Author: Daragh

  • The EU Data Protection Regulation

    This post was originally published on the ICS Data Protection Blog. It is republished here as it is my original work and I am putting my Data Protection musings in one place.

    Earlier this month we saw the leaking of a late draft of the forthcoming EU Data Protection Regulation.  Yes. That’s right. Regulation. In other words direct effect, standardised legal framework across Europe, less wriggle room at local level, and no waffling and stalling by national parliaments as they butcher a Directive into national law.

    The full final text is expected in January, with a 2 year implementation window being mooted.

    Among the criticisms I’ve seen levelled at the Regulation is that it is “longer than the Directive it will replace”. Yes. It is. But that’s because it has had to do more than just replace the existing Directive it has had to:

    • Update the Directive with new concepts such as the “Right to be Forgotten” and increased duties of transparency
    • Introduce new penalty structures (which were previously the preserve of the national enabling legislation that transposed the Directive) such as the 5% of Global turnover penalty for breaches of the legislation.
    • Define new governance structures for Data Protection in Europe at the EU level and between countries.
    • Imposes sanctions on Data Processors who act beyond the terms of their processor agreement (currently the only sanction is for the Controller to sue in Contract law, assuming a contract exists).
    • Adapt the existing regulations and governance models to things like Social Networking, Cloud computing and mobile devices.
    • Figure out how to deal with extra-EU entities selling into the Internal Market (easy.. they will have to comply with our rules now).

    Buried among the new changes was one aspect that jumped out at me was the introduction of lower value “administrative” financial penalties for smaller incidents of breaches of the legislation. I for one hope that that proposal makes it into the final draft of the Regulation as it would provide a tiered approach to penalties and put something tangible between the “softly softly encourage compliance” and “hit Controller with full prosecution”

    Another reason why I’d be interested to see this make into the final Regulation can be found in this post here (in which I argue in favour of just this form of small scale fines based system)

    (Yes folks, you read it on this blog first).

  • It’s Data and Contracts all the Way Down!

    The Tallaght Hospital story is a salutatory tale of what can go wrong when engaging third parties to perform any service for your organisation.

    Left to their own devices and absent any control or governance framework that can verify that what is to be done has been done (in its entirety) and has been done in keeping with the requisite standards under the agreement outsourcers may deviate from task, get creative, or just get down right sloppy and careless.

    When the outsourcing relationship consists of a chain of parties (an Irish entity, a UK entity, entities in 3rd countries) then things become even more complicated.

    The Data Protection Acts require that Data Controllers put in place a contract in writing with Data Processors. This contract should, at a minimum, include specifications as to the security standards and protocols that should be in place. Ideally it should also grant the Data Controller a right of audit and inspection of those standards.

    Things get really interesting when you bring multiple processors into the mix because the Data Controller continues to carry responsibility through the chain of contracts (or absence of contractual chain).

    The Data Controller has to be able to look through the layers of contract and see the Data Processor at the end and be sure that they are acting in a manner that is consistent with the requirement of the parent agreement between them and Processor 1.

    And if the data is moving around jurisdictions (such as out of the EEA) this becomes even more critical.

    So. When you are engaging a chain of data processors to do things on your behalf, it is important to remember that it is turtles all the way down. And if not turtles than at least Processors, contracts, and data.

  • Turd Polishing

    In the course of a twitter conversation with Jim Harris I used the phrase “turd polishing” to describe what happens when organisations try to implement check-box based data governance or Compliance programmes, or invest in business intelligence or analytics strategies without

    • fixing the data which under pins those strategies
    • addressing the organisational cultural and structural issues which have lead to the problem in the first place.
    I have witnessed this happening with organisations who, for example, decide that investing in e-learning with a “learning kpi” (x% of staff having reached y% pass mark on an multiple choice exam with a 1 in 4 chance of guessing the right answer) is their approach to evidencing culture change and the embedding of learning.
    Of course, this fails miserably when
    • The cultural message is that data job isn’t as important as the Day Job
    • The management practice is to game the system (why take all your staff off the phones to do the learning when you have one person on the team who knows it who can do the exams for everyone with their logins?)
    • Management look only at the easy numbers (the easily gathered test scores at the end of an assessment period).
    • If management seek to rule by fear or quota (“hit these numbers and those numbers or else….”)
    If management seek to overlay a veneer of good governance on an unaligned/misaligned  and otherwise outright broken Quality Culture that doesn’t seek to value or maximise the value of their Information are engaging in little more than Turd Polishing. Turd Polishing can be seen in organisations that value Scrap and Rework over re-engineering as a way to address their quality goals. Turd Polishing can be seen in organisations that fudge reports to Regulators or announce “reviews” of issues that everyone has already identified the root causes of around the water coolers and coffee jugs.
    No amount of elbow grease and turd polish will change the underlying essence of what is being done. Nothing will improve, but increasing amounts of polish will be required to dress up the turd as a sustainable change programme.
    The alternative is to call a turd a turd but work with it to bring out the special properties of manure that can help promote growth and give rise to sweet smelling flowers. That requires spade work and patience to bring about the change of state from turd to engine of growth. But no polishing is required.
    In summary – turd polishing gives you a shiny turd that is still a turd. Digging into the manure can lead to you coming up roses.
  • Information Quality Change – the Doctor Who effect

