<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The DOBlog &#187; Read/Write Collaboration</title>
	<atom:link href="http://obriend.info/category/business/web-20/readwrite-collaboration/feed/" rel="self" type="application/rss+xml" />
	<link>http://obriend.info</link>
	<description>Daragh O Brien on Information Quality Management &#38; other issues</description>
	<lastBuildDate>Mon, 06 Feb 2012 15:14:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Setting tone from the Top</title>
		<link>http://obriend.info/2011/01/05/setting-tone-from-the-top/</link>
		<comments>http://obriend.info/2011/01/05/setting-tone-from-the-top/#comments</comments>
		<pubDate>Wed, 05 Jan 2011 16:34:19 +0000</pubDate>
		<dc:creator>Daragh</dc:creator>
				<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Read/Write Collaboration]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[fine gael]]></category>
		<category><![CDATA[privacy by design]]></category>

		<guid isPermaLink="false">http://obriend.info/2011/01/05/setting-tone-from-the-top/</guid>
		<description><![CDATA[When an organisation embarks on a change to systems and processes it is often very easy to get caught up in the whirlwind of enthusiasm for the new technology and the promised benefits of new ways of working. Nearly 2 years ago [...]]]></description>
			<content:encoded><![CDATA[<p>When an organisation embarks on a change to systems and processes it is often very easy to get caught up in the whirlwind of enthusiasm for the new technology and the promised benefits of new ways of working.</p>
<p>Nearly 2 years ago <a href="http://obriend.info/2009/03/24/politics-20-and-information-quality/">I wrote a post on this blog</a> about the adoption of US style internet campaigning and the use of Web 2.0 in Irish politics from an information quality perspective. The scorecard wasn&#8217;t good from a data quality perspective. The strategy seemed to be &#8220;If Obama can get elected using this Internet thingy, then we need to copy what he did&#8221;. No attention seemed to have been paid to the simple fact that a &#8220;cut and paste&#8221; adoption of a pre-canned solution from elsewhere would not necessarily work.</p>
<p>2 years on I would have thought that some lessons might have been learned. So when Fine Gael announced they&#8217;d &#8220;stood down&#8221; their finegael.ie website in favour of a more <a href="http://finegael2011.com/">interactive presence</a> in the run up to the election I thought I&#8217;d take a quick look. While the Information Quality issues with the form were not <em>too</em> bad, the structure and operation of the site raise a number of concerns from a Data Protection perspective.</p>
<p>Bluntly – when a US election solution provider rolls up in Europe they will find that they literally ain&#8217;t in Kansas anymore, particularly with regard to what you must and must not do in the capture and processing of personal data. Political parties buying these services need to be aware that they are Data Controllers and that the solution providers are Data Processors in the context of the Data Protection Acts 1988 and 2003.</p>
<p>Failure to set the &#8220;tone at the top&#8221; and cascade it through the organisation means that often the important questions are not asked (or the answers are ignored).</p>
<p>Ultimately, in a Data Protection context, you are dealing with issues that can impact on your brand. If you are positioning yourself as being a political party that will &#8220;get tough&#8221; with vested interests through more effective regulation and enforcement you can&#8217;t really start the ball rolling by flouting basic principles of Data Protection law.</p>
<p>Indeed, back as far as 2004 the Data Protection Commissioner wrote:</p>
<blockquote><p>It is important that public representatives and candidates for elective office realise the importance of their obligations under the Acts and that, in so far as responding to legitimate investigations from statutory office holders is concerned, in no sense should they consider themselves above the Law</p></blockquote>
<p>In <a href="http://www.dataprotection.ie/documents/annualreports/AR2010.pdf">2009&#8217;s annual report</a> the Commissioner also wrote that:</p>
<blockquote><p>Rapidly changing technology can be both a threat to this right and the means of protecting it. Building data protection safeguards into new technologies and applications of these technologies remains the best approach. This is as much true of data processing in the &#8220;cloud&#8221; as it is of a routine development of an IT application in an organisation.</p></blockquote>
<p>So… the issues?<span id="more-576"></span></p>
