Irish Water channelling Alec Guinness

Business, Data Protection, Information Quality, The Business of Information, Uncategorized / By / October 6, 2014

 

Irish Water is working hard on Twitter and in other forums to convince itself, if not us, that all is well with regard to their Data Protection policies and procedures.

In response to questions raised about the retention of data, specifically PPSN data once allowance entitlements are validated and personal data of non-customers, Irish Water have trotted out the standard 140 character line. Their response is essentially a variation on the following:

Data will be stored in Irish Water, after a customer ceases to be a customer but not longer than is required by law.

It is that response that has prompted my choice of image for this post. Those of you over the age of 12 will recognise Alec Guinness in one of his most famous mortgage paying roles, Obi Wan Kenobi in the original Star Wars. And why does my brain make this connection?

These aren’t the droids you’re looking for. You can go about your business. Move along” (waves hand enigmatically)

Unfortunately for Irish Water many of us are not as feeble minded as an Imperial Storm Trooper in a fictional universe. These Jedi Mind Tricks don’t work. We have a detailed specification for the specific droids we are seeking and we are pretty sure those are they.

  1. What is the specific purpose for the processing and retention of non-customer data by Irish Water? (i.e. why are they processing data about people who are not connected to a public water supply?)
  2. What is the retention period for that data? Why is it being retained? What is the basis for the retention period that has been selected that makes that retention proportionate? Which law are they operating within for their retention period?
  3. What is the retention period that Irish Water are applying to PPSN data provided to them? Why is that data being retained (for what purpose) given that the sole purpose Irish Water has for processing PPSN data is the validation of entitlements, suggesting that once that purpose has been completed the data should be deleted.

These are simple questions. They should be easy to answer if appropriate efforts were made to conduct Privacy by Design based compliance with the Data Protection Acts.

Once this grumpy old Storm Trooper gets a coherent and credible answer I’ll gladly move along.