    I’m a big science fiction fan. I make no apologies about this fact. One of my favourite science fiction characters is The Doctor, the lead character in the

    The 9th Doctor outside his Tardis
    The 9th Doctor

    BBC’s iconic series of the same name. In a genre that often falls for the easy charms of technology to drive a story, The Doctor (a 930 year old, two-hearted time travelling Time Lord from the Planet Gallifrey) invariably highlights and thrives on the Human Factor – the innate potential, ingenuity and power of the human beings (a lesser species) who he befriends, protects, and travels with.

    Over the years I’ve tried to adopt and adapt some of the principles of The Doctor’s approach to leading Information Quality and Governance change projects:

    There is nothing that can’t be solved by confectionery

    The good Doctor in a number of his incarnations (4th, 6th, 7th, and 8th as memory serves)  was renowned for, in moments of high tension, proffering some confectioneries (specifically Jelly Babies) to help lighten the mood and distract thought. They were an incredible tool that enabled him to befriend others and buy time to develop cunning plans. Doctor Who Jelly Babies (video montage)

    The key lesson is that it is often useful to have a “quirky” way to break down barriers and get conversations going. The Doctor has Jelly Babies. I’ve used various props. Kathy Hunter of DQM Group made extensive use of home baked cakes and biscuits when she was in a previous role to help open conversations.

    It’s Bigger on the Inside

    The Doctor’s space ship/time machine is a Blue Box. It is a Blue Box because the advanced circuitry that let it change appearance to blend in in different timelines got stuck on “Blue Box” on a trip to London around 1963 (the year the series was first broadcast). The thing about the Blue Box is that it is “bigger on the inside”, a fact that The various companions’s to The Doctor remark on whenever they enter the Blue Box for the first time. Bigger on the Inside (Youtube) . Invariably, The Doctor takes the surprise in his stride, often forgetting how big a shot it is to people when they see the size of his Blue Box for the first time.

    The Doctor’s Blue Box is called the TARDIS, which stands for Time and Relative Dimensions in Space. By being able to engineer time and space The Doctor’s race, the Time Lords could build infintely large space craft that could fit into a small space (like the back of a props van on a TV show).

    What’s the parallel with Information Quality? Well, those of us who have worked in Information Quality often forget that it is a discipline that is very much “bigger on the inside”. When people look at Information Quality from the outside, they might be forgiven for thinking that it has the general dimensions of a Blue Box (so to speak) and it is only when they venture inside that they realise there’s more to it than meets the eye. If your perception of IQM is that it is Data Profiling and some Cleansing, it can be quite a shock when you uncover the Change Management challenges, the human psychology issues, and the legal and regulatory issues that can affect Information Quality strategies.

    Often we hard-core practitioners take it for granted that its is bigger on the inside, because we’re on the inside looking out.

    People First, Technology Second

    Quite apart from the long running love affair The Doctor has had with the Human Race, every adventure winds up with The Doctor being outrageously brilliant as a Time Lord, but more importantly inspiring and encouraging brilliance in his Companions and others around him. Whether it is calling in favours from old enemies (in return for some jelly babies perhaps) or rallying demoralised troops in the face of battle or unnatural enemies, The Doctor puts people first, often appearing willing to sacrifice himself to protect others.

    Technology is applied in innovative and outlandish ways to meet the objective of protecting people. Even The Doctor’s trusted sonic screwdriver is not used as a tool in its own right but as a means of enabling things to happen and for information to be gathered to support decision making.

    From an information quality management point of view it is important that we remember this lesson – the technology should not dictate the solution and, ultimately, it is people who are the brilliant and innovative sources of solutions to problems. A Data Profiler will tell you that the data looks broken. A human being will figure out the best solution (new business rule, new tools etc).

