<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The DOBlog &#187; Web 2.0</title>
	<atom:link href="http://obriend.info/category/business/web-20/feed/" rel="self" type="application/rss+xml" />
	<link>http://obriend.info</link>
	<description>Daragh O Brien on Information Quality Management &#38; other issues</description>
	<lastBuildDate>Mon, 06 Feb 2012 15:14:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Turd Polishing</title>
		<link>http://obriend.info/2011/08/03/turd-polishing/</link>
		<comments>http://obriend.info/2011/08/03/turd-polishing/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 02:00:44 +0000</pubDate>
		<dc:creator>Daragh</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Information Quality]]></category>
		<category><![CDATA[The Business of IQ]]></category>
		<category><![CDATA[Web 2.0]]></category>

		<guid isPermaLink="false">http://obriend.info/?p=687</guid>
		<description><![CDATA[In the course of a twitter conversation with Jim Harris I used the phrase &#8220;turd polishing&#8221; to describe what happens when organisations try to implement check-box based data governance or Compliance programmes, or invest in business intelligence or analytics strategies without fixing the data which underpins those strategies addressing the organisational cultural and structural [...]]]></description>
			<content:encoded><![CDATA[<p>In the course of a twitter conversation with Jim Harris I used the phrase <a href="http://en.wiktionary.org/wiki/you_can't_polish_a_turd">&#8220;turd polishing</a>&#8221; to describe what happens when organisations try to implement check-box based data governance or Compliance programmes, or invest in business intelligence or analytics strategies without</p>
<ul>
<li>fixing the data which underpins those strategies</li>
<li>addressing the organisational cultural and structural issues which have led to the problem in the first place.</li>
</ul>
<div>I have witnessed this happening with organisations who, for example, decide that investing in e-learning with a &#8220;learning kpi&#8221; (x% of staff having reached y% pass mark on a multiple choice exam with a 1 in 4 chance of guessing the right answer) is their approach to evidencing culture change and the embedding of learning.</div>
<div>Of course, this fails miserably when</div>
<div>
<ul>
<li>The cultural message is that data job isn&#8217;t as important as the Day Job</li>
<li>The management practice is to game the system (why take all your staff off the phones to do the learning when you have one person on the team who knows it who can do the exams for everyone with their logins?)</li>
<li>Management look only at the easy numbers (the easily gathered test scores at the end of an assessment period).</li>
<li>If management seek to rule by fear or quota (&#8220;hit these numbers <em>and </em>those numbers or else&#8230;.&#8221;)</li>
</ul>
<div>Management who seek to overlay a veneer of good governance on an unaligned/misaligned and otherwise outright broken Quality Culture that doesn&#8217;t seek to value or maximise the value of their Information are engaging in little more than Turd Polishing. Turd Polishing can be seen in organisations that value Scrap and Rework over re-engineering as a way to address their quality goals. Turd Polishing can be seen in organisations that fudge reports to Regulators or announce &#8220;reviews&#8221; of issues that everyone has already identified the root causes of around the water coolers and coffee jugs.</div>
</div>
<div>No amount of elbow grease and turd polish will change the underlying essence of what is being done. Nothing will improve, but increasing amounts of polish will be required to dress up the turd as a sustainable change programme.</div>
<div>The alternative is to call a turd a turd but work with it to bring out the special properties of manure that can help promote growth and give rise to sweet smelling flowers. That requires spade work and patience to bring about the change of state from turd to engine of growth. But no polishing is required.</div>
<div>In summary &#8211; turd polishing gives you a shiny turd that is still a turd. Digging into the manure can lead to you coming up roses.</div>
]]></content:encoded>
			<wfw:commentRss>http://obriend.info/2011/08/03/turd-polishing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information Quality Change &#8211; the Doctor Who effect</title>
		<link>http://obriend.info/2011/08/03/information-quality-change-the-doctor-who-effect/</link>
		<comments>http://obriend.info/2011/08/03/information-quality-change-the-doctor-who-effect/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 01:34:13 +0000</pubDate>
		<dc:creator>Daragh</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Information Quality]]></category>
		<category><![CDATA[Philosophical Musings]]></category>
		<category><![CDATA[Politics & Culture]]></category>
		<category><![CDATA[Web 2.0]]></category>

		<guid isPermaLink="false">http://obriend.info/?p=683</guid>
		<description><![CDATA[I&#8217;m a big science fiction fan. I make no apologies about this fact. One of my favourite science fiction characters is The Doctor, the lead character in the BBC&#8217;s iconic series of the same name. In a genre that often falls for the easy charms of technology to drive a story, The Doctor (a 930 [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;m a big science fiction fan. I make no apologies about this fact. One of my favourite science fiction characters is <a href="http://en.wikipedia.org/wiki/Doctor_Who">The Doctor</a>, the lead character in the</p>
<div id="attachment_684" class="wp-caption alignright" style="width: 130px"><a href="http://obriend.info/wordpress/wp-content/uploads/2011/08/Eccleston-TARDIS-3.jpg"><img class="size-thumbnail wp-image-684" title="Eccleston TARDIS 3" src="http://obriend.info/wordpress/wp-content/uploads/2011/08/Eccleston-TARDIS-3-120x120.jpg" alt="The 9th Doctor outside his Tardis" width="120" height="120" /></a><p class="wp-caption-text">The 9th Doctor</p></div>
<p>BBC&#8217;s iconic series of the same name. In a genre that often falls for the easy charms of technology to drive a story, The Doctor (a 930 year old, two-hearted time travelling Time Lord from the Planet Gallifrey) invariably highlights and thrives on the Human Factor &#8211; the innate potential, ingenuity and power of the human beings (a lesser species) who he befriends, protects, and travels with.</p>
<p>Over the years I&#8217;ve tried to adopt and adapt some of the principles of The Doctor&#8217;s approach to leading Information Quality and Governance change projects:</p>
<p><span class="Apple-style-span" style="font-size: 20px; font-weight: bold;">There is nothing that can&#8217;t be solved by confectionery</span></p>
<p>The good Doctor in a number of his incarnations (<a href="http://en.wikipedia.org/wiki/Fourth_Doctor">4th</a>, <a href="http://en.wikipedia.org/wiki/Sixth_Doctor">6th</a>, <a href="http://en.wikipedia.org/wiki/Seventh_Doctor">7th</a>, and <a href="http://en.wikipedia.org/wiki/Eighth_Doctor">8th</a> as memory serves)  was renowned for, in moments of high tension, proffering some confectioneries (specifically Jelly Babies) to help lighten the mood and distract thought. They were an incredible tool that enabled him to befriend others and buy time to develop cunning plans. <a href="http://en.wikipedia.org/wiki/Sixth_Doctor">Doctor Who Jelly Babies</a> (video montage)</p>
<p>The key lesson is that it is often useful to have a &#8220;quirky&#8221; way to break down barriers and get conversations going. The Doctor has Jelly Babies. I&#8217;ve used various props. <a href="http://uk.linkedin.com/pub/kathy-hunter/8/6a4/4b4">Kathy Hunter</a> of DQM Group made extensive use of home baked cakes and biscuits when she was in a previous role to help open conversations.</p>
<p><span class="Apple-style-span" style="font-size: 20px; font-weight: bold;">It&#8217;s Bigger on the Inside</span></p>
<p>The Doctor&#8217;s space ship/time machine is a Blue Box. It is a Blue Box because the advanced circuitry that let it change appearance to blend in in different timelines got stuck on &#8220;Blue Box&#8221; on a trip to London around 1963 (the year the series was first broadcast). The thing about the Blue Box is that it is &#8220;bigger on the inside&#8221;, a fact that the various companions of The Doctor remark on whenever they enter the Blue Box for the first time. <a href="http://www.youtube.com/watch?v=4_nO8LSqTsY">Bigger on the Inside (Youtube)</a>. Invariably, The Doctor takes the surprise in his stride, often forgetting how big a shock it is to people when they see the size of his Blue Box for the first time.</p>
<p>The Doctor&#8217;s Blue Box is called the TARDIS, which stands for Time and Relative Dimensions in Space. By being able to engineer time and space, The Doctor&#8217;s race, the Time Lords, could build infinitely large space craft that could fit into a small space (like the back of a props van on a TV show).</p>
<p>What&#8217;s the parallel with Information Quality? Well, those of us who have worked in Information Quality often forget that it is a discipline that is very much &#8220;bigger on the inside&#8221;. When people look at Information Quality from the outside, they might be forgiven for thinking that it has the general dimensions of a Blue Box (so to speak) and it is only when they venture inside that they realise there&#8217;s more to it than meets the eye. If your perception of IQM is that it is Data Profiling and some Cleansing, it can be quite a shock when you uncover the Change Management challenges, the human psychology issues, and the legal and regulatory issues that can affect Information Quality strategies.</p>
<p>Often we hard-core practitioners take it for granted that it is bigger on the inside, because we&#8217;re on the inside looking out.</p>
<h2>People First, Technology Second</h2>
<p>Quite apart from the long running love affair The Doctor has had with the Human Race, every adventure winds up with The Doctor being outrageously brilliant as a Time Lord, but more importantly inspiring and encouraging brilliance in his Companions and others around him. Whether it is calling in favours from old enemies (in return for some jelly babies perhaps) or rallying demoralised troops in the face of battle or <a href="http://en.wikipedia.org/wiki/Weeping_Angels">unnatural enemies</a>, The Doctor puts people first, often appearing willing to sacrifice himself to protect others.</p>
<p>Technology is applied in innovative and outlandish ways to meet the objective of protecting people. Even The Doctor&#8217;s trusted <a href="http://en.wikipedia.org/wiki/Sonic_screwdriver">sonic screwdriver</a> is not used as a tool in its own right but as a means of enabling things to happen and for information to be gathered to support decision making.</p>
<p>From an information quality management point of view it is important that we remember this lesson &#8211; the technology should not dictate the solution and, ultimately, it is people who are the brilliant and innovative sources of solutions to problems. A Data Profiler will tell you that the data looks broken. A human being will figure out the best solution (new business rule, new tools etc).</p>
<p>In short, to paraphrase The Doctor: &#8220;People are FANTASTIC!!&#8221;</p>
<h2>Conclusion</h2>
<p>I&#8217;m very much of the view that we can learn a lot from arts and literature about ourselves and who we can aim to be in how we approach things. Science fiction TV programmes are no different to the works of Shakespeare in this regard. Perhaps we can achieve more sustainable successes in our Information Quality travels by learning some lessons from The Doctor:</p>
