The DOBlog

Search results for: “"irish water"”

  • Irish Water, Data Protection, and the Cut and Paste Fairy

    A few weeks ago I wrote a post here about Irish Water’s Data Protection Policy, which was very poorly written and had all the hallmarks of having been cut and paste from another document (for example references to numbered clauses that were not in the Data Protection Notice).

    Today they have advertised on RecruitIreland.com for a Data Protection and Information Security Manager. Ignoring for a moment that this conflates two completely different but related skill sets, the advert on RecruiteIreland.com has all the hallmarks of being a cut and paste job from elsewhere. The clues are very obvious to anyone who knows about international data privacy law and practice. Like me.

    Take this paragraph for example:

    • Develop and implement Irish Water Information Security and Data Protection policies, processes, procedures and standards based on the existing Ervia framework, legislation and best practice (eg ISO 27000, other industry security standards such as PCI-DSS, NERC/CIP, and FERPA; HIPAA and other privacy/security legislation);

    Lots of alphabet soup there that looks very impressive. But what does it mean?

    • PCI-DSS  is a credit card processing data security standard. Scratch that… it is THE credit card processing data security standard.
    • ISO27000 is the benchmark standards family for Information Security.
    • NERC/CIP is a critical infrastructure security standard from the US for electricity networks. It’s used as a reference standard as the EU lacks equivalents at the moment (thanks to Brian Honan for pointing that nugget out)
    • FERPA is not a standard. It is the Family Education Rights and Privacy Act, a US Federal law covering data privacy of student education records. It actually creates rights and duties not unlike the Irish Data Protection Acts, but it applies only to schools that receive funds under an applicable program of the U.S. Department of Education. So, unless Irish Water has a subsidiary teaching creationism in the boonies of Louisiana, it’s not entirely relevant to the point of actually being entirely irrelevant to an EU-based utility company.
    • HIPAA is the Health Insurance Portability and Privacy Act. It is privacy law that applies to certain categories of patient data for patients of US hospitals and healthcare providers and processors of health data such as insurers. In the United States.

    Reading through the rest of the job description, the role is weighted heavily towards Information Security professionals. The certifications and skills cited are all very laudable and valid information security certifications. But they are not Data Protection qualifications. Indeed, the only data protection qualification that is specified is an ability to “work the Data Protection Acts”. Work them? I can play them like a pipe-organ!

    Given the range of qualifications that exist now for Data Protection practitioners such as the IAPP’s CIPP/E or the Law Society’s Certificate in Data Protection Practice (disclaimer: I helped design the syllabus for that course, lecture on it, and have  set and correct the assignments for it), it’s odd that there is no reference to appropriate Data Protection skills. The question I would pose is what would happen if a Data Protection specialist with experience in ISO27000 implementation, a formal data protection qualification, and experience in data governance applied for the job and wound up shortlisted against someone with a CISSP certification and no practical data protection/data privacy experience, who would get the job?

    My reading of the job advert on RecruitIreland.com is that it was cut and paste from somewhere else with minimal review of the content or understanding of what the role of a Data Protection Officer is and how that is related to but different from an Information Security Officer role.

    Perhaps it was cut and paste from this advert that appeared almost six months ago http://www.dole.ie/cache/job/3853096. It’s for an Information Security and Data Protection Manager in… Irish Water.

  • Irish Water Boarding

    A few weeks ago I did a lot of research to find the specific section of legislation that authorised Irish Water to request PPSN details from people. It is Section 20 of the Social Welfare and Pensions Act 2014.

    So, a bit of a law was done to do a thing. But could that thing actually be done? Were other things needed to be done to make the request of and processing of PPS numbers lawful?

    Simon McGarr correctly points out that putting a body on the list of registered bodies is only part of the governance. A protocol is required to be in place governing the use of the data which needs to be approved by the Minister. http://www.mcgarrsolicitors.ie/2014/10/22/irish-water-ppsns-and-the-missing-ministers-agreement/

    That protocol appears not to have been in place as of the end of September. After the forms were finalised and sent out. Any PPSN data obtained prior to the finalisation of such protocols was obtained unlawfully. This is a failure of Data Governance. A key Regulatory requirement appears to have been missed.

    This is a good example of how doing “a bit o’law” to enable sharing of data is insufficient to ensure compliance. In the absence of a strong Data Governance function to ensure that the right things are done in the right way errors occur, disproportionate processing takes place, and groupthink takes hold. I discuss this at length in a submission my company Castlebridge Associates made in conjunction with Digital Rights Ireland to the Dept of Public Expenditure and Reform on a proposed Data Sharing and Governance Bill.