    In short, to paraphrase The Doctor: “People are FANTASTIC!!”

    Conclusion

    I’m very much of the view that we can learn a lot from arts and literature about ourselves and who we can aim to be in how we approach things. Science fiction TV programmes are no different to the works of Shakespeare in this regard. Perhaps we can achieve more sustainable successes in our Information Quality travels by learning some lessons from The Doctor:

    1. Everybody likes Jelly babies – (what is your equivalent?)
    2. Not everyone can see that this is actually Bigger on the Inside… and when they step into the world of Information Quality it can be a bit of a shock to the system.
    3. Technology doesn’t fix things. People fix things, occasionally using technology to get there. Remember that people are FANTASTIC!!
  • The missing link in Compliance and Governance

    Over the years I’ve done a lot of work in the area of Regulatory Compliance and Information Quality. Whether it is Data Protection, Information Quality, Governance or Compliance, it is important to bear in mind that what we are dealing with a Quality Management System:

    • Data Protection Compliance is the Quality System where by the obligations and expectations which arise under Data Protection/Privacy laws are met consistently
    • Information Quality programmes involve, by definition, the implementation of a Quality Management System
    • Information/Data Governance… well, that’s another form of Quality Management System
    • Complying with other forms of industry or Governmental regulation… well, the best way to achieve those objectives is through some form of systemic approach to meeting or exceeding expectations.

    In my experience Compliance and Governance initiatives and strategies tend to fall into three camps:

    1. Documentation Driven by “Rules Wizards”, with extensive policy and procedure documentation, usually from the comfort of an Ivory Tower in the Business that is comfortably removed from GEMBA
    2. Technology Triggered by “Techno-Lords”, usually from within the bowels of the organisation’s IT department, which is also often at a distance from the place where the work is actually getting done.
    3. Awareness and Attitude Oriented: Driven by a “Coalition of the Willing”, with a focus on policy that is actually executed through the appropriate use of supporting technologies and a strong focus on the “Human Factors” that lead to awareness and understanding of the required changes.

    Often it is difficult to see which kind of initiative you are dealing with. In organisations that have a “Document Driven” approach, management take comfort in the fact that they have documented procedures and policies for everything therefore everything is in control. In “Technology Triggered” initiatives, the management of the organisation places a blind faith in the power of technology to protect, prevent, detect, and mitigate issues.

    Both approaches are doomed to failure. Neither, no matter how sophisticated, can ever deliver anything other than “small ‘c’” compliance. Because Quality Systems are about more than just documentation or technology. Real quality requires a sustainable change in attitudes and awareness. After all, Deming’s 1st two points of Management Transformation are not “Write documents” or “Get good technology”: They is “Create a Constancy of Purpose” and “Adopt the New Philosophy”.

    Purpose and Philosophy require that the organisation look at the attitudes that are there. It is as important to understand and articulate a Vision for the Quality System… and to make sure that that Vision is embedded in the mind-sets and attitudes of the staff in the organisation.

    At a conference in London in 2005 Joyce Orsini of Fordham University shared a story with me of a trip W.Edwards Deming (she was working with Deming at the time) took to an automobile manufacturer in the US in the mid 1980s. On this trip the plant manager took great pride in showing off the robots (technology) that they were using to manufacture the cars. Deming noticed that every time the robot arm swung over the car it dented the boot (trunk) lid of the car. He asked if this was part of the Quality Standard (Policies). The Plant Manager said no, it wasn’t, but they had a man at the end of the production line with a hammer to knock the dent back out.

    A lack of awareness about the operation and objectives of the Quality System and what it meant as a value system meant that no-one in the plant seems to have questioned the operation of the Quality System.

    Without Awareness and Attitude the investment in Documentation and Technology that form part of the Quality System will ultimately have sub-optimal return.

  • Expelling the Papal Nuncio

    A few days ago my friend Simon asked me to jump in and give him a hand admining a Facebook group he first set up in 2009 in response to some of the reports that had been published into clerical sexual abuse in Ireland. These reports highlighted a catalogue of blocking, interference, and general institutionalised non-cooperation with investigations by the State authorities.