<ol>
<li>Everybody likes Jelly babies &#8211; (what is your equivalent?)</li>
<li>Not everyone can see that this is actually Bigger on the Inside&#8230; and when they step into the world of Information Quality it can be a bit of a shock to the system.</li>
<li>Technology doesn&#8217;t fix things. People fix things, occasionally using technology to get there. Remember that people are FANTASTIC!!</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://obriend.info/2011/08/03/information-quality-change-the-doctor-who-effect/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Doing the right thing</title>
		<link>http://obriend.info/2011/03/29/doing-the-right-thing/</link>
		<comments>http://obriend.info/2011/03/29/doing-the-right-thing/#comments</comments>
		<pubDate>Tue, 29 Mar 2011 14:13:45 +0000</pubDate>
		<dc:creator>Daragh</dc:creator>
				<category><![CDATA[Ethics & Law of Information]]></category>
		<category><![CDATA[Web 2.0]]></category>

		<guid isPermaLink="false">http://obriend.info/?p=650</guid>
		<description><![CDATA[So, imagine for a moment that you have just found out about a technology that, according to the sales person, will have an immediate impact on preventing children being abused, tortured and worse. Imagine you&#8217;ve been told that it won&#8217;t require you to do a thing, that it will operate &#8220;out there&#8221; (possibly in &#8220;The [...]]]></description>
			<content:encoded><![CDATA[<p>So, imagine for a moment that you have just found out about a technology that, according to the sales person, will have an immediate impact on preventing children being abused, tortured and worse. Imagine you&#8217;ve been told that it won&#8217;t require you to do a thing, that it will operate &#8220;out there&#8221; (possibly in &#8220;The Cloud&#8221;) and perform its function on your behalf without you having any need to actually do anything yourself to put the processes in play.</p>
<p>How much would you, personally, pay for such a technology? €1 a month? €5 a month? €10 a month?</p>
<p>What if it turned out that:</p>
<ol>
<li>The technology actually didn&#8217;t stop the hurt or damage to children, just made it a little harder for people who paid for access to images of that to get at it and, at best, curtails demand slightly</li>
<li>Was relatively easily circumvented using free or low cost tools</li>
<li>Had been found not to work in other countries where it had been made available, with innocent individuals and businesses suffering due to poor quality data existing in the processes which meant they were tagged as &#8220;offending&#8221; and were being closed off from their market (in the case of businesses) or from their legitimate personal activities (in the case of individuals).</li>
</ol>
<p>That&#8217;s what the Irish police have asked ISPs to do with their recent requests to implement IP filtering, outlined by <a href="http://www.digitalrights.ie/2011/03/29/garda-plans-to-introduce-web-blocking-in-ireland/">Digital Rights Ireland today</a>. IP Filtering has been found to be ineffective in the <a href="https://www.bof.nl/2011/03/07/dutch-providers-abandon-ineffective-web-blocking/">Netherlands</a>, has had declining effectiveness in the UK, and <a href="http://ak-zensur.de/2010/09/looking-away.html">doesn&#8217;t actually address the problem of the images being accessible on the Internet</a>. In Australia <a href="http://www.smh.com.au/articles/2009/03/19/1237054961100.html">a leaking of the black list revealed</a> valid businesses that had no child porn content, with almost 50% of the list being unrelated to the target intent of controlling access to images of child pornography (thanks to <a href="http://digitalrights.ie">DigitalRights.ie</a> for the linked to stories).</p>
<p>A far more effective approach is to get the images removed from the sites that are hosting them. Perhaps this is problematic and onerous. Let&#8217;s look at some statistics:</p>
<ul>
<li>Of the 72 requests to remove images of child pornography made by the UK&#8217;s Internet Watch Foundation in 2010, a paltry 100% were complied with in a geological &#8220;few hours&#8221; (source: <a href="http://www.bbc.co.uk/news/technology-12743404">BBC report on IWF&#8217;s Annual Report</a>)</li>
<li>Researchers in Germany working with <a href="http://ak-zensur.de">AK-Zensur.de</a> found that the 3 active sites on the sample of watch list data they worked with were taken down within 90 minutes of requests being made to hosting companies and/or domain registrars. In each case the images had been blocked but were still on-line for up to 2 years.</li>
</ul>
<p>So&#8230; making requests to the hosting providers <strong>tends to be effective at removing the problem at source</strong>. Indeed, <a href="http://www.bbc.co.uk/news/world-europe-12463290">a draft EU Directive</a> is calling for exactly that approach to be taken.</p>
<p>Which leaves us back at the start, asking the question about how much you&#8217;d be willing to pay to have such a technology in place to block access to sites. Because a price will have to be paid in some way and in some form. On one hand, Irish telcos are not exactly awash with cash at the moment and the implementation of any blacklisting process will require some governance and resourcing (both technology and people) which will come at a price. Currently there is no proposal that the State would contribute to this cost, and the model of the Data Retention regulations would suggest that no such stipend would be forthcoming.</p>
<p>So the cost of web filtering would likely have to be borne by the ISP. Which would mean either higher bills or reduced investment in other areas as the money would have to be found somewhere (it is worth remembering in this context that eircom is <a href="http://www.irishtimes.com/newspaper/finance/2011/0309/1224291667974.html">currently trying to restructure its debts</a> and cut costs by €92million). So, realistically, the costs will emerge somewhere on your bill. How much are you willing to pay for technology that doesn&#8217;t achieve its goals?</p>
<p>The other price to pay is the privacy cost.</p>
<p>The Garda proposal is, to my reading, an outrageous trampling of personal privacy rights while they take a lump hammer to swat a fly. In essence, they amount to a &#8220;guilty until proven innocent&#8221; position where inadvertent access will need to be explained by way of the ISP giving EVEN MORE data to the Gardaí about an individual&#8217;s browsing history. As Digital Rights Ireland point out in their <a href="http://www.digitalrights.ie/2011/03/29/garda-plans-for-web-blocking-referred-to-data-protection-commissioner/">letter to the Data Protection Commissioner about these measures</a>, such disclosures might actually be illegal in and of themselves under other legislation. And if your domain name can identify you as an individual there is always the potential for your personal reputation to be damaged if you are put on the blacklist in error given the text of the &#8220;stop page&#8221; message.</p>
<ul>
<li>What ever happened to &#8220;Adequate, Relevant, and Not Excessive&#8221;?</li>
<li>And how bullet proof are you against malicious uploading of content to your website anyway?</li>
</ul>
<p>It would seem that the only entity not incurring a cost in the entire equation is the Gardaí, as their letter does not outline any form of &#8220;right of reply&#8221;, any avenue for validating or correcting entries on any black list which might be created, or any form of judicial oversight or regulation of the powers which the Gardaí are taking upon themselves in this context.  Who do I contact if my business site is compromised, becomes a host for offensive content (if only for a few hours until it is spotted and removed) and is blacklisted? What steps have the Gardaí taken to ensure that they don&#8217;t mirror the Thai experience, where a blacklist introduced to control access to child pornography has experienced &#8220;scope creep&#8221; to include any criticism of the Royal family, or the Australian experience where, according to one expert:</p>
<blockquote><p>&#8220;It seems to me as if just about anything can potentially get on the list&#8221;</p></blockquote>
<p>Doing the right thing is very important. But equally important is doing the thing right. Internet filtering is ineffective as a tool. It is the equivalent of telling one part of a town they can&#8217;t shop in B&amp;Q while the rest of the town sates their bricolage requirements at the &#8220;banned&#8221; store.</p>
<p>An analogy to the Garda proposal is this: Anyone entering certain areas of the country (&#8220;black-zones&#8221;) would be overtly tagged as probable criminals by reason of their being in that location. They might even be given a badge to wear at all times as a result. Where they are &#8216;just passing through&#8217;,  the probable criminal will need to provide evidence of their normal habitual movements to the authorities so they can satisfy themselves that the visit was accidental or as a result of an unexpected detour. Residents will not be told about their status as a &#8220;black-zone&#8221; and will have no ready right of appeal or opportunity to challenge the designation. Visitors will be told they are about to enter a &#8220;black-zone&#8221; that hosts criminal elements and activity by way of a large sign on the side of the road.</p>
<p>Would that be acceptable in Irish society?</p>
<p>Internet blocking is ineffective. The current proposal lacks sufficient checks and balances, and may even require ISPs and telcos to break other laws to comply. It will inevitably result in innocents being tarred as offenders. Data Protection principles (such as &#8220;Adequate, Relevant, and Not Excessive&#8221;) are being blatantly ignored to implement an ineffective solution.</p>
<p>Far better is to shut down the shop by removing the images at source and invest time, energy, and resources into a more transparent effort to manage this issue.</p>
]]></content:encoded>
			<wfw:commentRss>http://obriend.info/2011/03/29/doing-the-right-thing/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>There is oft a slip twixt tweet and twolicy</title>
		<link>http://obriend.info/2011/02/08/there-is-oft-a-slip-twixt-tweet-and-twolicy/</link>
		<comments>http://obriend.info/2011/02/08/there-is-oft-a-slip-twixt-tweet-and-twolicy/#comments</comments>
		<pubDate>Tue, 08 Feb 2011 15:17:34 +0000</pubDate>
		<dc:creator>Daragh</dc:creator>
				<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Electoral IQ]]></category>
		<category><![CDATA[Ethics & Law of Information]]></category>
		<category><![CDATA[Irish Blog Culture]]></category>
		<category><![CDATA[Politics & Culture]]></category>
		<category><![CDATA[Web 2.0]]></category>

		<guid isPermaLink="false">http://obriend.info/2011/02/08/there-is-oft-a-slip-twixt-tweet-and-twolicy/</guid>
		<description><![CDATA[This blog post is basically the text of an audioboo I recorded at 9:30 this morning which has disappeared into the ether ne&#8217;er to be found. Fine Gael have launched their &#8220;Twolicy Page&#8221;. I won&#8217;t comment on the hideous neologistic portmanteau that is &#8220;Twolicy&#8221;, other than to say that it seems to have been dreamed [...]]]></description>
			<content:encoded><![CDATA[<p>This blog post is basically the text of an audioboo I recorded at 9:30 this morning which has disappeared into the ether ne&#8217;er to be found.
</p>
<p>Fine Gael have launched their &#8220;Twolicy Page&#8221;. I won&#8217;t comment on the hideous neologistic portmanteau that is &#8220;Twolicy&#8221;, other than to say that it seems to have been dreamed up by a pat.
