The DOBlog

Category: Data Protection

data protection

  • Census and Data Protection

    My significant other has acted as an enumerator for the Irish Census of Population in the past, and has applied to do it again.

    Every census season, I see lots of ill-informed comment about the nature of the census, what the data can or will be used for, and who it will be shared with. This ill-informed comment actually highlights the importance of trust in government in the obtaining of personal data, something which the former Chairman of one of my company’s clients (a very large Government agency) was obsessed with – loss of trust was directly linked in their mind to a loss of their ability to conduct their agency’s primary function, which is a very important one.

    So, what is the legal position regarding data provided in the Census?

    1. Data that is obtained for a statistical purpose (i.e. obtained for a purpose under the Statistics Act 1993) is subject to a specific exemption under the Data Protection Acts 1988 and 2003.
    2. However, that exemption is justified largely by reason of the fact that it is prohibited under the Statistics Act 1993 to use the data obtained under that Act for any purpose other than “statistical compilation and analysis purposes” (section 32), and that to disclose data obtained under the Statistics Act which may be related to an identifiable individual without their consent (or the consent of their representative if they are deceased) is an offence under Section 33, except under specific circumstances, pretty much all of which relate to the operation of the function of the Central Statistics Office.
      • For the purposes of prosecuting an offence under the Act (you need to be able to identify the records that were the subject of the offence to prosecute the offence, so s33(1)(a) allows for them to be disclosed for that purpose
      • For the purposes of actually doing the statistical analysis functions of “officers of statistics” so that data can be aggregated and reported on (you need to have access to raw data to do the analysis and aggregation, so this is an obvious use of the data that has a very clear statistical basis)
      • For processing data for the purposes of the CSO in a form and manner governed by a contract in writing. This covers the use of 3rd party analysis tools or services or data enrichment, but ONLY for the purposes of the CSO, which is ONLY concerned with the publication of AGGREGATED statistical analysis.
    3. These restrictions do not apply to census data over 100 years old. However, the Data Protection Acts would still apply to data relating to any living individual in that data. Statistically, that is currently a small population and reasonably easy to check, and with a low probability of impact on fundamental rights for any disclosure. But as the life span of population increases, this would need to be kept under review.
    4. It is arguable that, should the CSO provide raw data to other government Departments for matching against their databases to append data for the CSO’s purposes, the recent CJEU ruling in Bara  would require them to disclose the fact of providing data to such Departments, but the Statistics Act 1993 would prevent those departments from making use of the CSO data for their own purposes (but this would likely need to be flagged by the “other side” of such a data enrichment process along the lines of “We get data from CSO and append information to it for statistical purposes but do not retain any CSO data at any time“).
    5. Regarding the actual census forms themselves, there is a very clear requirement under Section 42 of the Statistics Act 1993 that any records held by “officers of statistics” (which includes enumerators) be kept safe and secure “in such manner as to ensure that unauthorised persons will not have access thereto “, and that non-return of records constitutes an offence. Of course, the penalties on summary conviction (a prosecution taken by the Director General of the CSO, not the DPC) are pretty paltry (up to €1000 per offence), so might not be a sufficiently dissuasive penalty under the forthcoming General Data Protection Regulation.

    It’s important to note that breaches of data security or misuse of statistical data are prosecuted not by the DPC but by the Director General of the CSO. To my mind this is not ideal, but reflects the fact that the Data Protection Acts didn’t cover paper records in 1993 as this only became a function of the DPA under the 2003 Act (enacting the 1995 Directive). It does, however, make clear that there are offences, sanctions, and a prosecuting body for breaches of the 1993 Act.

    But of course, none of this will placate the tinfoil hat brigade who act on the default setting that any data you give to the Government is shared willy-nilly.  This highlights the importance of proactive data protection controls and data privacy considerations on the part of Government agencies and the legislature.

    While it is tempting to build ‘databases o’ the people’, every instance of non-transparent and inadequately controlled sharing of data creates a threat to trust. When trust expires, key data simply becomes unavailable or unreliable as people cease to provide it or provide misleading information (which is an offence under the Statistics Act). Trust is fragile and ‘mushroom management’ approaches and “bit of an oul’ law” fig leaves are no longer sustainable when the tinfoil hat can be a fashion trend before the facts and truth of a process has its boots on (to mangle Churchill).

    So: Census data is very strongly protected (albeit with sanctions that could and should be higher), and it is census data that underpins the priorities in government strategy, investment, and expenditure. It’s important for people to fill out the census accurately so that accurate data drives appropriate strategic decisions in Government.

    However, Government needs to realise the impact that damaged trust in public sector data management and respect for data protection has on the willingness of people to trust the government with large amounts of data in the form of  a census. From POD to Health Identifiers to Irish Water there is a litany of error and misstep. Trust is fragile. Government needs to learn how not to step on it, or get used to tinfoil hat fashion shows and policy decisions grounded on statistical quicksand.

    One route to restoring trust would be for our independent Data Protection regulator to regulate independently and take decisive action against public sector organisations that breach the Data Protection Acts. Enforcing the law is a key step towards ensuring that people trust the law will be enforced.

     

     

  • Farewell Caspar

    Over the course of my career I’ve been lucky to meet and become friends with many of the pioneers in the fields of Information Quality, Data Governance, and Data Protection.  I have been doubly fortunate that some of these people have also become mentors – helping me to figure out what I wanted to do, and more importantly what I stood for, in the world of Information Management.

    I had hoped one day to make the same connection with Caspar Bowden. Sadly that will not be possible now. This saddens me.

    However, over the past few years, twitter has allowed me some level of contact with Caspar. It was often affirming to see him retweet one of my rants or rambles, or engage with me to clarify some point I was making or question I was raising.  At times it felt like I was getting a gold star from teacher… “10/10 for effort… keep paying attention to the details”.

    I have no doubt that, had we met, we’d probably have wound up arguing about something. I’m sure it would have been an argument I’d have lost. But it would have been fun (and educational) to have argued.

    The world has lost a true pioneer, a prophet of the dark consequences of unfettered digital privacy invasion, and a staunch advocate for finding better ways to do things.

    It is never easy to be an advocate swimming against the tide, as Caspar often seemed to be.  However, sometimes the fight is worth fighting so that the pendulum finds a balance between rights, duties, and obligations in society, and so that people become more aware of the erosion of their privacy rights through legislative or technological changes.

    So, if anyone in Ireland wants to remember Caspar Bowden, I can think of no better way then donating to Digital Rights Ireland or any of the other digital rights advocacy groups who fight the same fight that Caspar fought.

    He may be gone but his spirit, and the fight, remain.

     

  • We might be in a bit of a #gemalto

    Gemalto is a manufacturer of mobile phone SIM cards based in the Netherlands. If you have a mobile phone, there is a good chance you have a SIM card manufactured by Gemalto. They also manufacture smart cards and identity validation solutions for financial services and government.