<h3>Obscured by Clouds (Personal Data and Cross Border Transfer)</h3>
<p>This site appears to be a reskinning of a solution provided by <a href="http://electionmall.com">Electionmall.com</a>, a US-based provider of &#8220;on demand&#8221; web-based campaign tools. So, FG have embraced the Cloud. However, as I&#8217;ve repeatedly said through 2010, and as the Irish Data Protection Commissioner also clarified at a number of events in 2010, there are certain due diligence steps that Data Controllers (and FG is a Data Controller) need to perform before embracing the cloud.</p>
<ol>
<li><strong>Where is the data going?</strong> It would seem that the Data Processor in this case (ElectionMall Technologies) is a US based company. Transfer of Personal Data to the US from the EU is permitted where the Data Processor is registered with the <a href="http://www.export.gov/safeharbor/eg_main_018236.asp">Safe Harbor</a> scheme. EMT does not appear to be listed on the <a href="https://safeharbor.export.gov/list.aspx">Safe Harbor list</a> (feel free to search for yourself – I couldn&#8217;t find them). EMT state (in their <a href="http://www.electionmall.biz/_privacy_policy.asp">privacy policy</a>) that the data is processed on their servers in the US, but the way this privacy statement is drafted it seems to be directed at the processing of personal data of <strong>their customers</strong> (who are the politicians) not necessarily the actual individuals who may submit data. The Data Protection Commissioner has <a href="http://www.dataprotection.ie/ViewDoc.asp?fn=/documents/responsibilities/3ma.htm&amp;CatID=56&amp;m=y">some good advice for organisations considering transferring personal data abroad</a>.</li>
<li><strong>Is there a contract?</strong> The Data Protection Acts require any processing being undertaken by a Data Processor to be carried out on foot of a written contract. Given that Enda Kenny famously took out a contract for Ireland in the 2007 General Election, one must assume that there is a clear contract that gives FG assurances re: technical and organisational measures re: security and Data Protection compliance in EMT. This is an issue for any organisation that is outsourcing the processing of personal data to a &#8220;Cloud&#8221; provider. Where the Data Processor in turn has hosting services provided by another 3<sup>rd</sup> party, that &#8220;chain of contracts&#8221; can become important if there is a loss of personal data or an unauthorised disclosure.</li>
</ol>
<p>Over on my company site I have a tutorial on Data Protection in Cloud Computing.</p>
<h3>Fair Use/Fair Obtaining</h3>
<p>S2 of the Data Protection Acts deals with the whole area of fair obtaining and fair use of personal data, including Sensitive Personal Data. There is a requirement for websites which are capturing personal data (and which fall within the remit of the Acts) to have a Privacy Statement. The <a href="http://www.dataprotection.ie/docs/PrivStatements/290.htm">Commissioner is quite clear about this</a>. If data has not been obtained fairly it cannot be processed. I&#8217;ve looked all over <a href="http://finegael2011.com/">finegael2011.com</a> and cannot find a link to any Privacy Statement. (Unfortunately this is all too true for a number of other commercial and political websites from Ireland that I&#8217;ve looked at recently). The Commissioner provides some basic guidelines as to what should be in a Privacy Statement, including the need to take cross border data transfers into account when including information in the Privacy Statement and the importance of having contracts with Data Processors.</p>
<p>Examples of Political Party privacy statements include: <a href="http://www.fiannafail.ie/content/pages/privacy-policy/">Fianna Fail</a>, the <a href="http://www2.labour.org.uk/privacy">UK Labour Party</a>, <a href="http://www.conservatives.com/Information/Privacy.aspx">UK Conservatives</a>.</p>
<p>Ultimately, the test of a Privacy Statement is whether something happens with personal data provided which a reasonable person reading the statement wouldn&#8217;t have expected to happen. For example, if you have to provide an email address to make a comment on a site but you find you&#8217;ve been added to a mailing list as a result then that would need to have been made clear in the Privacy Statement.</p>
<p>Likewise, if your personal data is being transferred outside of the EU to a Data Processor then that too would have to be made clear in the Privacy Statement, along with the grounds on which that transfer was legitimate (e.g. the Data Processor is Safe Harbor registered).</p>