</p>
<p>What strikes me about the &#8220;Twolicy&#8221; page is that it is yet another import of an American election campaign tool into Irish Politics, particularly with the concept of the &#8220;E-Canvasser&#8221;. Fine Gael dynamically tell us that the E-Canvasser (perhaps some distant cousin of the &#8220;Cyber Reporter&#8221; who has emerged as the colour piece of the day on certain Irish current affairs shows?) will
</p>
<blockquote><p>&#8220;<span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">knock on all cyber doors by delving into the depths of Facebook, Twitter, Youtube, Flickr and more! Through the simple medium of sending e-mails, facebooking and tweeting messages of support for Fine Gael you can pledge your commitment to fixing the Irish economy.&#8221;<br />
</span></p>
</blockquote>
<p><span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">This is a strategy which exists to some extent in Irish politics even today. Many of the letters to Madame Editor are crafted examples of &#8220;<a href="http://en.wikipedia.org/wiki/Astroturfing">Astroturfing</a>&#8221; – something that appears to be a grass roots movement but is not. I first became aware of the concept back in 2002 when I spotted the Republican Party in the US running &#8220;<a href="http://replay.waybackmachine.org/20011010175610/http:/www.gopteamleader.com/activities.asp">GOPTeamLeader.com</a>&#8221; (which, thanks to the interweb waybackmachine I can bring to you in hideous technicolour). Basically the party recruits a team of volunteers who are tasked with sending &#8220;on-message&#8221; communications to the media (which in 2001 was the newspapers, TV, and radio). In return, the GOP provided a set of reward points (like Green Shield Stamps) which could be saved up and exchanged for rewards such as barbecues, autographed photographs of the <span style="text-decoration:line-through">Reichsfuerher </span>candidate, and (if memory serves me correctly) an RV.<br />
</span></p>
<p><span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">Fine Gael liken this to door to door canvassing. However that analogy does not hold true because the Internet is not a housing estate or public street. Drop a bus load of eager canvassers on my door step and they will be able to<br />
</span></p>
<ol>
<li><span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">See my house<br />
</span></li>
<li><span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">See my neighbours&#8217; houses<br />
</span></li>
</ol>
<p><span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">They will not need to ask my neighbour to throw leaflets over my back wall. They will see the big sign in my hall window warning them of the fate that will befall them should they ring the bell and seek discourse (&#8220;Warning – political nut lives here&#8221;). And most of them are clued in enough to know that the &#8220;no canvassers&#8221; sticker in the window means that stuffing my letter box with bumph will just be providing stimulus to the paper recycling industry.<br />
</span></p>
<p><span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">The Internet is different. Social media is different. Whoring out your personal contact list to a political party is different. And because it is different, we find ourselves to an extent in uncharted territory with regard to the Data Protection implications of Social Media driven Astroturfing.<br />
</span></p>
<p><span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">Right now I have a contact list of 413 followers on Twitter for my <a href="http://twitter.com/daraghobrien">personal account</a>. I have a second twitter account that is for <a href="http://twitter.com/cbridgeassoc">my business</a>. People who follow me know (from my profile and what I tweet about) that I&#8217;m a Data nut and I do data protection and information quality training so content about those things will pop up in my timeline. People who follow me also know I&#8217;m a bit of a politics geek and enjoy holding our leaders to account. But I try and keep my business tweeting separate from my personal tweeting. And when I whore myself out too much on Twitter, I get friendly DMs from people or I get unfollowed.<br />
</span></p>
<p><span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">This is because the contact details of my friends are information I have gathered for domestic purposes. As such the Data Protection Acts don&#8217;t apply. If I was to sign up to be an e-Canvasser (and I can&#8217;t get the image of a canvasser handing out bags of <a href="http://www.urbandictionary.com/define.php?term=Yokes&amp;defid=5474835">yokes</a> out of my head) we would then face the question of whether I was still processing that data for Domestic use or whether I had become a Data Processor working on behalf of Fine Gael, a Data Controller.<br />
</span></p>
<p><span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">The key question would seem to be how much control Fine Gael are exerting over the content and communication from their e-Canvasser Astroturfers, and whether they are offering any form of reward or incentive for people to encourage them to pimp out their domestic contact lists.<br />
</span></p>
<p><span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">If Fine Gael are simply being &#8220;passive&#8221; and are relying on individuals to act on content that is made available, then there is probably no substantial issue here. It is a case of a person finding content on the web that they think would be of interest to their personal network. We do this every day. It is the way the social web works. Of course, that then raises the question of why they would need you to sign up to their team for this purpose… surely the type of political nut blogger who would retweet or repost their bumph would do so anyway without having to be officially flagged as an &#8220;E-Canvasser&#8221;?<br />
</span></p>
<p><span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">If Fine Gael are being &#8220;neutral&#8221; and are simply flagging content to people who have signed up and asking them to do what they see fit with it, then this too is probably OK. The analogy would be the charity that Tweets out a fundraising message and asks their followers to retweet it to send the fundraising virally. The charity has not asked you to commit to being an active fundraiser on their behalf.<br />
</span></p>
<p><span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">However, if Fine Gael are specifying specific content into specific constituencies at specific times and are exercising control over the content of the messages that are being sent, then we are into a potentially problematic area.<br />
</span></p>
<p><span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">The e-Canvasser would not be on the Fine Gael payroll. But they would be, in effect, processing personal data on behalf of Fine Gael as part of the &#8220;Fine Gael Team&#8221;. It would be interesting to find out how much direct &#8220;editorial&#8221; control that FG are placing on the Facebook Statuses that people are &#8220;donating&#8221; (and where does this fit in SIPO? What is the monetary value of a person&#8217;s Facebook status?) or the emails to &#8220;family and friends&#8221;. This is personal data that was given to them for a domestic purpose, not for the purposes of canvassing for Fine Gael. Once they commence &#8220;active&#8221; canvassing then the use of the data has likely changed from &#8220;domestic&#8221; to political and the Data Protection Acts would apply. If Fine Gael are directing the timing of messages, the content of messages, and/or the audiences for messages then the e-Canvasser is being directed in their processing by the Data Controller, Fine Gael. And, as Data Controller, Fine Gael would need to ensure that there was clarity about the new political use of the personal data and a clear mechanism for the Data Subject (the canvasser&#8217;s family and friends) to opt-out would need to be in place – and FG would, of necessity, need to push this responsibility down to the Canvasser.<br />
</span></p>
<p><span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">Otherwise, FG would not have obtained the data fairly for the purposes of electoral canvassing. It would be no different than if they had asked the local GAA club to email all their members to let them know about Fine Gael&#8217;s new policy on tax relief on sliotars and faceguards for hurlers. And that is the kind of thing that the <a href="http://dataprotection.ie/viewdoc.asp?DocID=1106&amp;m=f">Data Protection Commissioner has already warned against</a>.<br />
</span></p>
<p><span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">Things become an order of magnitude more complicated if Fine Gael are running any kind of incentive scheme for e-Canvassers to drive up the publication of their AstroTurf message.<br />
</span></p>
<p><span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">Of course, Fine Gael have probably thought this through and will have the necessary protocols in place to ensure that there is a mechanism for a Canvasser&#8217;s friends to opt out of receiving Fine Gael campaign materials by email, Facebook or Twitter. They have probably realised that people have the same reaction to junk mail on-line as they do at their doorstep and need to have the ability to put up an on-line &#8220;No Canvassers&#8221; sign.<br />
</span></p>
<p><span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">Currently the only opt-out mechanism I can see is to unfriend people, unfollow them or block them. Which is exactly what I would do in the physical world if a friend of mine kept ramming leaflets and policy statements from a political party into my face.<br />
</span></p>
<p><span style="color:#1f1f1f; font-family:Verdana; font-size:9pt">Of course, in the absence of such an opt-out facility, Fine Gael (as Data Controller) and the e-Canvasser (as Data Processor) would need to be cautious of falling foul of SI526 2008 (the e-Privacy regulations) which carry a fine of €5000 per breach, capped at €50,000 for an individual. While Twitter and Facebook might not be mentioned in the legislation, email is in section 13(1).<br />
</span></p>
<blockquote><p><span style="font-family:Verdana; font-size:9pt">b) A person shall not use or cause to be used any publicly available electronic communications service to send an unsolicited communication for the purpose of direct marketing by means of electronic mail, to a subscriber, who is a natural person, unless the person has been notified by that subscriber that for the time being he or she consents to the receipt of such a communication. <br />
</span></p>
</blockquote>
<p><strong>[edit to clarify some points raised by @tjmcintyre]<br />
</strong></p>
<p>Now, the DPC has ruled in the past that there is an exemption covering the Direct Mail (including email and texting)
</p>
<blockquote><p>carried out in the course of political activities by a political party or its members, or by a candidate for election to, or a holder of, elective political office
</p>
</blockquote>
<p>Question: is the eCanvasser the political party (I would argue yes if FG are exerting sufficient control that they would become a Data Controller)? In which case, the processing is <em>possibly</em> covered.
</p>
<p>But I would suggest that this exemption assumes that the email or tweet would be clearly coming from <a href="mailto:Xyz@partyname.ie">Xyz@partyname.ie</a> or an individual clearly identifying themselves as a member of the party or publicly known to be a candidate for election or an elected official. Getting an email from &#8220;yourbestmate@gmail.com&#8221; telling you to go and look at Fine Gael policies, where that email has been sent on the instruction of and under the Control of the party or candidate, would seem to me to fall outside the scope of issues already decided.
</p>
<p><strong>[/edit]<br />
</strong></p>
<p>So, the upshot is that while physical world canvassers have to be careful of yappy dogs, cats that bite and political nuts who have hard questions, eCanvassers need to consider both the social acceptability and potential legality of pimping out their personal contact lists on behalf of a political party. Such tactics are de rigueur in the US. But the US does not operate with the same privacy legislation as Ireland, so ideas imported from overseas must be vetted properly to ensure that no Compliance risks arise.