    It has been revealed that Gemalto has been hacked by US and British intelligence agencies (GCHQ and NSA) and the encryption keys that encrypt the communication between your phone and the mobile phone network have been taken. This means that messages and calls can be intercepted and decrypted with ease by intelligence agencies. And anyone else who has these keys.

    This arguably (in my view definitely) represents a particular risk of a breach of the security of the public telecommunications network.

    In Ireland, Section 4(4) of SI336, the legislation that enacted the 2009 ePrivacy Directive (the “cookies law” as it has incorrectly become known) places a specific requirement on telecommunications companies to inform their customers of the issue without delay and, where the phone company isn’t in a position to fix the issue themselves they have to advise on steps that can be taken to minimise risk.

    (4) In the case of a particular risk of a breach of the security of the public communications network, the undertaking providing the publicly available electronic communications service shall inform its subscribers concerning such risk without delay and, where the risk lies outside the scope of the measures to be taken by the relevant service provider, any possible remedies including an indication of the likely costs involved.

    That Section enacts verbatim the text of Article 4.2 of the original 2002 ePrivacy Directive.

    Irish telcos have been required by the Data Protection Commissioner in the past to provide blanket notification on their website regarding smishing (SMS-based phishing) threats and similar risks to the security of data on their networks. This is a whole level of complexity higher again.

    The threat of unauthorised interception of GSM calls was perceived as relatively low risk due to the calls being encrypted between device and the network. Some threat vectors were identified, but in general the view was the encryption on any call would need to be cracked on a case by case basis. Now that encryption cannot be relied on. There is a particular risk.

    My view is that telcos in Ireland, and potentially other EU countries, would need to inform their customers, and telcos should ideally be looking for a solution to reinstate the security of the SIM-to-Network link and issue new SIM cards to their subscribers. While National Security is outside the remit of the Data Protection laws and ePrivacy directives, that should be interpreted narrowly to relate to the actions of the Intelligence services in their spying. Hacking Gemalto may have been just on the right side of the line (I’m not saying that it is). However, it creates a problem for Telecoms companies in that the day to day operation of their networks is not a National Security or Intelligence service activity and the networks are now compromised if the telecoms company uses Gemalto SIM cards.

    That will be costly and complex and, inevitably, telecoms companies will pass the cost on to their customers (it’s a tight margin business at the best of times, and reinstating a chunk of your customers with new SIMs is not to be undertaken lightly).

    Of course, it requires EU Data Protection Authorities to engage with the companies in their jurisdictions to ensure they are acting in compliance with the relevant legislation. And that means ALL EU Data Protection Authorities, not just the one that everyones likes to beat up on for being “light touch”.

    [Update: What about National Security and Criminal investigation exemptions?]

    The Data Protection Acts in Ireland, and equivalent legislation across EU, has limited exemptions for activities of law enforcement and intelligence services relating to National Security and the investigation of criminal offences. This is being relied on by the UK ICO in relation to the Gemalto hack (see https://twitter.com/lisafleisher/status/569482404521496576/photo/1)

    And I agree. In the context of the specific action of an intelligence service, the Data Protection Authorities have little authority due to the exemptions given under current legislation (Note: the exemptions are still subject to the Article 8 ECHR provision around a right to personal data privacy, which has been ruled on by the CJEU in the context of mass surveillance). So, in relation to the actual accessing of a company network and taking encryption keys, there is no role for a Data Protection Authority. In the conduct of intelligence service and law enforcement activities, Data Protection Authorities have very limited roles.

    However, the fact that the keys are no longer under the control of Gemalto creates a “particular risk of a breach of security” in a communications network. So, telcos would still, in my view, need to give serious consideration to their obligations under Article 4.2 of the ePrivacy Directive. Yes, it is an intelligence agency (or two) that has the keys. Yes, they may have, in certain circumstances, a legitimate national security or criminal investigation purpose and associated exemption. But a risk to security of a public telecommunications network exists, and telcos are required to do something about it under Article 4.2. And that is something that national Data Protection Authorities are entitled to enforce.

    In effect, the action that a telco needs to take should be no different than if a criminal organisation had executed a similar attack on a SIM card manufacturer. Because Article 4.2 doesn’t include a “… unless the particular risk arises from an action of an authorised intelligence agency or law enforcement body”. And, as I’ve said earlier in this post, the Irish DPC has previously required telecommunications companies to provide blanket notifications about the risk of Smishing as a security issue in the public telecommunications network.

    I believe that telcos need to have some alert to customers about the risk that has been created.

    For example, any telco that uses Gemalto SIMS could use a notice like this on their website:

    It has been reported that the encryption keys for SIM cards manufactured by our supplier Gemalto have been taken by intelligence services acting, as we understand it, within their legal remit. These keys keep your calls and messages private and secure in our network in the normal course of activities, and this action creates a risk that calls and messages which would otherwise be encrypted between your device and our network can now be intercepted by anyone in possession of the correct encryption key without our knowledge. While we have no reason to believe the keys will be misused by the intelligence agencies in question or any other entities, a risk to security in the network does exist. We continually examine our options to keep your data safe and secure in our network and will provide updates on this situation as they arise.

    Wording along these lines would meet the requirement of Article 4.2, and doesn’t take away from the legitimate access to telecoms network traffic and call data by intelligence services and law enforcement for the investigation of crimes or national security purposes. It has the added bonus of showing that the telco takes data security seriously enough to at least try to comply with the letter of the law.

    It doesn’t get around the mass surveillance issues that arise when any call from any device using a Gemalto SIM can be decrypted, which almost certainly raises issues under Article 8 of the Charter of Fundamental Rights. But that is not the telecommunications companies’ issue to address, nor is it a matter for Data Protection Authorities. It’s one for Governments.

  • Data Protection Rake: WHACK!!

    Sideshowbob walking on rakesSo, the Minister for Education is fighting a rear-guard action to justify the method of execution of the Primary Online Database. Get ready for the rakes.

    Correctly, she is stressing the need for a means to track education outcomes as children move from primary to secondary education, where there is a drop-out rate which is rightly concerning. It’s been concerning since 2006 when Barnados highlighted the mystery of what was happening to the 1000 children a year who didn’t progress from primary to secondary education.

    She has stated that the Data Protection Commissioner has been consulted and “and that office is satisfied with what we are doing“. The Data Protection Commissioner has commented that the Department has presented “a legitimate and proportionate purpose for requesting to be provided with the data it is seeking“. Now… that’s not the same thing as being “satisfied with what we are doing” as the Minister has said. It also depends very much on what purpose was communicated to the Office of the Data Protection Commissioner in 2013.

    Even in an ideal world scope creep occurs, particularly when the objective for processing the data seems to be a bit confused. Is it for purely statistical purposes (which is implicit in the statements that the data would only be accessed by a small number of people in the statistics unit of the Department of Education), or is it for more day-to-day operational decision making purposes (which is implicit in comments made by the Minister that school funding could be at risk if data was not returned)? Those are two different categories of purpose.

    [Whack]

    But what about the DPC’s position?