    The recent publication of the Cloyne Report highlighted still further that there was a clear policy of non-cooperation and basic lip service being paid to child protection standards within many areas of the Irish Roman Catholic church, at the initiation of, with the support of, and with the backing of the Vatican State’s senior diplomat to Ireland, the Papal Nuncio. That this culture has spanned the tenure of multiple holders of the post over the past number of years (Guiseppe Lazzarotto [Nuncio from 2000 to 2007] blocked cooperation with inquiries on the grounds that ‘diplomatic channels had not been used’, Luciano Storero [Nuncio from 1995 to 2000] warned Bishops against implementing measures requiring mandatory reporting of child abuse) speaks to an institutional failure on the part of the diplomatic representatives of a foreign state to respect the laws of the Irish State and co-operate with enquiries into horrific cases of systemic and systematic abuse.

    And that is why I was only too happy to help Simon out. It’s not that I am anti-religion, anti-church, anti-priest, or anti-catholic. Those who know me well know my personal beliefs. I don’t feel it is relevant to share them here, because in parallel with my personal religious and philosophical beliefs I have a very strong belief that international relations between States must be grounded on trust, or at least respect. I do not believe it is acceptable for a diplomatic representative to place themselves above or outside the law of this State without there being clear consequences for the office holder and the office itself.

    Had the Danish Ambassador conspired systemically to block investigations into the alleged criminal activities of Danish citizens I’d be calling for him to be expelled as well.

    The fact that the Papal Nuncio holds a special senior position in the Diplomatic Corps in Ireland is doubly troubling to me. The Nuncio is the Dean of the Diplomatic Corps, effectively feted as the most senior diplomat on the Ferro Rocher circuit. And all while the office of the Nuncio has, for over two decades, facilitated the breaking of Irish laws and conspired to block and frustrate investigations of those alleged offences.

    So. What I’m asking the Irish Government to do is to take action to remove the special standing of the Papal Nuncio immediately. They should then take the necessary steps to expel the Ambassador from the Vatican City State (the legal entity not the religious body).

    Finally, the Irish Government should also withdraw the invitation to the Pope to visit. Bluntly, we can’t afford it as the return on investment compared to other State visits from countries with diplomatic representation here simply isn’t there. When the Pope visited the UK it cost over GBP12 million (EURO14 million) before the policing costs were factored in. The combined visits of Obama and the Queen came to around €30 million in total.

    The United States as a population of over 300 million people. Fair enough only around 15% of them have passports, but that’s still a potential pool of 45 million travellers who might stop off in Ireland on their vacations. The UK has around 62 million people sitting a 1hr Ryanair flight away from us. So, the potential pool of possible tourists who can come from the UK and US as a result of the State visits in May is around 100 million people. So, it would have cost us €0.30 per head to target that population.

    The Vatican has a population of 826 people (source: CIA Factbook). Spending €12million on securing the Pope’s visit would cost us €14528 per capita to sell Ireland as a tourist destination to the population of the Vatican. Even if it cost us a quarter of what was spent on the UK visit, we’d still be spending over €3,000 per potential traveller to sell into a market that I’m sure Failte Ireland are already reaching through their advertising spend in Italy.

  • Mobile phone hacking and the e-Privacy Regulations

    The recent furore about the News of the World and other tabloids engaging in unauthorised access voicemails I thought it might be worth pondering the potential Irish legal situation. Now, I’m not a lawyer. This post is intended to work through some of the relevant legislation and the potential issues that might arise in Irish law. It is not legal advice. I fully expect members of the Irish legal blogging community to leap in and make comments and corrections as needed.

    The law

    There are a few pieces of legislation in Ireland that would come into play here:

    1. The Data Protection Acts 1988 and 2003
    2. The Criminal Damage Act 1991
    3. The Criminal Justice (Theft and Fraud Offences) Act 2001
    4. The Postal and Telecommunications Services Act 1983
    5. Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993
    6. The ePrivacy Regulations 2011 (http://www.dataprotection.ie/documents/legal/SI336of2011.pdf)

    The Data Protection Acts

    The Data Protection Acts require that personal data be obtained and processed fairly.

    Journalistic exemptions to this and other provisions of the Acts exist under s22A, but only insofar as there is an actual intent to publish a story or other work based on the information which has been obtained. So… if a journalist and/or a private eye in the pay of a newspaper were to obtain personal information about Celebrity A on foot of a fishing trip through the voicemails of celebrities A through F when there was no intent to publish a story about Celebrity A until such time as the information was obtained, then the journalist might not be able to rely on their exemptions under the Acts. The protection of the right to Freedom of Expression is only protected where there is an intent to actually express something, and if the publication of that story is in the Public Interest (which is a thorny topic I won’t delve into here).