    That document is here: http://castlebridge.ie/products/whitepapers/2014/09/data-governance-and-sharing-bill-consultation-submission

  • Irish Water: Quality by Design

    Irish Water: Quality by Design

    Having failed the Privacy by Design Test, Irish Water have lurched into one of my other specialist areas today, Information Quality. This story in the Irish Times http://www.irishtimes.com/news/environment/some-householders-having-trouble-reading-water-meters-1.1959841 relates to the quality of information presentation in the design of some of the meters used by Irish Water. It also relates to data quality characteristics such as adequacy, precision, and accuracy, and how Irish Water don’t seem to be able to grasp the customer perspective.

    Some back ground information for people first:

    Information Quality Management is the application of quality management principles to the management of information. It’s what I do. I’ve done it for longer than I’ve done Data Protection. I consider data protection compliance to be a component of or a subset of Information Quality.

    The key determinant of quality is, in all cases, the customer. Danette McGilvray (a very good friend of mine and mentor, and one of the pioneers in the field of information quality) defines “Quality Information” as information that is fit for any or all required purposes. Dr Tom Redman (who lead the Data Quality labs in Bell Telecom in the 1980s and was one of my first mentors in the field, and who now guest lectures in UCC and the IMI) defines data as being of good quality if they are “fit for their intended uses in operations, decision making, and planning”. Larry English (another mentor of mine early in my career, and who I had the honour of hosting at a conference in Dublin a few years ago) stressed the importance of the “product specification” for information, particularly in the context of the process goals or objectives for an employee or customer.

    So… data is of good quality if it can be used. That quality is a product of design.

    Irish Water have implemented a number of processes and policies that call for the consumer to be able to have an accurate reading of their water consumption. As the water consumption is billed in litres, allowances are provided in litres, and bills will be a calculation of litres consumed minus allowances times the price per litre, consumers would reasonably be assumed to have a reasonable expectation that they might read their bill in litres.

    Given that, if you have a leak, you want to find it quickly before it floods out and costs you money, it’s only reasonable that consumers would be able to read their meters in litres. This is particularly the case given that Irish Water were telling people that that’s the way to check for leaks

    Given that ever other meter that is attached to a home (gas meter, electricity meter) allows people to see their consumption from the smallest unit so that issues of leaks or over consumption (the infamous electric immersion heater) can be quickly identified, it’s a reasonable paradigm to replicate and give consumers the same user experience.

    But no. Irish Water has installed meters that obscure part of the meter dials so that the micro-level (hundreds, tens and ones) are obscured.  It’s like giving you a lovely big telly and hiding one edge behind the curtains.

    Irish Water argues that it’s all OK because the measurement in cubic meters of water and that is enough for an accurate meter reading. A cubic meter being 1000 litres. Or EUR5. Or 1.8% of the annual bill for an “average” family. Or a waste of 999 litres of water when a leak could be detected earlier by watching the red numbers spin around like the electricity meter when the immersion is on.

    Irish Water argues that the meters in question comply with an EU standard. Standards are a minimum, and they are also technical standards. The objective of quality is to meet or exceed the customer’s expectation.

    The customer wants to be able to find if they have a leak anywhere quickly, because 999 litres of water can do a heck of a lot of damage, even if the cost is only EUR5. The customer wants to have some transparency on their consumption. The customer wants to have sufficiently granular and timely information that they can make quick decisions about their water consumption patterns.

    Therefore, from the perspective of the customer, a blocked meter dial that prevents them spotting a problem until the 1000th litre rolls down the drain, is as useful as a chocolate teapot and does not provide quality information.

    Irish Water’s defence of themselves relies on a standard that is actually a technical engineering standard for meters, in the same way as the calibration of the fuel pump in your local petrol station is done to a standard. But if your petrol station owner obscures the screen on the pump so you can’t see how much fuel you’ve pumped into your car, that still leaves you with a data quality and customer service problem.

    Irish Water has meters some of which are obscured. But all of them are outside, where the cold lives, and all of them need a cover to be levered off and then for the little numbers on the dial to be visible. A challenge for able bodied people in their thirties, but doubtless a nightmare for the infirm or elderly. The customer experience does not appear to have been considered.

    From the perspective of the end customer, the bill payer, a meter that has obscured digits is not fit for purpose. The information it produces is not accurate enough for operations or decision making in that household. It’s crappy data quality and yet more case study material of how customer focus is essential in quality management and compliance. A meter that is outside, where the cold lives, requiring tools and effort to get at, and which can only be read accurately by a remote sensor device in a van, was never intended to be read by customers, was it.

  • Irish Water channelling Alec Guinness

    Irish Water channelling Alec Guinness

     

    Irish Water is working hard on Twitter and in other forums to convince itself, if not us, that all is well with regard to their Data Protection policies and procedures.

    In response to questions raised about the retention of data, specifically PPSN data once allowance entitlements are validated and personal data of non-customers, Irish Water have trotted out the standard 140 character line. Their response is essentially a variation on the following:

    Data will be stored in Irish Water, after a customer ceases to be a customer but not longer than is required by law.