</p>
<p>I would be interested to see what the Data Protection Commissioner&#8217;s response to or advice on formal eCanvassing that places the data at arm&#8217;s length but creates a de facto Data Processor/Data Controller relationship would be, particularly if that relationship is not obvious to the recipient of the email or tweet. [update] <strong>Perhaps it would be sufficient for the emailer or tweeter to clearly flag that they are part of a formal eCanvassing team acting on behalf of and under the instruction of Fine Gael?[/update]<br />
</strong></p>
<p>[update] But the change of use of the data from domestic to overtly political will, in my personal view, give rise to questions of whether the data has been obtained fairly for that new purpose, which is a point already clearly settled in the mind of the DPC.[/update]
</p>
]]></content:encoded>
			<wfw:commentRss>http://obriend.info/2011/02/08/there-is-oft-a-slip-twixt-tweet-and-twolicy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The curious case of Enda and the Technology</title>
		<link>http://obriend.info/2011/01/13/the-curious-case-of-enda-and-the-technology/</link>
		<comments>http://obriend.info/2011/01/13/the-curious-case-of-enda-and-the-technology/#comments</comments>
		<pubDate>Thu, 13 Jan 2011 11:21:47 +0000</pubDate>
		<dc:creator>Daragh</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Ethics & Law of Information]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[civil service guidance]]></category>
		<category><![CDATA[competence]]></category>
		<category><![CDATA[enda kenny]]></category>
		<category><![CDATA[standards of care]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://obriend.info/?p=612</guid>
		<description><![CDATA[Enda Kenny found himself slightly ambushed on the news last night (6-One News on RTE) by Bryan Dobson. At the end of a segment about the trials and tribulations of Brian Cowen, Enda was asked about the problems that have befallen the FG website. Enda&#8217;s response was telling on a number of fronts. He indicated [...]]]></description>
			<content:encoded><![CDATA[<p>Enda Kenny found himself slightly ambushed on the news last night (6-One News on RTE) by Bryan Dobson. At the end of a segment about the trials and tribulations of Brian Cowen, Enda was asked about the problems that have befallen the FG website.</p>
<p>Enda&#8217;s response was telling on a number of fronts.</p>
<ol>
<li> He indicated that the FG site had been implemented because he&#8217;d been impressed by a to the European People&#8217;s Party (<a href="http://www.mamanpoulet.com/fine-gael-brazil-and-ravi-singh/">Maman Poulet wrote about that a while ago</a>).</li>
<li>He indicated that they were looking into moving the site to an Irish host.</li>
<li>He stated that he was not competent in the technology.</li>
<li>He stressed that &#8220;40 young people&#8221; were being trained in these new technologies in FG HQ, which would add to their CVs.</li>
</ol>
<h2>The Obsession</h2>
<p>In short&#8230; FG are focusing on the technology. This is exactly the point I was trying to make in <a href="http://obriend.info/2011/01/05/setting-tone-from-the-top/">my first post</a> about the need to set &#8220;the tone at the top&#8221; and ensure that the values expressed in that tone cascade down the organisation and are expressed and executed through effective governance.</p>
<p>By focusing on the technology rather than the effective governance of the information (in a way that would support their objectives and their brand), it seems FG have got tunnel vision on a particular technology and missed the point completely.</p>
<p>Indeed, back in 1999, Peter Drucker wrote that:</p>
<blockquote><p>So far, for 50 years, the information revolution has centered on data—their collection, storage, transmission, analysis, and presentation. It has centered on the &#8220;T&#8221; in IT.</p>
<p>The next information revolution asks, what is the MEANING of information, and what is its PURPOSE?</p></blockquote>
<p>FG may have had a purpose (to listen, and to build a mailing list) but they don&#8217;t appear to have considered what it means to gather personal data, particularly SENSITIVE personal data.</p>
<p>In this context, Enda and the leadership of FG are not being asked to suddenly become PhD level experts in all aspects of Information Security and Web design. What they are expected to do <em>is apply reasonable levels of due diligence to ensure compliance with the law of the land and the standard of care that is expected of organisations who process Sensitive Personal Data</em>.</p>
<p>Organisations like, for example, the Civil Service, who have <a href="http://www.dataprotection.ie/documents/guidance/GuidanceFinance.pdf">produced very clear guidelines</a> on the processing of personal data and the standards of care that must be exercised. Those guidelines are very explicit in a number of sections about the importance of encrypting sensitive data when it is being transferred. For example, in relation to transfer of personal data by email the guidelines say:</p>
<blockquote><p>1. Standard unencrypted email should never be used to transmit any data of a personal or sensitive nature. <strong>Departments that wish to use email to transfer such data must ensure that personal or sensitive information is encrypted either through file encryption or through the use of a secure email facility which will encrypt the data (including any attachments) being sent</strong>. The strongest encryption methods available should be used. Departments should also ensure that such email is sent only to the intended recipient.</p></blockquote>
<p>So, if FG become the leaders of the next Government, will it be a case of the Executive arm telling the Civil Service &#8220;Do as we say, don&#8217;t do as we do?&#8221;</p>
<p style="text-align: center;"><strong><em>That is what I mean by SETTING THE TONE FROM THE TOP.</em></strong></p>
<p>Given the comments in the <a href="http://www.herald.ie/national-news/fgs-data-took-just-seconds-to-steal-hackers-2492989.html">Evening Herald yesterday</a>, apparently from the hackers who attacked the FG website, that the web-designers who built the FG website had left various passwords set to their defaults, my attention is drawn to the comments in the Civil Service Guidance Notice in relation to passwords.</p>
<p>In the context of mobile devices (like phones), the Guidance explicitly states that</p>
<blockquote><p>Manufacturer or operator-provided PIN codes must be changed from the default setting by the user on receipt of the device.</p></blockquote>
<p>So, default settings aren&#8217;t allowed for security reasons in the Civil Service on devices as commonplace as mobile phones. In relation to databases and other devices, the guidance says:</p>
<blockquote><p>Passwords used to access PCs, applications, databases, etc. should be of sufficient strength to deter password cracking or guessing attacks.</p></blockquote>
<p>A reasonable implication here is &#8220;don&#8217;t leave it at the default settings&#8221;.</p>
<p>If it is good enough for the Civil Service, why not good enough for Fine Gael?</p>
<h2>The Training</h2>
<p>Enda tried to make a big noise about the &#8220;40 young people&#8221; who were getting training in the technology. It is very far-reaching to teach young people (how old are they?) how to use Social Networks and Twitter.</p>
<p>What would be more far-reaching would be to ensure that all levels of the FG organisation received appropriate training in Data Protection principles and practice and that, rather than instil a technocratic focus in the culture of the organisation, FG began the process of inculcating an info-centric culture that put the meaning, purpose, and value of Information at the heart of their strategy.</p>
<p>That info-centric culture would need to extend beyond flashy websites to the mundane matters of organisational governance, control, and accountability for information that the Party organisation processes, whether it is on the web, by email, or on paper.</p>
<h2>A beneficial by-product</h2>
<p>A by-product of such a culture change (and it would need to be an actual change, not just more banal lip-service) might be that we would get, perhaps for the first time, the articulation of what a <em><strong>&#8220;Knowledge Economy</strong></em>&#8221;  might actually be, expressed in terms that might echo the sentiments of Peter Drucker over a decade ago, that wouldn&#8217;t descend into babbling and burbling about technologies which, by his own admission, Enda isn&#8217;t competent to talk about.</p>
]]></content:encoded>
			<wfw:commentRss>http://obriend.info/2011/01/13/the-curious-case-of-enda-and-the-technology/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Fine Gael&#8217;s website: some thoughts</title>
		<link>http://obriend.info/2011/01/08/fine-gael-website-some-thoughts/</link>
		<comments>http://obriend.info/2011/01/08/fine-gael-website-some-thoughts/#comments</comments>
		<pubDate>Sat, 08 Jan 2011 14:53:58 +0000</pubDate>
		<dc:creator>Daragh</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Ethics & Law of Information]]></category>
		<category><![CDATA[Web 2.0]]></category>

		<guid isPermaLink="false">http://obriend.info/?p=600</guid>
		<description><![CDATA[It looks like there&#8217;s been some rework done on the FG website to address Data Protection concerns. This is good and is to be commended. It is also in line with how the Data Protection Commissioner works with organisations who have compliance issues.  However, issues did exist prior to yesterday which will continue to present challenges [...]]]></description>
			<content:encoded><![CDATA[<p>It looks like there&#8217;s been some rework done on the <a href="http://finegael2011.com">FG website</a> to address Data Protection concerns.</p>
<p>This is good and is to be commended. It is also in line with how the Data Protection Commissioner works with organisations who have compliance issues. However, issues did exist prior to yesterday which will continue to present challenges to FG regarding their compliance with the Data Protection Acts.</p>
<p>Here&#8217;s a screen shot I took yesterday</p>
<div id="attachment_601" class="wp-caption alignleft" style="width: 244px"><a href="http://obriend.info/wordpress/wp-content/uploads/2011/01/fg20111.png"><img class="size-medium wp-image-601 " title="fg2011" src="http://obriend.info/wordpress/wp-content/uploads/2011/01/fg20111-234x300.png" alt="finegael 2011 screenshot 7th Jan 2011" width="234" height="300" /></a><p class="wp-caption-text">Screenshot of FG website on 7th January</p></div>
<p>It is a bit small to read in the image, but the tick boxes on the site (after you submit your personal data) have the following text beside them:</p>
<ul>
<blockquote>
<li> I agree to receive campaign messages on my mobile telephone</li>
<li>I agree to share my comments on the website.</li>
</blockquote>
</ul>
<p>So, if you posted a comment prior to yesterday, the only communication you could provide any consent to was an SMS. If you found you had been added to a mailing list, the data had not been fairly obtained (you didn&#8217;t <strong>know</strong> you were going to be getting emails) and any processing of your personal data to send you an email is technically a breach of S.2 of the Data Protection Acts.</p>
<p>Given that a number of people apparently complained to the Data Protection Commissioner about getting unsolicited emails when they had posted comments, the <a href="http://finegael2011.com/index.asp">website has been changed as of this morning</a> with a very subtle edit to the wording of the text next to the first tick box&#8230;</p>
<blockquote><p>I agree to receive campaign messages from Fine Gael.</p></blockquote>
<p>&#8230; is what your choice is now when you post your comment. That is a broader statement that does now permit FG to email you (and potentially SMS you as well) with their campaign messages if you don&#8217;t ensure that you <strong>uncheck</strong> the box. Please note that this is an <strong>OPT OUT</strong> of their mailing list, not an <strong>OPT IN</strong>.</p>