    The Data Protection Commissioner’s statement to the Irish Times actually limits its comment to the legitimacy and proportionality of the purpose that the Department may have for seeking to process this data. Ensuring children move from Primary to Secondary education and ensuring that the State has data available to help identify any trends in drop-out rates and ensure that limited resources are deployed as efficiently as possible to ensure equality of access to education (here’s a link to some more stuff from Barnardo’s on that) and support children in getting the best education outcomes possible.

    Legitimacy and proportionality are linked to the purpose for which the data is being obtained. And the need to ensure that data is “Obtained fairly and processed for a specified and lawful purpose” it is just the first two of eight Data Protection principles. So what is the purpose the DPC was told about? Are there new purposes?

    So, when the Minister comments on the retention of data about primary school children until they are 30 years old, and says that

    “I did say I would examine it but it looks to me that up to the 30th birthday is probably appropriate and it satisfies the Data Commissioner as well which is obviously very important,”

    it is really important to ask: What is the purpose for which this long a retention period is required?

    [Whack]

    It’s actually more than that: it’s essential that the Minister is able to say categorically what the purpose is for this retention and why a 25 to 26 year retention period for personal and sensitive personal data is required (“probably appropriate” is not the test… “retention for no longer than is necessary for the purpose for which the data is being processed” is the test under the Data Protection Acts. It is also important to assess whether the purpose and requirement can be met by less personally identifying data: would anonymised or pseudonymised data support the objective? If yes, then it ceases to be necessary to hold the raw data, so it is no longer “probably appropriate”).

    [Whack]

    So… what is the specific purpose for which a retention period of “until 30th birthday” is required? State it. Assess it. Compare against other alternative methods. And then make a clear decision based on the Privacy impact and the necessity and proportionality of the processing. “Probably appropriate” is not a form of words that fills me with confidence. “Assessed to be necessary and proportionate against other options, which were rejected because of X, Y, Z reasons” would be more illustrative and evidential of a proper Privacy Impact Assessment and Privacy by Design thinking at work.

    [Whack]

    For other purposes it might not be appropriate to allow access to the identifiable data even 90 seconds after it is recorded. Those purposes need to be identified and appropriate governance and controls defined and put in place to ensure only appropriate data is disclosed that is adequate, relevant, and not excessive to the purpose for which it is being processed. And that purpose needs to be consistent with and not incompatible with the purpose. The Data Protection Commissioner doesn’t appear to have actually commented on that. So the standard protocol of clear statutory basis and an appropriate system of Governance still needs to be considered and put in place for any sharing of data or subsequent use of data to be compliant with the Data Protection Acts (and, just in case we forget, Article 8 of the EU Charter of Fundamental Rights).

    [Whack]

    Disturbingly, the Minister seems to imply that it is irrelevant if parents provide their PPSN to the Department or not as they will be able to obtain that data from the Department of Social Protection. It is true that name, address, date of birth and mother’s maiden name can be used to validate a PPSN. However I would question the  basis under which the passing of that data to obtain the PPSN would be valid, given that the Dept of Education’s registration with Client Identity Services in the DSP seems to presume the Department has the PPSN it needs.The rent has been paid up on the battlefield it appears, and there is no going back.

    [Whack. Whack]

    (Name, address, date of birth, and mother’s maiden name could form a composite key to identify a child uniquely on the database where no PPSN is available. In which case, what is the purpose for the PPSN?)

    [Whack]

    What does the Minister’s statement mean?

    In my opinion, the Minster’s statement means that the Department are mis-understanding the role of the Data Protection Commissioner and what it means for the DPC to give an opinion on the appropriateness of processing. The DPC will determine if there is risk of non-compliance with a proposed purpose for processing and will give guidance and feedback based on the information that is provided to them.

    If that information is incomplete, or doesn’t match the final implementation of a system, then the DPC can (and does) change their position. It’s also not the role of the DPC to correct the homework of a Government Department, and the new Commissioner Helen Dixon has made that exceptionally clear to Public sector representatives in at least two forums since November. Her role is to enforce the legislation and support the protection of fundamental data privacy rights of individuals and to be independent of Government (that’s a Treaty obligation by the way since 2009… and towards the end of his term Billy Hawkes the former Commissioner exercised that independence by, for example, prosecuting the Minister for Justice).

    It also means that the Minister is at risk of having to dig herself out of an entrenched position. The road to heck is paved with good intentions. This scheme (and all the other education outcome tracking databases that the Department has) are all valid and valuable as part of a coherent information strategy for the design and implementation of education services and delivery of education outcomes in Ireland. But the design and execution of the systems of processing (not just the technology systems but the wider scheme of stakeholder engagement, controls, governance, and impact assessments) is leaving a lot to be desired.

    It means, unfortunately, that rather than display their homework around Privacy Impact Assessment, Governance controls, and Privacy by Design, the Minister and her Department are reacting exactly as I described in yesterday’s blog post:

    Data Protection Expert: I think this raises significant issues and may be illegal

    Government Representative: It’s too late. I’ve already paid a months’ rent on the PR agency project.

    So far the report card reads:

    • Intention: 10 /10
    • Effort: 4 /10 for effort.
    • Execution:  2 / 10  (and negative marking applies here).

    “Trust us, we’re the Government” doesn’t work any more because the Government has failed spectacularly to build and engender trust on previous data gathering and data sharing initiatives. So, laudable as the goals are, there was already a mountain to climb to put this data gathering inside the “circle of trust”.

    My €0.02

    Having reviewed a range of documentation around the Primary Online Database (including the specifications for the drop down fields in the database).

    1. The project has mis-identified as “non-sensitive” data a range of questions which are capturing sensitive personal data about medical or psychological assessments.
    2. The system has a notes field which currently can be accessed by users of the system in the Department but it is proposed that that will be restricted to just schools but in reality that means that the data is still being stored on a system designed and controlled by the Department and which would be accessible by anyone with an administrator access to the underlying database.
    3. The communication of purpose for processing, and the explanation of the retention period, is bordering on the unintelligible to me. And I read and write those kind of things for a living. I teach this stuff to lawyers. The defence that “it’s based on the Department circular” is not a defence. The requirement under the Data Protection Acts is that data be fairly obtained for a specified purpose. That requires that the statement of purpose be comprehensible (I advise clients to apply adult literacy standards to their text and aim for a reading age of 12 to 15). If the circular is incomprehensible, write a ‘friendly version’ or get the Circular redone.
    4. The project has gone to the wrong source for the data. The schools do not have a lot of this data, and even then they have obtained it for a different specified purpose. Schools guessing at ethnicity or religion or other aspects of the data being gathered makes little sense and creates an admin burden for the schools. The 50% response rate in the pilot project should have been a warning that the execution method was not appropriate.
    5. The use of “local” versions of the questionnaire by schools (where schools have modified the Department’s form and sent it out to parents) means that the Department (as Data Controller) has lost control of the statement of and explanation of purposes and processing. That means that no assumptions can be made now about what parents understood they were agreeing to because the ‘official’ form of communication may not have been used.
    6. There is no clear justification for a retention period of raw, identifiable, data until a child’s 30th year.
    7. The stance adopted by the Minister is not good. In the face of valid criticism she has adopted an entrenched position, clutching to the DPC as a shield rather than a fig leaf. Given the narrative arc in the Irish Water debacle that is, as Sir Humphrey Appleby would say, “Courageous Minister, very courageous”. (Data relating to children, “all cleared by the DPC”, challenge in public by knowledgeable experts, public disquiet, “DPC said it was OK”, immediate reverse ferret after a reshuffle… [we are at stage 3 now].)