<p>While political parties, politicians, and candidates for elected office enjoy certain exemptions under the Data Protection Acts they do not have immunity from the Acts. <a href="http://www.dataprotection.ie/viewdoc.asp?Docid=264">This case study</a> from the Data Protection Commissioner&#8217;s website outlines the nature of those exemptions quite well. The exemptions extend to the processing of and disclosure of data, in particular Sensitive personal data (which includes statements of political opinion or belief). A key element of these exemptions in the context of an Election campaign would be S2B(1)(ix) which allows sensitive personal data to be processed by political parties without consent &#8220;in the course of electoral activities for the purpose of compiling data on people&#8217;s political opinions&#8221;.</p>
<p>They do not absolve politicians and political parties from the need to comply with the rest of their duties as Data Controllers under the Acts.</p>
<h2>Wrap up</h2>
<p>&#8220;Privacy by Design&#8221; is becoming the mantra of Data Protection enforcement worldwide. Simply cutting and pasting a solution from another jurisdiction into an Irish or EU context invites breaches of legislation and failures of the required governance and controls. This is not just a technology issue.</p>
<p>Given that politicians are asking us to trust them, they should ensure that they take the necessary steps to earn that trust. Just like any other organisation embracing new technologies, they must ensure that the necessary due diligence and governance structures are in place to ensure that they are acting in compliance with long established legislation. If they are promoting a &#8220;tough on regulation&#8221; policy platform, then they must lead with a clear &#8220;tone from the top&#8221; of Compliance and good Governance.</p>
<p>In short they must <strong>Lead</strong>.</p>
]]></content:encoded>
			<wfw:commentRss>http://obriend.info/2011/01/05/setting-tone-from-the-top/feed/</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
		<item>
		<title>Imitation the sincerest form of flattery</title>
		<link>http://obriend.info/2008/10/23/imitation-the-sincerest-form-of-flattery/</link>
		<comments>http://obriend.info/2008/10/23/imitation-the-sincerest-form-of-flattery/#comments</comments>
		<pubDate>Thu, 23 Oct 2008 12:10:28 +0000</pubDate>
		<dc:creator>Daragh</dc:creator>
				<category><![CDATA[Information Quality]]></category>
		<category><![CDATA[Read/Write Collaboration]]></category>
		<category><![CDATA[The Business of IQ]]></category>
		<category><![CDATA[Web 2.0]]></category>

		<guid isPermaLink="false">http://obriend.info/?p=259</guid>
		<description><![CDATA[I noticed that Informatica have launched a new website called www.doyoutrustyourdata.com, to highlight issues with poor quality information from the media. My personal opinion on the site is that it isn&#8217;t very nice looking (but then I&#8217;m not a big fan of black on green). However, I&#8217;m biased as I moderate the IQTrainwrecks.com blog for [...]]]></description>
			<content:encoded><![CDATA[<p>I noticed that Informatica have launched a new website called <a href="http://www.doyoutrustyourdata.com">www.doyoutrustyourdata.com</a>, to highlight issues with poor quality information from the media.</p>
<p>My personal opinion on the site is that it isn&#8217;t very nice looking (but then I&#8217;m not a big fan of black on green). However, I&#8217;m biased as I moderate the <a href="http://www.iqtrainwrecks.com">IQTrainwrecks.com</a> blog for the IAIDQ which has been doing this for over 2 years now in an occasionally tongue-in-cheek manner. IQTrainwrecks.com gets reasonably good search returns on Google (and we&#8217;re looking at ways to improve that further).</p>
<p>I&#8217;m flattered that Informatica have stumbled upon the same idea that the IAIDQ had back in 2006. I hope that we can figure out a way to have both sites working together for the benefit of information consumers everywhere. For example, the IAIDQ would love to reward members for submitting stories to IQTrainwrecks.com but our resources aren&#8217;t extensive enough to fund that (yet).</p>
<p>[Update] As Vincent McBurney correctly points out, the <a href="http://iaidq.org">IAIDQ</a> wasn&#8217;t the first to try to create a resource like this. <a href="http://iqtrainwrecks.com">IQTrainwrecks</a> is a spiritual descendant of <a href="http://dataquality.com">www.dataquality.com</a> and also the listing of issues that Tom Redman has been tracking over on <a href="http://navesink.com">www.navesink.com</a>. [/update]</p>
]]></content:encoded>
			<wfw:commentRss>http://obriend.info/2008/10/23/imitation-the-sincerest-form-of-flattery/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>