<p>So, one compliance issue addressed. Of course, that leaves the question as to what they will do with the emails they captured prior to yesterday which cannot be used as it is <strong>unclear if the person has opted in or out of the use of their email address for campaign mailings</strong>. This is one of those areas where Data Protection and Information Quality overlap &#8211; where the meaning of a flag in the database changes at a point in time and the interpretation of that flag can have significant regulatory and compliance impacts.</p>
<p>I encountered this when running data migrations in a telco many years ago. The billing system had a flag &#8220;Junk Mail&#8221;, which allowed a &#8220;Yes&#8221; or a &#8220;No&#8221;. The problem was that there was no agreement on whether &#8220;Junk Mail = Y&#8221; meant people wanted junk mail or &#8220;Junk Mail = N&#8221; meant people wanted junk mail &#8211; the meaning of the value had been lost in the mists of time and the absence of formal documentation about the processes.</p>
<p><strong>Suggestion: FG should use the date stamp (that they hopefully have) in their database to exclude any email address created on their database prior to January 8th from any email messages&#8230; just to be on the safe side. And as they don&#8217;t have a use for that data (they can&#8217;t email people) they would be required under the Data Protection Acts to get rid of it, as they can&#8217;t hold data for longer than they have a legitimate purpose for it.</strong></p>
<h2>The Privacy Statement</h2>
<p>I&#8217;ve written a few times over on the company site about <a href="http://castlebridge-associates.com/blog/daragh-o-brien/2011/january/compliance-policy-and-action-aligned">the need for Privacy Statements to actually reflect the reality</a> of what is happening with personal data that you are obtaining and the balance that needs to be struck by Data Controllers.</p>
<div id="attachment_605" class="wp-caption alignleft" style="width: 310px"><a href="http://obriend.info/wordpress/wp-content/uploads/2011/01/fg_privacypolicy1.png"><img class="size-medium wp-image-605" title="fg_privacy-statement" src="http://obriend.info/wordpress/wp-content/uploads/2011/01/fg_privacypolicy1-300x146.png" alt="Fine Gael Privacy Statement Screenshot" width="300" height="146" /></a><p class="wp-caption-text">Screenshot of FG2011.com Privacy Statement</p></div>
<p>FG finally got around to putting up a Privacy Statement on their website late in the day yesterday (check the image above&#8230; it was not there in the morning when I took the screen grab). They copied the privacy statement from their old website, which was accessible yesterday (along with all their policies etc.) at <a href="http://finegael.org">http://finegael.org</a> but appears to have gone away as the screenshot from today below shows. Perhaps their web sites have moved (for security reasons, as FG say in <a href="http://www.irishtimes.com/newspaper/ireland/2011/0108/1224287043463.html">today&#8217;s Irish Times</a>).</p>
<div id="attachment_606" class="wp-caption alignright" style="width: 310px"><a href="http://obriend.info/wordpress/wp-content/uploads/2011/01/finegaeldotorgtoday.png"><img class="size-medium wp-image-606 " title="finegaeldotorgtoday" src="http://obriend.info/wordpress/wp-content/uploads/2011/01/finegaeldotorgtoday-300x148.png" alt="Screenshot of finegael.org backup site as of 8th Jan 2011 14:14" width="300" height="148" /></a><p class="wp-caption-text">Finegael.org - Gone away?</p></div>
<p>While they have a link and can tick the box about having a Privacy Statement, in my personal view they get 10 out of 10 for effort, but fail the test of whether that Privacy Statement actually reflects what they are doing in reality.</p>
<p>The first test is failed in the very first paragraph which says that</p>
<blockquote><p>Visitors can use most of the site without being personally identified by Fine Gael.</p></blockquote>
<p>OK. If by &#8220;Use&#8221; you mean &#8220;Sit and Read&#8221; then that is a correct statement. But if you want to engage with any of the primary functions of the site (like having your voice heard, telling them your opinions and complaints, all the good and wholesome stuff that Enda is inviting us to do) then you <strong>HAVE</strong> to provide them with personally identifying information. And in some cases that information can end up being quite granular. For example, if I were to put in my name and the village I live in, I would be uniquely identifiable as I&#8217;m the only person of that name in that village.</p>
<p>The fact that the Privacy Statement doesn&#8217;t address many of the specific  points that the <a href="http://www.dataprotection.ie/docs/PrivStatements/290.htm">Data Protection Commissioner</a> and the legislation actually <strong>require</strong> to be addressed in a Privacy Statement is another key issue.</p>
<p>Compare the <a href="http://finegael2011.com/privacyPolicy.asp">Fine Gael Privacy Statement</a> (or <a href="http://fiannafail.ie">Fianna Fail&#8217;s</a>) to the equivalent statements on websites from UK political parties:</p>
<ul>
<li><a href="http://www.conservatives.com/Information/Privacy.aspx">UK Conservatives</a></li>
<li><a href="http://www2.labour.org.uk/privacy">UK Labour</a></li>
<li><a href="http://www.libdems.org.uk/privacy.aspx">UK Liberal Democrats </a></li>
</ul>
<p>The <a href="http://www.greenparty.org.uk/">UK Greens</a> (like their <a href="http://www.greenparty.ie/en">Irish counterparts</a>) don&#8217;t have a Privacy Statement on their website.</p>
<p>Given that FG have moved to new servers, with a website with new functionality and new purposes for personal data, at the very least they should have reviewed their Privacy Statement to make sure it is still valid.</p>
<p>Indeed, that type of regular review is a recommendation of the Data Protection Commissioner and is a requirement of the <a href="http://www.computerweekly.com/blogs/the-data-trust-blog/2009/06/bs100122009---data-protection.html">BS10012:2009 standard for Personal Information Management Systems</a>.</p>
<p><strong>Suggestion: FG should review their Privacy Statement to make sure it matches what is actually going on. This should form part of their regular and on-going governance of data to ensure compliance.</strong></p>
<h2>Some Thoughts</h2>
<p>Fine Gael seem to have made significant efforts in the past day or so to address a problem that earlier in the week they didn&#8217;t want to engage with. Indeed, up to yesterday morning they were telling <a href="http://www.thejournal.ie/smart-economy-fine-gaels-news-website-is-housed-in-miami-2011-01/">TheJournal.ie that they &#8220;weren&#8217;t interested</a>&#8221;. In that context, the steps that they have taken are a laudable effort.</p>
<p>But if they had actually taken the time to <strong>plan</strong> and build their Data Protection obligations into their new processes and website and ensure that they were demonstrably in compliance with the legislation before launching their site then this story would never have existed for anyone to be interested in at all!</p>
<p>The lesson that needs to be learned from the Fine Gael experience is that it is <strong>always </strong> far better to design privacy and data protection concerns into systems and processes rather than having to inspect out defects and errors. Just like with any quality process, if you don&#8217;t design quality in you will inevitably find yourself having to fire-fight issues in crisis mode, which means that you will almost always miss something else.</p>
<p><a href="http://www.privacybydesign.ca/">Privacy by Design</a> is a key concept in Data Protection circles. Given that the Data Protection Acts create a Duty of Care, care should be taken when embarking on the processing of personal data to ensure that you understand that Duty of Care and how to meet the associated Standard of Care.</p>
<p>Not doing so means you risk regulatory penalties, litigation (where there is damage suffered as a result of the breach of the Data Protection rules), and damage to your brand and commercial reputation. Regulatory penalties can be paid, court cases can be settled, but the media coverage and comment on your brand, particularly in the age of Twitter, blogging and Google, will have a half-life all of its own.</p>
<p>A lawyer friend of mine often tells people:</p>
<blockquote><p>There&#8217;s only one thing worse than being sued and losing, and that&#8217;s being sued and winning. Because no one will remember that you won! <strong>It&#8217;s always better to avoid being sued in the first place.</strong></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://obriend.info/2011/01/08/fine-gael-website-some-thoughts/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Setting tone from the Top</title>
		<link>http://obriend.info/2011/01/05/setting-tone-from-the-top/</link>
		<comments>http://obriend.info/2011/01/05/setting-tone-from-the-top/#comments</comments>
		<pubDate>Wed, 05 Jan 2011 16:34:19 +0000</pubDate>
		<dc:creator>Daragh</dc:creator>
				<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Read/Write Collaboration]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[fine gael]]></category>
		<category><![CDATA[privacy by design]]></category>

		<guid isPermaLink="false">http://obriend.info/2011/01/05/setting-tone-from-the-top/</guid>
		<description><![CDATA[In the rush to adopt new technologies and new ways of working, particularly when an organisation embarks on a change to systems and processes, it is often very easy to get caught up in the whirlwind of enthusiasm for the new technology and the promised benefits of new ways of working. Nearly 2 years ago [...]]]></description>
			<content:encoded><![CDATA[<p>In the rush to adopt new technologies and new ways of working, particularly when an organisation embarks on a change to systems and processes, it is often very easy to get caught up in the whirlwind of enthusiasm for the new technology and the promised benefits of new ways of working.</p>
<p>Nearly 2 years ago <a href="http://obriend.info/2009/03/24/politics-20-and-information-quality/">I wrote a post on this blog</a> about the adoption of US style internet campaigning and the use of Web2.0 in Irish politics from an information quality perspective. The scorecard wasn&#8217;t good from a data quality perspective. The strategy seemed to be &#8220;If Obama can get elected using this Internet thingy, then we need to copy what he did&#8221;. No attention seemed to have been paid to the simple fact that a &#8220;cut and paste&#8221; adoption of a pre-canned solution from elsewhere would not necessarily work.</p>
<p>2 years on I would have thought that some lessons might have been learned. So when Fine Gael announced they&#8217;d &#8220;stood down&#8221; their finegael.ie website in favour of a more <a href="http://finegael2011.com/">interactive presence</a> in the run up to the election I thought I&#8217;d take a quick look. While the Information Quality issues with the form were not <em>too</em> bad, the structure and operation of the site raise a number of concerns from a Data Protection perspective.</p>
<p>Bluntly – when a US election solution provider rolls up in Europe they will find that they literally ain&#8217;t in Kansas anymore, particularly with regard to what you must and must not do in the capture and processing of personal data. Political parties buying these services need to be aware that they are Data Controllers and that the solution providers are Data Processors in the context of the Data Protection Acts 1988 and 2003.</p>
<p>Failure to set the &#8220;tone at the top&#8221; and cascade it through the organisation means that often the important questions are not asked (or the answers are ignored).</p>
<p>Ultimately, in a Data Protection context, you are dealing with issues that can impact on your brand. If you are positioning yourself as being a political party that will &#8220;get tough&#8221; with vested interests through more effective regulation and enforcement you can&#8217;t really start the ball rolling by flouting basic principles of Data Protection law.</p>