    Pausing. Assessing and defining an appropriate strategy for strategic use of data in education for statistical planning and centralisation of operational data, combined with an appropriate Privacy Impact Assessment that takes in to account recent rulings on necessity and proportionality by the CJEU would be advisable at this time.

    Anything else is simply courageous, Minister.

  • Irish Government projects and the Data Protection Rake

    The more I see the mindset of the Irish Civil Service around data and its potential for use (and misuse and abuse), the harder I find it to get this video out of my mind. Over the past two years, literally at every turn, an initiative has been launched which has, within a short period of time, raised questions about the fairness of obtaining of personal data, the legitimacy of the purpose for processing, the scope and scale of data sharing, retention periods for data, and the governance of the data once it has been obtained.

    Government Departments seem intent on continuing with poorly planned, inappropriately executed, and ill-advisedly governed initiatives. This happens even in the face of valid comment and concern from an increasingly informed and aware citizenry, and in some cases in the face of question and comment from experts in the field who are raising valid concerns based on little more than practical experience and deep professional knowledge. Questions or requests for less haste and more analysis are met with a grim determination to hit specific timelines. “This is a data protection disaster waiting to happen” is greeted with a continued roll out of the initiative that gives rise to concern.

    While Side Show Bob illustrates the inevitable public fall out of not engaging with concerns in a constructive manner, it is the Marx Brothers who give the most apposite quote.

    In Duck Soup, the following exchange takes place between the President of Freedonia (Groucho Marx) and the Ambassador of a neighbouring country on the eve of war…

    Ambassador Trentino: I am willing to do anything to prevent this war.

    Rufus T. Firefly: It’s too late. I’ve already paid a month’s rent on the battlefield.

    On Irish Government data projects, the all to oft-repeated script now reads:

    Data Protection Expert: I think this raises significant issues and may be illegal

    Government Representative: It’s too late. I’ve already paid a months’ rent on the PR agency project.

    Last year it was Irish Water. This year it will be eircodes and Primary Online Database. Both are things that have potentially great benefits for society, but both are becoming hallmarked with the rake-mark of poor planning and execution, especially when the questions of Data Protection and Privacy are considered. If the investment in PR agencies to spin the projects and manage the media once questions are asked was matched by an investment in proper design and planning for Data Protection and Data Privacy issues, there would be fewer blogs, tweets, column inches and broadcast minutes devoted to discussing the issues and asking awkward questions for the media consultants to spin.

    Leaving eircodes to one side for a moment (that’s a big bucket of fish to discuss from a data quality and data privacy perspective), the on-going roll out of the Primary Online Database project is a classic example of valid and legitimate purposes and objectives in processing data being undermined by poor planning, execution, design, and governance around the fundamental rights issues of Data Protection and Privacy.

    The Good

    Our education system is broken. Scare resources are not applied or allocated effectively. Schools have resources rationed from the Department, but under privileged schools are unable to supplement those resources (such as psychological assessments, SNA hours, other classroom supports) to the same level as schools in middle class or more privileged areas. Children drop out of the system and drop off the radar. Having data about outcomes in education, and about social or demographic issues that might affect those outcomes is valuable to identifying causal factors and prioritizing investment in education services and interventions in an ‘evidence based’ policy framework. Questions like: Does Timmy start primary? does he go to secondary? Does he go straight to University or do a PLC or Further Education course? What schools did he attend? Did Timmy drop out and then re-enter as a mature student either at 3rd level or re-entering 2nd level.

    Of course, this longitudinal data is valuable. And if at the granular level of the individual it is a deeply personal snapshot of the life, trials, and tribulations of little Timmy from the age of four years of age.

    This data is to be held in the Revenue Commissioner’s data centre. This is a good thing. The Revenue Commissioners have a very secure data centre. I would not automatically assume a nefarious intent in putting data that requires a high level of protection in a location that has been designed, built, and resourced to have a high level of technical security protection.

    The Bad

    There are three bits of bad that concern me.

    Bad  #1

    The first bad arises where the planning and execution of this data gathering fails to consider the data subject and the context. It’s data about children. It’s data about medical and psychological conditions that a child might have (that’s Sensitive Personal data even though the Department of Education appears to think that it isn’t). It’s data about their ethnicity, their family make-up, their socio-economic status, and a range of other factors. It’s data that is tied uniquely to them by their PPSN. It’s data that includes comments written about the child by administrators in the school, which will be written to a database in the Department of Education’s control. And that data will be held until the child is 30 years old.

    Of course, documentation tells us that access to that field is going to be restricted so Department of Education staff can’t access it and only people in the school that the child is in will be able to see it. Of course, that means that anyone with administrator rights to that database can access that data. And that means that it will almost inevitably be looked at. This is despite the Department having no statistical reason for having detailed notes about students.

    Bad #2

    The bad goes to worse when the means for gathering  the data is looked at. The data is being obtained from schools, with only a subset being asked for from parents. The schools have obtained data for a particular purpose. The Department’s purpose is a new purpose, and it is the Department’s purpose not the school’s. So it is incompatible with the purpose for which the school originally obtained the data. Schools are being asked to provide data based on their own records, or their own guesswork about ethnicity or religion or other socio-demographic data.

    Upshot: data will either not be returned, or will be inaccurate. So statistical analyses based on that data will have skew and bias that will need to be controlled for. The Department’s own pilot programme only had a 50% response rate.

    • A better option: Invest time and effort in a proper strategy for educational data management. Educate parents and guardians and school management about the purposes, benefits, and strategic objective. Seek the data from the parents of the children. (Difficulty: requires budget, means you need to have a load of key decisions made and documented up front, and you need to take time to engage with the citizenry… even the tin-foil hat wearers).

    Bad #3

    Another level of bad arises in the context of the sharing of the data. What data will be shared, with whom, and why, and under what controls? These are basic questions that need clear and intelligible answers. And the answers need to be understandable. And the sharing needs to be necessary and proportionate. With defined governance controls over the changes to the use of that data or the changes to the sharing of that data. If data is being obtained for a statistical analysis purpose, there is no operational data management purpose that would permit the sharing of that data with another entity. If the data is being obtained for both statistical analysis and planning purposes and for day-to-day operational purposes, it means that the question of who actually has access to the data on a day to day basis arises – notwithstanding the assurances that only a small number of people in the Statistics unit of the Department of Education would be able to access the data.