    Criminal Damages Act 1991 and Criminal Justice (Theft & Fraud Offences) Act 2001

    Journalists who engage in unauthorised access to voicemails may also be committing an offence under the Criminal Damages Act 1991. This Act makes it an offence to access information without authorisation and to modify that information whether or not that modification has an adverse effect. Listening to a voicemail modifies the content and nature of the information (at the very minimum changing a flag from “new” to “listened to”. The Act does make use of the word “computer”, which would suggest to a lay person that it would only be an issue if a device meeting the traditional view of a computer was used. However the term is undefined and as such it is open-ended as to what type of device might meet the legal test of a “computer”. In that regard, the definition applied in the Data Protection Acts (“a device operating automatically in response to instructions”) might be relevant.

    So… accessing a voice mail box (which is itself stored on a device operating automatically in response to instructions computer of some sort) without permission and listening to the recording is likely to be a criminal offence in Ireland, given the breadth of the definitions in play.

    This is doubly so when the Criminal Justice (Theft and Fraud Offences) Act is taken into consideration. It provides for an offence of “dishonestly” using a computer or causing a computer to be used within the jurisdiction of the State. The big question to answer here is

    • What’s a computer?
    • What’s dishonest?

    It might be argued that going on a fishing trip for personal data without any prior formed intent to publish a specific story about a specific individual could constitute dishonesty.

    The 1983 and 1993 Acts

    Section 98 of the 1983 Act deals, in the first instance, with a general prohibition on the interception of “telecommunications messages”. In short… it’s illegal except in certain defined circumstances. Interception is defined as being

    “listening to, or recording by any means, or acquiring the substance or purport of, any telecommunications message without the agreement of the person on whose behalf that message is transmitted by the company and of the person intended by him to receive that message”

    The term “telecommunications message” is not actually defined in the legislation, which creates an interesting situation when you consider that this Act was drafted in the early 1980s when there was no digital voice mail, no email, limited use of fax services, and (importantly) when there was only one company laying cable and connecting people to a telecommunications network in Ireland. Significantly, the 1983 Act only applies to telecommunications services which require a license… which would exclude a lot of on-line communications tools such as VOIP, web-based email or IM chat.

    The 1993 Act deals essentially with phone tapping and interception of postal packets. The legislation is couched in terms suggesting that data at rest (e.g. a voice mail recording sitting on a server or an email sitting in in a mail host somewhere) may not be covered.

    Digital Rights Ireland argued in 2009 that the framework in place under the 1983 and 1993 legislation most likely did not cover most on-line activities and as such there was, strictly speaking, no clear legislative prohibition on the interception of SMS, email, VOIP etc., technologies which simply did not exist at the time the legislation was being drafted and as such probably left the State falling short of their obligations under the ePrivacy Directive.

    The European Commission rejected DRI’s submission at the time

    Electronic Privacy Regulations

    The new electronic Privacy Regulations place mobile phone operators in an interesting position with regards to phone hacking. The means by which voicemails were accessed, in the main, appears to have been default voicemail passwords being left unchanged. This is a security weakness in mobile phones and, for that matter, fixed line services which provide a voice mailbox service.

    For example, for most mobile phone operators, the default password for a voicemail account is 0000. In many fixed line systems, the password might be 1234. Failing to change this password leaves the data which is being recorded in the mailbox unsecure.

    The complication in Irish law for the telcos is that section 4 of the EPrivacy Regulations (SI 336 of 2011) requires providers of electronic communications services to

    1. Ensure appropriate security safeguards so that data is only accessed by authorised persons, with respect to the state of the art and cost of implementing (section 4(1))
    2. Ensure that the security measures can protect against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure (section 4(2)(b))

    Section 4(4) is the doozy I feel.

    In the case of a particular risk of a breach of the security of the public communications network, the undertaking providing the publicly available electroniccommunications service shall inform its subscribers concerning such risk without delay and, where the risk lies outside the scope of the measures to betaken by the relevant service provider, any possible remedies including an indicationof the likely costs involved.

    My reading of that section is that mobile phone and landline operators who apply default passwords to voicemail accounts need to be more proactive about alerting customers to the risk and, ideally,  implement a process which mitigates or eliminates the risk (such as having a randomly assigned password associated to a voicemail that is SMS’d or posted to the customer – just like bank security codes for on-line banking). I’ve asked the Data Protection Commissioner about it and it appears that my reading is, by and large, correct.

    And as the SI implements an EU wide directive this could get interesting in light of the NoTW noises.

