or services which may be of interest to the customer (“Marketing Purpose”).
Based on the clarification given verbally by Ms Arnett, this should now read:
Irish Water and/or authorised agents acting on behalf of Irish Water may wish to contact the customer by post about water related products or services which may be of interest to the customer (“Marketing Purpose”).
These are important clarifications. They should be included in Irish Water’s Data Protection Notice which, while improved, can be improved further.
However there are a number of points that need to be clarified by Irish Water still. Among those are the following:
- What is the retention period that will be applied to PPSN data once allowances are validated? “For as long as permitted by law” is a nonsense as the DPA doesn’t provide a specific retention period (it says “no longer than necessary for the purpose for which the data was obtained”). So either the data is dumped immediately (to comply with the DPA requirement) or it is retained for defined period for a secondary related purpose that is not incompatible with the validation of allowances (the statutory purpose for which Irish Water was permitted to request and process PPSN). Clarification is needed on that point. “For the length of a piece of string” is a platitude not a policy.
- What are the purposes for which email, mobile phone, or landline data that might be provided will be used for? For example, is that data needed to contact customers in emergencies? Clarification is important to help restore trustÂ and compliance with the DPA.
- The retention period for “non-customer” data should be clarified. Irish Water’s social media team have been stating that it will be retained until such time as the information is verified. Is this an audit process where the data will be clashed against LPT data or Dept of Environment data to identify people who are claiming to be non-customers but are (perhaps through innocent mistake)? If so, that is a purpose for processing of non-customer data that needs to be stated in the Data Protection Notice. If there is no billing purpose, no allowances purpose, and no audit/verification purpose, I am unclear what the purpose for retaining this data is (and would have to ask why money is being spent processing data that has no purpose). It there is a purpose for processing non-customer data, it should be clearly communicated so that such data is obtained and processed fairly for a specified and lawful purpose as required under the DPA.
There are other questions that I’m sure Irish Water will be able to answer soon as well such as:
- What happens if you have a birth or a death in your family? How can you update the allowances etc.
- What happens if you move house? How do you transfer over allowances? How will personal data be kept accurate and up to date in that context?
It is also worth noting that, since the sixth of September, Irish Water have slowly made steps to improve their communication of Data Processing purposes. Almost a month. Played out in the media. Almost a month, during which time the DPC went from being disengaged to being actively involved. Almost a month in which trust in Irish Water was damaged by inconsistent and incomplete communication. Almost aÂ month for the tip of the iceberg (the Data Protection notice) to begin to be hammered into shape, but clarifications are still required and communication still needs to improve.
Privacy by Design thinking applied to the life cycle of information (which includes “PLANNING”) could have helped avoid a lot of this.Â One of the key points of Privacy by Design is it puts the customer at the centre of focus. It also puts Privacy at the Design stage in any initiative… and a month spent in design and in ensuring clarity of process, consistency of communication, and transparency of Data Protection Notice would have been a month well spent by Irish Water.
[I’m speaking on Data Protection, Data Governance, and Privacy by Design at EDBI in London next month and at IGQIE2014 in Dublin on the 7th of November. Tickets are still available for IGQIE2014 and discounted student rates are available for the morning session.]