    • What data will be shared? Will it be identifiable data or will it be aggregated statistical data?
    • If identifiable data will be shared, on what basis and in what format? Will it be on a record by record basis for specific intervention in a specific case where there may be a risk to the health or welfare of the data subject? Or will it be possible to request the data for other purposes such as the investigation of alleged criminal offenses?
    • If the scope of sharing changes, either in terms of entity that data will be shared with or the format and scale of sharing, what controls are in place at the time the data is gathered to ensure that those changes are subject to an appropriate Privacy Impact Assessment.

    The Ugly

    There are three levels of Ugly that emerge.

    Ugly #1

    The first is the traditional fig-leaf that is dangled on projects like this: “We have consulted with the Office of the Data Protection Commissioner”. This is the Public Sector data project equivalent of waving a hand to dismiss an inquisitive Storm Trooper: “These aren’t the droids you’re looking for; Move along.”

    But… that is NOT the role of the Data Protection Commissioner. Their role is not to advise that an organisation is compliant. Their role in the context of a Prior Consultation process is to flag any glaring issues of non-compliance that would need to be addressed. All too often their advisory is ignored by organisations. Their role then becomes one of investigation and prosecution should the mechanisms of processing that are implemented breach the Data Protection Acts.

    In a prior consultation process, the DPC’s comments are made based on the information provided to them at that time. Their assessment is based on the quality of the information, the detail of the proposed processing, the assessment of risk, and their ability to follow the proposal that they have been given. And they can get it wrong based on that information. And the Data Controller who goes to them for a prior consultation process might misunderstand what is being asked of them or implement a system that doesn’t match what is actually needed. So, on foot of a complaint, the DPC may find that a particular instance of processing does actually breach the requirements of the Data Protection Acts even if their prior consultation didn’t find a specific thing that would be a breach.

    Take the retention until 30 years of age. The DPC may have advised the Department that a retention period for personal data that is necessary and proportionate to the purpose for which the data was obtained is required under the Acts. The Department may not have had any retention period in mind and simply pulled a figure that gave a long range of data for longitudinal analysis and study (I call that “The Anglo-Irish Bank approach to critical data”).

    The DPC will not have determined if that is necessary and proportionate. That is the Department of Education’s job to determine and justify the necessity and proportionality.

    The new Data Protection Commissioner, Helen Dixon, has made it very clear that it is NOT the role of the Office of the Data Protection Commissioner to do the homework of public sector departments for them. They need to own the decisions they take about the processing of personal data.

    Ugly #2

    The second strand of ugly that arises:

    • There is no standard communication of purpose, or of the data that is being processed, to the parents of children.

    So far this month I’ve seen at least three different versions of letters that have gone home to parents. Clients of mine in other sectors have been ending meetings with questions about this database and showing me the letters. They are all different.

    There is a standard letter from the Department website. Some schools are using this. It attempts valiantly to explain the purposes for processing and the length of retention and who data will be shared with. But fails in that regard.

    Other schools have taken just the questions that the Department has identified as requiring explicit consent (the ones about ethnicity and religion) and have included them in a letter that says that the Department wants this information. No further explanation. And no mention of all the other sensitive personal data such as data about physical or mental health that the Department is getting from the school directly without explicit consent. That’s another Data Protection #fail.

    Ugly #3

    The third strand of ugly that arises is this:

    Part of the defence raised by the Department to the processing of data in the Primary Online Database is that it is being done already for pre-school, post-primary, and beyond.

    That’s a line of argument that presumes there is no breach of fundamental rights in the design and execution of data processing or data sharing in relation to any other database about participants in the education system that is under the control of the Department of Education. And while the data in these databases is different (the post-primary database is more focussed on academic achievement and results on courses – particularly as it encompasses Further Education courses such as those accredited by QQI/FETAC).

    It’s like arguing that you haven’t broken the law by stealing a car because you were never arrested for stealing a motorbike and a truck in the past.

    Or like a child insisting to their parent that their misbehaviour is justified because all the other kids are doing it too.

    But then… everyone else is stepping on Data Protection rakes, why not the Department of Education?

  • Adequate, Relevant, Not Excessive

    For the last number of weeks we have been told by the Government and by Irish Water that PPS numbers are required by Irish Water for the purposes of validating entitlement to allowances. We have been told that not providing the information will result in people not being able to have their water bills reduced by the credit amounts. The invasiveness of the request for data, particularly data about children, by a private company (albeit one operating to provide a public utility service) has sparked much concern and discussion. I think it has, in no small way, helped make Data Protection issues more relevant and personal for the citizen.

    This morning we are told that the budget announcement will include the introduction of a tax credit for low and middle income earners for their water. This will be in addition to the existing household water allowances. Other provisions are mooted on the social welfare side of the fence to alleviate financial impact on lower income families.

    So. The Government is proposing using the Revenue systems and the Social Welfare systems to implement a system where by the cost of water services provided by a utility company. Which raises the question: if the Government can achieve this objective through the existing Revenue and Social Protection systems, which do not require PPSN data to be shared with a private company (notwithstanding the existence of legislation to allow it to be done), what does this mean for the necessity and proportionality of existing provisions that do require this to be done, in processes that exist to achieve broadly the same objective (reduction of cost to households of water service charges)?

    Three weeks ago I asked this question in relation to the current system of allowances: could the same goal have been achieved through different means that did not require a private company to process PPSN data? I blogged about it here and set out a high level alternative approach.

    Assuming the mechanism that is used to implement the proposed budget changes is broadly in line with the structure I outlined, the question must be asked now what is necessary and not excessive about the processing of PPSN data by Irish Water if a broadly similar impact on the household bottom line can be delivered in the Budget through existing public sector processes/systems?

    I’m sure there is a clear and compelling difference I’m missing that makes the PPSN relevant and not excessive for the objectives of Irish Water.

    <update><update 2 – tweaked again to correctly reflect a nuance in DRI v Ireland>

    One of my erudite and learned colleagues has pointed out that the European Court of Justice recently reiterated the critical nature of the proportionality, relevance, necessity, and not excessive elements of data processing, even where there is a bit of a law that, on the face of it, allows the processing. The CJEU held in Digital Rights v Ireland that, even where there is a statutory basis, processing of personal data must be done in a manner that is proportionate to the need, relevant to the objective, necessary for achieving that objective, and not excessive to achieving that objective – basically the key tests under Article 8 of the European Charter of Fundamental Rights that we all signed up to under the Lisbon Treaty.

    What this means is that where a less intrusive option might exist that can achieve the same goal, the relative impact on privacy must be assessed and the measures taken cannot go beyond what is required to achieve those objectives (see paragraph 46 of the CJEU ruling in Digital Rights v Ireland). And that assessment of proportionality needs to take into account the appropriateness and existence of safeguards where “personal data are subjected to automatic processing and where there is a significant risk of unlawful access to those data” (to quote from paragraph 55 of the CJEU ruling).