    Conclusion

    The world of telecommunications and person to person linking using tools like VOIP, SMS, Instant messaging, voice mail, email, and “Unified Communications” which we find ourselves in today was almost unimaginable even fifteen years ago. I can recall when I started working with a large telco in the summer of 1997 that digital voice mail was a massively new fangled thing, had you told me that I would be getting voicemails emailed to me from a virtual VOIP phone system which I could open and read or listen to on my mobile phone I’d probably have laughed.

    But that is what we do every day now.

    The legislation may not have kept pace. However, where the legislation has caught up, providers of telecommunications services need to do their bit to raise awareness and understanding of how the world may have outstripped the law (at least for now).

    I invite any comments or corrections from more learned colleagues.

     

  • New Rules, Old Principles

    This was first posted on the Irish Computer Society Data Protection Blog. I am republishing it here as it is my original work and I am putting all my Data Protection musings in one place.

    So, the revised e-Privacy Directive has been given legal effect as of 1st July (only a little over a month late). The Data Protection Commissioner has issued revised guidance on the processing of personal data in the context of electronic communications. Some of what is contained in this legislation is new. However, even the new stuff is merely an incremental evolution of the underlying principles of Data Protection to address the privacy concerns presented by new technologies, the maturing of existing technologies, and the emergence of new ways of processing personal data.

    The key to ensuring compliance with these revised rules is to ensure that you have a solid understanding of the underlying principles of Data Protection and the role of information in your organisation (it’s meaning and purpose) so that you can better understand how the actions of your staff and the systems you use to interact with your customers might affect your ability to work within the regulations.

    An earlier post discussed the likely impact on Cookies from the regulations. In short, you need to understand when, where, how, and why your websites and mobile device apps are writing data to your customer’s “subscriber equipment” [aka the device that is at the end of the telecommunications service connection, be that a physical phone line, wifi, 3G, GPRS, HSPDA etc.]. Once you know that information you can figure out what data storage requires consent and what data storage is essential to the delivery of the information age service.

    Another interesting and subtle change is that the Commissioner has removed the ‘grey area’ around collecting email addresses in business networking or similar activities. Before there was an assumption of “one bite free” where you could contact people once but give them the option to opt out of future contact. This is now very categorically an opt-in thing where you are sending emails to an identifiable natural person, particularly where that person is not party to a customer relationship.

    You can still avail of the “free bite of the apple” when dealing with non-individually identifiable business entities, and with individuals in organisationswho might reasonably be interested in the product, service, or subject matter of the message.

    A worked example might help explain this better.

    • Frank is a sales man for BloggoTech. At a trade fair he meets Jerry, who is a purchasing manager from ClientCo, who BloggoTech have an existing relationship with.
    • Frank also meets Mary, a marketing manager from ProspectCo. Neither Mary nor ProspectCo are clients of Bloggotech.
    • Jerry gives Frank an email address to contact him at: Jerry.Client@ClientCo.ie
    • Frank also has ClientCo’s general contact email address: info@clientco.ie
    • Mary gives Frank her business card with email, phone, SMS etc.
    • The business card also has “info@prospectco.com” as a general contact email address.

    Frank can contact Jerry by any contact point he has for him (subject to Jerry making his preferences known) because ClientCo are an existing client who have purchased within the last 12 months. As soon as Jerry asks Frank to stop contact him by whatever contact mechanisms or for whatever purposes, Frank must do so.

    Mary, however, poses a problem in light of the revised guidance. If Frank has not gotten her permission to do a follow up contact with her then the only email address he can use is the “info@prospectco.com” email, unless he is communicating with Mary about something that he knows will be of interest to her. Of course, he has the option of sending a fax for her attention (which the company can opt out of), or posting her materials by snail mail (which she can opt out of).

    This relates to the fundamental principle that personal data must be obtained fairly, for a specified and lawful purpose.

    Many people might protest that requiring people at conferences to get consent before doing a follow up contact is unduly burdensome but it is actually quite simple. When handing over your business cards, simply ask “Is it OK if I drop you an email later in the week with some information about [insert subject matter here] and a link to our newsletter sign up?”. This simple conversation point clarifies that you will be contact the person, and clarifies the context in which you will be communicating with them.

    There.. consent obtained.

    The real challenge is presented to event organisers who might share lists of delegates at an event with other attendees. Care must be taken to remove any means of electronic contact. But most large data management events I attend provide heavily redacted delegate lists that identify the person and the company, and perhaps their country, but not enough that you could contact them directly from it. So, event organisers need to start thinking about contact information as valuable data which should not be shared.