    It is that response that has prompted my choice of image for this post. Those of you over the age of 12 will recognise Alec Guinness in one of his most famous mortgage paying roles, Obi Wan Kenobi in the original Star Wars. And why does my brain make this connection?

    These aren’t the droids you’re looking for. You can go about your business. Move along” (waves hand enigmatically)

    Unfortunately for Irish Water many of us are not as feeble minded as an Imperial Storm Trooper in a fictional universe. These Jedi Mind Tricks don’t work. We have a detailed specification for the specific droids we are seeking and we are pretty sure those are they.

    1. What is the specific purpose for the processing and retention of non-customer data by Irish Water? (i.e. why are they processing data about people who are not connected to a public water supply?)
    2. What is the retention period for that data? Why is it being retained? What is the basis for the retention period that has been selected that makes that retention proportionate? Which law are they operating within for their retention period?
    3. What is the retention period that Irish Water are applying to PPSN data provided to them? Why is that data being retained (for what purpose) given that the sole purpose Irish Water has for processing PPSN data is the validation of entitlements, suggesting that once that purpose has been completed the data should be deleted.

    These are simple questions. They should be easy to answer if appropriate efforts were made to conduct Privacy by Design based compliance with the Data Protection Acts.

    Once this grumpy old Storm Trooper gets a coherent and credible answer I’ll gladly move along.

  • Morning Ireland, Irish Water, and Data Protection clarifications

    Elizabeth Arnett of Irish Water was on Morning Ireland this morning. Some good and important clarifications given.

    1. She confirmed PPSN would only be used for the purposes of validating allowance entitlements. That differs from the commentary in yesterday’s Irish Times in the context of landlords and tenants, but clears up the confusion. Irish Water will not be using the PPSN for a purpose not covered in their Data Protection Notice. Therefore, a lot of the concerns I raised yesterday here should prove unfounded as that use is not going to happen and I can only hope and assume that Irish Water have implemented appropriate internal governance to ensure that the temptation to stretch the scope of use of PPSN is resisted. My experience in organisations is that temptation to process data “because we can” is often very difficult to overcome and needs a strong governance culture to push back on rash impulses

    Given that the DPC has expressed concern that there is a lack of clarity in the Data Protection Notice regarding the use of PPSN, it would be worth Irish Water investing time to ensure that the permitted use of PPSN is clearly communicated in the Data Protection notice and clearly reflected in internal policies and governance.

    1. The only 3rd parties that data will be shared with will be contractors delivering services on behalf of Irish Water, or Data Processors in Data Protection terms. There will be no sharing of data for marketing purposes. Again, this is a welcome clarification that should be reflected by appropriate wording in their Data Protection Notice. The wording that is there is reasonably good, but an example of the kind of person or kinds of purpose would help people understand better the processing involved. For example: “Examples of these kinds of 3rd parties would include maintenance engineers who would be provided with customer address and contact information for the purpose of carrying out maintenance on meters or doing ‘first fix free’ repairs for customers, contractors providing IT development or support services or related activities, or contractors providing bill processing or similar services.”)
    2. Ms Arnett clarified that Irish Water would only be engaging in postal marketing by way of bill insert and that this was something that people could opt out of. That is compatible with SI336 and the DPA, but needs to be clarified further in their Data Protection Notice which, as of this morning, still says

      Irish Water and/or authorised agents acting on behalf of Irish Water may wish to contact the customer by text message, email, post, landline or in person about water related products or services which may be of interest to the customer (“Marketing Purpose”).

    Based on the clarification given verbally by Ms Arnett, this should now read:

    Irish Water and/or authorised agents acting on behalf of Irish Water may wish to contact the customer by post about water related products or services which may be of interest to the customer (“Marketing Purpose”).

    These are important clarifications. They should be included in Irish Water’s Data Protection Notice which, while improved, can be improved further.

    However there are a number of points that need to be clarified by Irish Water still. Among those are the following:

    1. What is the retention period that will be applied to PPSN data once allowances are validated? “For as long as permitted by law” is a nonsense as the DPA doesn’t provide a specific retention period (it says “no longer than necessary for the purpose for which the data was obtained”). So either the data is dumped immediately (to comply with the DPA requirement) or it is retained for defined period for a secondary related purpose that is not incompatible with the validation of allowances (the statutory purpose for which Irish Water was permitted to request and process PPSN). Clarification is needed on that point. “For the length of a piece of string” is a platitude not a policy.
    2. What are the purposes for which email, mobile phone, or landline data that might be provided will be used for? For example, is that data needed to contact customers in emergencies? Clarification is important to help restore trust and compliance with the DPA.
    3. The retention period for “non-customer” data should be clarified. Irish Water’s social media team have been stating that it will be retained until such time as the information is verified. Is this an audit process where the data will be clashed against LPT data or Dept of Environment data to identify people who are claiming to be non-customers but are (perhaps through innocent mistake)? If so, that is a purpose for processing of non-customer data that needs to be stated in the Data Protection Notice. If there is no billing purpose, no allowances purpose, and no audit/verification purpose, I am unclear what the purpose for retaining this data is (and would have to ask why money is being spent processing data that has no purpose). It there is a purpose for processing non-customer data, it should be clearly communicated so that such data is obtained and processed fairly for a specified and lawful purpose as required under the DPA.