    The CJEU struck down an entire Directive on that basis. Given that the State appears able to introduce additional tax credits in the budget, it would suggest that a less intrusive option does exist, and did exist at the time the data processing for Irish Water was being devised. Absent a very compelling reason why this is different, or why the processing of PPSN by Irish Water is proportionate to the objective of reducing cost to households (and it would probably have to be good enough to get past the CJEU, who struck down a Directive because those supporting the action didn’t have their homework done) the alternative option might indeed need to be adopted.

    The upshot: The Government needs to have clarity in their homework as to why Irish Water is processing PPSN data versus it being handled via the Social Welfare and taxation systems. That clarity has, thus far, not been entirely forthcoming. And the clarity needs to show why it is proportionate, relevant, and not excessive to do it the way it is being done.

    (I knew all that of course but didn’t want to bore people with too much detailed law talking).

    </update></update 2>

  • Irish Water channelling Alec Guinness

    Irish Water channelling Alec Guinness

     

    Irish Water is working hard on Twitter and in other forums to convince itself, if not us, that all is well with regard to their Data Protection policies and procedures.

    In response to questions raised about the retention of data, specifically PPSN data once allowance entitlements are validated and personal data of non-customers, Irish Water have trotted out the standard 140 character line. Their response is essentially a variation on the following:

    Data will be stored in Irish Water, after a customer ceases to be a customer but not longer than is required by law.

    It is that response that has prompted my choice of image for this post. Those of you over the age of 12 will recognise Alec Guinness in one of his most famous mortgage paying roles, Obi Wan Kenobi in the original Star Wars. And why does my brain make this connection?

    These aren’t the droids you’re looking for. You can go about your business. Move along” (waves hand enigmatically)

    Unfortunately for Irish Water many of us are not as feeble minded as an Imperial Storm Trooper in a fictional universe. These Jedi Mind Tricks don’t work. We have a detailed specification for the specific droids we are seeking and we are pretty sure those are they.

    1. What is the specific purpose for the processing and retention of non-customer data by Irish Water? (i.e. why are they processing data about people who are not connected to a public water supply?)
    2. What is the retention period for that data? Why is it being retained? What is the basis for the retention period that has been selected that makes that retention proportionate? Which law are they operating within for their retention period?
    3. What is the retention period that Irish Water are applying to PPSN data provided to them? Why is that data being retained (for what purpose) given that the sole purpose Irish Water has for processing PPSN data is the validation of entitlements, suggesting that once that purpose has been completed the data should be deleted.

    These are simple questions. They should be easy to answer if appropriate efforts were made to conduct Privacy by Design based compliance with the Data Protection Acts.

    Once this grumpy old Storm Trooper gets a coherent and credible answer I’ll gladly move along.

  • Morning Ireland, Irish Water, and Data Protection clarifications

    Elizabeth Arnett of Irish Water was on Morning Ireland this morning. Some good and important clarifications given.

    1. She confirmed PPSN would only be used for the purposes of validating allowance entitlements. That differs from the commentary in yesterday’s Irish Times in the context of landlords and tenants, but clears up the confusion. Irish Water will not be using the PPSN for a purpose not covered in their Data Protection Notice. Therefore, a lot of the concerns I raised yesterday here should prove unfounded as that use is not going to happen and I can only hope and assume that Irish Water have implemented appropriate internal governance to ensure that the temptation to stretch the scope of use of PPSN is resisted. My experience in organisations is that temptation to process data “because we can” is often very difficult to overcome and needs a strong governance culture to push back on rash impulses

    Given that the DPC has expressed concern that there is a lack of clarity in the Data Protection Notice regarding the use of PPSN, it would be worth Irish Water investing time to ensure that the permitted use of PPSN is clearly communicated in the Data Protection notice and clearly reflected in internal policies and governance.

    1. The only 3rd parties that data will be shared with will be contractors delivering services on behalf of Irish Water, or Data Processors in Data Protection terms. There will be no sharing of data for marketing purposes. Again, this is a welcome clarification that should be reflected by appropriate wording in their Data Protection Notice. The wording that is there is reasonably good, but an example of the kind of person or kinds of purpose would help people understand better the processing involved. For example: “Examples of these kinds of 3rd parties would include maintenance engineers who would be provided with customer address and contact information for the purpose of carrying out maintenance on meters or doing ‘first fix free’ repairs for customers, contractors providing IT development or support services or related activities, or contractors providing bill processing or similar services.”)
    2. Ms Arnett clarified that Irish Water would only be engaging in postal marketing by way of bill insert and that this was something that people could opt out of. That is compatible with SI336 and the DPA, but needs to be clarified further in their Data Protection Notice which, as of this morning, still says

      Irish Water and/or authorised agents acting on behalf of Irish Water may wish to contact the customer by text message, email, post, landline or in person about water related products or services which may be of interest to the customer (“Marketing Purpose”).

    Based on the clarification given verbally by Ms Arnett, this should now read:

    Irish Water and/or authorised agents acting on behalf of Irish Water may wish to contact the customer by post about water related products or services which may be of interest to the customer (“Marketing Purpose”).

    These are important clarifications. They should be included in Irish Water’s Data Protection Notice which, while improved, can be improved further.

    However there are a number of points that need to be clarified by Irish Water still. Among those are the following:

    1. What is the retention period that will be applied to PPSN data once allowances are validated? “For as long as permitted by law” is a nonsense as the DPA doesn’t provide a specific retention period (it says “no longer than necessary for the purpose for which the data was obtained”). So either the data is dumped immediately (to comply with the DPA requirement) or it is retained for defined period for a secondary related purpose that is not incompatible with the validation of allowances (the statutory purpose for which Irish Water was permitted to request and process PPSN). Clarification is needed on that point. “For the length of a piece of string” is a platitude not a policy.
    2. What are the purposes for which email, mobile phone, or landline data that might be provided will be used for? For example, is that data needed to contact customers in emergencies? Clarification is important to help restore trust and compliance with the DPA.
    3. The retention period for “non-customer” data should be clarified. Irish Water’s social media team have been stating that it will be retained until such time as the information is verified. Is this an audit process where the data will be clashed against LPT data or Dept of Environment data to identify people who are claiming to be non-customers but are (perhaps through innocent mistake)? If so, that is a purpose for processing of non-customer data that needs to be stated in the Data Protection Notice. If there is no billing purpose, no allowances purpose, and no audit/verification purpose, I am unclear what the purpose for retaining this data is (and would have to ask why money is being spent processing data that has no purpose). It there is a purpose for processing non-customer data, it should be clearly communicated so that such data is obtained and processed fairly for a specified and lawful purpose as required under the DPA.

    There are other questions that I’m sure Irish Water will be able to answer soon as well such as:

    • What happens if you have a birth or a death in your family? How can you update the allowances etc.
    • What happens if you move house? How do you transfer over allowances? How will personal data be kept accurate and up to date in that context?

