Category: Data Protection


  • Qui Custodiet CAI?

    The CAI (@the_cai on twitter), not to be confused with that famous venture capital firm based in Langley Virginia, the CIA, has today announced that it wants people who have been affected by the Ulster Bank IT outage in recent weeks to provide personal data to them for the purposes of starting a Class Action suit (http://thecai.ie/media-news/the-consumers-association-of-ireland-cai-ub-%E2%80%98class-action%E2%80%99-initiative/). Or Initiative. It’s not entirely clear which, for reasons to follow.

    Jebus.. where do I start on this one?

    1. I have the legal standing of a Matlock script (4 yrs UCD Law as a BBLSer but never qualified professionally) and even I know that there is NO SUCH THING AS A CLASS ACTION SUIT IN IRISH LAW. So to claim that you are going to initiate such a thing is false and misleading advertising. So the CAI has stated it is a process to gather information to provide to the Dept of Finance and the Central Bank for the purposes of calculating the losses and impacts suffered.
    2. Should this campaign ever appear in print or media adverts as a “class action” I will be lodging a complaint with the Advertising Standards Authority on the basis that any such advert would be misleading as to a significant matter of fact
    3. Journalists covering the story should pay attention to the Press Council code of practice on accuracy in reporting – do not report as being something that is about to happen something that CANNOT EVER HAPPEN. Talk to a lawyer about this and get a quote from one. Simon over in McGarr Solicitors is a good one, and Fergal Crehan BL is a frequent media commentator on legal issues whose surname is not McDermott.
    4. I think the use of the phrase “Class Action” in this context is just dumb as the average consumer doesn’t know that there is no such thing as a Class Action in Irish law, given that their legal training and skills are derived from reruns of LA Law and Boston Legal, and perhaps a few episodes of the Good Wife. Therefore I would suggest that the CAI needs to be very careful how they set and manage expectations here.

    Right, now that that bit is out of the way, it is worth considering the implications of what the CAI is proposing to do here.

    • Obtain Personal Data and potentially Personal Financial Data from individuals
    • For the stated purpose of doing
    • A thing that can not be done without a legislative change that has been long fingered… well, since I was a doe-eyed undergrad in UCD Law to be honest, unless the thing that is being done is just to forward the information on to the Central Bank and Dept of Finance.

    But the DPC is very clear that the expectation of the customer is important here – they should not be ‘surprised’ by the processing of their data. And what exactly will be presented to Government? Raw data or aggregated data? The former creates risk of ‘scope creep’ if data is left with Government and finds its way into other processes.

    I’ve put the words “Personal Data” and “Personal Financial Data” in Capitals because they are important Words of Power (to steal a term from Frank Herbert’s Dune saga, a story that has more chance of happening than the ‘Class Action’ the CAI is discussing).

    Personal Data is protected under the Data Protection Acts. It must be obtained for a specified and lawful purpose, be adequate and not excessive for the stated purpose, and it needs to be disposed of once that purpose has expired. And while you have it you have to keep it safe and secure.

    Personal Financial Data is a term that entered Irish Data Protection practice in July 2010 with the introduction of the Data Security Breach Code of Practice (which I was involved in consultation submissions on). Basically it is a surname plus an account number, or an account number plus data from which a surname could reasonably be inferred.

    Personal Financial Data needs to be kept safe and secure as well. And if there is even the suspicion that it has been lost, stolen, misplaced, accessed without authority, or otherwise tampered with, the Data Controller (in this case the CAI) has a very clear duty to notify the Data Protection Commissioner and the affected Data Subjects. It too must be obtained lawfully and fairly by the Data Controller.

    So, let’s run the rule over this shall we:

    • There is a specified purpose.
    • It is not one that can be achieved in law… (Oh… there’s a problem, if people think they’re entering a process to have their day in Court).
    • The purpose for which it is being obtained cannot come into being (if it is a “Class Action” as described), therefore the data should not be retained. (OK.. fill out a form, press send, clear form, don’t send any data).
    • Given that the stated purpose cannot actually be achieved (see my earlier point about Class Actions in Irish Law) then, by definition, any data obtained for that purpose is excessive and should not be captured or retained.

    So, in short…

    IN OPERATING A PROCESS TO OBTAIN AND RETAIN PERSONAL DATA AND PERSONAL FINANCIAL DATA FOR THE PURPOSES OF A CLASS ACTION WHICH CAN NEVER TAKE PLACE UNDER THE CURRENT LEGAL SYSTEM IN IRELAND CAI ARE ALMOST CERTAINLY ACTING IN BREACH OF THE DATA PROTECTION ACTS.

    Of course, we are in the wonderful world of branding and sound-bites and the phrase “Class Action” will doubtless wind its way into UB Headquarters where it will be bounced around meeting rooms like a tribble at a Star Trek convention (I used to freak out when people mis-used the term “Duty of Care” and talked about “Precedence” when they meant “Precedents”, all without a fricking clue what the terms ACTUALLY meant in a Legal & Regulatory context – but a man on Matlock kept saying them so they must be WORDS OF POWER they told me).

    This may spark some more serious introspection about the issues involved in the Bank but won’t actually get inside a Court, which could be a problem for CAI if people submitting information to them believe that a mass litigation is the end game with money at the end of the rainbow.

    So, CAI need to be a little more up-front and explicit about the SPECIFIC PURPOSE for the data they are processing. The branding isn’t helping that and could trigger problems under the Data Protection Acts. Also, they need to be clear about WHAT data is being presented to the Government and the Central Bank. And they need to be clear about what will happen to it once the Government and Central Bank have been briefed. And then they need to be clear about when it will be deleted. Also they need to be darned sure that the channel people use to submit that data is secure (hint: email is not PCI-DSS compliant).

    Yes.. lobby and campaign and organise on behalf of consumers. But in doing so don’t get so caught up in the branding, image, and soundbites of what you are doing that you forget about the rights of the, well… ummmm…, CONSUMER.

    (There is a way they can go about this without any of the problems outlined above but it will mean

    • Changing their branding and eating humble pie about the whole thing
    • Hiring me to be VERY VERY CLEVER on their behalf with some Smart Monkey Consulting™)

    Heck, if they want to have an independent Data Quality review of the end to end processes and impacts I am a qualified Information Quality practitioner with years of experience and two books under my belt. (Hint… the key to it all is process and information flows).

  • Olympic betting scandal and Data Protection

    An Irish athlete is under investigation less than 24hrs into the Olympics arising from allegations that they, in effect, bet against themselves.

    An anonymous source became aware of the pattern of betting and notified the authorities.

    This blog post is being written to help media commentators avoid either putting their feet in it or wasting the scarce time of the Data Protection Commissioner raising spurious enquiries about whether the disclosure of the data in this case was legal.

    Bluntly – you don’t want to come out swinging against the bookies if they were acting correctly as you’ll look like a fool. And, if they were in the wrong, you don’t want to throw the Data Protection Act around like snuff at a wake as there’s enough bullshit out there about what it is and what it does to fertilise the Rose Gardens in St Anne’s Park until doomsday.

    First things first: we need to bone up on some of the law governing gambling, specifically section 11 of the Gaming and Lotteries Act 1956. That legislation makes it an offence to cheat.

    11.—Every person who by any fraud or cheat in promoting or operating or assisting in promoting or operating or in providing facilities for any game or in acting as banker for those who play or in playing at, or in wagering on the event of, any game, sport, pastime or exercise wins from any other person or causes or procures any person to win from another anything capable of being stolen shall be deemed guilty of obtaining such thing from such other person by a false pretence, with intent to defraud, within the meaning of section 10 of the Criminal Justice Act, 1951 (No. 2 of 1951), and on conviction shall be punished accordingly.

    That is important as Section 8 of the Data Protection Acts permits the disclosure of personal data where necessary to allow the prevention, detection, or investigation of a crime. In this case cheating.

    Note: I’m not saying that any cheating actually took place here, just that circumstances appear to exist which seem to require investigation of the possibility of such cheating.

    As winning bets were drawn down that might fit the bill under the Gaming Acts.

    I always advise clients to have at least two lawful processing conditions to rely on. In this case the bookmakers could probably argue the “Legitimate Interest” grounds… It is in their interest to red flag potential cheating in the placing of bets or rigging of events. And the remedy to that would be to alert the appropriate body who would in turn have a legitimate interest in ensuring the propriety of the Games.

    Of course, the complicating factor is that the information was sent to the OCI from an “anonymous email”. If the sender was an employee of the bookmakers, and had permission from their employer to alert the OCI, then that might be an allowable disclosure. But if they aren’t an employee (for example if they work with the police and came into possession of information relating to an investigation), or didn’t have permission to disclose the details of the athlete, then that could be a breach of the Data Protection Acts.

    So. Before we start chasing hares that aren’t there, let’s all step back and remember what the law actually is here. Far more important to focus on Google and their ‘factual inexactitude’ on Street View and the paltry resources of our DPC.

    Thus endeth the rant

  • Support your Local Sheriff–why the DPC needs us to help them help us.

    Problem Statement

    The Irish Government is tripping over itself to win FDI from the new ‘Big Data’ enterprises. Whether it is promoting Ireland as a perfect location for Data Centres (it is, apparently we’re in a temperate Goldilocks zone) or chasing flagship investments in European headquarters for companies such as LinkedIn, Facebook, Zynga Games, Twitter, not to mention the pursuit of “home grown” ‘Big Data’ firms or the development of long term residents like Apple or Amazon from ‘box packers’ or call centres into footprints of ‘Big Data’ behemoths, the Government can’t help itself.

    And why would it. These organisations bring needed jobs, needed credibility to the Irish Economy, and much needed positive headlines for beleaguered politicians.

    Of course there is a catch. A small problem. Actually two small problems. Well, actually one problem, but one that is so small yet so significant that it is worth mentioning twice:

    Our Data Protection Commissioner is chronically understaffed and, in my view, may lack skills and experience necessary to engage with and properly enforce EU Data Protection regulations.

    If the Government is viewing “Data” and its related services as the “New Finance” they are showing precious little evidence of having learned from the failures of the past and I increasingly believe we are facing a scenario where either

    1. A major Data Protection scandal sweeps across big name players in Ireland and the DPC is wholly overwhelmed and cannot respond appropriately.
    2. Once new EU Data Protection Regulations are in place, we find ourselves in the eye of a major Data Protection issue and the Irish DPC finds himself with no option but to cede responsibility for the investigation and enforcement to another EU Data Protection Authority under the enhanced co-operation protocols in the revised Data Protection Directive.


  • Why Apple’s iOS6 changes mean increased work for Irish Data Protection Commissioner

    At Apple’s WWDC conference this week nerds, fanbois and developers were greeted by the news that Apple will be shipping iOS6 later in the autumn (or “fall” for non European readers). Among the features that Apple is touting are:

    1. Ditching Google Maps for its own mapping product and GPS tools
    2. More deeply integrating Facebook with iOS, similar to the deep integration with twitter that emerged in iOS5.

    I personally have some privacy concerns about this level of integration and the potential for Apple to become even more the “Big Brother” they so eloquently mocked in their 1984 TV advert.

    Maps

    By ‘baking in’ an application (Apple Maps) that will likely require me to disclose my location to Apple in order to work (and which at first glance appears to be less useful than Google Maps), I’m getting a less good deal on which to base the sharing of my personal data. And Apple aren’t giving me a map for the good of my health or because they want me to know where I am.

    Location data is part of the “Big Data” gold rush. Traditionally it has been mobile telcos who have access to this data and can analyse it to determine a variety of offerings for customers (next time you get a “pleasantly surprising” SMS message telling you about a special offer in the coffee shop you just happen to be near, congratulations, you’ll have walked within range of a ‘geo-fence’ that will have triggered the SMS. Assuming of course you opted-in to that kind of thing. Like that voucher service you signed up to).

    Google tracks you as well when you use Google Maps on your iPhone. But, in the absence of a Google login that tracking is relatively anonymous, going down at most to being able to identify that a particular device was in a particular location (unless you’re logged into a Google service on your device, in which case rest assured Google is probably making associations on the fly).

    Apple on the other hand can also link your location to your phone. And your phone is registered to you. Through iTunes. So Apple will potentially have access to a more granular level of data about who is where, when, who is near them, who they are contacting (iMessage makes your SMS free to another iPhone user… congratulations, Apple now knows who you are messaging). Apple knows what kind of music you like, what movies you rent, your demographic segment… (it’s the iTunes platform!)

    By adding maps to the mix in the iOS/iTunes platform, Apple can also tap information about you in motion – where you are travelling from, to, how fast and can probably make assumptions about your mode of transport (moving fast, not on a road, in a relatively straight line… means you’re probably on a train. Well done, Apple now knows you are probably a user of public transport).

    As CNET reporter Rafe Needleman writes:

    …the more users you have running your geolocation software, the more data you have about how fast people are moving. Apple’s adoption of its own mapping platform means it will now get access to that data from its iPhone users, assuming (and it’s a big assumption) that Apple can hurdle the privacy issues over gathering that data.

    And as Apple’s European HQ is based in Cork, it will be the Irish Data Protection Commissioner who will be in the vanguard of haggling with Apple with regard to the nature of the terms and conditions and controls that will be placed on the processing of the valuable and very identifiable personal data in question.

    Facebook

    I use Facebook. I have a Facebook profile. I am a believer in Sun Tzu’s mantra that one must know your enemy.

    By tightly integrating Facebook with iOS6 Apple potentially gets access to a valuable array of data about who you know, your interests, etc. Facebook get an easier to manage interface and a more ‘baked in’ and reflexive sharing of content and information by Facebook users.

    And the individual gets another avenue by which personal data by and about them may wind up in places they were not expecting or being used in ways they didn’t anticipate.

    Later this month Facebook will be facing into the return visit of the Irish Data Protection Commissioner who made relatively negative findings in their audit report earlier this year (but not as negative as many may have hoped). As the integration with iOS was not in the scope of their original review, I suspect it will not be on the table for discussion (at least not formally).

    But again it is the Irish Data Protection Commissioner who is in the vanguard of protecting the fundamental rights to Data Privacy which are enshrined in EU law and which Facebook, through its terms and conditions, extends to Facebook users everywhere outside of the US and Canada.

    And it means Apple don’t have to waste any more time and effort trying to put the bounce into Ping. They will have effectively outsourced that to Facebook. So Apple wins something. Facebook wins something. Where is the consumer’s win (and is it big enough to balance the impact on privacy).

    Evolving the Platform

    Any minute now I expect my friend Phil Simon to fire out a blog post about how Apple’s ditching of Google and locking in and locking down of Facebook represents a platform strategy play in The Age of the Platform. Apple is simply adding more “planks” to its platform, pushing out a competitor platform and reducing the incentive for another platform to start competing in devices (or at least minimising the impact of any such competition by leveraging the critical mass of the iOS/iTunes platform).

    But to stretch and mangle Phil’s Platform analogy to the nth degree, any form of large scale construction requires permits and clearance and needs to balance the utility and convenience of what is being built (whether it is a shopping mall or a social media data sucking behemoth) with the impediments it may cause to the rights and enjoyments of individuals.

    And the “Building Control Inspector” in this case will more than likely be the Irish Data Protection Commissioner.

    • With fewer than 22 full time staff
    • A budget of less than €1.5million

    I fear that the back-end complexity of Apple’s move to front-end simplicity may be a killer blow to the efficiency and effectiveness of the Office of the Data Protection Commissioner, which is already creaking under the strain.

    Given the influx of DataSuck Platform companies in to Ireland (LinkedIn, Facebook, Twitter, Google, Apple –admittedly here for years, Zynga etc.) the Irish Data Protection Commissioner is rapidly becoming the “Local Sheriff” in the Wild West of ‘Big Data’ exploitation for more than just the 4.5 Million people living on our little island.

    #SupportyourLocalSheriff

  • An Enforcement Reality supporting my “Penalty Points” idea

    Over my morning coffee this morning I read this story from eConsultancy.com about the UK ICO beginning ‘soft enforcement’ of the ePrivacy regulations around cookies.

    Good news: They are starting to enforce the law. They will be taking a balanced approach. I assume that the letters will take the form of Information Notices and possibly Enforcement Notices.

    Bad news: The level of breach that not complying with the Cookie provisions of the ePrivacy Directive constitutes is not likely to meet the standard of severity required for the ICO to levy a fine.

    So businesses will receive a letter. But we can be assured it will be a strongly worded one. But, given the mental discounting that management do in compliance situations, this is inevitably going to lead to precisely no change in compliance behaviour. When faced with the question “So, what’s the worst that is likely to happen?” Data Protection Officers or advisors will have nowhere to go in their persuasion. It is all carrot and no stick. And CxO level managers are pure carnivores, so carrots are not that enticing on their own.

    • There will be no financial penalty for the Cookie breach
    • Any penalty that might arise will be for failing to comply with an Enforcement notice or provide information requested under an Information Notice. But that would require another cycle or three of communication between the ICO and the infringing company.

    There is no sting in the tail. The arc that must be travelled between Breach and Penalty is too long. And as every parent of a toddler knows, there is no point putting them on the naughty step days or weeks after their valiant but doomed attempt to juggle with kittens.

    Hence the need, in my view, to have something else that allows a sting to be put in the tail, that wraps the polite letter from the ICO (or the Irish DPC for that matter) in a small brick that will get attention. In my opinion, if the EU is serious about changing attitudes to Data Protection amongst businesses it needs to ensure that the laws that are passed can be enforced with both carrot and stick so that culture and values in business will change.

    Breaches of the Cookies rules fit the bill nicely for a structured penalty system that allows for cumulative penalties to build towards a more serious fine or enforcement action. Assume, for argument, that writing a non-essential cookie without notice and consent was a 1 point offence carrying a fixed penalty notice of €120/£100 for first offence (with higher penalties for subsequent offences). Audit tools such as those developed by CookieQ.com could be used to audit the site, tot up the number of cookies, an investigator could make a judgement as to the essentialness and generate a fixed penalty notice attached to the letter.

    Perhaps the 1st offence would be a “freebie”, with a second failure leading to a penalty (after all, we want this to be fair and graduated). At some threshold (let’s say 20 points) more serious penalties would kick in (perhaps the €2million outlined in the proposed Regulation, or mandatory multi-year privacy audits such as being imposed on firms in the US by the FTC). As this is an evolving thought doodle I won’t waste time mapping specifics here.

    If the penalty points for the Cookie infringement formed part of the overall “scorecard” that a company would accumulate, adding to the risk of a more severe penalty (and the inevitability for hard core recidivists). If, as with parking tickets and speeding fines, the Data Controller had the right to appeal the fixed penalty to the Courts (at the risk of a greater penalty and increased publicity), the “mental discounting’” would need to change. This would change the conversation for Data Protection Officers and advisors when the letter comes.

    Boss: “What is the worst that they can do?”

    DP Team: “Well, 50 cookies being written has already cost you €5000 in fixed price penalties. You can appeal them to Court, but that carries a risk of the penalty being increased further and a conviction being recorded against you.”

    Boss: “OK, so pay the fine and then we keep going.”

     Boss: “Oh shit. Let’s fix this then”

    Just as cumulative breaches of Road safety lead to serious penalties, cumulative breaches of Data Protection rules could lead to more serious penalties.

    The benefit of this approach is it would encourage and incentivise organisations to focus on the small stuff. And as repeated studies in risk management and accident investigation have shown, the major disasters are usually a result of an accumulation of small things.

    According to econsultancy, the ICO is considering applying penalties based on a scale. It is not a significant jump from a scale for a specific penalty to a framework for levying administrative sanctions in a structured and transparent manner.

  • An open letter to Viviane Reding

    Dear Commissioner Reding,

    I’m writing to you as an EU Citizen who is passionate about data, its use, its quality, and its protection. I’m not writing to you as the Managing Director of a company that offers Data Protection training and consulting services, but in the interests of transparency I think it best to disclose that that is my day job.

    I am writing to you about the new Data Protection Regulation. In particular I’m writing to you about the penalties contained in the current draft proposal. Frankly I think they suck. I don’t think they’ll have the effect that you think they will have. I’m basing my opinion on a number of bases:

    1. I have worked in Regulatory Operations in a Regulated industry that you are familiar with, telecommunications.
    2. I’m a keen student of human psychology and economics, particularly the psychology and economics of risk and reward. Understanding this “theory of psychology” is important in the world of Information Quality.
    3. I like to observe and learn from other industries and areas of life to see what can be applied to improving quality systems for and the governance of information.
    4. I’m the parent of a toddler. This might not appear immediately relevant but, in the context of Data Protection, my immediate experiences dealing with a stubborn personality in development who is programmed to push boundaries and infuriate me with apparent disregard for the standard of behaviour expected of her all too often find their parallels in the management teams and staff of organisations I’ve worked with.

    Taking these elements together I am afraid that 5% of Global turnover will not work as a penalty. It’s a great soundbite but will, in practical terms, amount to little more. There are a few reasons for this.


  • Newspaper Licensing Ireland–a return

    The last post was a little long and analytical. Having reread the great post on McGarrSolicitors.ie I thought I’d reframe my Data Protection take on this in terms that might be more familiar.

    Personal Data is being processed via your website without an appropriate Privacy Statement and without any communication of the purposes for that processing. Furthermore, the failure to have such a privacy statement on your site which references the use of Google Analytics is a breach of Section 8 of the terms and conditions that apply to Google Analytics. Failure to obtain consent for the use of the cookies written by Google for the purposes of Google Analytics is a breach of SI336.

    You are breaking the law; you risk exposing your company to investigation and prosecution, with financial penalties and brand damage ensuing. Processing personal data without it being obtained fairly for a lawful purpose, and writing 3rd party cookies without consent is illegal and breaches a fundamental Human Right in the European Union.

    What do you think?

    I may be over egging it a little. I need a cup of tea now and a good sit down.

  • Newspaper Licensing Ireland– some thoughts

    This post is about the website of Newspaper Licensing Ireland, who have recently written to a non-profit organisation whose aims I wholeheartedly support, seeking license fees for linking to newspaper content published on the internet by the newspaper publishers. McGarr Solicitors, who are acting for Women’s Aid, have published a detailed analysis of the situation and the questions raised on their website, which I link to in the confidence that the McGarrs won’t come looking for a pound of flesh in return. Sticky buns perhaps, but nothing worse.

    I will ignore the fact that this action seems to be in ignorance of the way the Internet works, particularly with regard to search engine optimisation and page ranking, where the relevance and significance of content determine its positioning in Google searches and hence the value of the real estate for on-line advertising purposes. I’ll ignore how the use of links simply tells people to “look over here – I found this interesting, so you might too”. I’ll ignore the fact that links are effectively the footnotes on the Interweb that tell people where your source was for a thing.

    (But if you do want to actually understand this aspect, the Wikipedia entry on Search Engine Optimisation has a reference to the Google PageRank algorithm and how it works (at a high level). And Dr. Cathal Gurrin in Dublin City University did his Doctoral thesis on the topic. And I’m sure someone somewhere has done an economic analysis of link density [the number of inbound links to a site] but I can’t be bothered to look for it tonight.)

    What I will talk about here is what happened when I went to the Newspaper Licensing Ireland site (which I won’t link to… just in case) to see what the potential cost to an SME with 0-10 employees would be. I still don’t know the answer.

    I’d expected a form that would take certain inputs and churn them around to spit out a ball park figure. I’d expected to see something that would relate the license cost to, for example, the average hits or distinct site visits on the SME company site per month (to make the cost meaningful as those stats are the foot fall of the Web).

    What I didn’t expect was to be asked for a contact name and the name of the company on that form. Company name I’m not too concerned about. But the contact name…

    …that’s personal data. Therefore under s2 of the Data Protection Acts it must be obtained for specified and lawful purpose and must be fairly obtained. So I went looking for a Privacy Statement (there was none). So I turned on my cookie checkers to see what was being written by the site to my device wot is connected to a public communications network (and therefore would be a cookie within the meaning of SI336 and as such would require consent unless necessary for the service I’m trying to avail of).

    My tools revealed that NLI are using Google Analytics on their site. In a manner which is in breach of the Terms and Conditions of use for Google Analytics which state very clearly in Section 8:

    8. PRIVACY

    8.1 You will not associate (or permit any third party to associate) any data gathered from Your Website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will comply with all applicable data protection and privacy laws relating to Your use of the Service and the collection of information from visitors to Your websites. You will have in place in a prominent position on your Website (and will comply with) an appropriate privacy policy. You will also use reasonable endeavours to bring to the attention of website users a statement which in all material respects is as follows:

    “This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”).  Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States . Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage.  Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.  You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.  By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.”

    The emphasis in bold is mine. What Google requires is that people using GA put in place a Privacy Statement, and that the Privacy Statement clearly details the use of Google Analytics, the fact of data transfer to the US, the purposes for which the data will be used, etc.

    NLI have no such Privacy statement, and no such text, so no mechanism to confirm my consent to the cookies that are being written by Google Analytics.
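    The check above is a mechanical one, so here is an added example (my own illustration, not the tools referred to in the post and not NLI's or Google's code) of how to audit a page's HTML for the two things that matter under Section 8.1: is a Google Analytics tracker loaded, and is there a visible privacy/cookie policy link and a statement naming Google Analytics? The tracker patterns cover the common public snippet shapes (classic `ga.js`/`_gaq`, `analytics.js`, `gtag.js`, Tag Manager) and the `UA-`/`G-` property ID formats; the two pages of HTML are constructed samples, not captured from any real site.

```python
"""Audit HTML for Google Analytics trackers and the privacy notice GA's terms require.

Added example. Tracker detection is by well-known snippet/script patterns; the
sample pages below are constructed for illustration, not captured from a real site.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Script sources that load Google's trackers.
GA_SCRIPT_PATTERNS = [
    (re.compile(r"google-analytics\.com/(?:ga|urchin|analytics)\.js", re.I), "google-analytics.com tracker script"),
    (re.compile(r"googletagmanager\.com/gtag/js", re.I), "gtag.js"),
    (re.compile(r"googletagmanager\.com/gtm\.js", re.I), "Google Tag Manager container"),
]
# Inline tracker API calls, for sites that paste the snippet into the page.
GA_CALL_PATTERNS = [
    (re.compile(r"_gaq\.push\s*\("), "_gaq.push() (async ga.js)"),
    (re.compile(r"\bga\s*\(\s*['\"]create['\"]"), "ga('create', ...) (analytics.js)"),
    (re.compile(r"\bgtag\s*\(\s*['\"]config['\"]"), "gtag('config', ...)"),
    (re.compile(r"_getTracker\s*\("), "_getTracker() (urchin-style)"),
]
# Property IDs: UA-XXXXX-Y (classic) or G-XXXXXXXX (GA4).
PROPERTY_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")
ANCHOR_RE = re.compile(r"<a\b[^>]*href\s*=\s*[\"']([^\"']+)[\"'][^>]*>(.*?)</a>", re.I | re.S)
PRIVACY_RE = re.compile(r"privacy|cookie", re.I)
GA_NOTICE_RE = re.compile(r"google\s+analytics", re.I)


@dataclass
class AuditResult:
    trackers: list[str] = field(default_factory=list)
    property_ids: list[str] = field(default_factory=list)
    privacy_links: list[str] = field(default_factory=list)
    mentions_google_analytics: bool = False

    @property
    def uses_google_analytics(self) -> bool:
        return bool(self.trackers or self.property_ids)

    def findings(self) -> list[str]:
        """Human-readable list of what a Section 8.1 review would flag."""
        if not self.uses_google_analytics:
            return ["No Google Analytics tracker detected."]
        out = ["Google Analytics detected: " + ", ".join(self.trackers or self.property_ids)]
        if not self.privacy_links:
            out.append("No privacy/cookie policy link found on the page (GA terms s.8.1 require a prominent privacy policy).")
        if not self.mentions_google_analytics:
            out.append("No visible statement naming Google Analytics (the notice text GA terms s.8.1 require).")
        return out


def audit_html(html: str) -> AuditResult:
    result = AuditResult()
    for pattern, label in GA_SCRIPT_PATTERNS + GA_CALL_PATTERNS:
        if pattern.search(html):
            result.trackers.append(label)
    result.property_ids = sorted(set(PROPERTY_ID_RE.findall(html)))
    for href, text in ANCHOR_RE.findall(html):
        if PRIVACY_RE.search(href) or PRIVACY_RE.search(text):
            result.privacy_links.append(href)
    # Only user-visible text counts as a notice: strip scripts and HTML comments so
    # the tracker's own "<!-- Google Analytics -->" marker is not mistaken for one.
    visible = re.sub(r"<script\b.*?</script>", " ", html, flags=re.I | re.S)
    visible = re.sub(r"<!--.*?-->", " ", visible, flags=re.S)
    result.mentions_google_analytics = bool(GA_NOTICE_RE.search(visible))
    return result


# Constructed sample: classic ga.js snippet, no privacy link, no notice text.
SAMPLE_NO_NOTICE = """<html><head><title>Catalogue</title>
<!-- Google Analytics -->
<script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-12345-1']);
  _gaq.push(['_trackPageview']);
  (function() {
    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
  })();
</script>
</head><body><h1>Catalogue</h1><a href="/contact">Contact us</a></body></html>"""

# Constructed sample: gtag.js with a privacy link and the required statement.
SAMPLE_WITH_NOTICE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123XYZ"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-ABC123XYZ');
</script>
</head><body>
<p>This website uses Google Analytics, a web analytics service provided by Google, Inc.</p>
<a href="/privacy-policy">Privacy policy</a>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("no notice", SAMPLE_NO_NOTICE), ("with notice", SAMPLE_WITH_NOTICE)):
        print(f"== {name} ==")
        for line in audit_html(page).findings():
            print(" -", line)
```

    Run it against the saved HTML of a page (`audit_html(open("page.html").read())`). A clean result only means the tracker and notice are present; whether the notice is "prominent", and whether consent is actually obtained before the cookies are set, still needs a human looking at the page.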

    So, the site is operating in breach of SI 336 of 2011 and Google’s terms and conditions, and is effectively breaching both the contractual conditions governing the use of Google’s services and the fundamental right to the protection of personal data as enshrined in Article 16 TFEU (inserted by the Lisbon Treaty).

    All of which I’d never have considered looking at at all if they weren’t sending threatening letters to a charity that exists to help and protect women experiencing domestic violence.

  • Culture of Compliance

    So, Phil Hogan believes that the vast majority of people in Ireland want to be compliant with legislation, specifically the Household Charge. Perhaps a first step to ensuring that compliance would be for the Minister to ensure that the Household Charge is being implemented in a manner that is compliant with the Data Protection Acts. That would have meant

    1. Early consultation with the Data Protection Commissioner to identify and mitigate Data Protection risks in the Household Charge legislation
    2. Early consultation with the Data Protection Commissioner to ensure that appropriate mechanisms for data sharing were given effective legislative support within the Household Charge legislation
    3. Ensuring clarity about the current and proposed future uses for the (significant) amount of data which is being gathered as part of the registration process
    4. Ensuring that the use of PPS Numbers as part of the registration process was clearly and demonstrably being approached in a manner that complies with the requirements of the Social Welfare Consolidation Act 2005
    5. Ensuring clarity about who the Data Controller is for the Household Charge scheme (it appears to be de facto the Department at this point, despite the text on the Privacy Statement on their website).
    6. Communicating early and often with the public about the charge, its legal basis, the purposes to which the data being collected will be put, etc.

    Instead we have a Minister announcing on national radio that the Government is backing him in reviewing all relevant legislation, including the Data Protection Acts, to allow the Household Charge to be collected. Thankfully the Data Protection Commissioner’s rebuttal of that utter nonsense has been getting more air time since, but I thought it might be worth a quick examination of why the Minister’s comments were total poppycock.


  • Chuggers (and why I’m not a fan of them)

    Imagine I walked up to you on the street with my arm outstretched to shake your hand and making direct eye contact with you and smiling. Imagine if the next thing I said or did was to ask you to give me

    • Your name
    • Your credit card or bank details
    • Your mobile phone number
    • Your home address
    • Your email address
    • A copy of your signature

    and a range of other personal data, all of which I wrote down on a piece of paper and stuck in my bag before thanking you and walking off.

    Chances are I wouldn’t get very far in gathering that information. Your natural sense of risk would (or should) kick in. Chances are you’d call the police on me.

    But imagine that scenario again with one small change. I’m wearing a polyester jacket with the logo of a charity on it and I’ve got an ID badge hung around my neck and a backpack. What would you do then? Hey, I’m collecting for a charity.

    I am a charitable person. I like to support good causes and I like to contribute as much as I can whenever I can to such causes. But I’d say no to me because of my personal sense of Information risk.

    Others base their dislike of Chuggers (Charity Muggers) on the methods that some use to get people to sign up, methods which are often the result of the commission or quota based systems that some of these people work under (and I’ve written elsewhere about why quotas are a BAD idea in the delivery of quality service). Of course, these are methods which charities who use this means of fundraising disavow all knowledge of and disown completely, but which I have witnessed.

    My avoidance of chuggers is based simply on good Information Security practice. I don’t like the idea of my data being in a bag around someone’s neck or a plastic zip-lock folder, in a public place. From a Data Protection point of view I’d rather not have to have a real-world test of the compliance of the organisations that run these collection methods with things like the Data Security Breach Code of Practice or the requirement under S2 of the Data Protection Acts to take reasonable and appropriate steps to ensure the security of personal data. Particularly not with my data. The data that is obtained by Chuggers is Personal Data within the meaning of the legislation, as it is data that has been obtained with the intention of processing it electronically or of filing it in a relevant filing system, ergo it needs to be treated with care.

    I’ve advised clients in the non-profit sector of the potential for brand damage arising from something as simple as one of their Chuggers being mugged and their bag being stolen… or to put it another way: the temporary storage location of an array of personal data. I’m not saying don’t use the method. What I’m saying is your controls need to be very tight.

    Among the controls that need to be in place is appropriate training for staff on Data Protection. I’m not sure if such training is happening as many of the techniques I’ve seen or heard of being used to get people to stop could actually be construed as being contrary to the requirement for consent to processing of data to be freely given. That said, a volunteer for one charity came on a Data Protection course I taught a few years back and they stopped using chuggers afterwards.

    If the UK experience is anything to go by, my risk aversion is justified. The ICO there has investigated charities for loss of data. It is inevitable that similar will happen here, if it hasn’t already (but if it has I can’t find a reference to it on the Data Protection Commissioner’s website). The root cause in the UK case I link to was a lack of training and awareness that led to a loss of data.

    So how should your chugger experience go? Well, first of all you should know what happens to all this information you have just given them. The chugger is meant to either give you a data protection statement to read or explain to you who will be processing (using) your information, who they will share it with and also give you the chance to say you do not want them to pass it on to anyone else. They should also make sure that once you have signed the form to agree to what you want to do, the form is kept safe and secure, rather than what normally happens where they add it to some others in a plastic folder or clipboard they are holding.

    My advice to anyone accosted by a chugger is: if you can’t get away, ask politely for a copy of the charity’s form for you to fill in at your leisure. If they don’t give it to you take their name from their ID badge and report them to their Charity and if the Charity doesn’t take it seriously report it to the Data Protection Commissioner. (If they don’t have an ID badge, assume they are not representing a charity and you’re about to be mugged – react accordingly).

    My advice to any Chugger who is careless with their folder or is mugged for their bag: notify your Charity immediately. The Charity should notify the Gardaí as well and make sure they know that there was personal and financial data stolen/mislaid. The charity should also notify the Data Protection Commissioner. As the paperwork will not have been processed you won’t be able to notify the Data Subjects directly (as is required under the Code of Practice), so they will likely have to put out a public statement about the loss of data to alert people who have given their details to the risk of identity theft.

    Personally, I make my donations either on-line (and I look for PCI compliant payment processors and HTTPS security on the donation page) or over the phone. I have never and will never donate to a charity by means of a chugger, and when faced with a choice I will opt for a charity that doesn’t use them.