    There are other questions that I’m sure Irish Water will be able to answer soon as well such as:

    • What happens if you have a birth or a death in your family? How can you update the allowances etc.
    • What happens if you move house? How do you transfer over allowances? How will personal data be kept accurate and up to date in that context?

    It is also worth noting that, since the sixth of September, Irish Water have slowly made steps to improve their communication of Data Processing purposes. Almost a month. Played out in the media. Almost a month, during which time the DPC went from being disengaged to being actively involved. Almost a month in which trust in Irish Water was damaged by inconsistent and incomplete communication. Almost a month for the tip of the iceberg (the Data Protection notice) to begin to be hammered into shape, but clarifications are still required and communication still needs to improve.

    Privacy by Design thinking applied to the life cycle of information (which includes “PLANNING”) could have helped avoid a lot of this. One of the key points of Privacy by Design is it puts the customer at the centre of focus. It also puts Privacy at the Design stage in any initiative… and a month spent in design and in ensuring clarity of process, consistency of communication, and transparency of Data Protection Notice would have been a month well spent by Irish Water.

    [I’m speaking on Data Protection, Data Governance, and Privacy by Design at EDBI in London next month and at IGQIE2014 in Dublin on the 7th of November. Tickets are still available for IGQIE2014 and discounted student rates are available for the morning session.]

  • For Feck’s Sake Irish Water, I’ve got a day job…

    Stopped to take a breather for lunch. Saw this from TJ McIntyre (a man who knows his onions when it comes to Data Protection and Privacy).

    I’ve covered off the issues with the marketing consents for Irish Water on my company site.  The total confusion here effectively makes any implied or explicit consent for marketing open to challenge on the grounds that it was not unambiguous. Irish Water need to step up, stop faffing around, and fix this. It is a total disaster and it is getting in the way of me doing my real job. Also, the consent Irish Water are relying on isn’t Opt-In, its Opt-out.

    I’m not against Water Charges, I’m against what I see as an inevitable waste of 10%-35% of turnover in Irish Water due to poor data quality management, leading to manual work arounds and scrap and rework, and I’m against approaches to obtaining and processing personal data that frankly seem to be oblivious to the national and EU legislation that should be governing that processing.

    I’m against €82.4 million being spent on consultants who don’t seem to know how to approach this kind of project correctly given the gaping issues that exist in a data management context. And I’m against me having to be the paramilitary wing of the Data Protection Commissioner’s office asking key questions in public the day before it all kicks off that should have been addressed in private months ago during the design phase. And I’m against any absence of accountability or stewardship over critical data. That just irks me.

    I’ve got a day job and clients to serve. conferences to prepare keynote presentations and tutorials for, and a conference of my own to run. The mental exercise of analysing Irish Water was fun, but frankly it’s like shooting fish in an over-engineered under-designed barrel at this point.

    So, for all the Irish Water people reading this:

    1. Please come to IGQIE2014 in November. You will learn something you really need to know
    2. Ask you boss if you can hire my company to help you figure this stuff out. We’re pretty good at it. And we’ve got friends who are good at the bits we’re not good on. We will be a rounding error on €82.4 million.
    3. Please try to stop screwing up on your data management and data protection issues quite so publicly because when people ask me about a think I’m wired to look at it and figure it out. They find me on twitter and look to me for answers, and I feel obliged to try to help explain because you are doing such a crappy job of it. This stuff made me trend for Ireland. I hate trending for Ireland.

  • Reposted: Irish Water, the letter from the DPC, and what it all means

    [On the 24th September I posted this. I’ve updated it to insert relevant updates in other posts in context]

    This evening the Data Protection Commissioner has contacted Irish Water in relation to their processing of personal data. Deputy Roisin Shorthall TD has published a response from the Commissioner’s office on her website to questions she has raised. The response reads as outlined below. I’ve annotated it with an explanation of the key issues raised. Key sentences are highlighted:

    Dear Deputy Shortall,

    I have been asked by the Commissioner Helen Dixon to respond to you on her behalf.

    Thank you for your query in relation to concerns you are hearing about Irish Water’s proposed collection and use of personal data. This Office is concerned to ensure there is clarity on these matters for the 2.2 million prospective customers of Irish Water. Clearly, the obligations under the Data Protection Acts in this regard fall directly on Irish Water as the Data Controller in terms of ensuring they are collecting data in a lawful way and using it for a legitimate stated purpose which they make clear to users of their service. Notwithstanding the obligation on Irish Water, this Office is in on-going contact with them in an effort to ensure they take on board our best-practice advice in this regard.