    I’ve had experience with a business networking event sharing my details willy-nilly in an attachment sent to the other 100+ people who had registered for the event (which would be a notifiable disclosure under the Data Breach Code of Practice). The problem could have been prevented by simply having an opt-in box telling me that my details could be shared if I wanted them to be.

    In short… designing privacy into the process, not inspecting breaches out.

    Companies exhibiting at events need to up their game away from the “business card fishbowl” with a spurious raffle to collate contact details. Again, a little thought can help design a safer and more compliant process (a tick box for consent to further contact for purposes not related to the raffle for example, or clarification that anyone entering the raffle will receive one marketing email). After all, if the guidance from the DPC is that the communication needs to be relevant to the interests of the Data Subject, I might only want to receive communications from the company about the iPad I’ve won.

    The new rules are built on old principles. If you understand the principles and take them to heart you can begin to develop strategies for using the new rules to your advantage.

  • Three strikes – you’re out(?)

    I’ve recently been pondering the 3-strikes process which is used by eircom to police illegal content uploaders and the Data Protection implications of same. [By way of full disclosure, I used to work there in a role that involved me analysing processes and finding out where they were broken and potentially non-compliant with host of regulations. That said, given that when employed there a big part of my job was to call b*llshit on defective processes and get them fixed or killed, I would not consider myself an apologist for eircom].

    The process (as I understand it) is this.

    1. A person goes onto torrent site and seeds a torrent with copyright protected material.
    2. As part of seeding the torrent, their IP address is published in the torrent service.
    3. A 3rd party company monitors torrents and flags to eircom IP addresses and details of copyrighted materials that are being seeded.
    4. eircom checks the IP addresses provided against the IP addresses in use by customers at the time of the seeding and a letter is produced informing the customer that copyright protected content was being distributed illegally via their account. They are given three chances to prevent this distribution before their account is suspended.

    So. What is happening here? An illegal act is being committed in a public place (IP addresses are published in the torrent service). This public data is passed to an ISP who seeks to associate the IP address with a named ‘controller’ of the service, who is then advised that an illegal act was committed using their service and advising them to ensure that the activity ceases.  Music labels are not told of the offenders. Personal data of eircom customers is not transferred to music labels.

    No data is passed about individual customers to any 3rd party by eircom. eircom acts on public data compiled and processed by a 3rd party on their behalf. Eircom processes this information in order to enforce sections 5.5 and 5.6 of the Terms and Conditions which govern their Broadband service.

    The analogy I would draw is with the system for enforcing speed limits using traffic cameras. If your car is on the motorway doing 135kmh and you are snapped by a traffic camera in a GATSO van operated by a private company working on behalf of the authorities, your car registration number and the record of the speed you were doing when snapped is sent for processing against the vehicle licensing database which associates the registration number with a named person (the registered owner of the car). A few weeks after you are snapped you receive a letter in the post with a copy of the photograph, details of the speed, and details of the fine you will have to pay.

    An illegal act, in a public place, where a publicly visible identifier can be recorded, which can then be associated with other information to identify the nominated responsible person for the conduct of that vehicle. The parallel is, at least to me, very clear.

    It is also very clear that in both the Broadband case and the Traffic camera case that there are certain evidentiary controls that need to be in place to ensure that data is being processed fairly and accurately and appropriate safeguards need to be in place to ensure that data is not processed or disclosed unlawfully.

    For example, eircom recently had an issue where a number of customers received warning letters about downloading which did not relate to them. The root cause was a failure of a server to update to Summer Time from Daylight Savings time, meaning the timestamps associated with IP addresses were out by an hour. Accurate timestamping and recording of location data of traffic cameras is also important, as the Australian State of New South Wales and the US  city of Long View discovered recently.

    Of course, it is important to point out that eircom did not send personal data about Customer A to Customer B. They simply attributed, erroneously, the actions of Customer A to Customer B.

    The Data Protection Acts do not provide a shield behind which people who commit offences can hide. The right to Privacy is not an absolute one and must be balanced. So long as the processing of the data is done in a manner which does not infringe privacy or result in unwarranted disclosure of personal data companies have a legitimate interest in ensuring that they can enforce the terms and conditions of contracts that are entered into.

    Where people chose to commit an illegal act in a public manner, or where through neglect or lack of domestic control they allow such acts to be committed, then a polite but firm reminder of their duties as parties to the contract is to be expected. Where that reminder is provided without personal data being disclosed to 3rd parties (as was the case previously) then this is a half-way house that balances competing rights but which must be kept under constant scrutiny to ensure that there is no scope creep, function spread, leakage or abuse.

