Over the past few days, the Irish Times has carried a larger volume than usual of the “Data Protection Commissioner is evil” letters, giving out about her “nonsensical powers” because the bad lady won’t let them do things they want to do with data about people who are/might be alive.
I don’t always agree with the ODPC (more often than not we have “differences of opinion” on things). But when (against all the odds) they appear to be DOING THEIR JOB, I will defend them. So, I wrote a letter to the Editor. It is probably too long and will get gutted or not published at all. Here it is (with links to the original letters)
Over the past few days your letters page has carried unchallenged comments about the Data Protection Commissioner and her “nonsensical powers”.
Robert Frewen states that Electoral register information is available in hard copy through libraries. This is true, but it differs from an on-line and searchable resource in a number of key ways, namely that each search is manual and laborious and the library staff can act as a foil against trawling for data – multiple searches will easily be spotted and librarians are a fearsome breed in my experience. He also states that electoral register information is available on-line. This is incorrect. Electoral registers are available to search online, but only if you have the exact name and address of the individual – so you are searching for information you already have in your possession, not trawling for new facts.
Claire Bradley writes that the DPC’s decision is “small minded” and that “most of the people eligible to vote in the 1940s would be dead by now”. Unfortunately, that means that some of the people eligible to vote in the 1940s (such as my own Grandfather) are still very much alive and continue to enjoy a fundamental right to data privacy. This fundamental right is what the DPC has acted to uphold. Far from being a small minded sectoral interest, the DPC has acted in support of a broadly based fundamental principle.
The DPC has made similar decisions in relation to other genealogy resources, which have been widely reported by the Irish Times, and clear rules of thumb have been established for births, marriages, and deaths. Perhaps rather than bemoaning the application of fundamental human rights rules to personal data, Ms Bradley might contribute more constructively by suggesting a reasonable and proportionate rule of thumb for the publication of electoral registers in an open and searchable format. The DPC, in my experience, welcomes such constructive discussion. Perhaps a benchmark can be found in the release of the 1911 Census Records?
It is important to note that the DPC has not said that any records should be destroyed, just that they cannot be made available for an open and unrestricted search. Yet.
Finally, Cllr Lacey seems to bemoan the DPC’s recommendation to Local Authorities that they respect and comply with Data Protection principles such as ensuring access to data and processing of data is conducted with a specified and lawful purpose. I would suggest that rather than blaming the DPC for the loss of patronage and perceived power that Councillors may have experienced when their participation in housing allocation was curtailed, he instead address his complaint to the Department of the Environment and ensure that a clear and explicit statutory basis in primary legislation is created to clearly set out what data about Council tenants Councillors can have access to, why, and under what controls such access will operate.
The release of Electoral Register data from the 1960s, 1970s and 1980s constitutes the release of personal data of living individuals for a purpose unrelated to the purpose for which it was obtained, and brings with it a risk of identity theft. If Cllr Lacey believes that the release of this data is sufficiently important, he should seek to have every person communicated with to obtain their consent to the release of their data for this new and, at the time, unforeseen purpose.
It is rare in recent times that I find an opportunity to fall full square behind the DPC and the actions of her office. This is one. Their function is imperfect, and in a professional context as Data Protection consultant and trainer, I have more than ample grounds to be critical of their actions at times. But far from being nonsensical, the powers of the DPC are woefully inadequate in many ways for the challenge that they face as one of the leading Data Privacy regulators in the world upholding and protecting a fundamental right. As the Oireachtas prepares the updated Data Protection Act to beef up the DPC in line with the requirements of the General Data Protection Regulation, one hopes that the many weaknesses of the DPC will be addressed to make them more fit for purpose.
“Wha!!! Data Protection laws make things hard!” is a dumb argument. Better for people who have valid interests to assess what the “win-win” outcome would be and strike an appropriate balance.