    [This paragraph confirms that Irish Water is the Data Controller and is subject to the Data Protection Acts.

    One of the fundamental principles of Data Protection under the Acts and the EU Directive is that data should be processed for a specified and lawful purpose. There is a requirement on Data Controllers to be clear with people about what uses their data will be put to. It is Irish Water’s job to make sure that that clarity is there.

    “The DPC is in on-going contact in an effort to ensure they take on board our best-practice advice” basically means that Irish Water has not done things the DPC might have expected and they are engaging with them to try and fix the situation. Under the Data Protection Acts the DPC must always seek an amicable resolution in the first instance. That usually involves a lot of “on-going contact” with organisations that have not quite got what is required of them.

    If the DPC is in “on-going contact” with you to give “best practice advice” you are NOT compliant, you are engaged in an amicable resolution process with the DPC. The only distinction is that the DPC has not yet made a decision that you are not compliant. If an Enforcement Notice issues at all in this instance it will be interesting to see what happens.

    Update: Today I posted this which looked at the apparent lack of a “signed off” movers/leavers process for when people change address and the data protection and operational implications. That is basic utility billing stuff, and is also a basic requirement under the Data Protection Acts – at least to have the mechanism by which changes to data can be made in the course of a customer life cycle.]

    The collection of the PPSN for use by Irish Water in verifying occupants of a household is provided for in legislation. We are satisfied from this Office’s interactions with Irish Water that it is intended to use the PPSN for the sole purpose of confirming the qualification for a free water allowance of occupants of the household (including children) and in line with conditions set down for its use by the Department of Social Protection. However, we are in agreement that the Data Protection Notice published does not currently give sufficient clarity and detail in this regard and we are corresponding with Irish Water and providing our views on this.

    [This paragraph confirms that there is a statutory basis for Irish Water to ask for PPSNs. It sets out that Irish Water has told the DPC that the SOLE purpose for processing PPSN is to confirm the qualification for free water allowances.

    The bit in bold is interesting. The DPC are “giving their views” on the clarity of the Data Protection notice (which is also referred to as a “fair processing notice” in Data Protection-speak) because they are of the view that the notice as published doesn’t give sufficient clarity. Not having sufficient clarity means that the Data Protection notice fails a basic test: that of being specific as to the purpose or purposes of processing. That is a breach of the Data Protection Acts, but is not, in and of itself an offence under the Acts for a host of technical reasons that hurt my head to explain.

    Again, if the DPC is contacting you to “provide views” on something, you are not compliant. The DPC does not tend to write letters telling you you’re brilliant and should have a gold star. Correspondence providing views is part of the investigation/amicable resolution process that the DPC is required under the Acts to follow. If an organisation is compliant the DPC wastes neither stamp, nor electron, nor oxygen molecule engaging in “correspondence” – the exception being where an organisation is audited or investigated and good practices are found to be in place. In that case you might get a mention in the Annual Report.

    I suspect Irish Water may get a mention but not for the right reasons.

    Also, the DPC does not specifically mention the question of the retention period or purposes for retention of PPSNs. I would assume that that topic would form part of the discussion as, if there is no purpose beyond the initial validation of allowances there is no lawful purpose for Irish Water to retain PPSNs.

    Again, the issue of clarity was the very topic I picked up on when I wrote my first blog post about the Data Protection Notice 18 days ago. It’s reassuring to see that the Data Protection Commissioner shares the concerns I raised.

    Update: I wrote this this morning following an Irish Times report that Irish Water would use PPSN as part of debt collection. This is not a stated purpose, and is not the “sole purpose” that the DPC had recognised and approved of.  It appears Irish Water are unclear internally about things that the Regulator believes they are clear about]

    The issue of disclosure of personal data to third parties inevitably arises in the case of Irish Water where they are already using contractors to fit water metres and for other outsourced functions. This Office has asked Irish Water to be transparent in terms of making clear the categories of the data processors to whom they are providing the data and for what purpose and to provide contact details in the event that a customer wishes to raise a data protection concern. We are currently following up with Irish Water on this matter.

    [Again, the question of clarity and transparency raises its head here. The Office of the Data Protection Commissioner correctly recognises that there are times when the use of third parties to do things for a company. Contractors are the third party in question. Third parties, doing work for Irish Water, under contract. These are known as Data Processors.

    The DPC here is requiring Irish Water to be transparent about the CATEGORIES of data processor they will disclose data to, for what purpose, and to give contact details if there is a Data Protection concern. Normally, the Data Controller is the entity concerns are raised to and they use their contract (for the love of spuds let Irish Water have proper data processor agreements in place) to address the issue with the Data Processor via a right of audit or inspection (as is actually required under the Data Protection Acts). If the DPC is now requiring contact details to be provided for Data Processors as well, I can’t see how that fits with only identifying categories, but would be happy to help figure it out. 

