Adequate, Relevant, Not Excessive

For the last number of weeks we have been told by the Government and by Irish Water that PPS numbers are required by Irish Water for the purposes of validating entitlement to allowances. We have been told that not providing the information will result in people not being able to have their water bills reduced by the credit amounts. The invasiveness of the request for data, particularly data about children, by a private company (albeit one operating to provide a public utility service) has sparked much concern and discussion. I think it has, in no small way, helped make Data Protection issues more relevant and personal for the citizen.

This morning we are told that the budget announcement will include the introduction of a tax credit for low and middle income earners for their water. This will be in addition to the existing household water allowances. Other provisions are mooted on the social welfare side of the fence to alleviate financial impact on lower income families.

So. The Government is proposing using the Revenue systems and the Social Welfare systems to implement a system where by the cost of water services provided by a utility company. Which raises the question: if the Government can achieve this objective through the existing Revenue and Social Protection systems, which do not require PPSN data to be shared with a private company (notwithstanding the existence of legislation to allow it to be done), what does this mean for the necessity and proportionality of existing provisions that do require this to be done, in processes that exist to achieve broadly the same objective (reduction of cost to households of water service charges)?

Three weeks ago I asked this question in relation to the current system of allowances: could the same goal have been achieved through different means that did not require a private company to process PPSN data? I blogged about it here and set out a high level alternative approach.

Assuming the mechanism that is used to implement the proposed budget changes is broadly in line with the structure I outlined, the question must be asked now what is necessary and not excessive about the processing of PPSN data by Irish Water if a broadly similar impact on the household bottom line can be delivered in the Budget through existing public sector processes/systems?

I’m sure there is a clear and compelling difference I’m missing that makes the PPSN relevant and not excessive for the objectives of Irish Water.

<update><update 2 – tweaked again to correctly reflect a nuance in DRI v Ireland>

One of my erudite and learned colleagues has pointed out that the European Court of Justice recently reiterated the critical nature of the proportionality, relevance, necessity, and not excessive elements of data processing, even where there is a bit of a law that, on the face of it, allows the processing. The CJEU held in Digital Rights v Ireland that, even where there is a statutory basis, processing of personal data must be done in a manner that is proportionate to the need, relevant to the objective, necessary for achieving that objective, and not excessive to achieving that objective – basically the key tests under Article 8 of the European Charter of Fundamental Rights that we all signed up to under the Lisbon Treaty.

What this means is that where a less intrusive option might exist that can achieve the same goal, the relative impact on privacy must be assessed and the measures taken cannot go beyond what is required to achieve those objectives (see paragraph 46 of the CJEU ruling in Digital Rights v Ireland). And that assessment of proportionality needs to take into account the appropriateness and existence of safeguards where “personal data are subjected to automatic processing and where there is a significant risk of unlawful access to those data” (to quote from paragraph 55 of the CJEU ruling).

The CJEU struck down an entire Directive on that basis. Given that the State appears able to introduce additional tax credits in the budget, it would suggest that a less intrusive option does exist, and did exist at the time the data processing for Irish Water was being devised. Absent a very compelling reason why this is different, or why the processing of PPSN by Irish Water is proportionate to the objective of reducing cost to households (and it would probably have to be good enough to get past the CJEU, who struck down a Directive because those supporting the action didn’t have their homework done) the alternative option might indeed need to be adopted.

The upshot: The Government needs to have clarity in their homework as to why Irish Water is processing PPSN data versus it being handled via the Social Welfare and taxation systems. That clarity has, thus far, not been entirely forthcoming. And the clarity needs to show why it is proportionate, relevant, and not excessive to do it the way it is being done.

(I knew all that of course but didn’t want to bore people with too much detailed law talking).

</update></update 2>

Posted in Data Protection, The Business of Information.