    It is also worth noting that, since the sixth of September, Irish Water have slowly made steps to improve their communication of Data Processing purposes. Almost a month. Played out in the media. Almost a month, during which time the DPC went from being disengaged to being actively involved. Almost a month in which trust in Irish Water was damaged by inconsistent and incomplete communication. Almost a month for the tip of the iceberg (the Data Protection notice) to begin to be hammered into shape, but clarifications are still required and communication still needs to improve.

    Privacy by Design thinking applied to the life cycle of information (which includes “PLANNING”) could have helped avoid a lot of this. One of the key points of Privacy by Design is it puts the customer at the centre of focus. It also puts Privacy at the Design stage in any initiative… and a month spent in design and in ensuring clarity of process, consistency of communication, and transparency of Data Protection Notice would have been a month well spent by Irish Water.

    [I’m speaking on Data Protection, Data Governance, and Privacy by Design at EDBI in London next month and at IGQIE2014 in Dublin on the 7th of November. Tickets are still available for IGQIE2014 and discounted student rates are available for the morning session.]

  • Reposted: Irish Water, the letter from the DPC, and what it all means

    [On the 24th September I posted this. I’ve updated it to insert relevant updates in other posts in context]

    This evening the Data Protection Commissioner has contacted Irish Water in relation to their processing of personal data. Deputy Roisin Shorthall TD has published a response from the Commissioner’s office on her website to questions she has raised. The response reads as outlined below. I’ve annotated it with an explanation of the key issues raised. Key sentences are highlighted:

    Dear Deputy Shortall,

    I have been asked by the Commissioner Helen Dixon to respond to you on her behalf.

    Thank you for your query in relation to concerns you are hearing about Irish Water’s proposed collection and use of personal data. This Office is concerned to ensure there is clarity on these matters for the 2.2 million prospective customers of Irish Water. Clearly, the obligations under the Data Protection Acts in this regard fall directly on Irish Water as the Data Controller in terms of ensuring they are collecting data in a lawful way and using it for a legitimate stated purpose which they make clear to users of their service. Notwithstanding the obligation on Irish Water, this Office is in on-going contact with them in an effort to ensure they take on board our best-practice advice in this regard.

    [This paragraph confirms that Irish Water is the Data Controller and is subject to the Data Protection Acts.

    One of the fundamental principles of Data Protection under the Acts and the EU Directive is that data should be processed for a specified and lawful purpose. There is a requirement on Data Controllers to be clear with people about what uses their data will be put to. It is Irish Water’s job to make sure that that clarity is there.

    “The DPC is in on-going contact in an effort to ensure they take on board our best-practice advice” basically means that Irish Water has not done things the DPC might have expected and they are engaging with them to try and fix the situation. Under the Data Protection Acts the DPC must always seek an amicable resolution in the first instance. That usually involves a lot of “on-going contact” with organisations that have not quite got what is required of them.

    If the DPC is in “on-going contact” with you to give “best practice advice” you are NOT compliant, you are engaged in an amicable resolution process with the DPC. The only distinction is that the DPC has not yet made a decision that you are not compliant. If an Enforcement Notice issues at all in this instance it will be interesting to see what happens.

    Update: Today I posted this which looked at the apparent lack of a “signed off” movers/leavers process for when people change address and the data protection and operational implications. That is basic utility billing stuff, and is also a basic requirement under the Data Protection Acts – at least to have the mechanism by which changes to data can be made in the course of a customer life cycle.]

    The collection of the PPSN for use by Irish Water in verifying occupants of a household is provided for in legislation. We are satisfied from this Office’s interactions with Irish Water that it is intended to use the PPSN for the sole purpose of confirming the qualification for a free water allowance of occupants of the household (including children) and in line with conditions set down for its use by the Department of Social Protection. However, we are in agreement that the Data Protection Notice published does not currently give sufficient clarity and detail in this regard and we are corresponding with Irish Water and providing our views on this.

    [This paragraph confirms that there is a statutory basis for Irish Water to ask for PPSNs. It sets out that Irish Water has told the DPC that the SOLE purpose for processing PPSN is to confirm the qualification for free water allowances.

    The bit in bold is interesting. The DPC are “giving their views” on the clarity of the Data Protection notice (which is also referred to as a “fair processing notice” in Data Protection-speak) because they are of the view that the notice as published doesn’t give sufficient clarity. Not having sufficient clarity means that the Data Protection notice fails a basic test: that of being specific as to the purpose or purposes of processing. That is a breach of the Data Protection Acts, but is not, in and of itself an offence under the Acts for a host of technical reasons that hurt my head to explain.

    Again, if the DPC is contacting you to “provide views” on something, you are not compliant. The DPC does not tend to write letters telling you you’re brilliant and should have a gold star. Correspondence providing views is part of the investigation/amicable resolution process that the DPC is required under the Acts to follow. If an organisation is compliant the DPC wastes neither stamp, nor electron, nor oxygen molecule engaging in “correspondence” – the exception being where an organisation is audited or investigated and good practices are found to be in place. In that case you might get a mention in the Annual Report.

    I suspect Irish Water may get a mention but not for the right reasons.

    Also, the DPC does not specifically mention the question of the retention period or purposes for retention of PPSNs. I would assume that that topic would form part of the discussion as, if there is no purpose beyond the initial validation of allowances there is no lawful purpose for Irish Water to retain PPSNs.

    Again, the issue of clarity was the very topic I picked up on when I wrote my first blog post about the Data Protection Notice 18 days ago. It’s reassuring to see that the Data Protection Commissioner shares the concerns I raised.

    Update: I wrote this this morning following an Irish Times report that Irish Water would use PPSN as part of debt collection. This is not a stated purpose, and is not the “sole purpose” that the DPC had recognised and approved of.  It appears Irish Water are unclear internally about things that the Regulator believes they are clear about]

    The issue of disclosure of personal data to third parties inevitably arises in the case of Irish Water where they are already using contractors to fit water metres and for other outsourced functions. This Office has asked Irish Water to be transparent in terms of making clear the categories of the data processors to whom they are providing the data and for what purpose and to provide contact details in the event that a customer wishes to raise a data protection concern. We are currently following up with Irish Water on this matter.

    [Again, the question of clarity and transparency raises its head here. The Office of the Data Protection Commissioner correctly recognises that there are times when the use of third parties to do things for a company. Contractors are the third party in question. Third parties, doing work for Irish Water, under contract. These are known as Data Processors.

    The DPC here is requiring Irish Water to be transparent about the CATEGORIES of data processor they will disclose data to, for what purpose, and to give contact details if there is a Data Protection concern. Normally, the Data Controller is the entity concerns are raised to and they use their contract (for the love of spuds let Irish Water have proper data processor agreements in place) to address the issue with the Data Processor via a right of audit or inspection (as is actually required under the Data Protection Acts). If the DPC is now requiring contact details to be provided for Data Processors as well, I can’t see how that fits with only identifying categories, but would be happy to help figure it out. 

