Category: Data Protection

  • The curious case of Enda and the Technology

    Enda Kenny found himself slightly ambushed on the news last night (6-One News on RTE) by Bryan Dobson. At the end of a segment about the trials and tribulations of Brian Cowen, Enda was asked about the problems that have befallen the FG website.

    Enda’s response was telling on a number of fronts.

    1. He indicated that the FG site had been implemented because he’d been impressed by a to the European People’s Party (Maman Poulet wrote about that a while ago).
    2. He indicated that they were looking into moving the site to an Irish host.
    3. He stated that he was not competent in the technology.
    4. He stressed that “40 young people” were being trained in these new technologies in FG HQ, which would add to their CVs.

    The Obsession

    In short… FG are focusing on the technology. This is exactly the point I was trying to make in my first post about the need to set “the tone at the top” and ensure that the values expressed in that tone cascade down the organisation and are expressed and executed through effective governance.

    By focusing on the technology rather than the effective governance of the information (in a way that would support their objectives and their brand), it seems FG have got tunnel vision on a particular technology and missed the point completely.

    Indeed, back in 1999, Peter Drucker wrote that:

    So far, for 50 years, the information revolution has centered on data—their collection, storage, transmission, analysis, and presentation. It has centered on the “T” in IT.

    The next information revolution asks, what is the MEANING of information, and what is its PURPOSE?

    FG may have had a purpose (to listen, and to build a mailing list) but they don’t appear to have considered what it means to gather personal data, particularly SENSITIVE personal data.

    In this context, Enda and the leadership of FG are not being asked to suddenly become PhD level experts in all aspects of Information Security and Web design. What they are expected to do is apply reasonable levels of due diligence to ensure compliance with the law of the land and the standard of care that is expected of organisations who process Sensitive Personal Data.

    Organisations like the Civil Service, for example, which has produced very clear guidelines on the processing of personal data and the standards of care that must be exercised. Those guidelines are very explicit in a number of sections about the importance of encrypting sensitive data when it is being transferred. For example, in relation to the transfer of personal data by email the guidelines say:

    1. Standard unencrypted email should never be used to transmit any data of a personal or sensitive nature. Departments that wish to use email to transfer such data must ensure that personal or sensitive information is encrypted either through file encryption or through the use of a secure email facility which will encrypt the data (including any attachments) being sent. The strongest encryption methods available should be used. Departments should also ensure that such email is sent only to the intended recipient.

    So, if FG become the leaders of the next Government, will it be a case of the Executive arm telling the Civil Service “Do as we say, don’t do as we do?”

    That is what I mean by SETTING THE TONE FROM THE TOP.

    Given the comments in the Evening Herald yesterday, apparently from the hackers who attacked the FG website, that the web-designers who built the FG website had left various passwords set to their defaults, my attention is drawn to the comments in the Civil Service Guidance Notice in relation to passwords.

    In the context of mobile devices (like phones), the Guidance explicitly states that

    Manufacturer or operator-provided PIN codes must be changed from the default setting by the user on receipt of the device.

    So, default settings aren’t allowed for security reasons in the Civil Service on devices as commonplace as mobile phones. In relation to databases and other devices, the guidance says:

    Passwords used to access PCs, applications, databases, etc. should be of sufficient strength to deter password cracking or guessing attacks.

    A reasonable implication here is “don’t leave it at the default settings”.

    If it is good enough for the Civil Service, why not good enough for Fine Gael?

    The Training

    Enda tried to make a big noise about the “40 young people” who were getting training in the technology. It is very far-reaching to teach young people (how old are they?) how to use Social Networks and Twitter.

    What would be more far-reaching would be to ensure that all levels of the FG organisation received appropriate training in Data Protection principles and practice, and that, rather than instilling a technocratic focus in the culture of the organisation, FG began the process of inculcating an info-centric culture that put the meaning, purpose, and value of Information at the heart of their strategy.

    That info-centric culture would need to extend beyond flashy websites to the mundane matters of organisational governance, control, and accountability for information that the Party organisation processes, whether it is on the web, by email, or on paper.

    A beneficial by-product

    A by-product of such a culture change (and it would need to be an actual change, not just more banal lip-service) might be that we would get, perhaps for the first time, the articulation of what a “Knowledge Economy” might actually be, expressed in terms that might echo the sentiments of Peter Drucker over a decade ago, and that wouldn’t descend into babbling and burbling about technologies which, by his own admission, Enda isn’t competent to talk about.

  • Fine Gael’s website: some thoughts

    It looks like there’s been some rework done on the FG website to address Data Protection concerns.

    This is good and is to be commended. It is also in line with how the Data Protection Commissioner works with organisations who have compliance issues. However, issues did exist prior to yesterday which will continue to present challenges to FG regarding their compliance with the Data Protection Acts.

    Here’s a screen shot I took yesterday:

    [Image: screenshot of the FG website on 7th January 2011]

    It is a bit small to read in the image, but the tick boxes on the site (after you submit your personal data) have the following text beside them:

    • I agree to receive campaign messages on my mobile telephone
    • I agree to share my comments on the website.

    So, if you posted a comment prior to yesterday, the only communication you could provide any consent to was an SMS. If you found you had been added to a mailing list, the data had not been fairly obtained (you didn’t know you were going to be getting emails) and any processing of your personal data to send you an email is technically a breach of S.2 of the Data Protection Acts.

    Given that a number of people apparently complained to the Data Protection Commissioner about getting unsolicited emails when they had posted comments, the website was changed as of this morning with a very subtle edit to the wording of the text next to the first tick box…

    I agree to receive campaign messages from Fine Gael.

    … is what your choice is now when you post your comment. That is a broader statement that does now permit FG to email you (and potentially SMS you as well) with their campaign messages if you don’t ensure that you uncheck the box. Please note that this is an OPT OUT of their mailing list, not an OPT IN.

    So, one compliance issue addressed. Of course, that leaves the question as to what they will do with the emails they captured prior to yesterday which cannot be used as it is unclear if the person has opted in or out of the use of their email address for campaign mailings. This is one of those areas where Data Protection and Information Quality overlap – where the meaning of a flag in the database changes at a point in time and the interpretation of that flag can have significant regulatory and compliance impacts.

    I encountered this when running data migrations in a telco many years ago. The billing system had a flag “Junk Mail”, which allowed a “Yes” or a “No”. The problem was that there was no agreement on whether “Junk Mail =Y” meant people wanted junk mail or “Junk Mail = N” meant people wanted junk mail – the meaning of the value had been lost in the mist of time and the absence of formal documentation about the processes.

    Suggestion: FG should use the date stamp (that they hopefully have) in their database to exclude any email address created on their database prior to January 8th from any email messages… just to be on the safe side. And as they don’t have a use for that data (they can’t email people), they would be required under the Data Protection Acts to get rid of it, as they can’t hold data for longer than they have a legitimate purpose for it.
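As an added illustration of the date-stamp suggestion (this is example code written for this page, not anything from Fine Gael’s site), the sketch below records what the tick box meant on each date so the meaning of the flag isn’t lost, and sorts captured addresses into usable, SMS-only, and no-longer-needed. The 8 January 2011 wording change comes from the post; the record layout, sample data and function names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# The post records that the wording next to the first tick box on FG2011.com
# changed on 8 January 2011. Everything else here (record layout, sample data,
# function names) is an assumption constructed for this example.
WORDING_CHANGE = date(2011, 1, 8)

# Document what the flag meant in each period, so the Y/N value is never
# separated from the wording the person actually agreed to.
FLAG_MEANING = [
    (date.min, WORDING_CHANGE,
     "I agree to receive campaign messages on my mobile telephone", {"sms"}),
    (WORDING_CHANGE, date.max,
     "I agree to receive campaign messages from Fine Gael", {"sms", "email"}),
]


@dataclass
class ConsentRecord:
    email: str
    mobile: str
    created: date               # the date stamp the post hopes FG have
    campaign_box_ticked: bool   # first tick box, whatever its wording was


def wording_in_force(created: date) -> str:
    """Return the tick-box text that was on the form on the given date."""
    for start, end, text, _ in FLAG_MEANING:
        if start <= created < end:
            return text
    raise ValueError("no wording on record for %s" % created)


def permitted_channels(rec: ConsentRecord) -> Set[str]:
    """Channels the captured consent actually covers for this record."""
    if not rec.campaign_box_ticked:
        return set()
    for start, end, _, channels in FLAG_MEANING:
        if start <= rec.created < end:
            return set(channels)
    return set()


def triage(records: List[ConsentRecord]) -> Dict[str, List[str]]:
    """Split records into: email addresses usable for campaign mailings,
    mobiles where only SMS consent exists, and email addresses with no
    remaining purpose (to be erased rather than kept 'just in case')."""
    out: Dict[str, List[str]] = {"email_campaign": [], "sms_only": [], "erase_email": []}
    for rec in records:
        channels = permitted_channels(rec)
        if "email" in channels:
            out["email_campaign"].append(rec.email)
        else:
            out["erase_email"].append(rec.email)
            if "sms" in channels:
                out["sms_only"].append(rec.mobile)
    return out


# Constructed sample data, not real submissions.
SAMPLE = [
    ConsentRecord("a@example.com", "+353 85 000 0001", date(2011, 1, 6), True),   # old wording: SMS only
    ConsentRecord("b@example.com", "+353 85 000 0002", date(2011, 1, 7), False),  # box unticked
    ConsentRecord("c@example.com", "+353 85 000 0003", date(2011, 1, 8), True),   # new wording: SMS + email
    ConsentRecord("d@example.com", "+353 85 000 0004", date(2011, 1, 9), False),  # opted out
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.email, rec.created, sorted(permitted_channels(rec)))
    print(triage(SAMPLE))
```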

    The Privacy Statement

    I’ve written a few times over on the company site about the need for Privacy Statements to actually reflect the reality of what is happening with personal data that you are obtaining and the balance that needs to be struck by Data Controllers.

    [Image: screenshot of the FG2011.com Privacy Statement]

    FG finally got around to putting up a Privacy Statement on their website late in the day yesterday (check the image above… it’s not there in the morning when I took the screen grab). They copied the privacy statement from their old website, which was accessible yesterday (along with all their policies etc.) at http://finegael.org but appears to have gone away, as the screenshot from today below shows. Perhaps their web sites have moved (for security reasons, as FG say in today’s Irish Times).

    [Image: screenshot of the finegael.org backup site as of 8th Jan 2011 14:14 – Finegael.org, gone away?]

    While they have a link and can tick the box about having a Privacy Statement, in my personal view they get 10 out of 10 for effort, but fail the test of whether that Privacy Statement actually reflects what they are doing in reality.

    The first test is failed in the very first paragraph which says that

    Visitors can use most of the site without being personally identified by Fine Gael.

    OK. If by “Use” you mean “Sit and Read” then that is a correct statement. But if you want to engage with any of the primary functions of the site (like having your voice heard, telling them your opinions and complaints, all the good and wholesome stuff that Enda is inviting us to do) then you HAVE to provide them with personally identifying information. And in some cases that information can end up being quite granular. For example, if I was to put in my name and village I live in I would be uniquely identifiable as I’m the only person of that name in that village.

    The fact that the Privacy Statement doesn’t address many of the specific points that the Data Protection Commissioner and the legislation actually require to be addressed in a Privacy Statement is another key issue.

    Compare the Fine Gael Privacy Statement (or Fianna Fail’s) to the equivalent statements on websites from UK political parties:

    The UK Greens (like their Irish counterparts) don’t have a Privacy Statement on their website.

    Given that FG have moved to new servers, with a website with new functionality and new purposes for personal data at the very least they should have reviewed their Privacy Statement to make sure it is still valid.

    Indeed, that type of regular review is a recommendation of the Data Protection Commissioner and is a requirement of the BS10012:2009 standard for Personal Information Management Systems.

    Suggestion: FG should review their Privacy Statement to make sure it actually matches what is actually going on. This should form part of their regular and on-going governance of data to ensure compliance.

    Some Thoughts

    Fine Gael seem to have made significant efforts in the past day or so to address a problem that earlier in the week they didn’t want to engage with. Indeed, up to yesterday morning they were telling TheJournal.ie that they “weren’t interested”. In that context, the steps that they have taken are a laudable effort.

    But if they had actually taken the time to plan and build their Data Protection obligations into their new processes and website and ensure that they were demonstrably in compliance with the legislation before launching their site then this story would never have existed for anyone to be interested in at all!

    The lesson that needs to be learned from the Fine Gael experience is that it is always far better to design privacy and data protection concerns into systems and processes rather than having to inspect out defects and errors. Just like with any quality process, if you don’t design quality in you will inevitably find yourself having to fire-fight issues in crisis mode, which means that you will almost always miss something else.

    Privacy by Design is a key concept in Data Protection circles. Given that the Data Protection Acts create a Duty of Care, care should be taken when embarking on the processing of personal data to ensure that you understand that Duty of Care and how to meet the associated Standard of Care.

    Not doing so means you risk regulatory penalties, litigation (where there is damage suffered as a result of the breach of the Data Protection rules), and damage to your brand and commercial reputation. Regulatory penalties can be paid, court cases can be settled, but the media coverage and comment on your brand, particularly in the age of Twitter, blogging and Google, will have a half-life all of its own.

    A lawyer friend of mine often tells people:

    There’s only one thing worse than being sued and losing, and that’s being sued and winning. Because no one will remember that you won! It’s always better to avoid being sued in the first place.

  • Red Herrings, Hosting, and Data Protection

    I’ve written a new post over on my business website that looks at some of the issues that have been raised by TheJournal.ie in an article today. I won’t rehash the whole thing here – please follow the link to read the full post on the other site.

    Suffice it to say, there is a big difference between compliance with EU legislation and taking business decisions based on patriotic motives or a desire to “buy Irish”.

    The fact that various parties have their sites hosted in the UK is not a compliance issue per se – the UK is still in the EU and has equivalent legislation to us based on the same root Directive. Norway is a member of the EEA and as such has legislation that is derived from the same Directive as underpins our Data Protection laws (I may be the only person in the country who has actually READ the Norwegian Data Protection Act… it’s very similar in intent and execution to our own law).

    A big issue is hosting personal data, including sensitive personal data, outside the EU or EEA or other “Safe Country” without any apparent controls in place, such as using a Data Processor who is registered with Safe Harbor and ensuring you have a written contract in place.

    It is extremely wrong for anyone to claim that hosts don’t have to comply with the Data Protection legislation. They do. As Data Processors, their obligations are not as extensive as those owed by Data Controllers, but the relationship between the Data Controller and the Data Processor is critical to the end-to-end governance of Data Protection obligations.

  • Setting tone from the Top

    In the rush to adopt new technologies and new ways of working, particularly when an organisation embarks on a change to systems and processes, it is often very easy to get caught up in the whirlwind of enthusiasm for the new technology and the promised benefits of new ways of working.

    Nearly 2 years ago I wrote a post on this blog about the adoption of US style internet campaigning and the use of Web2.0 in Irish politics from an information quality perspective. The scorecard wasn’t good from a data quality perspective. The strategy seemed to be “If Obama can get elected using this Internet thingy, then we need to copy what he did”. No attention seemed to have been paid to the simple fact that a “cut and paste” adoption of a pre-canned solution from elsewhere would not necessarily work.

    2 years on I would have thought that some lessons might have been learned. So when Fine Gael announced they’d “stood down” their finegael.ie website in favour of a more interactive presence in the run up to the election I thought I’d take a quick look. While the Information Quality issues with the form were not too bad, the structure and operation of the site raise a number of concerns from a Data Protection perspective.

    Bluntly – when a US election solution provider rolls up in Europe they will find that they literally ain’t in Kansas anymore, particularly with regards to what you must and must not do with regards to the capture and processing of personal data. Political parties buying these services need to be aware that they are Data Controllers and that the solution providers are Data Processors in the context of the Data Protection Acts 1988 and 2003.

    Failure to set the “tone at the top” and cascade it through the organisation means that often the important questions are not asked (or the answers are ignored).

    Ultimately, in a Data Protection context, you are dealing with issues that can impact on your brand. If you are positioning yourself as being a political party that will “get tough” with vested interests through more effective regulation and enforcement you can’t really start the ball rolling by flouting basic principles of Data Protection law.

    Indeed, back as far as 2004 the Data Protection Commissioner wrote:

    It is important that public representatives and candidates for elective office realise the importance of their obligations under the Acts and that, in so far as responding to legitimate investigations from statutory office holders is concerned, in no sense should they consider themselves above the Law.

    In 2009’s annual report the Commissioner also wrote that:

    Rapidly changing technology can be both a threat to this right and the means of protecting it. Building data protection safeguards into new technologies and applications of these technologies remains the best approach. This is as much true of data processing in the “cloud” as it is of a routine development of an IT application in an organisation.

    So… the issues?

  • Bruce Schneier on Privacy

    Via the Twitters I came across this absolutely brilliant video of Bruce Schneier talking about data privacy (that’s the American for Data Protection). Bruce makes some great points.

    One of the key points that overlaps between Data Protection and Information Quality is where he tells us that

    Data is the pollution problem of the Information Age. It stays around, it has to be dealt with and its secondary uses are what concerns us. Just as… … we look back at the beginning of the previous century and sort of marvel at how the titans of industry in the rush to build the industrial age would ignore pollution, I think… … we will be judged by our grandchildren and great-grandchildren by how well we dealt with data, with individuals and their relationships to their data, in the information society.

    This echoes the Peter Drucker comment that I reference constantly in talks and with clients of my company where Drucker said that

    So far, for 50 years, the information revolution has centered on data—their collection, storage, transmission, analysis, and presentation. It has centered on the “T” in IT. The next information revolution asks, what is the MEANING of information, and what is its PURPOSE?

    Bruce raises a number of other great points, such as how as a species we haven’t adapted to what is technically possible and the complexity of control is the challenge for the individual, with younger people having to make increasingly complex and informed decisions about their privacy and what data they put where and why (back to meaning and purpose).

    I really like his points on the legal economics of Information and Data. In college I really enjoyed my “Economics of Law” courses and I tend to look at legalistic problems through an economic prism (after all, the law is just another balancing mechanism for human conduct). I like them so much I’m going to park my thoughts on them for another post.

    But, to return to Bruce’s point that Data is the pollution problem of the Information age, I believe that that statement is horribly true whether we consider data privacy/protection or Information Quality. How much of the crud data that clutters up organisations and sucks resources away from the bottom line is essentially the toxic slag of inefficient and “environmentally unfriendly” processes and business models? How much of that toxic waste is being buried and ignored rather than cleaned up or disposed of with care?

    Is Information Quality Management a “Green” industry flying under a different flag?

  • The Who/What/How and Why

    Data protection and Information Quality are linked in a number of ways. At one level, the EU Directive on Data Protection (95/46/EC) describes the underlying fundamental principles of Data Protection as “Principles for Data Quality”.

    While that is great pub quiz content, it helps to be able to make some more pragmatic and practical links as well.

    On a project a while ago, I was asked to help a client ensure that certain business processes they were putting in place with a partner organisation were data protection compliant. They’d been asked to do this by the partner organisation’s lawyers.

    I leaped into action, assuming that this would be an easy few days of billable work. After all, all I needed to know was what data the partner organisation needed, when, and why, in order to document some recommendations for my client on how to build a transparent and compliant set of policies and procedures for data protection.

    Unfortunately the partner organisation seemed to lack an understanding of the what’s, why’s, when’s, and how’s of their data. This was perplexing as, nice and all as a blank canvas is, sometimes you need to have a sense of the landscape to draw your conclusions against.

    The engagement I had from the partner organisation was focussed on their need to be able to take certain steps if certain circumstances came to pass. While the focus on the goal was commendable, it served to generate tunnel vision on the part of the partner that put a significantly valuable project at risk.

    Goals and objectives (why) are all well and good. But Knowledge Workers need to be able to link these to processes (how) and information needs (what). Deming famously said that if you can’t describe what you are doing as a process then you don’t know what you are doing. I’d go further and say that if you can’t identify the data and information you need to do what you are doing then you can’t be doing it, at least not without massively increased costs and risks (particularly of non-compliance with regulations).

    In the end I made some assumptions about the what’s and how’s of the partner organisation’s processes in order to meet the goal that they had focussed on so narrowly.

    That enabled me to map out an approach to data protection compliance based on a “minimum necessary” principle. And that got my client and their partner over the hump.

    But, from an information quality perspective, not being able to answer the what/why/how questions means you can’t set meaningful measures of “fitness for purpose”. If you don’t know what facts are needed you don’t know if information is missing. If you don’t know what use data will be put to you can’t possibly tell if it is accurate enough.

    So, both Data Protection and Information Quality require people to know the what/why/how questions about their information to allow any meaningful outcome to ensue. If you can’t answer those questions you simply cannot be doing business.
    To paraphrase Deming – we need to work on our processes, not their outcome.

  • John Gormley, Commercial motor tax, and Data Protection Penalties

    This post was originally published in August 2010 on the Irish Computer Society’s Data Protection blog. It has been republished here as it is my original work and I’m trying to get all my Data Protection musings in one place. Some links have been updated to point to different targets here and on my company’s website.

    I listened with interest this morning to the media coverage of how John Gormley was introducing a new tax on commercial vehicles. My interest was twofold. My wife used to work in the Motor Tax section of a local authority. She left there nearly 4 years ago. Even then drivers of light commercial vehicles had to sign a declaration that the vehicle was for commercial purposes and not for private use. Back then, she used to have private motorists trying to register their large 4x4s as commercial to avoid the higher rates of motor tax on private vehicles. And I’ve recently written about how penalties for breaches of legislation are the third lever the government has to help balance the books.

    So, the existence of a declaration form isn’t really anything new it seems. What is new is that the Minister is asking people to take it seriously and some penalty is now attached to making a false declaration. It may well be that the specifics of enforcement will be difficult, and it is unlikely that a blanket ban on “mixed use” will ever be 100% effective. But it does show that the Government are seeking to maximise the income they can generate from existing processes by increasing the enforcement and the penalties associated. This is precisely the point I made in my last post on this blog when I wrote about how the introduction of penalties for breaches of the Data Protection Acts was probably inevitable, regardless of when the new Directive comes into being, simply by reason of the State needing to open as many sources of revenue as possible.

    Of course this “change” in the Motor Tax regime is, to an extent, unfair as commercial vehicle owners have gotten used to being able to drop the kids to school and use their vehicles on weekends for leisure purposes etc, enjoying all the benefits of private vehicle use on a fraction of the tax. The media response (particularly from the AA) has been to suggest that the Minister will drive people to buy second cars or is imposing a burden on small businesses. And that is unfair. Personally, I think a change to the motor tax regime where a “mixed use” category would be introduced might have merit.

    However, thinking back to my last post on this blog, would there be as much of an outcry if penalties for breaches of the Data Protection Acts were introduced? Bear in mind that the Commissioner operates on a conciliatory basis, seeking to promote Compliance, not punish non-Compliance. Also bear in mind that breaches of the Data Protection Acts occur when Data Controllers fail to respect the Duty of Care that they owe to individuals to hold their personal data on trust and to respect their privacy. I would suspect that, when penalties are introduced (I say “when” because it will happen either through domestic legislation or further alignment of EU frameworks through a revised Directive), they will be applied only where a Data Controller has failed to act, or acted with willful neglect of their duties under the legislation.

    Where currently the Commissioner can dangle the carrot of constructive engagement and guidance, in the future that will be supplemented by the big stick of fines or other penalties.

    I suspect that penalties that might be levied for breaches such as (for example) operating CCTV without adequate Fair Processing Notices would be quite small (at least initially), perhaps just enough to get the Data Controller to engage with the DPC. But persistent offending might lead to higher penalties.

    In short – only the worst offenders will likely be penalised.

    So, the morning talk-radio interview might go:

    Data Controller: “These new penalties are a burden on us”

    Interviewer: “But they are just penalties for stuff you are supposed to be doing anyway to protect people’s privacy etc.”

    Data Controller: “But it’s a big cost to our business if we get a fine every time we do this”.

    Interviewer: “But you shouldn’t be doing it, and the fine is only imposed after the Commissioner tries to get you to correct your behaviour”

    Data Controller: “That’s not the point”

    Interviewer: “That is the point. If you want to avoid the penalty, stop playing fast and loose with people’s personal data”.

    And that’s the point… while it may be unfair and burdensome in the land of soundbites to expect a small business owner to buy and run a second car or face a penalty for misusing a commercial vehicle, penalties under the Data Protection Acts would be avoidable simply by complying with the legislation.

    So long as you know the rules of the game, work on being compliant, and respect the Duty of Care you owe to your Data Subjects (all things a Data Controller should be doing anyway) there is no additional burden. As such, any increase in penalties would likely be easier to defend than an increase in taxes or restrictions on how a vehicle is used.

    It would also be easier to enforce.

    So, the call to action from this article? I am suggesting that anyone processing personal data in the course of their commercial activities should start getting their house in order now ahead of any changes which might bring in penalties. Ensure your staff are properly trained in the principles of Data Protection. Start working now to make it part of “how things get done” in your organisation, not “another bloody thing to do”.

  • Putting Teeth In the Tiger

    This post was originally published in August 2010 on the Irish Computer Society’s Data Protection Blog. I’ve copied it to here as it is my work and I want to put all my Data Protection musings in one place. Please feel free to go and look at it on the ICS site as well.

    The Information Commissioner’s office in the UK has recently flagged their lack of powers to the European Commission. This is slightly amusing for those of us working under the Irish data protection regime, who look at the powers that the UK ICO have to levy penalties for breaches of the UK Data Protection Act, compared to the relatively limited powers of the Irish Data Protection Commissioner to issue Enforcement or Prohibition Notices and only to take prosecutions for breaches of the e-privacy regulations.

    Of course, the Irish Commissioner does have the power since the 2003 Act to conduct audits and investigations on their own account (i.e. not on foot of an actual complaint). The UK ICO has limited powers by comparison. Likewise, they lack Data Breach provisions equivalent to those the Irish Data Protection Commissioner introduced last month (but there are plans to do so in the UK soon).

    There is a new draft Data Protection Directive in the pipeline (albeit stalled at the request of the French to allow sufficient time for effective consultation). Just as Directive 95/46/EC (the root of Ireland’s 2003 Data Protection Amendment Act) was introduced to address divergences in the implementation of the previous Convention on Data Privacy (Convention 108), it is likely that this revised directive will seek to address some of the remaining areas of divergence in national laws which implement Directive 95/46/EC. One area which is likely to be addressed will be the nature and type of penalties which will be applicable to various categories of breach.

    The drafting of the revised Directive has been delayed. Even when the Directive comes into being, the Irish Government’s track record in implementing Data Protection regulations in a timely manner has been less than impressive. So it may well be that, from the point of view of EU-mandated changes, we could be in for a long wait.

    However, there is a significant elephant in the room. The State needs to balance the books. The two traditional levers which can be pulled by the State are either Taxation or reductions in spending. Both of these levers are politically difficult to pull. Increasing taxes creates resistance and revolution (increases in taxation historically trigger revolutions – particularly taxes on property or on the middle classes). Cutting spending likewise creates resistance and exacerbates social disadvantage (in many cases undoing valuable work previously done using tax euros).

    Both of these items are on the current agenda.

    Of course, there is a third lever which can be used to generate revenue for the State and which can (at least in the short to medium term) bring about a change in behaviour. That third lever is the levying of fines and penalties. While this lever may not contribute as quickly or substantially to balancing the books, it would be remiss of the government to overlook any potential source of revenue at this time. And this revenue would be generated on foot of behaviour which is already illegal under legislation that has been in existence for a number of years; unlike a tax, it can be avoided simply by taking the necessary steps to comply with that legislation.

    The introduction of such penalties would require a minor amendment to the existing legislation.

    So, given that there are indications emerging which suggest upcoming changes to standardise the types of penalty which will apply to breaches of the Data Protection regulations across the EU27 States, and that the State has an increasingly urgent need to generate revenue, I would not be surprised if we were to see some changes in the Data Protection legislation in Ireland sooner rather than later which would introduce some penalties which will put some additional teeth in the Data Protection Commissioner’s enforcement powers.

    But this is only a worry for anyone who isn’t complying with the Data Protection Acts. The prudent course of action for anyone processing personal data would be to make sure that they get their house in order ahead of any potential changes, either emerging from Europe or from the Government’s need to claw in as much income as possible.

  • “It’s the Information, Stupid”

    This post was first published in the Irish Computer Society Data Protection blog. I’m republishing it here as it is my original work and I am putting my Data Protection musings in one place.

    A recent news story in the Irish Times about the data protection compliance problems faced by the Irish Insurance industry serves as a timely reminder of one of the mantras for Data Protection compliance:

    Just because you can, doesn’t mean you should.

    In this instance, a perfectly legitimate process existed for sharing data in certain circumstances (when a claim was being made) to help flag instances of insurance fraud etc. All of that processing is legitimate and legal.

    The problem arose where the information was being shared when a claim might be made, resulting in disclosures of personal data between insurance providers without any legal justification. It was these disclosures that the Commissioner flagged as being in breach of the Data Protection Acts.

    Technology is great. It allows for the analysis of data quickly to find important nuggets of information. However, only if you have obtained that source data legally will you be able to legitimately act on the facts you uncover.

    Just because you can, doesn’t mean you should.

    This case also highlights another aspect of Data Protection Compliance – it is not all about technology or the IT department. In this case, business decisions were taken to share information. Without business rules to restrict or permit disclosure of information (e.g. “only disclose if a claim is in progress”), information was disclosed without due cause. Business managers need to step up to the mark and be proactive about how they manage their core business asset (information) in a way that ensures and assures compliance, trust and, at the end of the day, their ability to keep using that information.

    To paraphrase Bill Clinton – “It’s the Information, Stupid”.

  • For the want of a nudie pen Tom Happens is exposed

    One of the most popular presenters on one of the most popular radio stations in Ireland recently launched a great idea – a loyalty card for his listeners. This card seems to be the replacement for his previous gimmick, a “Nudie Pen”.

    Visit the radio station website (NewsTalk.ie), tell them your name, your address, your email address, your 3 favourite bands and your favourite foods, and a piece of plastic featuring a picture of the host will wend its way to your door.

    Simple.

    At least it is unless you step back and think about the process from the point of view of Data Protection principles.

    Personal data must be obtained and processed fairly for specific purposes. What are the purposes for which NewsTalk wants my personal data? If it is just to send me a card then we walk right into another issue – information gathered should not be excessive to that purpose.

    So, if you are just sending me a card, why do you need to know my music and food preferences?

    Sensitive personal data, such as data pertaining to medical conditions, political beliefs or ethnic origins, is treated with more seriousness under the Data Protection Act. So, depending on the responses to those questions about music and favourite foods, sensitive personal data may well be processed.

    The explanation of the loyalty card scheme that is on the NewsTalk website is great and in keeping with the light-hearted nature of Tom’s show. However, it doesn’t go far enough in explaining or setting out the purposes for which the data is being captured.

    Other issues arise as a result of processing personal data via a website, such as the legal requirement to have a privacy policy displayed on the site and the data protection requirements of keeping the data safe and secure and only keeping it for as long as it is needed for the specified purpose. I’ll explore these in later posts.

    It is all too easy to fall foul of the simple rules that exist to ensure trust and transparency in how personal data can be processed. Prior planning can ensure that Compliance is an enabler of business and customer interaction rather than a nagging fear of being caught that drags at your every action.

    Taking out your Nudie Pen and mapping out what your information objectives, purposes, etc. are (see this tutorial on my company website for an example) is time well spent to make sure you aren’t creating a rod to beat yourself with. Using your Nudie Pen to sign up for some Data Protection Training (such as that offered by the Irish Computer Society or my company) would also be a worthwhile step, particularly given the Data Protection Commissioner’s recent findings on the need for the management teams in businesses to be aware of the Data Protection implications of their actions.