<p>Indeed, back as far as 2004 the Data Protection Commissioner wrote:</p>
<blockquote><p><span style="font-family: Verdana; font-size: 9pt;">It is important that public representatives and candidates for elective office realise the importance of their obligations under the Acts and that, in so far as responding to legitimate investigations from statutory office holders is concerned, in no sense should they consider themselves above the Law<br />
</span></p></blockquote>
<p>In <a href="http://www.dataprotection.ie/documents/annualreports/AR2010.pdf">2009&#8217;s annual report</a> the Commissioner also wrote that:</p>
<blockquote><p>Rapidly changing technology can be both a threat to this right and the means of protecting it. Building data protection safeguards into new technologies and applications of these technologies remains the best approach. This is as much true of data processing in the &#8220;cloud&#8221; as it is of a routine development of an IT application in an organisation.</p></blockquote>
<p>So… the issues?<span id="more-576"></span></p>
<h3>Obscured by Clouds (Personal Data and Cross Border Transfer)</h3>
<p>This site appears to be a reskinning of a solution provided by <a href="http://electionmall.com">Electionmall.com</a>, a US-based provider of &#8220;on demand&#8221; web-based campaign tools. So, FG have embraced the Cloud. However, as I&#8217;ve repeatedly said through 2010, and as the Irish Data Protection Commissioner also clarified at a number of events in 2010, there are certain due diligence steps that Data Controllers (and FG is a Data Controller) need to perform before embracing cloud.</p>
<ol>
<li><strong>Where is the data going?</strong> It would seem that the Data Processor in this case (ElectionMall Technologies) is a US based company. Transfer of Personal Data to the US from the EU is permitted where the Data Processor is registered with the <a href="http://www.export.gov/safeharbor/eg_main_018236.asp">Safe Harbor</a> scheme. EMT does not appear to be listed on the <a href="https://safeharbor.export.gov/list.aspx">Safe Harbor list</a> (feel free to search for yourself – I couldn&#8217;t find them). EMT state (in their <a href="http://www.electionmall.biz/_privacy_policy.asp">privacy policy</a>) that the data is processed on their servers in the US, but the way this privacy statement is drafted it seems to be directed at the processing of personal data of <strong>their customers</strong> (who are the politicians) not necessarily the actual individuals who may submit data. The Data Protection Commissioner has <a href="http://www.dataprotection.ie/ViewDoc.asp?fn=/documents/responsibilities/3ma.htm&amp;CatID=56&amp;m=y">some good advice for organisations considering transferring personal data abroad</a>.</li>
<li><strong>Is there a contract?</strong> The Data Protection Acts require any processing being undertaken by a Data Processor to be done so on foot of a written contract. Given that Enda Kenny famously took out a contract for Ireland in the 2007 General Election, one must assume that there is a clear contract that gives FG assurances re: technical and organisational measures re: security and Data Protection compliance in EMT. This is an issue for any organisation that is outsourcing the processing of personal data to a &#8220;Cloud&#8221; provider. Where the Data Processor in turn has hosting services provided by another 3<sup>rd</sup> party, that &#8220;chain of contracts&#8221; can become important if there is a loss of personal data or an unauthorised disclosure.</li>
</ol>
<p>Over on my company site I have a tutorial on Data Protection in Cloud Computing.</p>
<h3>Fair Use/Fair Obtaining</h3>
<p>S2 of the Data Protection Acts deals with the whole area of fair obtaining and fair use of personal data, including Sensitive Personal Data. There is a requirement for websites which are capturing personal data (and which fall within the remit of the Acts) to have a Privacy Statement. The <a href="http://www.dataprotection.ie/docs/PrivStatements/290.htm">Commissioner is quite clear about this</a>. If data has not been obtained fairly it cannot be processed. I&#8217;ve looked all over <a href="http://finegael2011.com/">finegael2011.com</a> and cannot find a link to any Privacy Statement. (Unfortunately this is all too true for a number of other commercial and political websites from Ireland that I&#8217;ve looked at recently). The Commissioner provides some basic guidelines as to what should be in a Privacy Statement, including the need to take cross border data transfers into account when including information in the Privacy Statement and the importance of having contracts with Data Processors.</p>
<p>Examples of Political Party privacy statements include: <a href="http://www.fiannafail.ie/content/pages/privacy-policy/">Fianna Fail</a>, the <a href="http://www2.labour.org.uk/privacy">UK Labour Party</a>, <a href="http://www.conservatives.com/Information/Privacy.aspx">UK Conservatives</a>.</p>
<p>Ultimately, the test of a Privacy Statement is whether something happens with personal data provided which a reasonable person reading the statement wouldn&#8217;t have expected to happen. For example, if you have to provide an email address to make a comment on a site but you find you&#8217;ve been added to a mailing list as a result then that would need to have been made clear in the Privacy Statement.</p>
<p>Likewise, if your personal data is being transferred outside of the EU to a Data Processor then that too would have to be made clear in the Privacy Statement, along with the grounds on which that transfer was legitimate (e.g. the Data Processor is Safe Harbor registered).</p>
<p>While political parties, politicians, and candidates for elected office enjoy certain exemptions under the Data Protection Acts they do not have immunity from the Acts. <a href="http://www.dataprotection.ie/viewdoc.asp?Docid=264">This case study</a> from the Data Protection Commissioner&#8217;s website outlines the nature of those exemptions quite well. The exemptions extend to the processing of and disclosure of data, in particular Sensitive personal data (which includes statements of political opinion or belief). A key element of these exemptions in the context of an Election campaign would be S2B(1)(ix) which allows sensitive personal data to be processed by political parties without consent &#8220;in the course of electoral activities for the purpose of compiling data on people&#8217;s political opinions&#8221;.</p>
<p>They do not absolve politicians and political parties from the need to comply with the rest of their duties as Data Controllers under the Acts.</p>
<h2>Wrap up</h2>
<p>&#8220;Privacy by Design&#8221; is becoming the mantra of Data Protection enforcement worldwide. Simply cutting and pasting a solution from another jurisdiction into an Irish or EU context invites breaches of legislation and failures of the required governance and controls. This is not just a technology issue.</p>
<p>Given that politicians are asking us to trust them, they should ensure that they take the necessary steps to earn that trust. Just like any other organisation embracing new technologies, they must ensure that the necessary due diligence and governance structures are in place to ensure that they are acting in compliance with long established legislation. If they are promoting a &#8220;tough on regulation&#8221; policy platform, then they must lead with a clear &#8220;tone from the top&#8221; of Compliance and good Governance.</p>
<p>In short they must <strong>Lead</strong>.</p>
]]></content:encoded>
			<wfw:commentRss>http://obriend.info/2011/01/05/setting-tone-from-the-top/feed/</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
		<item>
		<title>Information Quality &#8211; Do we have an app for that?</title>
		<link>http://obriend.info/2010/04/12/information-quality-do-we-have-an-app-for-that/</link>
		<comments>http://obriend.info/2010/04/12/information-quality-do-we-have-an-app-for-that/#comments</comments>
		<pubDate>Mon, 12 Apr 2010 19:14:32 +0000</pubDate>
		<dc:creator>Daragh</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Information Quality]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[app]]></category>
		<category><![CDATA[contact lists]]></category>
		<category><![CDATA[data quality]]></category>
		<category><![CDATA[iphone]]></category>

		<guid isPermaLink="false">http://obriend.info/?p=542</guid>
		<description><![CDATA[A few weeks back I got a new iphone. I&#8217;d resisted for years, enjoying the pleasures of Nokia and Symbian and the challenges of Palm and Windows Mobile 6.1. The fun part for me of any new mobile phone purchase is playing with the new toy  tool and seeing what it can do that my [...]]]></description>
			<content:encoded><![CDATA[<p>A few weeks back I got a new iphone. I&#8217;d resisted for years, enjoying the pleasures of Nokia and Symbian and the challenges of Palm and Windows Mobile 6.1.</p>
<p>The fun part for me of any new mobile phone purchase is playing with the new toy  tool and seeing what it can do that my old one couldn&#8217;t. For example, back in the 1990s when I did my first upgrade from my first mobile phone (an ericsson model so old that I actually can&#8217;t find it referenced on the internet), I found that the new phone was so much smaller and lighter I was actually able to carry it around.</p>
<p>The irritation I have is when it comes to moving my contacts and synchronising with my various other technologies that hold contact details (laptop, gmail, company address book). Inevitably I wind up with duplication and triplication of contacts. I thought I had the problem licked on the iphone though as there are a number of apps available for managing contact details and reducing duplicates.</p>
<p>However, having spent a few days using them I am unimpressed as they seem to be making the traditional rookie mistake in de-duping records &#8211; assuming that name matching is enough.</p>
<p>My brother and father share a given name and a family name. They have different middle initials, different addresses, different phone numbers, different email addresses (all the stuff that you would have in a contact record on your phone). Each application I tried decided that they were a duplicate entry and merged the records. This was annoying.</p>
<p>In other cases, I have duplicate entries with varying degrees of record completeness. For example, my friend Cathal exists at least 4 times, with one entry having most of his contact details, with spurious email addresses or social networking nicknames in the others. The &#8220;data quality tool&#8221; very kindly merged all the records into the entry that had the least amount of data, and deleted the other records.</p>
<p>Right now I&#8217;m considering firing up talend, datanomic, or informatica tools to dedupe a dump from my iphone and reload it to the phone, and then hopefully that will cascade through the rest of my data stores when I synchronise.</p>
<p>But I&#8217;ll need to draw a data flow map of all of that to make sure.</p>
<p>Grrrrhhh.</p>
<p>So. If the existing tools for data quality on the iphone are not up to the job, what is missing? The good news is that the data sets are fairly clearly structured (once they get into the iphone), so that is less of a concern than the actual processing of matching and consolidation of records.</p>
<ol>
<li>Probability scoring across multiple fields would be nice. If two people have the same name but significantly different contact details then it is very probable they are not the same person. A corollary &#8211; if there are two records with the same name and one has contact information and the other record has only a name, chances are they are duplicates.</li>
<li>Presentation of matches for review. While the machine can make good guesses where the name and contact details are the same, where there is confusion, the matches should be flagged for a review by the phone user (the &#8220;Data Controller&#8221;). This way we can avoid having to unpick erroneous matches.</li>