    Interestingly, the DPC seems to be going beyond what I’d included in my mockup “alternative universe” version of the Data Protection Notice. I’ll be taking note of that and advising clients accordingly.

    Also, the requirement to specify “categories” of recipients of data differs slightly but significantly from their Direct Marketing guidance in relation to providing marketing lists to or conducting marketing on behalf of third parties, which currently requires the SPECIFIC organisations data will be shared with to be disclosed at the time of data capture. If that requirement was intended to be specific categories as well, it makes a lot more sense and the current wording needs to be revisited to correct what appears might be a transcription error.

    Again, the DPC is “following up with Irish Water on this matter”. An organisation that is compliant with the requirements of the Acts does not require the DPC to “follow up”, and yet again the DPC is following up on issues of transparency, clarity, communication, and (in essence) customer focus.All of which were issues that I raised nearly 3 weeks ago.]

    Equally, Irish Water as part of their business model may use outsourced service providers outside of the EEA. We are not aware that this is currently part of their actual business plan but it would appear to be the case that they wish to ensure this eventuality is covered in their Data Protection Notice. Again, we have asked them to be more explicitly clear in the notice in relation to how they would protect the data and to identifywhere possible what type of data and for what purpose a transfer would occur.

    [This paragraph means that the DPC agrees that the use of outsourced data processors outside the EEA is something Irish Water MAY do in the future. This is very common. High street supermarkets use software development teams in India, telephone companies use database administrators in other countries, many SMEs use tools and technologies that have their data sitting outside the EEA. It’s a common thing. Irish Water include it in their Data Protection notice as a future proofing element.

    I note with interest that the DPC is asking for Irish Water to more explicitly state what type of data and for what purpose the data would be transferred outside the EEA. This is essentially the same question I asked in my original blog post when I wrote;

    Question: Is Irish Water planning to outsource call centre operations to India? Also: What countries are they intending to transfer data to, and under what controls?”

    The DPC’s request for Irish Water to provide more information about how they would protect the data is essentially the same as my query about “under what controls”.

    Again, if the DPC is asking you to be more explicit in how you are communicating things, then that means you are not compliant and are in the “amicable resolution zone” where the DPC talks gently to you to encourage more compliant behaviours. That’s a good thing if it is happening during planning and design of a system or process, but is a horrendously bad thing to have happen when you are up and running with your processing. At any point the gentle communication could develop teeth and you might be instructed to do something by way of an enforcement notice. The DPC is empowered to block any data transfer outside the EEA using a Prohibition Order under Section 11 of the Data Protection Acts.]

    I hope this information is of use to you. We do understand the urgency of the matter in light of the obligation on customers to return application forms to Irish Water and we are communicating our views in relation to this urgency to Irish Water.

    Yours sincerely, John O’Dwyer Deputy Data Protection Commissioner

    The DPC does not address in this communication the question of whether Irish Water’s approach to marketing consents is valid (I believe it is not). I’d expect that correspondence is on-going in relation to that aspect at the moment as well. And while Irish Water may wish to insist they are compliant in that regard, I beg to differ.

    I suspect this particular well has not yet run dry.

  • Accurate and Up-to-date – Irish Water and changing data

    So, via Twitter I’ve learned that Irish Water don’t have a process defined yet for people moving house. Well, they have one defined but its “not signed off on yet”. This is a pretty basic process that exists in all utilities, satellite TV companies, and fixed line phone companies. Its the one you rely on to ensure that the bills are correct at the point of hand over.

    Given that Irish Water are billing quarterly, that means that people are inevitably moving in or out of a property during a billing period. This will lead to what is known as “broken period billing” in utilities. When I worked in telco, it was the handling of these scenarios that gave rise most often to billing errors, particularly where the broken period for billing crossed a VAT period or where the preparation of a final bill involved the calculation of and application of credits on final bills etc.

    This is tricky stuff, which is why it is good they are taking their time about it. However, if true, the absence of such a process or procedure NOW means that:

    1. Irish Water is in breach of the Data Protection Acts which requires Data Controllers to keep data “accurate and up to date” , at least accurate enough and up to date enough for their purposes. Having the wrong name associated as bill payer on a property is inaccurate for their purposes. They don’t need to ensure accuracy per se, but they need to have a defined process where by changes to data can be made. That’s the kernel of the obligation in the DPA and, let’s not forget it, a fundamental right under EU law under Article 8 of the Charter on Fundamental Rights.
    2. Bills will inevitably be sent to the wrong people, potentially in the the wrong amounts, which will potentially affect collections processes.