    Interestingly, the DPC seems to be going beyond what I’d included in my mockup “alternative universe” version of the Data Protection Notice. I’ll be taking note of that and advising clients accordingly.

    Also, the requirement to specify “categories” of recipients of data differs slightly but significantly from their Direct Marketing guidance in relation to providing marketing lists to or conducting marketing on behalf of third parties, which currently requires the SPECIFIC organisations data will be shared with to be disclosed at the time of data capture. If that requirement was intended to be specific categories as well, it makes a lot more sense and the current wording needs to be revisited to correct what appears might be a transcription error.

    Again, the DPC is “following up with Irish Water on this matter”. An organisation that is compliant with the requirements of the Acts does not require the DPC to “follow up”, and yet again the DPC is following up on issues of transparency, clarity, communication, and (in essence) customer focus.All of which were issues that I raised nearly 3 weeks ago.]

    Equally, Irish Water as part of their business model may use outsourced service providers outside of the EEA. We are not aware that this is currently part of their actual business plan but it would appear to be the case that they wish to ensure this eventuality is covered in their Data Protection Notice. Again, we have asked them to be more explicitly clear in the notice in relation to how they would protect the data and to identifywhere possible what type of data and for what purpose a transfer would occur.

    [This paragraph means that the DPC agrees that the use of outsourced data processors outside the EEA is something Irish Water MAY do in the future. This is very common. High street supermarkets use software development teams in India, telephone companies use database administrators in other countries, many SMEs use tools and technologies that have their data sitting outside the EEA. It’s a common thing. Irish Water include it in their Data Protection notice as a future proofing element.

    I note with interest that the DPC is asking for Irish Water to more explicitly state what type of data and for what purpose the data would be transferred outside the EEA. This is essentially the same question I asked in my original blog post when I wrote;

    Question: Is Irish Water planning to outsource call centre operations to India? Also: What countries are they intending to transfer data to, and under what controls?”

    The DPC’s request for Irish Water to provide more information about how they would protect the data is essentially the same as my query about “under what controls”.

    Again, if the DPC is asking you to be more explicit in how you are communicating things, then that means you are not compliant and are in the “amicable resolution zone” where the DPC talks gently to you to encourage more compliant behaviours. That’s a good thing if it is happening during planning and design of a system or process, but is a horrendously bad thing to have happen when you are up and running with your processing. At any point the gentle communication could develop teeth and you might be instructed to do something by way of an enforcement notice. The DPC is empowered to block any data transfer outside the EEA using a Prohibition Order under Section 11 of the Data Protection Acts.]

    I hope this information is of use to you. We do understand the urgency of the matter in light of the obligation on customers to return application forms to Irish Water and we are communicating our views in relation to this urgency to Irish Water.

    Yours sincerely, John O’Dwyer Deputy Data Protection Commissioner

    The DPC does not address in this communication the question of whether Irish Water’s approach to marketing consents is valid (I believe it is not). I’d expect that correspondence is on-going in relation to that aspect at the moment as well. And while Irish Water may wish to insist they are compliant in that regard, I beg to differ.

    I suspect this particular well has not yet run dry.

  • Irish Water and PPSN data

    This morning the Irish Times has a story about Irish Water, landlords, tenants, and PPSNs

    The article tells us that:

    Bills are to be issued quarterly, but as Irish Water will have the tenant’s PPS number, the utility firm will be able to pursue the tenant for any arrears and even apply any arrears to new accounts, when the tenant moves to a new address.

    What this tells me as a data geek is:

    1. Irish Water has a purpose for PPSN data that goes beyond the purpose agreed with the DPC (the validation of allowances)
    2. They are using PPSN as a primary key to identify people linked to properties (which goes beyond the “validation of allowances” purpose agreed with the DPC)
    3. Irish Water have some mechanism to identify tenants versus landlords, otherwise they are retaining ALL PPSN details for a period of at least six years. (It may be the PRTB data they have access to under S26 of the Water Services Act 2013).
    4. The retention period for PPSN is likely to be 6 years from the date of the final bill issued, but only where there are arrears on the account. Therefore, retention will be a rolling period for PPSN as bills are issued. It will only crystallise at 6 years once a final bill issues.
    5. The tenant who fills out the Irish Water application will be responsible for any arrears, even if they only wash every second week while their flatmates operate a water park in the kitchen.
    6. Irish Water haven’t modeled scenarios correctly as not every tenant in a rented property will be registered on the Application form… only one. I refer back to point number 5.

    Let’s just remind ourselves of what Irish Water told the Data Protection Commissioner they were going to use PPSN data for. The quote below is from a letter sent by the Acting Data Protection Commissioner to Roisin Shorthall TD that I blogged about last week.

    The collection of the PPSN for use by Irish Water in verifying occupants of a household is provided for in legislation. We are satisfied from this Office’s interactions with Irish Water that it is intended to use the PPSN for the sole purpose of confirming the qualification for a free water allowance of occupants of the household (including children) and in line with conditions set down for its use by the Department of Social Protection. However, we are in agreement that the Data Protection Notice published does not currently give sufficient clarity and detail in this regard and we are corresponding with Irish Water and providing our views on this.

    I’ve highlighted the relevant sentence. And the crucial word. So any use of or retention of PPSN for purposes other than validating allowances is potentially a breach of the Data Protection Acts. Full Stop. End of story. Move along.

    [It also means that they can’t validate the rest of the data – only the entitlement. So they can verify that the PPSN of Joe Blow is valid, and that the PPSN data provided for Joe’s 623 children is valid and that those 623 children exist and are resident in the jurisdiction. No more. So they cannot legally “enrich” their data from the DSP’s data sets (despite what some people are stating might be the case). Of course, this is a perfect reason why the Water Allowance for Children, which is payable only to children in receipt of Child Benefit, would have been better paid as an allowance from the DSP, as I’ve blogged about already.]

    Are Irish Water making this up as they go along ?  If so, this crisis of communication around a critical issue of Regulatory compliance could be a lot worse under the surface. For example, has Irish Water modeled their data and processes to allow for customer life events (births, deaths, marriages, divorces, people moving in, people moving out)? Not doing that will lead to data quality and data protection headaches down the line. If those scenarios are not catered for in their processes, bills will be wrong. Designing for Privacy means considering data and its processing, which means you being to look at how the organisation knows or can know important facts about things it needs to know. Lurching around like a drunken uncle at a country wedding does not suggest good design for processes, data, or privacy.

    At an upcoming conference on the 7th of November I’ll be talking about Data Protection, Data Governance, and Privacy by Design. The other delegates include some of the world’s leading experts on Data Governance, Information Strategy, and Data Quality. It’s a pretty darn good conference.

    Irish Water might want to send some people so they can learn from the other delegates and I about Data Protection, Data Modelling, and Data Governance.

    [Update: This status update has appeared via the @IrishWater twitter account which seems to suggest the Irish Times had it wrong:

    Because Irish Water can’t be wrong can they? Left hand needs to communicate with right hand and then talk to their customers!]