<li>Merging of records should be done on a more structured basis, with mapping of fields being user-customisable based on a standard template. I despair of important contact information being dumped into a notes field (it reminds me too much of when I had to try and migrate data out of a Siebel call centre system a few years ago).</li>
<li>The matching should be able to cater for multi-lingual input (as phones don&#8217;t all live and work in English-speaking lands).</li>
</ol>
<p>There may be other requirements that I am not thinking of here at the moment, but those 4 are a starting point. Perhaps an obliging Data Quality tool vendor will develop an iphone app to a web service for matching contact records.</p>
<p>Personally, I think that having such a service available would help raise awareness of the value of quality non-duplicated contact information to individuals and to organisations.  However, the app on its own isn&#8217;t enough as the average smart-phone user may have personal information held in a variety of places and, just like in a large enterprise with lots of data stores, creating a &#8220;Single View of Contact&#8221; will require you to understand the flow of your contact information around your tools (i.e. does the phone update the laptop and does the laptop synch to google apps and does google apps synch to the phone?) to avoid the cleanup work being undone the next time you plug your phone into your PC.</p>
<p>Information Quality Management poses challenges for the enterprise, but can also create friction for the individual trying to manage something as simple as a list of contacts across multiple information stores.</p>
<p>Do we have an app for that?</p>
]]></content:encoded>
			<wfw:commentRss>http://obriend.info/2010/04/12/information-quality-do-we-have-an-app-for-that/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Bank of Ireland Double Charging</title>
		<link>http://obriend.info/2009/09/09/bank-of-ireland-double-charging/</link>
		<comments>http://obriend.info/2009/09/09/bank-of-ireland-double-charging/#comments</comments>
		<pubDate>Wed, 09 Sep 2009 08:48:48 +0000</pubDate>
		<dc:creator>Daragh</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Customer Service]]></category>
		<category><![CDATA[Information Quality]]></category>
		<category><![CDATA[Information/Data Quality Issues]]></category>
		<category><![CDATA[The Business of IQ]]></category>
		<category><![CDATA[Web 2.0]]></category>

		<guid isPermaLink="false">http://obriend.info/?p=439</guid>
		<description><![CDATA[I read with interest a story on the Irish Times website this morning about Bank of Ireland double charging customers for Laser transactions in &#8220;recent days&#8221;. What interested me is that this was not something that happened in &#8220;recent days&#8221;. Far from it. Back in May 2009, Simon over on Tuppenceworth.ie reported this problem to [...]]]></description>
			<content:encoded><![CDATA[<p>I read with interest a story on the Irish Times website this morning <a href="http://www.irishtimes.com/newspaper/breaking/2009/0909/breaking12.htm">about Bank of Ireland double charging customers for Laser transactions</a> in &#8220;recent days&#8221;. What interested me is that this was not something that happened in &#8220;recent days&#8221;. Far from it.</p>
<p>Back in May 2009, Simon over on Tuppenceworth.ie reported this problem to Bank of Ireland and<a href="http://www.tuppenceworth.ie/blog/2009/05/22/bank-of-ireland-glich-double-charging-customers/"> blogged about his customer service experience</a>. On foot of what Simon had written, I emailed Bank of Ireland to try and get details on the issue before I wrote it up over at <a href="http://www.iqtrainwrecks.com/2009/05/26/double-debits-directly-another-banking-iqtrainwreck/">IQTrainwrecks.com</a>.</p>
<p>The response I received from Bank of Ireland on the 4th of June was:</p>
<blockquote><p><span style="font-family: Arial;">When BoI receives an authorisation request from a retailer, a ‘hold’ is placed on those funds until the actual transaction is presented for payment. The transaction is posted to the customer’s account on receipt from the retailer.</span></p>
<p><span style="font-family: Arial;">Relative to the number </span>of <span style="font-family: Arial;">transactions processed there are a very small number</span> of <span style="font-family: Arial;">instances where a transaction may appear twice. For example these may occur if the retailer inputted the wrong amount and then re-input the correct amount or the transaction is sent in error twice for authorisation. These types </span>of t<span style="font-family: Arial;">ransactions are not errors or a system issue created by the</span> Bank. <span style="font-family: Arial;">The</span> Bank<span style="font-family: Arial;"> receives an authorisation request and subsequently places a hold on those funds. These types </span>of <span style="font-family: Arial;">transactions are not unique to </span>Bank of Ireland.</p>
<p>Bank of Ireland responds to all customer queries raised in connection with above.</p></blockquote>
<p>(I have the name and contact details of the Bank of Ireland Press Office person who sent me that response).</p>
<p>So. Basically the response in June was &#8220;those kind of things happen. They happen in all banks. If customers complain to us we sort it out on a case by case basis&#8221;.</p>
<p><a href="http://obriend.info/wordpress/wp-content/uploads/2009/09/questions-for-bank-of-ireland.doc">These are the questions I submitted  to BoI in June.</a> The quote above was the response I received to these detailed questions.<span id="more-439"></span></p>
<p>Fast forward to today. Today, the bank is telling the media that in &#8220;recent days&#8221; there was a &#8220;technical error&#8221;. I&#8217;m as baffled as the Bank by this, but for different reasons.</p>
<ul>
<li>The first question I put to the bank in June was &#8220;<em>When did you become aware of  &#8217;double dipping&#8217; of customer accounts?&#8221;</em>.  The answer is not &#8220;in recent days&#8221; or &#8220;over the weekend&#8221; (as the Bank spokesperson told the Irish Times today) and is more correctly &#8220;at least since June&#8221;.</li>
<li>In May, Simon had been advised that the cause of the problem was a software upgrade. In June I asked the Bank
<ul>
<li>&#8220;<em>We have been informed that this issue was triggered by the deployment of new software. Is this the case?</em>&#8221; AND</li>
<li>&#8220;<em>If it is the case that a new software deployment has caused the problem, is it not possible to &#8216;roll back&#8217; to the previous version of the software until the software bug can be resolved</em>?&#8221; AND</li>
<li>&#8220;<em>Do you feel that sufficient care was taken to ensure the software was fully tested against &#8216;real-world&#8217; operation scenarios before being deployed to prevent this type of duplication of transaction? For example, was the software tested to see what would happen in common usage scenarios such as leaving a tip, having multiple transactions in succession in one store (perhaps at one Laser terminal), or retailers resorting to &#8216;old&#8217; processes out of habit</em>?&#8221;</li>
<li>In June the Bank did not address these points.</li>
</ul>
</li>
</ul>
<p>In June, Bank of Ireland was explicit in its identification of the root cause for this type of error.</p>
<blockquote><p><span style="font-family: Arial;">&#8230;there are a very small number</span> of <span style="font-family: Arial;">instances where a transaction may appear twice. For example these may occur if the retailer inputted the wrong amount and then re-input the correct amount or the transaction is sent in error twice for authorisation. </span></p></blockquote>
<p><span style="font-family: Arial;">In today&#8217;s Irish Times they are less certain</span></p>
<blockquote><p><span style="font-family: Arial;">A spokeswoman for the bank said that she was unable to say how customers had been affected by the error, but that she believed that the customers affected were from across the State and not from one particular area.</span></p></blockquote>
<p><span style="font-family: Arial;">The good news from today&#8217;s Irish Times report is that I&#8217;ve finally gotten an answer to one of my questions, which was:</span></p>
<blockquote><p><span style="font-family: Arial;">Does Bank of Ireland have the capability to identify any &#8220;shadow transactions&#8221; raised against customer accounts in error independent of any action by the customer? If yes, how will the Bank inform customers of these errors?</span></p></blockquote>
<p><span style="font-family: Arial;">It would seem that they have, at least since this past weekend, and their method for notifying customers is a report to the Irish Times.</span></p>
<p><span style="font-family: Arial;">So, what does this mean for Bank of Ireland (from an Information Quality perspective)?</span></p>
<p><span style="font-family: Arial;"><strong>It would suggest that there are weaknesses in their &#8220;Quality Culture&#8221; and Customer Focus</strong>. </span></p>
<p><span style="font-family: Arial;">The response to a report of overcharging by the bank (and potentially significant overcharging at that) was summarily dismissed and was being handled on a case by case basis. It would seem from the reports (and I worked in Compliance long enough to know that what is in the paper isn&#8217;t necessarily the <em>whole</em> story, so I&#8217;ll admit this may be a stretch) that the issue was only taken seriously when it was &#8220;spotted&#8221; by BOI staffers over the weekend. </span></p>
<p><span style="font-family: Arial;">Of course, it may well be that the surprise find over the weekend was the result of a long period of investigation and analysis within the Bank by a crack team of information quality specialists (even if they are not called that). If so, <strong>they should be given credit for their diligent work</strong>, not airbrushed from the story like so many other &#8220;special forces&#8221;.</span></p>
<p><strong>It means the time span they need to look at for remedying the over charging may be a lot longer than they think</strong></p>
<p><span style="font-weight: normal;">If the Bank is looking just at transactions over a period spanning a few days either side of last weekend, then they are potentially missing customers who have been overcharged through their error. Bear in mind that this issue was first brought to the Bank&#8217;s attention in May 2009. It is now September.</span></p>
<p><span style="font-weight: normal;">That is a </span><span style="font-weight: normal;"><strong>4</strong></span><strong> month </strong><span style="font-weight: normal;">window. How many Laser transactions do Bank of Ireland process per day? Tens of thousands? Times 120 days (approximately)?</span></p>
<h3>It suggests that their Customer care and Media responses to reports of overcharging need to become more, well&#8230; Customer and Quality focussed.</h3>
<p>Simon was effectively dismissed by BoI when he tried to flag the issue. They were handling things on a case by case basis. I was effectively dismissed by BoI. Yes, I got a response, but the response didn&#8217;t address any of the questions I actually raised. The response simply repeated the line Simon had been given.</p>
<p>The story in the Irish Times reads to me like a truthful and well meant attempt to explain the situation that actually highlights the failure of Bank of Ireland to have in place sufficiently adequate processes to deal with reports of Information Quality problems from their customers which resulted in Simon&#8217;s complaint and my subsequent queries not triggering any sort of alarm bells.</p>
<p>The alternative (that it is a fabrication put together to spin the story as positively as possible for the Bank) is unthinkable, surely.</p>
<p>And the other alternative is that maybe they did but it just took 4 months to get to the bottom of the issue.  I have worked on projects like that. Sometimes the problems are hard and take time to figure out. But the timescale the Bank quotes for the error suggests that this is not the case.</p>
<p>By the way&#8230;.</p>