    It looks more and more like the data design here and attention to data changes in customer life cycle is appallingly bad. I do hope that the tweeter got the wrong end of the stick when they were talking to Irish Water, but my optimism is rapidly going down the outflow pipe.

    This stuff is really, really basic. However it means having to think about your data as more than just “stuff that lives in the database” and treat it as an asset that is subject to certain fundamental governance requirements.

    We’ll be touching on a lot of these topics at IGQIE2014 on the 7th of November, and I’m teaching about it at conferences in Belgium and the UK in the mean time. I was struggling for examples….

  • Irish Water and PPSN data

    This morning the Irish Times has a story about Irish Water, landlords, tenants, and PPSNs

    The article tells us that:

    Bills are to be issued quarterly, but as Irish Water will have the tenant’s PPS number, the utility firm will be able to pursue the tenant for any arrears and even apply any arrears to new accounts, when the tenant moves to a new address.

    What this tells me as a data geek is:

    1. Irish Water has a purpose for PPSN data that goes beyond the purpose agreed with the DPC (the validation of allowances)
    2. They are using PPSN as a primary key to identify people linked to properties (which goes beyond the “validation of allowances” purpose agreed with the DPC)
    3. Irish Water have some mechanism to identify tenants versus landlords, otherwise they are retaining ALL PPSN details for a period of at least six years. (It may be the PRTB data they have access to under S26 of the Water Services Act 2013).
    4. The retention period for PPSN is likely to be 6 years from the date of the final bill issued, but only where there are arrears on the account. Therefore, retention will be a rolling period for PPSN as bills are issued. It will only crystallise at 6 years once a final bill issues.
    5. The tenant who fills out the Irish Water application will be responsible for any arrears, even if they only wash every second week while their flatmates operate a water park in the kitchen.
    6. Irish Water haven’t modeled scenarios correctly as not every tenant in a rented property will be registered on the Application form… only one. I refer back to point number 5.

    Let’s just remind ourselves of what Irish Water told the Data Protection Commissioner they were going to use PPSN data for. The quote below is from a letter sent by the Acting Data Protection Commissioner to Roisin Shorthall TD that I blogged about last week.

    The collection of the PPSN for use by Irish Water in verifying occupants of a household is provided for in legislation. We are satisfied from this Office’s interactions with Irish Water that it is intended to use the PPSN for the sole purpose of confirming the qualification for a free water allowance of occupants of the household (including children) and in line with conditions set down for its use by the Department of Social Protection. However, we are in agreement that the Data Protection Notice published does not currently give sufficient clarity and detail in this regard and we are corresponding with Irish Water and providing our views on this.

    I’ve highlighted the relevant sentence. And the crucial word. So any use of or retention of PPSN for purposes other than validating allowances is potentially a breach of the Data Protection Acts. Full Stop. End of story. Move along.

    [It also means that they can’t validate the rest of the data – only the entitlement. So they can verify that the PPSN of Joe Blow is valid, and that the PPSN data provided for Joe’s 623 children is valid and that those 623 children exist and are resident in the jurisdiction. No more. So they cannot legally “enrich” their data from the DSP’s data sets (despite what some people are stating might be the case). Of course, this is a perfect reason why the Water Allowance for Children, which is payable only to children in receipt of Child Benefit, would have been better paid as an allowance from the DSP, as I’ve blogged about already.]

    Are Irish Water making this up as they go along ?  If so, this crisis of communication around a critical issue of Regulatory compliance could be a lot worse under the surface. For example, has Irish Water modeled their data and processes to allow for customer life events (births, deaths, marriages, divorces, people moving in, people moving out)? Not doing that will lead to data quality and data protection headaches down the line. If those scenarios are not catered for in their processes, bills will be wrong. Designing for Privacy means considering data and its processing, which means you being to look at how the organisation knows or can know important facts about things it needs to know. Lurching around like a drunken uncle at a country wedding does not suggest good design for processes, data, or privacy.

    At an upcoming conference on the 7th of November I’ll be talking about Data Protection, Data Governance, and Privacy by Design. The other delegates include some of the world’s leading experts on Data Governance, Information Strategy, and Data Quality. It’s a pretty darn good conference.

    Irish Water might want to send some people so they can learn from the other delegates and I about Data Protection, Data Modelling, and Data Governance.

    [Update: This status update has appeared via the @IrishWater twitter account which seems to suggest the Irish Times had it wrong:

    Because Irish Water can’t be wrong can they? Left hand needs to communicate with right hand and then talk to their customers!]

  • Irish Water – A Data Architecture thought noodle [Updated]

    [preamble: This is a thought noodle. It’s not a solution. It just sets out possible options for an alternative approach. I fully expect issues and wrinkles to be pointed out. ]

    There has been a lot of discussion about the legality of Irish Water’s use of PPS Numbers. It is correct to say that Irish Water has a legal basis f or requesting PPS Numbers under the Social Welfare & Pensions Act 2014. The Water Services Act 2013 also gives them the power to request data from the Revenue Commissioners and the Department of Social Protection (amongst others).