  • The Cookie Monster Cometh

    First published on the Irish Computer Society Data Protection Blog. Republished here as it is my original work and I’m putting all my Data Protection musings in one place.

    So, this day next week (26th May) will see the introduction into Irish Law of Directive 2009/136/EC. It’s a tweak to the existing electronic privacy regulations. The ones that relate to spamming by fax, email and SMS and carry penalties of up to €5000 per breach.

    [update: Well the deadline came and went without the Irish Government enacting the legislation. We await further developments]

    [Update 2: Legislation in effect from 1st July 2011. See Data Protection Commissioner website for Guidance Note]

    These new regulations relate to Cookies, those little text files which are written to your computer by websites. Of course, it’s not just text files. Flash also has a version of ‘cookies’ to help track your interactions with flash movies or activites (so if you go away you can restart where you left off rather than having to go back to the beginning – for example in an e-learning package). The intention of the Directive is (amongst other things) to improve the personal privacy of internet users by controlling the use of cookies.

    While the intent of the Directive (to come into effect in a Statutory Instrument next Thursday) is relatively straightforward, the practicalities of implementing it may be challenging for organisations. Added to that there is a level of unawareness about the issue in Ireland, particularly on the business side of organisations. This will actually be the biggest challenge to Compliance.

    Organisations now need to step back and stop thinking of cookies and web development as a techie issue. Cookies are a data asset of the organisation which you use to achieve certain goals and purposes. The key key issues that need to be considered are:

    • What are your processes and their objectives?
    • How do cookies help you achieve those goals?
    • What information do you need to be writing to cookies to achieve your goals?
    • What things/services that people want to use on your site won’t work without cookies?

    The Regulations set out two sets of conditions where the use of the cookies is permitted. Either:

    1. You have gotten informed consent from the Data Subject by way of providing prominent and accessible information about your use of cookies and providing some means of recording the consent to those purposes (fyi: this cannot be a ‘passive’ process) OR
    2. Being able to identify that the use of the Cookies is strictly necessary for the delivery of services explicitly requested by the subscriber

    Being a little bit blunt about this, the first condition is only slightly more onerous than the existing requirements on websites who process personal data about individuals who have to provide a coherent statement of what they are going to use the personal data for (most don’t in my experience – the standards of some that I have looked at over the past few years often leaves a lot to be desired and is indicative of a ‘tick the box’ approach to Compliance).

    The second condition however gives a conditional pass, similar to the Lawful Processing condition of ‘Necessary to complete a contract’ under section 2 of the Data Protection Acts 1988 and 2003. Basically if you can demonstrate that the thing that the customer wants to do (and has asked to do) can’t be done without having a cookie to temporarily store some data on the subscribers ‘terminal equipment’.

    So. How do you do that? And how do you identify which of the cookies your site and processes are writing fall into the camp of needing to be flagged and consented to and which ones fall into the ‘doable because we can’t deliver without it’?

    By stepping back and looking at the MEANING and PURPOSE of the information you are writing to the devices of people who are visiting your site you can start to make informed business driven choices about what needs to be changed and why in terms of how your websites work. This means having to look at the process flow and information flow underpinning your website and informing yourself about what is being done where, why, how, and by whom.

    I can’t upload graphics to this blog, but over the next few weeks I’ll post some articles over on my company website that will examine some of the approaches to doing that kind of analysis as part of an Information Governance framework that will support Data Protection goals. However, it is important to note that this is not a job (just) for techies because you need to be very clear on the “Just because you can doesn’t mean you should” aspects of Data Protection. This must be lead by the Business leadership of the organisation because, ultimately, they are the people who will have to explain to the Data Protection Commissioner, the Courts, and Joe Duffy what the cookies on the website were doing.

    When you write a cookie to someone’s device (pc, phone etc.) you are essentially renting space from them to store information about them or their behaviour or what their interactions might be. Individuals can limit your ability to rent that space using browser settings to block cookies, but at the current state of the art these are somewhat crude tools and, in the case of Flash, are not actually a complete set of tools (you need to do different things to block Flash Cookies).

    The forthcoming regulations seek to introduce a rebalancing of the rights and duties relating to the information stored by and represented in cookies in line with the spirit and practice of Data Protection law and Privacy rights. It will take time for that balance to settle, but those who take the time now to understand the meaning and purpose of cookies they are using and their role in the processes running on their websites will be in a much stronger position to meet future Compliance standards under these regulations.