<p style="text-align: center;"><strong>Bloggers had this story 4 months ago.</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://obriend.info/2009/09/09/bank-of-ireland-double-charging/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>IAIDQ Festival del IDQ Bloggers &#8211; Episode #2</title>
		<link>http://obriend.info/2009/06/01/iaidq-festival-del-idq-bloggers-episode-2/</link>
		<comments>http://obriend.info/2009/06/01/iaidq-festival-del-idq-bloggers-episode-2/#comments</comments>
		<pubDate>Mon, 01 Jun 2009 19:16:43 +0000</pubDate>
		<dc:creator>Daragh</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[IAIDQ]]></category>
		<category><![CDATA[Information Quality]]></category>
		<category><![CDATA[Politics & Culture]]></category>
		<category><![CDATA[The Business of IQ]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[blog carnival]]></category>

		<guid isPermaLink="false">http://obriend.info/?p=388</guid>
		<description><![CDATA[Right &#8211; I&#8217;m opening with an apology. This should have gone out hours ago but it&#8217;s a Bank Holiday in Ireland, the sun is (uncharacteristically) shining so I took off to the beach with my wife and lost track of time&#8230; but better late than never. As some of you may know, I&#8217;m a member [...]]]></description>
			<content:encoded><![CDATA[<p>Right &#8211; I&#8217;m opening with an apology. This should have gone out hours ago but it&#8217;s a Bank Holiday in Ireland, the sun is (uncharacteristically) shining so I took off to the beach with my wife and lost track of time&#8230; but better late than never.</p>
<p>As some of you may know, I&#8217;m a member of the <a href="http://iaidq.org">IAIDQ</a>, an international not-for-profit dedicated to developing the profession of Information Quality Management (a profession that spans both business and IT, and a host of professional disciplines from Compliance to Risk Management, to Legal, to Marketing, to Sales/CRM&#8230; Basically, if you need good quality information to succeed in a role, you need good quality information quality management).</p>
<p>This year the IAIDQ is 5 years old and is having a series of rolling celebrations, the Blog Carnival &#8220;Festival del IDQ Bloggers&#8221; being one of the strands of those celebrations. I&#8217;m honoured to be counted among the cadre of IDQ Bloggers (people who blog about Information Quality issues) and take immense pride in presenting to you, dear reader, the Roll of Honour for IDQ Bloggers from May 2009.</p>
<h2>Entry #1 Steve Sarsfield</h2>
<p> <a href=" http://twitter.com/stevesarsfield">Steve Sarsfield</a> of the <a href="http://data-governance.blogspot.com">Data Governance and Data Quality Insider</a> with this great <a href="http://data-governance.blogspot.com/2009/05/data-governance-movie.html">post about Data Quality/Data Governance as a Movie</a>. In it, he compares the &#8220;heroes&#8221; of the Data Governance/Data Quality profession as they battle (á la Neo or John McClane) to eliminate the &#8220;bad guys&#8221; of poor quality information and sloppy or ineffective data governance. </p>
<p>Personally, I&#8217;d have added <a href="http://www.imdb.com/title/tt0065938/">Kelly&#8217;s Heroes</a> to the mix here, but then those of you who know me would say that I&#8217;d try and add Kelly&#8217;s Heroes to anything.</p>
<p>Steve Sarsfield is a data quality evangelist and author of the book the <em><a href="http://astore.amazon.com/interassocfor-20/detail/1849280126">Data Governance Imperative</a></em><a href="http://astore.amazon.com/interassocfor-20/detail/1849280126">. </a> His blog covers the world of data integration, data governance, and data quality from the perspective of an industry insider.</p>
<h2>Entry #2: Bob Lambert</h2>
<p>In this thought provoking post, <a href="http://www.linkedin.com/in/boblambert">Bob Lambert</a> shares his insights into why Project Sponsors <a href="http://robertlambert.net/2009/05/dq-he-isnt-so-dumb-he-just-needs-glasses/">aren&#8217;t blind, they just need glasses</a>. In it, he highlights an all too common problem in poorly aligned IT projects and &#8216;re-engineering&#8217; efforts where the project hits a &#8220;speed bump&#8221; of poor quality information and missed data integration requirements which leads to an inevitable project failure. Bob argues that the Project team should be given the mandate to have a checkpoint for the Project Sponsors to reality test the project costs and business case before blindly tilting at windmills trying to make the project work.</p>
<p>This one should be mandatory reading for anyone working in an IT/Business interface role who is staring down the barrel of a &#8220;rationalisation&#8221; programme or a &#8220;next generation business/systems architecture&#8221; programme. </p>
<p>Bob Lambert is an IT professional interested in information management, business analysis, databases, &amp; projects, and how IT and business get together to plan, build, and maintain business value. His blog at <a href="http://robertlambert.net">RobertLambert.net</a> is about “aligned IT:” Aligned IT means IT integrated with business to create business value, and as such implies on time, on budget projects that meet their goals and motivated professionals working together to solve problems.</p>
<h2>Entry #3 Jim Harris</h2>
<p>Jim &#8220;the Gentleman&#8221; Harris returns this month with yet another amusing and thought provoking post on how the path to poor quality data is often paved with good intentions. In his post &#8220;<a href=" http://www.ocdqblog.com/home/the-nine-circles-of-data-quality-hell.html">The Nine Circles of Data Quality Hell</a>&#8221;, Jim collates a number of factors (explored in earlier posts on his blog) which can lead to the Hell of Poor Quality data.</p>
<p>While a few commenters on Jim&#8217;s blog have suggested a few more, I think Jim has done a very admirable job documenting the common pitfalls that leave poor data quality managers everywhere facing yet another day pushing boulders up hills.</p>
<p><span class="il">Jim</span> <span class="il">Harris</span> is an independent consultant, speaker, writer and blogger with over 15 years of professional services and application development experience in data quality. His blog, <a href="http://ocdqblog.com">OCDQBlog.com</a> is an independent blog offering a vendor-neutral perspective on data quality.</p>
<h2>Entry #4 William Sharp</h2>
<p>Entry number four comes from &#8220;new kid&#8221; on the Information Quality blogging block, William Sharp. His post &#8220;<a href="http://dqchronicle.wordpress.com/2009/05/20/begin-at-the-end-ensuring-data-quality-success/">Begin at the End &#8211; Ensuring Data Quality Success</a>&#8221; elegantly sums up one of the challenges in developing, presenting, and implementing information quality improvement &#8211; the Value Proposition. William very nicely spells out the need to link your data quality project to clear business objectives in order to sell the value as, unlike &#8216;traditional&#8217; IT projects, the impact of an information quality project is not as immediately apparent.</p>
<p>A great post from a promising new arrival to the Community.</p>
<p>William&#8217;s blog is the &#8220;<a href="http://dqchronicle.wordpress.com/2009/05/20/begin-at-the-end-ensuring-data-quality-success/">DQ Chronicle</a>&#8221;, an attempt to capture the opportunities and challenges that exist as part of the various data quality initiatives encountered in the enterprise environment. He tries to keep the topics in a format as easy to digest and as direct as possible, side stepping profound pronouncements on Information Quality theory in favour of more direct content aimed at newcomers to the profession and people wanting to learn more.</p>
<p>William is a skilled business professional with 12 years experience in client partnering. He is based in the US.</p>
<h2>Entry #5 Tuppenceworth.ie</h2>
<p>Tuppenceworth.ie is one of the leading blogs in the Irish Blogging community. Earlier this month they ran a post about poor quality information in one of the leading Irish banks and its impact on customers &#8211; a touching &#8220;real world&#8221; story of a real customer impact (I blogged about it myself and it was picked up by <a href="http://iqtrainwrecks.com">IQTrainwrecks.com</a>).</p>
<p><a href="http://www.tuppenceworth.ie/blog/index.php/2009/05/22/bank-of-ireland-glich-double-charging-customers/">Read the post here</a></p>
<p>Founded in 2001, initially as a static HTML site before morphing into its current blog format in recent years, <a href="http://tuppenceworth.ie/blog">Tuppenceworth.ie</a> has become a noted fixture in the Irish Blogging community. Members of its writing team have featured on Irish media discussing blogs and blogging and bloggers (amongst other things). With themes ranging from media, arts, culture, politics and legal issues, Tuppenceworth is an eclectic read.</p>
<p><a href="http://tuppenceworth.ie/blog">Tuppenceworth.ie</a> is the brainchild of Simon McGarr and Fergal Crehan, with frequent guest contributions.</p>
<h2>Entry #6 IQTrainwrecks.com </h2>
<p>IQTrainwrecks.com posted a story in May about a banking error by a bank in New Zealand which left a young couple with a massive overdraft facility, which they proceeded to drain before absconding. What IQTrainwrecks pointed out which was missed in mainstream media was that this was <strong>not</strong> the first time that this particular bank has made an error of this kind.</p>
<p>Read: <a href="http://www.iqtrainwrecks.com/2009/05/21/antipodean-bankers-sheepish-over-overdraft-bungle-again/">Antipodean Bankers Sheepish over Overdraft Bungle (again)</a></p>
<p>Since 2006, <a title="IQTrainwrecks.com" href="http://www.iqtrainwrecks.com/" target="_blank">IQTrainwrecks.com</a>, which is a community blog provided and administered by the International Association for Information and Data Quality (<a title="IAIDQ" href="http://www.iaidq.org/" target="_blank">IAIDQ</a>), has been serving up regular doses of information quality disasters from around the world.</p>
<h2>Entry #7 The DoBlog.</h2>
<p>Despite having a busy month in work, I found time to put one post up that was inspired by the Tuppenceworth post.</p>
<p>In &#8220;<a href="http://obriend.info/2009/05/29/software-quality-information-quality-and-customer-service/">Software Quality, Information Quality, and Customer Service</a>&#8221; I let a picture from a recent Dilbert strip do the talking for me (eventually).</p>
<p>Perhaps if the Pointy Haired Boss had someone explaining the value of Information to his objectives (á la <a href="http://dqchronicle.wordpress.com/2009/05/20/begin-at-the-end-ensuring-data-quality-success/">William&#8217;s post</a>), and if the project team had the mandate to cry &#8220;Halt&#8221; when things stopped making sense (as Bob suggests), then the team and customers wouldn&#8217;t find themselves descending the <a href="http://www.ocdqblog.com/home/the-nine-circles-of-data-quality-hell.html">9 Circles of Data Quality Hell</a>, and the organisation wouldn&#8217;t need to cast around for a hero (see <a href="http://data-governance.blogspot.com/2009/05/data-governance-movie.html">Steve&#8217;s post</a>) to fix the inevitable IQTrainwreck.</p>
<h2>Wrap up</h2>
<p>Thanks to everyone who submitted a post for the June-published, May-reflecting edition of the IDQ Blog Carnival. Steve Sarsfield is the host for the next edition, hitting the Internet on or just before the 1st of July, covering Information/Data Quality blog posts published in the month of June (no cheating people &#8211; if you have a really good one from January... update it and submit it).</p>
<p>Literally within seconds of writing the first draft of this, I spotted a few more new Information Quality bloggers joining the fray. Welcome to them and I hope they submit a post or three.</p>
<p>If you want to submit a post for that edition, please visit the IAIDQ&#8217;s Blog Carnival page for details on how to submit your post.</p>
<p>Keep blogging!</p>
]]></content:encoded>
			<wfw:commentRss>http://obriend.info/2009/06/01/iaidq-festival-del-idq-bloggers-episode-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