    So, there is a legal basis for obtaining data. However, the Data Protection Acts require that the data being processed by a Data Controller be adequate, relevant and not excessive to the purpose for which it is being obtained.  Article 8 of the EU Charter of Human Rights also requires that processing be proportionate, a point that was stressed by the CJEU in the Digital Rights Ireland Data Retention case.

    <update>Also, as Fred Logue points out:

    </update>

    So… is it proportionate for Irish Water to be processing PPSNs, notwithstanding the legal basis that might exist permitting it? When working with clients designing data processes, I try to encourage avoidance of excessive processing of data by looking at whether existing functions can be repurposed to minimise the number of hands data must flow through. Thinking “lean” is important. Looking at this from a Data Architecture perspective, we must first look at the purposes. There are two.

    1.  To verify entitlement to a household water credit
    2. To verify and validate child water allowances.

    Next, we need to see if there are any similar functions currently operating in the State that might provide either a model to replicate or a function that can be extended to deliver these objectives. 

    Household Water Credit

    Prior to 2012, households were entitled to claim a tax credit for domestic waste services from Revenue. Each household applied and the credit was applied as an income tax benefit. PPSN information was not shared with local authorities or private bin collectors to implement the tax credit. Policing the credit was simply a matter of using existing Revenue powers to seek information into Revenue for audit purposes. While the system was retired in 2012, old code doesn’t die, it just gets commented out. Reintroducing this mechanism for the Household Water Credit likely have been simple and cost effective as the basic structures for implementing it had already been developed and worked. They were just mothballed. Therefore: in determining the proportionality of allowing a private company access to 4 million PPS numbers, did anyone examine the feasibility of reusing an existing system that would not require data to be shared outside of an organisation that already processes PPSNs? Did anyone consider reusing/recycling this processing?

    The Children’s Water Allowance

    Irish Water tell us that they need to have PPS numbers of children to confirm their eligibility for a water allowance.  There is an allowance. For children. A children’s allowance if you will. A benefit for children. That must only be given to children who are in receipt of Child Benefit…. So why not just either add the allowance for water to the existing Child Benefit payment, or clone the Child Benefit processing in the DSP to deliver the Child Water Allowance? This would have avoided the need to request PPS numbers of children, a sensitive matter for many. No data would be processed outside the existing state agency that deals with Child Benefit and the PPSN data of children. <update>Another tweeter raised the question of non-resident recipients of Child Benefit.

    This does not invalidate the approach outlined above. It simply adds a business rule to the data queries necessary to run the process. When working with clients on projects this kind of thing crops up a lot.  It’s one of the many reasons why, after half a life time doing this ‘data thing’ I advocate organisations invest in PLANNING and design for data before jumping into building databases.

    Dermot Casey nailed the necessary business rule in “code speak”

    Translating that for humans: “IF a child has a PPSN AND is resident in Ireland THEN assign credit ELSE don’t assign credit”.

    Of course, this assumes that the DSP has a data field that identifies if the country of residence is Ireland or not (and if they don’t then I would have to ask how any statistics about how many non-resident children are in receipt of Child Benefit are calculated).

    </update>

    Value For Money?

    Given the set up costs of Irish Water, one must ask as well whether reusing/recycling or repurposing existing systems and processes to the objective of having credits and allowances might have resulted in a net saving to the exchequer, particularly in difficult economic conditions.

    I cannot answer that and would suggest that is a question the C&AG should consider asking. However, from a Data Protection perspective, it would have resulted in a zero fuss outcome – “State Agencies process data the way they always have to ensure credits and benefits are applied appropriately – SHOCK!!” is not an attention grabbing headline. A private company that is processing PPSN and other personal data but is unable to give clear answers about the nature and scope of that processing IS a headline or dozen.

    The Importance of the Information Asset Life Cycle

    When I teach Data Governance or Information Quality or when I engage on consulting projects, I always introduce the POSMAD lifecycle of information. POSMAD is a standard model for any asset management consisting of six steps.

    • Plan
    • Obtain
    • Store and Share
    • Maintain
    • Apply
    • Dispose

    Part of “Plan” from a Data Protection perspective is asking “Is there a less invasive/less privacy risky way of doing this?”, and from a ‘return on investment’ perspective it requires us to assess if the way we are proposing to do something is the best. Working through this life cycle allows organisations to apply “Privacy by Design” thinking earlier in the lifecycle of the data.

    It appears Irish Water jumped straight to the “Obtain” phase because they had legislation that allowed them to do it, but nobody gave consideration to the PLAN stage. This is a function of effective Data Governance in an organisation and I would hope that the Government learns a valuable lesson from this as they formulate their Data Sharing and Governance Bill over the coming months.

More posts